swishard
asked on
Cisco Port Forwarding Through Multiple Routers Issue
I am attempting to port forward port 80 from a secondary ISP to a web server. Going from the public address to 10.0.0.2. Considerable research shows my port forwarding statements are correct, but the traffic doesn't make it to the web server.
The path is from the ISP to the pix at 192.168.5.2 into a Cisco 2600 series at 192.168.5.1. The same router alos has a second ether net port on the 192.168.2.x subnet. Out of that router to Cisco 3640 on the 192.168.1.x subnet, to an ASA firewall to the 10.0.0.X subnet.
From the pix, I can ping the 10.0.0.x subnet as well as the 192.168.x.x subnets on the network. I have also tried forwarding port 23 to our AS400 on the 192.168.1.x subnet with the same results.
What do I need to do on either the 3640 or the 2600 series routers to allow the port forwarding to pass?
The path is from the ISP to the pix at 192.168.5.2 into a Cisco 2600 series at 192.168.5.1. The same router alos has a second ether net port on the 192.168.2.x subnet. Out of that router to Cisco 3640 on the 192.168.1.x subnet, to an ASA firewall to the 10.0.0.X subnet.
From the pix, I can ping the 10.0.0.x subnet as well as the 192.168.x.x subnets on the network. I have also tried forwarding port 23 to our AS400 on the 192.168.1.x subnet with the same results.
What do I need to do on either the 3640 or the 2600 series routers to allow the port forwarding to pass?
Last Comment
JFrederick29
Does the ASA have a static and access-list entry to allow this traffic to pass to the 10.0.0.2 server? Does either the 2600 or 3640 have access-lists?
ASKER
The 2600 has no access lists in the config.
The access list for the 3640 is as follows:
access-list 100 permit tcp host 192.168.20.1 any eq 1994
access-list 100 permit tcp any host 192.168.20.1 eq 1994
access-list 150 permit icmp any any
access-list 199 permit ip host 10.0.0.3 any
access-list 199 permit ip any host 10.0.0.3
access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply
There are no Access-Group statements.
The ASA has the following static entry to the 10.0.0.2 Webserver:
static (dmz,outside) 65.126.15.3 10.0.0.2 netmask 255.255.255.255
Note from the primary ISP there are no issues reaching the webserver, only from the secondary. To take the ASA out of the picture I also forwarded telnet to a box in the 192.168.1.x subnet. I got the same results, traffic not passing, just in this case the ASA was excluded whereas it is involved with the web server.
The access list for the 3640 is as follows:
access-list 100 permit tcp host 192.168.20.1 any eq 1994
access-list 100 permit tcp any host 192.168.20.1 eq 1994
access-list 150 permit icmp any any
access-list 199 permit ip host 10.0.0.3 any
access-list 199 permit ip any host 10.0.0.3
access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply
There are no Access-Group statements.
The ASA has the following static entry to the 10.0.0.2 Webserver:
static (dmz,outside) 65.126.15.3 10.0.0.2 netmask 255.255.255.255
Note from the primary ISP there are no issues reaching the webserver, only from the secondary. To take the ASA out of the picture I also forwarded telnet to a box in the 192.168.1.x subnet. I got the same results, traffic not passing, just in this case the ASA was excluded whereas it is involved with the web server.
This isn't going to work because the 10.0.0.x subnet is off the ASA and the return traffic won't make it back to the PIX doing the original NAT.
For the telnet port forward to the AS400, the AS400 return traffic would need to route back through the PIX and not the ASA for it to work through the second ISP/PIX connection.
For the telnet port forward to the AS400, the AS400 return traffic would need to route back through the PIX and not the ASA for it to work through the second ISP/PIX connection.
ASKER
Ok, I'll accept the web server issue from the dmz. I can always move that to the inside subnet in the event of a ISP issue . What do I need to do to get the forwarding to work on the 192.168.1.0 subnet? Since the forwarded telnet traffic to the 400 doesn't pass through the ASA, I assume I would have the same issue if I moved the Web Server, or forwarded PPTP through the pix to the .1 subnet.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Routers
A router is a networking device that forwards data packets between computer networks. Routers perform the "traffic directing" functions on the Internet. The most familiar type of routers are home and small office cable or DSL routers that simply pass data, such as web pages, email, IM, and videos between computers and the Internet. More sophisticated routers, such as enterprise routers, connect large business or ISP networks up to the powerful core routers that forward data at high speed along the optical fiber lines of the Internet backbone. Though routers are typically dedicated hardware devices, use of software-based routers has grown increasingly common.
49K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
