swishard

Cisco Port Forwarding Through Multiple Routers Issue

I am attempting to port forward port 80 from a secondary ISP to a web server. Going from the public address to 10.0.0.2. Considerable research shows my port forwarding statements are correct, but the traffic doesn't make it to the web server.

The path is from the ISP to the pix at 192.168.5.2 into a Cisco 2600 series at 192.168.5.1. The same router also has a second Ethernet port on the 192.168.2.x subnet. Out of that router to Cisco 3640 on the 192.168.1.x subnet, to an ASA firewall to the 10.0.0.X subnet.

From the pix, I can ping the 10.0.0.x subnet as well as the 192.168.x.x subnets on the network. I have also tried forwarding port 23 to our AS400 on the 192.168.1.x subnet with the same results.

What do I need to do on either the 3640 or the 2600 series routers to allow the port forwarding to pass?
Routers, TCP/IP

JFrederick29

Does the ASA have a static and access-list entry to allow this traffic to pass to the 10.0.0.2 server?  Does either the 2600 or 3640 have access-lists?
swishard

ASKER

The 2600 has no access lists in the config.

The access list for the 3640 is as follows:
access-list 100 permit tcp host 192.168.20.1 any eq 1994
access-list 100 permit tcp any host 192.168.20.1 eq 1994
access-list 150 permit icmp any any
access-list 199 permit ip host 10.0.0.3 any
access-list 199 permit ip any host 10.0.0.3
access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply

There are no Access-Group statements.

The ASA has the following static entry to the 10.0.0.2 Webserver:

static (dmz,outside) 65.126.15.3 10.0.0.2 netmask 255.255.255.255

Note from the primary ISP there are no issues reaching the webserver, only from the secondary. To take the ASA out of the picture I also forwarded telnet to a box in the 192.168.1.x subnet. I got the same results, traffic not passing, just in this case the ASA was excluded whereas it is involved with the web server.
JFrederick29

This isn't going to work because the 10.0.0.x subnet is off the ASA and the return traffic won't make it back to the PIX doing the original NAT.

For the telnet port forward to the AS400, the AS400 return traffic would need to route back through the PIX and not the ASA for it to work through the second ISP/PIX connection.
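
The return-path problem described in this answer, traced hop by hop as an added example that is not part of the original thread. The routing tables are constructed, and they assume the interior default routes lead to the ASA (the primary ISP); the client address is a documentation-range placeholder. It also shows why pings sourced from the pix at 192.168.5.2 succeed while forwarded connections do not.

```python
import ipaddress

# Constructed topology (assumption): per-device routes as (prefix, next hop).
# Interior default routes lead to the ASA, i.e. the primary ISP.
ROUTES = {
    "AS400": [("0.0.0.0/0", "3640")],
    "3640": [("192.168.5.0/24", "2600"), ("0.0.0.0/0", "ASA")],
    "2600": [("192.168.5.2/32", "PIX"), ("0.0.0.0/0", "3640")],
}
EDGE = {"ASA": "primary ISP", "PIX": "secondary ISP"}  # stateful NAT exits


def next_hop(device, dst):
    """Longest-prefix match of dst against the device's route list."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in ROUTES[device]
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reply_path(start, dst):
    """Hop-by-hop path a reply takes until it reaches an edge firewall."""
    path, device = [start], start
    while device not in EDGE:
        device = next_hop(device, dst)
        if device in path:
            raise RuntimeError("routing loop: " + " -> ".join(path + [device]))
        path.append(device)
    return path


def forward_works(nat_device, reply_dst, server="AS400"):
    """The reply is only un-translated if it returns through the firewall
    that created the translation for the inbound connection."""
    return reply_path(server, reply_dst)[-1] == nat_device


CLIENT = "203.0.113.10"     # constructed Internet client (documentation range)
PIX_INSIDE = "192.168.5.2"  # pix address given in the thread

if __name__ == "__main__":
    # Reply to a forwarded connection vs. reply to a ping sourced from the pix.
    for dst in (CLIENT, PIX_INSIDE):
        print(dst, " -> ".join(reply_path("AS400", dst)),
              "OK" if forward_works("PIX", dst) else "reply bypasses the PIX")
```
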
swishard

ASKER

Ok, I'll accept the web server issue from the dmz. I can always move that to the inside subnet in the event of an ISP issue. What do I need to do to get the forwarding to work on the 192.168.1.0 subnet? Since the forwarded telnet traffic to the 400 doesn't pass through the ASA, I assume I would have the same issue if I moved the Web Server, or forwarded PPTP through the pix to the .1 subnet.

ASKER CERTIFIED SOLUTION
JFrederick29