Dan560

Port forwarding cisco 837

Hi

I want to configure my Cisco 837 to forward ports 25, 80, 443 to my Exchange server, but I am not sure what the commands are.
apcsolutionsuk

If I were you I would set "dmz"; that would forward all the traffic (every port) to whatever IP address you want, i.e. your server, and then let your server deal with it.
Dan560

ASKER

What is dmz? I've heard of it... Is it safe to port forward all outside traffic to my server though?

You need to add static NAT entries and possibly access-list rules. Can you post your configuration? It will make it easier.
Dan560

ASKER




Password:
Router>en
Password:
Router#Show running-config
Building configuration...

Current configuration : 5187 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$OJik$j/nBnvxwOGhysHNfcr6uO/
enable password password
!
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.13.1.1 10.13.1.49
ip dhcp excluded-address 10.13.1.101 10.13.1.254
!
ip dhcp pool default
   import all
   dns-server 62.24.128.17 62.24.128.18
!
ip dhcp pool steve
   network 10.13.1.0 255.255.255.0
   default-router 10.13.1.1
   dns-server 62.24.128.18
!
!
ip name-server 62.24.128.17
ip name-server 62.24.128.18
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Password address remote ip
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toremote ip
 set peer remote ip
 set transform-set ESP-3DES-SHA
 match address 102
!
!
!
!
interface Ethernet0
 description $FW_INSIDE$
 ip address 10.13.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip tcp adjust-mss 1392
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 62.24.X.X 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_LOW out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname user@ecocallnet.co.uk
 ppp chap password 0 password
 ppp pap sent-userecocallnet.co.uk password 0 password
 crypto map SDM_CMAP_1
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
!
!
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 62.24.236.60 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.13.1.0 0.0.0.255
access-list 101 permit udp host remote ip host 62.24.X.X eq non500-isakmp
access-list 101 permit udp host remote ip host 62.24.X.X eq isakmp
access-list 101 permit esp host remote ip host 62.24.X.X
access-list 101 permit ahp host remote ip host 62.24.X.X
access-list 101 permit udp host 62.24.128.18 eq domain host 62.24.X.X
access-list 101 permit udp host 62.24.128.17 eq domain host 62.24.X.X
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 permit icmp any host 62.24.X.X echo-reply
access-list 101 permit icmp any host 62.24.X.X time-exceeded
access-list 101 permit icmp any host 62.24.X.X unreachable
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 permit icmp any host 62.24.X.X
access-list 101 deny   ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.13.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.13.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 10.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 exec-timeout 120 0
 password Password
 login
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end

Router#
ASKER CERTIFIED SOLUTION
JFrederick29
This solution is only available to members.
dacselat

ip nat inside source static tcp "yourserverIP" 25 "yourpublicIP" 25
ip nat inside source static tcp "yourserverIP" 80 "yourpublicIP" 80
ip nat inside source static tcp "yourserverIP" 443 "yourpublicIP" 443

or

ip nat inside source static tcp "yourserverIP" 25 interface "yourinternetinterface" 25
ip nat inside source static tcp "yourserverIP" 80 interface "yourinternetinterface" 80
ip nat inside source static tcp "yourserverIP" 443 interface "yourinternetinterface" 443

And:

!The interface used by your server
interface XX
  ip nat inside

!The interface used by your internet connection
interface YY
  ip nat outside
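
Applied to the configuration posted above, the static NAT entries alone are not enough: access list 101 is applied inbound on Dialer0 and ends in "deny ip any any log", so the three ports also have to be permitted there. The following is an added example, not part of any poster's answer; the server address 10.13.1.10 and the sequence numbers are assumptions, and 62.24.X.X is the masked Dialer0 address from the post.

```cisco
! Added example, not from the thread.
! Assumptions: Exchange server at 10.13.1.10 (constructed address);
! 62.24.X.X stands for the Dialer0 address exactly as masked in the post.
!
! 1. Static port translations for the three ports only, bound to the
!    outside interface. Every other port stays closed, unlike a "dmz"
!    setting that forwards all ports to the server.
ip nat inside source static tcp 10.13.1.10 25 interface Dialer0 25
ip nat inside source static tcp 10.13.1.10 80 interface Dialer0 80
ip nat inside source static tcp 10.13.1.10 443 interface Dialer0 443
!
! 2. The inbound ACL on Dialer0 is checked before the destination is
!    translated, so the permits must match the public address.
!    A plain "access-list 101 permit ..." line would be appended after
!    "deny ip any any log" and never match, so insert by sequence number.
!    Check the real numbers first with "show ip access-lists 101";
!    171-173 assume the final deny sits at sequence 180.
ip access-list extended 101
 171 permit tcp any host 62.24.X.X eq smtp
 172 permit tcp any host 62.24.X.X eq www
 173 permit tcp any host 62.24.X.X eq 443
!
! 3. Verify from exec mode:
!    show ip nat translations
!    show ip access-lists 101
!    The match counters on the three new entries should increase when
!    the services are reached from outside, and the final deny should
!    stop logging hits for those ports.
```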