Cisco 2651 Router Port Forwarding

Hello Everyone,
I am trying to set up port forwarding on my Cisco 2651 router. Both FA0/0 and FA0/1 are already set up as designated interfaces, so I assume that I cannot use NAT for this. Is there another way to make this happen? Keep in mind the IP address on FA0/1 is dynamic, as this is for a HOME environment with a broadband cable internet connection that has a dynamic IP.


Here is what I'm looking for:
hostname.domain.com:91 to translate into 192.168.1.70:91
hostname.domain.com:80 to translate into 192.168.1.99:443 (this is the IP for my SonicWall SSL VPN appliance)

I don't have any ACL in place as of yet. I am going to configure this, but only if you feel it's the recommended way, because I am already using both FA0/0 and FA0/1 as designated interfaces for my NAT.

Any help would be greatly appreciated.

Thanks
Asked by mxrider_420 (LVL 1)

Nayyar HH (CCIE RS), Network Architect, commented:
Is NAT enabled?

If not:

int f0/1
ip nat outside
!
int fa0/0
ip nat inside
!
end
wr mem
Nayyar HH (CCIE RS), Network Architect, commented:
Hello

Not sure what you mean by them being set up as designated interfaces.

I believe you can create static mappings using an IP address or an interface. Maybe the interface would be more appropriate since the IP is dynamic.


ip nat inside source static 192.168.1.99 tcp 443 <ip_address>  tcp 80
ip nat inside source static 192.168.1.70 tcp 91  <ip_address> tcp 91

OR

ip nat inside source static 192.168.1.99 tcp 443<interface> tcp 80
ip nat inside source static 192.168.1.70 tcp 91  <interface> tcp 91


Nayyar HH (CCIE RS), Network Architect, commented:
Apologies for the syntax; it should be:

ip nat inside source static 192.168.1.99 tcp 443  <ip_address> tcp 80
ip nat inside source static 192.168.1.70 tcp 91  <ip_address> tcp 91

OR

ip nat inside source static 192.168.1.99 tcp 443 <interface> tcp 80
ip nat inside source static 192.168.1.70 tcp 91 <interface> tcp 91



mxrider_420 (Author) commented:
Is the <interface> in your second post the WAN or LAN port? I have internet on FA0/1 and LAN on FA0/0, so if you don't mind, can you let me know so I can complete this command? Also, how do I remove one? When I do a show run, there is a NAT I made that I'd like to delete.
Thanks
Nayyar HH (CCIE RS), Network Architect, commented:
This will be your Internet-facing interface, Fa0/1.

You can remove it by preceding the command with "no".

mxrider_420 (Author) commented:
Thank you,

I think my syntax is incorrect:


ROUTER1A-EXCHANGE(config)#ip nat inside source static 192.168.1.99 tcp 443 FA0/1 tcp 80
                                                                   ^
% Invalid input detected at '^' marker.
mxrider_420 (Author) commented:
I'm also assuming I should be in config t mode?
mxrider_420 (Author) commented:
Yes it is. I can see it with SDM even. It's working for sure...
Nayyar HH (CCIE RS), Network Architect, commented:
Yes, that's right.
Nayyar HH (CCIE RS), Network Architect, commented:
What exactly is working?
mxrider_420 (Author) commented:
The command above just keeps suggesting it's not correct and shows a marker :s, hence why I think my syntax was incorrect, but your solution seems correct. I'm just wondering why it's not accepting it.
Nayyar HH (CCIE RS), Network Architect, commented:
Are you sure "ip nat inside" and "ip nat outside" have been applied under each interface? Maybe you have NAT VI enabled.

Try using this config after removing the previous NAT configuration you added:

int fa0/1
ip nat enable
int fa0/0
ip nat enable
!
ip nat source static 192.168.1.99 tcp 443 fa0/1 tcp 80
ip nat source static 192.168.1.70 tcp 91 fa0/1 tcp 91
!
mxrider_420 (Author) commented:
Would this be the correct syntax?

ip nat inside source static tcp 192.168.1.99 91 interface fa0/1 91
Nayyar HH (CCIE RS), Network Architect, commented:
Yep, that's right!

My eyes are getting crossed :-s

ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port [extendable] [no-alias] [no-payload]
Nayyar HH (CCIE RS), Network Architect, commented:
So in summary ...


int fa0/1
ip nat outside
!
int fa0/0
ip nat inside
!
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.70 91 interface FastEthernet0/1 91
!
mxrider_420 (Author) commented:
OK great. And how can I check the NAT?

show ip nat translation?

This shows a WHOLE LOT of info. Is there a way to narrow it down?...
mxrider_420 (Author) commented:
PS. This is what my sh run shows:

router rip
 version 2
 passive-interface FastEthernet0/1
 network 192.168.1.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.70 91 interface FastEthernet0/1 91
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
Nayyar HH (CCIE RS), Network Architect, commented:
Try filtering with the "|":

sh ip nat translation | i <fa0/1 IP Address:91>

sh ip nat translation | i <fa0/1 IP Address:80>
mxrider_420 (Author) commented:
It shows:

tcp 174.5.165.113:80   192.168.1.99:443   ---                ---
tcp 174.5.165.113:91   192.168.1.70:91    ---                ---
Nayyar HH (CCIE RS), Network Architect, commented:
That's fine; it shows the translations are statically mapped. Once there's a connection you should see outside global/local mappings.
Nayyar HH (CCIE RS), Network Architect, commented:
Please request that your previous post be deleted, as it contains your public IP.
mxrider_420 (Author) commented:
How do I do that? lol

Also, it's strange, because when I go to connect.exchangesolution.ca it brings me to the router logon (not a good thing!!). I have HTTP enabled for use with SDM (at the moment anyways), but if my NAT was working correctly, then should it not redirect people to my SonicWall page on https:// 443 for a login?

I'd assume so; that's at least what I am trying to accomplish. Try it from where you are: go to connect.exchangesolution.ca and tell me what comes up.
Nayyar HH (CCIE RS), Network Architect, commented:
You can't have HTTP enabled on the router and also redirect the traffic; I believe the router will take precedence.

As you've split the services to separate ports, that should be OK. Find time to test; I'm very much available should you need further assistance.

mxrider_420 (Author) commented:
Thank you for all your help. I am going to turn off HTTP on the router and then test, and if there's still nothing, then I will do this with ACL rules and dynamic NAT instead; perhaps that would work. So far it looks like the rules we created are for internal to fa0/1, when I need fa0/1 TO network (fa0/0) NAT translations.

Thanks so much. I will keep this post active till I complete this task. Thanks
mxrider_420 (Author) commented:
This is what I have, yet it's still not working correctly. Any suggestions appreciated.

network 192.168.1.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat outside source static tcp 174.5.x.x 443 192.168.1.99 443 extendable
ip nat outside source static tcp 174.5.x.x 80 192.168.1.99 80 extendable
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password xxxxxx
 login local
 transport input telnet ssh
!
!
end
mxrider_420 (Author) commented:
Anyone know why the NAT is just simply NOT working?
TAMSCODAN commented:
Do you have the ip nat inside and outside on the correct interfaces?
TAMSCODAN commented:
Hmm, this looks backward:
ip nat outside source static tcp 174.5.x.x 443 192.168.1.99 443 extendable
ip nat outside source static tcp 174.5.x.x 80 192.168.1.99 80 extendable


should be:

ip nat inside source static tcp 192.168.1.99 443 174.5.x.x 443 extendable
ip nat inside source static tcp 192.168.1.99 80 174.5.x.x 80 extendable

Then make sure that ip nat inside is on your inside interface and ip nat outside on the outside interface.
TAMSCODAN commented:
FA0/1, according to your config, looks like the outside interface; therefore:

int fa0/1
ip nat outside
mxrider_420 (Author) commented:
Thanks for the help. Can I do this with interfaces instead of IP? Instead of 174.5.x.x, can I use fa0/1?... The reason is that my IP is dynamic.

Thanks
TAMSCODAN commented:
The answer could be yes! It all depends on your IOS. You can use the "?" to see if it is available:

ip nat inside source static tcp 192.168.1.99 443 ?

Check your options.
mxrider_420 (Author) commented:
It came back with the following:

ROUTER1A-EXCHANGE(config)#ip nat inside source static tcp 192.168.1.99 443 ?
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address

So how would I specify the interface?...

Thanks
TAMSCODAN commented:
Your config should look like:

ip nat inside source static tcp 192.168.1.99 80 interface fa 1/0
mxrider_420 (Author) commented:
For some reason, when I type in site.domain.com it goes to my router on 192.168.1.1 instead of the server I'm trying to push to.

How come?...
TAMSCODAN commented:
Do you have another device performing forwarding functions prior to your router? Draw out your topology and paste it, and post your config... Don't forget to XX out the IP addresses and passwords for your devices.
mxrider_420 (Author) commented:
No device performing forwarding functions.

My topology is as follows:

broadband cable modem -> Cisco 2651 router fa0/1
fa0/0 to a 24-port ProCurve 1700 series switch (which is directly attached to my Win 2k3 DHCP server) as well as 192.168.1.99 (my SonicWall SSL VPN) as well as my FTP server, which I need on port 29 or 91, whichever (because Shaw ISP blocks port 21). This switch is then connected via LACP to another 8-port ProCurve on the 2nd floor, where some PCs and my Cisco 1242 AP reside.


mxrider_420 (Author) commented:
I keep getting this now when I redo the NAT translation:
ROUTER1A-EXCHANGE(config)#ip nat inside source static tcp 192.168.1.99 80 inte$
ip nat inside source static tcp 192.168.1.99 80 interface fa 1/0
                                                          ^
% Invalid input detected at '^' marker.
mxrider_420 (Author) commented:
OK... So I got my NAT to work correctly, but I'm having an issue with FTP, and I assume it's not related to the router. Here it is in case anyone can help me with this here; if not, I will open a new thread. Here is what's going on:

Status:      Connecting to 174.5.165.113:29...
Status:      Connection established, waiting for welcome message...
Response:      220 Welcome to the BEST FTP server!   <---- it gets to the FTP server through the NAT; as you can see, it's got the welcome banner.
Command:      USER memyselfandi
Response:      331 Please specify the password.
Command:      PASS ***
Response:      230 Login successful.
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/"
Command:      TYPE I
Response:      200 Switching to Binary mode.
Command:      PASV
Response:      227 Entering Passive Mode (192,168,1,70,162,138)
Status:      Server sent passive reply with unroutable address. Using server address instead.
Command:      LIST
Error:      Connection timed out
Error:      Failed to retrieve directory listing
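The passive-mode failure in the log above, worked through as an added Python example (not code from the thread or from the FTP client that produced the log): it decodes the 227 reply the way the client did, applies the same fallback to the control-connection address, and reports why the LIST data connection then times out. It assumes, as the thread shows, that only port 29 is statically forwarded to 192.168.1.70; the IOS NAT FTP ALG that would rewrite the private address inside the 227 reply inspects port 21 by default, so on port 29 the server's LAN address goes out unchanged.

```python
import ipaddress
import re

PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed from the client log above: the control connection went to the
# router's public address on port 29, the only port forwarded to 192.168.1.70.
CONTROL_ADDR = "174.5.165.113"
FORWARDED_PORTS = {29}
PASV_REPLY = "227 Entering Passive Mode (192,168,1,70,162,138)"

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the port is p1 * 256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: " + reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_endpoint(reply, control_addr):
    """Apply the client's fallback: a private (RFC 1918) address in the
    227 reply is replaced by the address the control connection used."""
    ip, port = parse_pasv(reply)
    if ipaddress.ip_address(ip).is_private:
        return control_addr, port, "unroutable address in PASV reply, using control address"
    return ip, port, "address taken from PASV reply"

def diagnose(reply, control_addr, forwarded_ports):
    """Say whether the data connection can reach the server through the static NAT."""
    ip, port, note = data_endpoint(reply, control_addr)
    if ip == control_addr and port not in forwarded_ports:
        return False, (f"{note}; {ip}:{port} is not forwarded by the router, "
                       "so the LIST data connection times out")
    return True, f"{note}; data connection to {ip}:{port}"
```

Either the server's passive port range must be forwarded as well, or the control connection must run on a port the router's FTP ALG inspects; in both cases the check above tells you which data port the client actually tried.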
 
mxrider_420 (Author) commented:
This is my configuration. It's no longer working. Any reason? Please help.

ROUTER1A-EXCHANGE#sh run
Building configuration...

Current configuration : 2313 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$xbbbb
enable password xx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.1.59 208.67.222.222
!
!
!
!

!
username xxxx privilege 15 password 0 xxx
!

interface FastEthernet0/0
 description $ETH-WAN$
 ip address 192.168.1.1 255.255.255.0
 ip access-group block-guest out
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
interface FastEthernet0/0.1
 description $ETH-LAN$
 encapsulation dot1Q 20
 ip address 192.168.5.1 255.255.255.0
 ip access-group guest-inet in
 ip helper-address 192.168.1.59
 ip nat inside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
router rip
 version 2
 passive-interface FastEthernet0/0.1
 passive-interface FastEthernet0/1
 network 192.168.1.0
 network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/0.1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended block-guest
 permit udp any host 192.168.1.59 eq domain
 permit udp any host 192.168.1.59 eq bootpc
 deny   ip 192.168.5.0 0.0.0.255 any
 permit ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
!

line con 0
line aux 0
line vty 0 4
 privilege level 15
 password xxxxx
 login local
 transport input telnet ssh
!
!
end
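An added check in Python (not code from the thread or from Cisco) that reads the interface stanzas and static NAT lines of a running config like the one above and flags port-forward rules whose global interface is not marked ip nat outside, or which reuse an outside port that is already forwarded; on the config above it catches the 443 rule pointing at FastEthernet0/0.1. The sample config is constructed from that post, trimmed to the lines the check reads.

```python
import re
# Constructed sample: the interface stanzas and static NAT lines from the
# running config posted above, trimmed to what the check needs.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/0.1
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/0.1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
"""
STATIC_RE = re.compile(
    r"^ip nat inside source static tcp (\S+) (\d+) interface (\S+) (\d+)$")

def nat_roles(config):
    """Map each interface name to 'inside', 'outside' or None."""
    roles, cur = {}, None
    for line in config.splitlines():
        parts = line.split()
        if line.startswith("interface "):
            cur = parts[1]
            roles[cur] = None
        elif not line.startswith(" "):
            cur = None  # an unindented line ('!' or a global command) ends the stanza
        elif cur and parts[:2] == ["ip", "nat"]:
            roles[cur] = parts[2]
    return roles

def check_static_nat(config):
    """Return (rule, problem) pairs for port-forward rules that cannot work."""
    roles, problems, used = nat_roles(config), [], set()
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue
        glob_if, glob_port = m.group(3), m.group(4)
        if roles.get(glob_if) != "outside":
            problems.append((line, f"{glob_if} is not an 'ip nat outside' interface"))
        if (glob_if, glob_port) in used:
            problems.append((line, f"port {glob_port} on {glob_if} is already forwarded"))
        used.add((glob_if, glob_port))
    return problems
```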