• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 603
  • Last Modified:

Cisco 1712 Inbound port forwarding question

I have an internet circuit (T1) coming in to the serial 0 on a 1721.  The IT guy on site wants to keep his router behind my cisco, no idea why.  

L3 T1 <--> Cisco1721  <-->  OtherRouter  <-->  Switch  <-->  PCs

I've got it working where a PC can browse the internet no problem. I'm using static nat with an overload statement. Then the guy tells me that I need to enable inbound port forwarding so that he can get to some internal server, let's say its 192.168.2.10.  I ask him what the ports are, he says there are more than 30 so just enable them all. I'm a little confused.  If I forward all inbound traffic to his server won't that screw up replies to other out to in queries?  

Any help would be appreciated.  Is this possible to forward all inbound traffic that isn't a reply to some IP?  What statements would be required on either the serial 0 or the FE0/0 interfaces?
0
atrevido
Asked:
atrevido
2 Solutions
 
agonza07Commented:
You either need another IP or limit the ports. You can do a range of ports if you want.
0
 
Syed_M_UsmanSystem AdministratorCommented:
Dear,

The typlogy you are trying to follow is a BAD IDEA...
if you are from ISP side why dont you remove your 1721 and place a modem as router behind nated router will trouble client and ISP both.

but if you want to continue you need to provide 1 more public ip pool on 1721 LAN to allow client router to have public ip on WAN and let him play his own.....
0
 
atrevidoAuthor Commented:
Let's say my public WAN IP is 12.12.12.12
and my LAN public block provided by ISP is 13.13.13.13/30

Do I then use the 13.13.13.14 address for these inbound server requests?  And more importantly, HOW?  what are the commands?
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
agonza07Commented:
Just tell him to use 13.13.13.14/30 with a default gateway of 13.13.13.13 (your router) and let him figure it out.

As long as the 13.13.13.14 is reachable on the internet you should be set.

L3 T1 <--> (WAN - 12.12.12.12) Cisco1721  (LAN - 13.13.13.13) <--> (WAN 13.13.13.14) OtherRouter (Private IPs) <-->  Switch  <-->  PCs
0
 
atrevidoAuthor Commented:
don't I need to put some kind of inbound routing statement or something in the router though?  Or will it just magically work?
0
 
agonza07Commented:
You'll need to firewall your internet IPs so that someone can't just telnet to your router.

Beyond that, all you have to do is "ip route 0.0.0.0 0.0.0.0 12.12.12.14" (or whatever your default gateway is.

The "Other router" will have to be configured properly with NAT, but that's something you can let the other IT guy handle from his end.
0
 
hau_itCommented:
The public IP 12.12.12.12 is assigned to the 1721 WAN interface?
Of yes then you have 2 public IPs. One is already reserved (though you could use it) for Internet access from your inside hosts.
You have another one 13.13.13.14.
You will create a static NAT on the 1721 router so that every packet that 1721 receives and has a destination IP 13.13.13.14 will be NATed to the 192.168.2.10. My opinion is to specify the ports and not just NAT everything

the command is:

ip nat inside source static
0
 
atrevidoAuthor Commented:
Its nice when contributors put details and statements in their answers.  Thanks for all your input.  I finally got it working, statements are below.  He also had screwed up something on his side so there was a delay there.

ip nat pool VXXX 4.x.x.x 4.x.x.x prefix-length 24
ip nat pool Net192 192.168.2.253 192.168.2.253 netmask 255.255.255.0
ip nat inside source list 7 pool VXXX overload
ip nat outside source list 1 pool Net192 add-route
ip classless
ip route 0.0.0.0 0.0.0.0 4.x.x.y
!
access-list 1 permit any
access-list 7 permit 192.168.2.0 0.0.0.255
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now