Cisco 1712 Inbound port forwarding question

I have an internet circuit (T1) coming into the serial 0 on a 1721. The IT guy on site wants to keep his router behind my Cisco, no idea why.

L3 T1 <--> Cisco1721  <-->  OtherRouter  <-->  Switch  <-->  PCs

I've got it working where a PC can browse the internet no problem. I'm using static NAT with an overload statement. Then the guy tells me that I need to enable inbound port forwarding so that he can get to some internal server, let's say it's 192.168.2.10. I ask him what the ports are, he says there are more than 30 so just enable them all. I'm a little confused. If I forward all inbound traffic to his server, won't that screw up replies to other out-to-in queries?

Any help would be appreciated. Is it possible to forward all inbound traffic that isn't a reply to some IP? What statements would be required on either the serial 0 or the FE0/0 interfaces?
atrevidoAsked:

agonza07Commented:
You either need another IP or limit the ports. You can do a range of ports if you want.
0
Syed_M_UsmanSystem AdministratorCommented:
Dear,

The topology you are trying to follow is a BAD IDEA...
If you are from the ISP side, why don't you remove your 1721 and place a modem? A router behind a NATed router will trouble both the client and the ISP.

But if you want to continue, you need to provide one more public IP pool on the 1721 LAN to allow the client router to have a public IP on its WAN, and let him play his own.....
0
atrevidoAuthor Commented:
Let's say my public WAN IP is 12.12.12.12
and my LAN public block provided by ISP is 13.13.13.13/30

Do I then use the 13.13.13.14 address for these inbound server requests? And more importantly, HOW? What are the commands?
0
agonza07Commented:
Just tell him to use 13.13.13.14/30 with a default gateway of 13.13.13.13 (your router) and let him figure it out.

As long as the 13.13.13.14 is reachable on the internet you should be set.

L3 T1 <--> (WAN - 12.12.12.12) Cisco1721  (LAN - 13.13.13.13) <--> (WAN 13.13.13.14) OtherRouter (Private IPs) <-->  Switch  <-->  PCs
0
atrevidoAuthor Commented:
Don't I need to put some kind of inbound routing statement or something in the router though? Or will it just magically work?
0
agonza07Commented:
You'll need to firewall your internet IPs so that someone can't just telnet to your router.

Beyond that, all you have to do is "ip route 0.0.0.0 0.0.0.0 12.12.12.14" (or whatever your default gateway is).

The "Other router" will have to be configured properly with NAT, but that's something you can let the other IT guy handle from his end.
0
hau_itCommented:
The public IP 12.12.12.12 is assigned to the 1721 WAN interface?
If yes, then you have 2 public IPs. One is already reserved (though you could use it) for Internet access from your inside hosts.
You have another one, 13.13.13.14.
You will create a static NAT on the 1721 router so that every packet that the 1721 receives with destination IP 13.13.13.14 will be NATed to 192.168.2.10. My opinion is to specify the ports and not just NAT everything.

the command is:

ip nat inside source static
0
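The per-port static NAT that hau_it recommends, combined with the inbound filtering agonza07 mentions a few posts earlier, as an added example written for this thread rather than taken from any of the posts. It assumes the ISP routes the 13.13.13.12/30 block to the 1721 (so 13.13.13.14 can be used purely as a NAT address), that the inside interface sits on 192.168.2.0/24, and that the interface names are the ones the question uses; the subnet masks and the two forwarded ports (80 and 443) are placeholders to be replaced with the server's real list.

```cisco
! Added example, not from the thread. Interface names from the question,
! masks and inside address are assumptions, ports 80/443 are placeholders.
interface Serial0
 ip address 12.12.12.12 255.255.255.252
 ip nat outside
 ip access-group FROM-INTERNET in
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
! Outbound: every host on 192.168.2.0/24 shares the WAN address (PAT).
access-list 7 permit 192.168.2.0 0.0.0.255
ip nat inside source list 7 interface Serial0 overload
!
! Inbound: one static entry per port the server actually needs.
! "extendable" lets several entries share the same global address.
ip nat inside source static tcp 192.168.2.10 80 13.13.13.14 80 extendable
ip nat inside source static tcp 192.168.2.10 443 13.13.13.14 443 extendable
!
! Filter on the outside interface. Inbound ACLs run before the
! outside-to-inside translation, so they match the public address.
! Anything to 13.13.13.14 on a port that is not forwarded is dropped
! and logged; replies to PAT sessions fall through to the final permit.
ip access-list extended FROM-INTERNET
 permit tcp any host 13.13.13.14 eq 80
 permit tcp any host 13.13.13.14 eq 443
 deny ip any host 13.13.13.14 log
 permit ip any any
!
! Management sessions to the 1721 itself only from the inside LAN,
! so the WAN address cannot be telnetted to from the internet.
access-list 10 permit 192.168.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
```

The trailing permit in FROM-INTERNET exists because a plain ACL cannot tell a UDP reply (DNS, for example) from an unsolicited packet; on an image with the firewall feature set, replace it with ip inspect (CBAC) on the inside interface so only return traffic for sessions opened from inside is admitted. Each additional port the other IT guy names becomes one more static entry plus one more permit line, which keeps the exposure list visible in the config instead of hidden behind a catch-all forward.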

atrevidoAuthor Commented:
It's nice when contributors put details and statements in their answers. Thanks for all your input. I finally got it working, statements are below. He also had screwed up something on his side so there was a delay there.

! One-address pool holding the public WAN address (4.x.x.x as posted)
ip nat pool VXXX 4.x.x.x 4.x.x.x prefix-length 24
! One-address pool on the inside subnet, used for the outside-source translation
ip nat pool Net192 192.168.2.253 192.168.2.253 netmask 255.255.255.0
! Inside hosts matching list 7 share the public address (PAT)
ip nat inside source list 7 pool VXXX overload
! Outside sources matching list 1 appear inside as 192.168.2.253; add-route installs the host route
ip nat outside source list 1 pool Net192 add-route
ip classless
ip route 0.0.0.0 0.0.0.0 4.x.x.y
!
access-list 1 permit any
access-list 7 permit 192.168.2.0 0.0.0.255
0