Solved

Cisco 1712 Inbound port forwarding question

Posted on 2013-01-12
591 Views
Last Modified: 2013-02-11
I have an internet circuit (T1) coming into the serial 0 on a 1721.  The IT guy on site wants to keep his router behind my Cisco; no idea why.  

L3 T1 <--> Cisco1721  <-->  OtherRouter  <-->  Switch  <-->  PCs

I've got it working where a PC can browse the internet no problem. I'm using static NAT with an overload statement. Then the guy tells me that I need to enable inbound port forwarding so that he can get to some internal server, let's say it's 192.168.2.10.  I ask him what the ports are, he says there are more than 30 so just enable them all. I'm a little confused.  If I forward all inbound traffic to his server, won't that screw up replies to other out-to-in queries?  

Any help would be appreciated.  Is it possible to forward all inbound traffic that isn't a reply to some IP?  What statements would be required on either the serial 0 or the FE0/0 interfaces?
Question by:atrevido
8 Comments
 
LVL 20

Expert Comment

by:agonza07
ID: 38770892
You either need another IP or limit the ports. You can do a range of ports if you want.
 
LVL 16

Expert Comment

by:Syed_M_Usman
ID: 38771741
Dear,

The topology you are trying to follow is a BAD IDEA...
If you are on the ISP side, why don't you remove your 1721 and place a modem instead? A router behind a NATed router will trouble both the client and the ISP.

But if you want to continue, you need to provide one more public IP pool on the 1721 LAN to allow the client router to have a public IP on its WAN, and let him play on his own.....
 
LVL 12

Author Comment

by:atrevido
ID: 38779022
Let's say my public WAN IP is 12.12.12.12
and my LAN public block provided by ISP is 13.13.13.13/30

Do I then use the 13.13.13.14 address for these inbound server requests?  And more importantly, HOW?  what are the commands?
 
LVL 20

Expert Comment

by:agonza07
ID: 38779404
Just tell him to use 13.13.13.14/30 with a default gateway of 13.13.13.13 (your router) and let him figure it out.

As long as the 13.13.13.14 is reachable on the internet you should be set.

L3 T1 <--> (WAN - 12.12.12.12) Cisco1721  (LAN - 13.13.13.13) <--> (WAN 13.13.13.14) OtherRouter (Private IPs) <-->  Switch  <-->  PCs
 
LVL 12

Author Comment

by:atrevido
ID: 38779430
don't I need to put some kind of inbound routing statement or something in the router though?  Or will it just magically work?
 
LVL 20

Assisted Solution

by:agonza07
agonza07 earned 600 total points
ID: 38779470
You'll need to firewall your internet IPs so that someone can't just telnet to your router.

Beyond that, all you have to do is "ip route 0.0.0.0 0.0.0.0 12.12.12.14" (or whatever your default gateway is).

The "Other router" will have to be configured properly with NAT, but that's something you can let the other IT guy handle from his end.
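agonza07's approach, written out as an added configuration example for the 1721; these lines are not from any poster in this thread. Assumptions: the T1 is on Serial0 as 12.12.12.12/30 with the ISP next hop 12.12.12.14 that agonza07 used, the LAN side is FastEthernet0 as 13.13.13.13/30, OtherRouter owns 13.13.13.14 and does its own NAT (so the 1721 does none), and 10.0.0.5 is a hypothetical admin host that is allowed to manage the 1721.

```cisco
! Added example, not from the thread. Interface names, the ISP next hop
! 12.12.12.14 and the admin host 10.0.0.5 are assumptions.
!
interface Serial0
 description T1 to ISP
 ip address 12.12.12.12 255.255.255.252
 ip access-group FROM-INTERNET in
!
interface FastEthernet0
 description link to OtherRouter (its WAN is 13.13.13.14)
 ip address 13.13.13.13 255.255.255.252
!
! The 1721 only routes; OtherRouter NATs its private LAN to 13.13.13.14.
ip route 0.0.0.0 0.0.0.0 12.12.12.14
!
! Inbound filter on the T1 ("firewall your internet IPs"):
ip access-list extended FROM-INTERNET
 remark pass everything for OtherRouter's public address; it filters for itself
 permit ip any host 13.13.13.14
 remark replies to TCP sessions the 1721 itself started, plus basic ICMP
 permit tcp any host 12.12.12.12 established
 permit icmp any host 12.12.12.12 echo
 permit icmp any host 12.12.12.12 echo-reply
 permit icmp any host 12.12.12.12 unreachable
 permit icmp any host 12.12.12.12 time-exceeded
 remark anything else aimed at the 1721's own addresses (telnet, ssh, snmp ...)
 deny   ip any host 12.12.12.12 log
 deny   ip any host 13.13.13.13 log
 remark the implicit deny at the end drops whatever is left
!
! Management plane: SSH only, and only from the admin host.
ip access-list standard MGMT
 permit host 10.0.0.5
 deny   any log
!
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
```

The FROM-INTERNET list lets OtherRouter's address through untouched, so whoever runs it is responsible for what 13.13.13.14 exposes. The two `deny ... log` lines are what stop the "someone can just telnet to your router" case; they also block UDP replies to the 1721 itself, so if the 1721 is a DNS or NTP client add matching `permit udp` lines for those servers. `login local` assumes a local username exists on the router.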
 
LVL 7

Accepted Solution

by:hau_it
hau_it earned 1400 total points
ID: 38782705
The public IP 12.12.12.12 is assigned to the 1721 WAN interface?
If yes, then you have 2 public IPs. One is already reserved (though you could use it) for Internet access from your inside hosts.
You have another one, 13.13.13.14.
You will create a static NAT on the 1721 router so that every packet that the 1721 receives with destination IP 13.13.13.14 will be NATed to 192.168.2.10. My opinion is to specify the ports and not just NAT everything.

the command is:

ip nat inside source static
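hau_it's static NAT alternative, written out as an added example; these are not hau_it's own lines. Assumptions: Serial0 carries 12.12.12.12 toward the T1 and the ISP routes 13.13.13.13/30 to it, the server 192.168.2.10 is reachable from the 1721's FastEthernet0 (192.168.2.1/24 here), and TCP 443, TCP 3389 and UDP 500 stand in for the site's real list of ports, which the thread never gives.

```cisco
! Added example, not from the thread. Interface names, 192.168.2.1/24 on the
! LAN side and the three ports are assumptions.
!
interface Serial0
 ip address 12.12.12.12 255.255.255.252
 ip nat outside
!
interface FastEthernet0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 12.12.12.14
!
! Outbound PAT for the LAN, as the question already had it.
access-list 7 permit 192.168.2.0 0.0.0.255
ip nat inside source list 7 interface Serial0 overload
!
! Per-port static NAT: only these ports on 13.13.13.14 reach 192.168.2.10.
! Inbound packets to 13.13.13.14 on any other port match no translation and
! are dropped by the router. One line per port the site actually needs.
ip nat inside source static tcp 192.168.2.10 443 13.13.13.14 443
ip nat inside source static tcp 192.168.2.10 3389 13.13.13.14 3389
ip nat inside source static udp 192.168.2.10 500 13.13.13.14 500
!
! What hau_it advises against: a one-line "NAT everything" mapping. Every
! service listening on 192.168.2.10 is then reachable from the Internet.
! ip nat inside source static 192.168.2.10 13.13.13.14
!
! Check which translations are active and that the per-port entries appear:
! show ip nat translations
```

Because the ports are listed explicitly, the overload translation for outbound sessions and the inbound mappings for 13.13.13.14 never collide, which is the "won't that screw up replies" worry from the question. A static NAT entry is not a filter for the router itself, so an inbound access list on Serial0 that drops traffic aimed at 12.12.12.12 and 13.13.13.13 still belongs alongside it.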
 
LVL 12

Author Closing Comment

by:atrevido
ID: 38876357
It's nice when contributors put details and statements in their answers.  Thanks for all your input.  I finally got it working; statements are below.  He also had screwed up something on his side, so there was a delay there.

! single-address pool: the (redacted) public address that inside hosts are PATed to
ip nat pool VXXX 4.x.x.x 4.x.x.x prefix-length 24
! single-address pool on the inside network, used by the outside-source translation below
ip nat pool Net192 192.168.2.253 192.168.2.253 netmask 255.255.255.0
! outbound PAT: sources matching list 7 (192.168.2.0/24) are overloaded onto the VXXX address
ip nat inside source list 7 pool VXXX overload
! outside-source NAT: the source address of packets arriving from outside that match
! list 1 (any) is rewritten to 192.168.2.253; add-route installs a route for the translated address
ip nat outside source list 1 pool Net192 add-route
ip classless
! default route to the ISP next hop (redacted)
ip route 0.0.0.0 0.0.0.0 4.x.x.y
!
access-list 1 permit any
access-list 7 permit 192.168.2.0 0.0.0.255