Solved

Cisco 1712 Inbound port forwarding question

Posted on 2013-01-12
8
583 Views
Last Modified: 2013-02-11
I have an internet circuit (T1) coming in to the serial 0 on a 1721.  The IT guy on site wants to keep his router behind my cisco, no idea why.  

L3 T1 <--> Cisco1721  <-->  OtherRouter  <-->  Switch  <-->  PCs

I've got it working where a PC can browse the internet no problem. I'm using static nat with an overload statement. Then the guy tells me that I need to enable inbound port forwarding so that he can get to some internal server, let's say its 192.168.2.10.  I ask him what the ports are, he says there are more than 30 so just enable them all. I'm a little confused.  If I forward all inbound traffic to his server won't that screw up replies to other out to in queries?  

Any help would be appreciated.  Is this possible to forward all inbound traffic that isn't a reply to some IP?  What statements would be required on either the serial 0 or the FE0/0 interfaces?
0
Comment
Question by:atrevido
8 Comments
 
LVL 20

Expert Comment

by:agonza07
ID: 38770892
You either need another IP or limit the ports. You can do a range of ports if you want.
0
 
LVL 16

Expert Comment

by:Syed_M_Usman
ID: 38771741
Dear,

The typlogy you are trying to follow is a BAD IDEA...
if you are from ISP side why dont you remove your 1721 and place a modem as router behind nated router will trouble client and ISP both.

but if you want to continue you need to provide 1 more public ip pool on 1721 LAN to allow client router to have public ip on WAN and let him play his own.....
0
 
LVL 12

Author Comment

by:atrevido
ID: 38779022
Let's say my public WAN IP is 12.12.12.12
and my LAN public block provided by ISP is 13.13.13.13/30

Do I then use the 13.13.13.14 address for these inbound server requests?  And more importantly, HOW?  what are the commands?
0
Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 
LVL 20

Expert Comment

by:agonza07
ID: 38779404
Just tell him to use 13.13.13.14/30 with a default gateway of 13.13.13.13 (your router) and let him figure it out.

As long as the 13.13.13.14 is reachable on the internet you should be set.

L3 T1 <--> (WAN - 12.12.12.12) Cisco1721  (LAN - 13.13.13.13) <--> (WAN 13.13.13.14) OtherRouter (Private IPs) <-->  Switch  <-->  PCs
0
 
LVL 12

Author Comment

by:atrevido
ID: 38779430
don't I need to put some kind of inbound routing statement or something in the router though?  Or will it just magically work?
0
 
LVL 20

Assisted Solution

by:agonza07
agonza07 earned 150 total points
ID: 38779470
You'll need to firewall your internet IPs so that someone can't just telnet to your router.

Beyond that, all you have to do is "ip route 0.0.0.0 0.0.0.0 12.12.12.14" (or whatever your default gateway is.

The "Other router" will have to be configured properly with NAT, but that's something you can let the other IT guy handle from his end.
0
 
LVL 7

Accepted Solution

by:
hau_it earned 350 total points
ID: 38782705
The public IP 12.12.12.12 is assigned to the 1721 WAN interface?
Of yes then you have 2 public IPs. One is already reserved (though you could use it) for Internet access from your inside hosts.
You have another one 13.13.13.14.
You will create a static NAT on the 1721 router so that every packet that 1721 receives and has a destination IP 13.13.13.14 will be NATed to the 192.168.2.10. My opinion is to specify the ports and not just NAT everything

the command is:

ip nat inside source static
0
 
LVL 12

Author Closing Comment

by:atrevido
ID: 38876357
Its nice when contributors put details and statements in their answers.  Thanks for all your input.  I finally got it working, statements are below.  He also had screwed up something on his side so there was a delay there.

ip nat pool VXXX 4.x.x.x 4.x.x.x prefix-length 24
ip nat pool Net192 192.168.2.253 192.168.2.253 netmask 255.255.255.0
ip nat inside source list 7 pool VXXX overload
ip nat outside source list 1 pool Net192 add-route
ip classless
ip route 0.0.0.0 0.0.0.0 4.x.x.y
!
access-list 1 permit any
access-list 7 permit 192.168.2.0 0.0.0.255
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to choose hardware firewall 5 60
Radius Debug Error 16 104
WiFi Router device supports GPON! 3 86
How to Link NetGear wireless AC-1200 router to Sonicwall 3600 13 60
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question