Solved

Cisco 1712 Inbound port forwarding question

Posted on 2013-01-12
8
580 Views
Last Modified: 2013-02-11
I have an internet circuit (T1) coming in to the serial 0 on a 1721.  The IT guy on site wants to keep his router behind my cisco, no idea why.  

L3 T1 <--> Cisco1721  <-->  OtherRouter  <-->  Switch  <-->  PCs

I've got it working where a PC can browse the internet no problem. I'm using static nat with an overload statement. Then the guy tells me that I need to enable inbound port forwarding so that he can get to some internal server, let's say its 192.168.2.10.  I ask him what the ports are, he says there are more than 30 so just enable them all. I'm a little confused.  If I forward all inbound traffic to his server won't that screw up replies to other out to in queries?  

Any help would be appreciated.  Is this possible to forward all inbound traffic that isn't a reply to some IP?  What statements would be required on either the serial 0 or the FE0/0 interfaces?
0
Comment
Question by:atrevido
8 Comments
 
LVL 20

Expert Comment

by:agonza07
Comment Utility
You either need another IP or limit the ports. You can do a range of ports if you want.
0
 
LVL 16

Expert Comment

by:Syed_M_Usman
Comment Utility
Dear,

The typlogy you are trying to follow is a BAD IDEA...
if you are from ISP side why dont you remove your 1721 and place a modem as router behind nated router will trouble client and ISP both.

but if you want to continue you need to provide 1 more public ip pool on 1721 LAN to allow client router to have public ip on WAN and let him play his own.....
0
 
LVL 12

Author Comment

by:atrevido
Comment Utility
Let's say my public WAN IP is 12.12.12.12
and my LAN public block provided by ISP is 13.13.13.13/30

Do I then use the 13.13.13.14 address for these inbound server requests?  And more importantly, HOW?  what are the commands?
0
 
LVL 20

Expert Comment

by:agonza07
Comment Utility
Just tell him to use 13.13.13.14/30 with a default gateway of 13.13.13.13 (your router) and let him figure it out.

As long as the 13.13.13.14 is reachable on the internet you should be set.

L3 T1 <--> (WAN - 12.12.12.12) Cisco1721  (LAN - 13.13.13.13) <--> (WAN 13.13.13.14) OtherRouter (Private IPs) <-->  Switch  <-->  PCs
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 12

Author Comment

by:atrevido
Comment Utility
don't I need to put some kind of inbound routing statement or something in the router though?  Or will it just magically work?
0
 
LVL 20

Assisted Solution

by:agonza07
agonza07 earned 150 total points
Comment Utility
You'll need to firewall your internet IPs so that someone can't just telnet to your router.

Beyond that, all you have to do is "ip route 0.0.0.0 0.0.0.0 12.12.12.14" (or whatever your default gateway is.

The "Other router" will have to be configured properly with NAT, but that's something you can let the other IT guy handle from his end.
0
 
LVL 7

Accepted Solution

by:
hau_it earned 350 total points
Comment Utility
The public IP 12.12.12.12 is assigned to the 1721 WAN interface?
Of yes then you have 2 public IPs. One is already reserved (though you could use it) for Internet access from your inside hosts.
You have another one 13.13.13.14.
You will create a static NAT on the 1721 router so that every packet that 1721 receives and has a destination IP 13.13.13.14 will be NATed to the 192.168.2.10. My opinion is to specify the ports and not just NAT everything

the command is:

ip nat inside source static
0
 
LVL 12

Author Closing Comment

by:atrevido
Comment Utility
Its nice when contributors put details and statements in their answers.  Thanks for all your input.  I finally got it working, statements are below.  He also had screwed up something on his side so there was a delay there.

ip nat pool VXXX 4.x.x.x 4.x.x.x prefix-length 24
ip nat pool Net192 192.168.2.253 192.168.2.253 netmask 255.255.255.0
ip nat inside source list 7 pool VXXX overload
ip nat outside source list 1 pool Net192 add-route
ip classless
ip route 0.0.0.0 0.0.0.0 4.x.x.y
!
access-list 1 permit any
access-list 7 permit 192.168.2.0 0.0.0.255
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
jump server vs push server 6 66
Fiber Patch Panel 6 42
New modem? 4 59
Force VPN connection to use a network adapter 6 54
This is the first one of a series of articles I’ll be writing to address technical issues that are always referred to as network problems. The network boundaries have changed, therefore having an understanding of how each piece in the network  puzzl…
#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now