IOS for port forwarding?

Humper Member Posts: 647
Hi All,

I've been looking at the 12.4 IOS files for my 1721 router and I was curious which IOS I should download. I see many with support for /FW/IDS (and IDS PLUS)... But not sure if it will do port forwarding. I'm guessing it's built into the firewall?

Now working full time!

Comments

  • forbesl Member Posts: 454
    Humper wrote:
    Hi All,

    I've been looking at the 12.4 IOS files for my 1721 router and I was curious which IOS I should download. I see many with support for /FW/IDS (and IDS PLUS)... But not sure if it will do port forwarding. I'm guessing it's built into the firewall?

    I know you are asking about port forwarding, but are you sure you're not talking about port mapping?

    This Link

    Port mapping will require the IOS Firewall Feature Set

    Or are you really talking about port forwarding?

    Or This Link
  • Humper Member Posts: 647
    Looked at both but I'm still unsure.

    Basically what I want is a box using private addresses behind my Cisco router. I want it to be, for example, a web server, so when a packet arrives at my router it will know where to forward the packet based on the destination port (for example 80).

    Source 142.55.1.1 Destination 24.1.1.55 Destination port 80 *router looks at port forwarding/mapping table and sees where to forward any traffic destined for port 80... I want it sent to my server on a private address range*....

    Hope this kinda makes sense...
    Now working full time!
  • Humper Member Posts: 647
    No one has any idea what I am talking about??
    Now working full time!
  • EdTheLad Member Posts: 2,111
    Is NAT not good enough for you?
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
  • xwesleyxwillisx Member Posts: 158
    Static NAT is the way to go. Any IOS feature set should support this.
  • mikej412 Member Posts: 10,086
    Humper wrote:
    No one has any idea what I am talking about??

    Maybe the person who wrote this DSLReports FAQ entry about Router configuration to run server (port forwarding) knows.... It sounds like it might be what you are asking about.

    Oh... and since it uses NAT -- I guess ed_the_lad and xwesleyxwillisx also know what you want to do
    Cisco Certifications -- Collect the Entire Set!
  • forbesl Member Posts: 454
    Is this for a service provider connection? If so, has your service provider given you (or have you paid for) additional public IP addresses? If so, then NAT is the way you want to go as ed, wesley, and mike stated. Translate your internal server private IP to a single public IP for outside access. By the way, the link Mike provided assumes you have been provided a public IP from your ISP.

    If this is not the case, I know exactly what you are wanting to do, but truthfully don't know how to do it with the router IOS FW. I've done port redirection using global PAT on a PIX firewall with no problem, but I'm not familiar with doing this on a premise router.
  • Danman32 Member Posts: 1,243
    What is being described is Port Address Translation, or PAT. CCNA covers dynamic PAT by way of overloading, but not much else, from what I can see and remember. I can't find info on static PAT.
  • forbesl Member Posts: 454
    Danman32 wrote:
    What is being described is Port Address Translation, or PAT. CCNA covers dynamic PAT by way of overloading, but not much else, from what I can see and remember. I can't find info on static PAT.

    If a public IP is provided, he wouldn't use PAT for his server. He would NAT the server's private IP to a public IP dedicated just for that server. If this is a service provider connection, he is more than likely already using PAT by overloading on the DHCP-provided IP from his outside interface.

    In this case, I believe the question would be, if you don't have an assigned public IP you can use just for your web server, how do you perform port redirection on a router using IOS FW with PAT. It's easy to do on a PIX firewall as I stated, but I've never known this to be done on a premise router.
  • Danman32 Member Posts: 1,243
    Well, that depends if he wants to dedicate the public address for the sole use of the server. Most of the time, we want a public address to be useable by multiple private addresses, but some services (ports) we want mapped to specific private IP addresses where the actual service is running.

    If he NATs the public address to the server's IP, then no one else on the lan can get to the internet. Well, unless the server proxies web browsing.
  • forbesl Member Posts: 454
    Danman32 wrote:

    If he NATs the public address to the server's IP, then no one else on the lan can get to the internet. Well, unless the server proxies web browsing.

    Sure he can. He can use static NAT and still overload on the outside interface. The server IP will use NAT and all other users will PAT. It's all in how you set it up.

    Example:

    ! PAT: hosts permitted by access-list 1 are overloaded on Dialer1
    ip nat inside source list 1 interface Dialer1 overload
    ! Static NAT: one dedicated public address per server
    ip nat inside source static 192.168.1.2 205.2.73.2
    ip nat inside source static 192.168.1.5 205.2.73.3
    ip nat inside source static 192.168.1.8 205.2.73.4

    ! Keep the statically translated servers out of the PAT list
    access-list 1 deny 192.168.1.2
    access-list 1 deny 192.168.1.5
    access-list 1 deny 192.168.1.8
    access-list 1 permit 192.168.1.0 0.0.0.255

    This will allow all users except for those denied at the access list to be overloaded on Dialer1 interface. Those denied in the access list will have static NAT public IP translations (assuming you have public IP addresses available) as shown in the configuration.

    Of course you can be more granular with what you permit/deny using an extended ACL, but this is just an example.
  • darwinism Member Posts: 59
    Static NAT works fine when you have more than one public, but if you only have one public and want to redirect incoming requests by port to an internal IP then something like this:

    ! Syntax: ip nat inside source static tcp <inside-ip> <inside-port> <public-ip> <public-port>
    ip nat inside source static tcp 192.168.0.4 21 65.45.34.12 21 extendable

    would give you port forwarding.
    If you are living in the Columbus, OH area and studying for the CCNA click the following link.

    CCNA looking for study partners in Columbus, OH
  • forbesl Member Posts: 454
    Yeah, I looked at the link mike provided, too.....

    Again that configuration assumes you have a separate public IP provided to you by your ISP.

    The question is, how do you perform port redirection on a router with IOS FW if you have NO public IP space and are overloading (PAT) on your outside interface.

    Even though I'll never have a need to do that, I'd still like to find out. I'm wondering if it's as easy to do as it is on a PIX....or if you can do it at all.

    I know this can be done on a router using WCCP, but that assumes you are using webcache engines. Don't know if it will work otherwise.
  • darwinism Member Posts: 59
    The link is nice, but I have the exact same setup on my network and unfortunately at one of the WISPs I do work for
    If you are living in the Columbus, OH area and studying for the CCNA click the following link.

    CCNA looking for study partners in Columbus, OH
  • Humper Member Posts: 647
    Thank you mike, that link worked awesome!!!! EXACTLY what I was looking for!
    Now working full time!
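
The case forbesl raises in the thread (a single ISP-assigned address that is already overloaded with PAT) can be handled with a static port entry bound to the outside interface instead of a fixed public IP. This configuration is an added example, not taken from any poster or from the linked FAQ; the inside addressing, FastEthernet0 and TCP port 80 are assumptions, while Dialer1 and access-list 1 are reused from the thread.

```cisco
! Constructed example. 192.168.1.2 is the inside web server; Dialer1 holds
! the only public address, assigned by the ISP.
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
! Outbound: every inside host, the server included, shares Dialer1's
! address through PAT.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Dialer1 overload
!
! Inbound: only TCP/80 arriving on Dialer1's current address is handed to
! the server. The "interface" keyword follows the address if the ISP
! changes it.
ip nat inside source static tcp 192.168.1.2 80 interface Dialer1 80
!
! For comparison, a one-to-one entry such as
!   ip nat inside source static 192.168.1.2 205.2.73.2
! needs a spare public address and translates every port to the server,
! so anything listening on it is reachable unless an ACL or the IOS
! firewall filters it.
!
! Check the resulting entries with: show ip nat translations
```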