IOS for port forwarding?
Humper
Member Posts: 647
in CCNA & CCENT
Hi All,
I've been looking at the 12.4 IOS files for my 1721 router and I was curious which IOS I should download. I see many with support for /FW/IDS (and IDS PLUS)..But not sure if it will do port forwarding. I'm guessing it's built into the firewall?
Now working full time!
Comments
-
forbesl Member Posts: 454
ModemHumper wrote:
Hi All,
I've been looking at the 12.4 IOS files for my 1721 router and I was curious which IOS I should download. I see many with support for /FW/IDS (and IDS PLUS)..But not sure if it will do port forwarding. I'm guessing it's built into the firewall?
This Link
Port mapping will require the IOS Firewall Feature Set
Or are you really talking about port forwarding?
Or This Link -
Humper Member Posts: 647
Looked at both but I'm still unsure.
Basically what I want is a box using private addresses behind my Cisco router. I want it to be, for example, a web server, so when a packet arrives at my router it will know where to forward the packet based on the destination port (for example 80).
Source 142.55.1.1 Destination 24.1.1.55 Destination port 80 *router looks at port forwarding/mapping table and sees where to forward any traffic destined for port 80...I want it sent to my server on a private address range*....
Hope this kinda makes sense...
Now working full time! -
EdTheLad Member Posts: 2,111 ■■■■□□□□□□
Is NAT not good enough for you?
Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
-
xwesleyxwillisx Member Posts: 158
Static NAT is the way to go. Any IOS feature set should support this.
-
mikej412 Member Posts: 10,086 ■■■■■■■■■■
ModemHumper wrote:
No one has any idea what I am talking about??
Oh... and since it uses NAT -- I guess ed_the_lad and xwesleyxwillisx also know what you want to do
:mike: Cisco Certifications -- Collect the Entire Set! -
forbesl Member Posts: 454
Is this for a service provider connection? If so, has your service provider given you (or have you paid for) additional public IP addresses? If so, then NAT is the way you want to go as ed, wesley, and mike stated. Translate your internal server private IP to a single public IP for outside access. By the way, the link Mike provided assumes you have been provided a public IP from your ISP.
If this is not the case, I know exactly what you are wanting to do, but truthfully don't know how to do it with the router IOS FW. I've done port redirection using global PAT on a PIX firewall with no problem, but I'm not familiar with doing this on a premise router. -
Danman32 Member Posts: 1,243
What is being described is Port Address Translation, or PAT. CCNA covers dynamic PAT by way of overloading, but not much else, from what I can see and remember. I can't find info on static PAT.
-
forbesl Member Posts: 454
Danman32 wrote:
What is being described is Port Address Translation, or PAT. CCNA covers dynamic PAT by way of overloading, but not much else, from what I can see and remember. I can't find info on static PAT.
If a public IP is provided, he wouldn't use PAT for his server. He would NAT the server's private IP to a public IP dedicated just for that server. If this is a service provider connection, he is more than likely already using PAT by overloading on the DHCP-provided IP from his outside interface.
In this case, I believe the question would be, if you don't have an assigned public IP you can use just for your web server, how do you perform port redirection on a router using IOS FW with PAT. It's easy to do on a PIX firewall as I stated, but I've never known this to be done on a premise router. -
Danman32 Member Posts: 1,243
Well, that depends if he wants to dedicate the public address for the sole use of the server. Most of the time, we want a public address to be useable by multiple private addresses, but some services (ports) we want mapped to specific private IP addresses where the actual service is running.
If he NATs the public address to the server's IP, then no one else on the lan can get to the internet. Well, unless the server proxies web browsing. -
forbesl Member Posts: 454
Danman32 wrote:
If he NATs the public address to the server's IP, then no one else on the lan can get to the internet. Well, unless the server proxies web browsing.
Sure he can. He can use static NAT and still overload on the outside interface. The server IP will use NAT and all other users will PAT. It's all in how you set it up.
Example:
! PAT
ip nat inside source list 1 interface Dialer1 overload
! static NAT
ip nat inside source static 192.168.1.2 205.2.73.2
ip nat inside source static 192.168.1.5 205.2.73.3
ip nat inside source static 192.168.1.8 205.2.73.4
access-list 1 deny 192.168.1.2
access-list 1 deny 192.168.1.5
access-list 1 deny 192.168.1.8
access-list 1 permit 192.168.1.0 0.0.0.255
This will allow all users except for those denied at the access list to be overloaded on Dialer1 interface. Those denied in the access list will have static NAT public IP translations (assuming you have public IP addresses available) as shown in the configuration.
Of course you can be more granular with what you permit/deny using an extended ACL, but this is just an example. -
darwinism Member Posts: 59 ■■□□□□□□□□
Static NAT works fine when you have more than one public, but if you only have one public and want to redirect incoming requests by port to an internal IP then something like this:
ip nat inside source static tcp 192.168.0.4 21 65.45.34.12 21 extendable
would give you port forwarding.
If you are living in the Columbus, OH area and studying for the CCNA click the following link.
CCNA looking for study partners in Columbus, OH -
forbesl Member Posts: 454
Yeah, I looked at the link mike provided, too.....
Again that configuration assumes you have a separate public IP provided to you by your ISP.
The question is, how do you perform port redirection on a router with IOS FW if you have NO public IP space and are overloading (PAT) on your outside interface.
Even though I'll never have a need to do that, I'd still like to find out. I'm wondering if it's as easy to do as it is on a PIX....or if you can do it at all.
I know this can be done on a router using WCCP, but that assumes you are using webcache engines. Don't know if it will work otherwise. -
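The case asked about above (port redirection while overloading on a single outside address, with no extra public IPs) can be written as a static port entry that names the outside interface instead of a global IP. This is an added example, not part of any post in the thread; FastEthernet0, the 192.168.1.0/24 LAN and the server at 192.168.1.10 are assumptions, and only the NAT-relevant lines are shown.

```cisco
! Added example, not from the thread. Assumed names and addresses:
!   FastEthernet0 = LAN side, 192.168.1.0/24
!   Dialer1       = ISP-facing interface holding the only public address
!   192.168.1.10  = internal web server
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
! Inside hosts that share the outside address through PAT (overload)
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Dialer1 overload
!
! Static port entry: TCP/80 arriving at Dialer1's address is translated to
! the web server. Naming the interface instead of a global IP means the
! entry keeps working when the ISP-assigned address changes.
ip nat inside source static tcp 192.168.1.10 80 interface Dialer1 80
```

Only TCP/80 gets a static entry here, so no other unsolicited inbound port has a translation pointing at an inside host. `show ip nat translations` lists the static entry alongside the dynamic PAT entries.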
darwinism Member Posts: 59 ■■□□□□□□□□
The link is nice, but I have the exact same setup on my network and unfortunately at one of the WISP's I do work for
If you are living in the Columbus, OH area and studying for the CCNA click the following link.
CCNA looking for study partners in Columbus, OH -
Humper Member Posts: 647
Thank you mike, that link worked awesome!!!! EXACTLY what I was looking for!
Now working full time!