nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

port forwarding on cisco router

aueddonline

I have a few subnets at my house with a linksys ADSL. directly connected to the linksys router is the internet and th 192.168.2.0 /24 subnet. I also have a cisco router on the subnet which I normally forward all ssh traffic to.

My question is: Could I forward something like RDP to the cisco router and the forward it again to a subnet beyond the cisco router?

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

Plazma

could you clarify why you want to do this.. like what are you trying to do? and also explain your ssh forwarding setup and why that is. that will help illustrate what your really trying to do.

GT-Rob

Yes you could.

aueddonline

Plazma wrote:

could you clarify why you want to do this.. like what are you trying to do? and also explain your ssh forwarding setup and why that is. that will help illustrate what your really trying to do.

I have a fixed IP at my house so when I ssh to my external address from the internet it takes cisco lab because any traffic coming in on port 22 gets forwarded to the cisco router.

I would like to do the same thing with my server but it is located within the lab on a different subnet so the port forwarding I use on my ADSL router will not forward to that address. So I was wondering if I could forward RDP portd to the cisco router and then have it forward the traffic to the server.

aueddonline

GT-Rob wrote:

Yes you could.

could you point me in the right direction Rob

GT-Rob

haha I just wrote something out based on RTP, but saw you said RDP. lol

Anyway, that shouldn't be a problem. Forward RDP (port 3389) on the linksys to the router. Then setup NAT (which it sounds is already there) to statically forward that port to whatever IP your server is. This way 1.1.1.1:22 gets passed to your router and stays there, where 1.1.1.1:3389 gets passed to your router, then to your server (1.1.1.1 being your internet IP here).

You could always put your Cisco router first if you want to have more/better control, but it should work either way.

Look up Static NAT on Cisco.com and you will get tons of config examples.

Plazma

This should help illustrate the concepts your after:

http://www.azureuswiki.com/index.php/Router_configuration#Cisco_IOS

dtlokee

you can use the rotarty command under the line configuration mode to change the SSH port

aueddonline

Ok I think this is the right command i'll have to do some test with it tomorrow

ip nat inside source static tcp 'adsl IP' 3389 'server ip' 3389 extendable

not sure if I need to configure inside and outside interfaces?

dtlokee

you will need nat inside and outside to make it work.

aueddonline

Ok so i'm having a bit of trouble with this, using the question mark it seem I had the addresses the wrong way round before. this is the way i have it configured with 172.16.1.2 being the server and 192.168.1.100 being the cisco interface the ADSL router is forwarding to.

R1-2691(config)#ip nat inside source static tcp 172.16.1.2 ?
<1-65535> Local UDP/TCP port

R1-2691(config)#ip nat inside source static tcp 172.16.1.2 3389 ?
A.B.C.D Inside global IP address
interface Specify interface for global address

R1-2691(config)#$de source static tcp 172.16.1.2 3389 192.168.1.100 ?
<1-65535> Global UDP/TCP port

R1-2691(config)#ip nat inside source static tcp 172.16.1.2 3389 192.168.1.100 3389 ?
extendable Extend this translation when used
mapping-id Associate a mapping id to this mapping
no-alias Do not create an alias for the global address
no-payload No translation of embedded address/port in the payload
redundancy NAT redundancy operation
route-map Specify route-map
vrf Specify vrf
<cr>

R1-2691(config)#ip nat inside source static tcp 172.16.1.2 3389 192.168.1.100 3389
R1-2691(config)#

doesn't seem to work

dtlokee

what does the translations table look like? Is there an access-list on the outside interface?

aueddonline

dtlokee wrote:

what does the translations table look like? Is there an access-list on the outside interface?

no ACL, translation table ?

dtlokee

show ip nat translations

aueddonline

R1-2691#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 192.168.1.100:3389 172.16.1.2:3389 --- ---
R1-2691#

aueddonline

some more info that might help

when I use the following config I can't RDP from my 192.16.1.0/24 subnet and the show ip nat statistics readout changes, but if I get rid of the static nat entry it works fine.

ip nat inside source static tcp 172.16.1.1 3389 192.168.1.100 3389 extendable
!
interface FastEthernet0/1
ip address 172.16.1.100 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
interface FastEthernet0/0
ip address 192.168.1.100 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

*Mar 1 14:58:18.850: NAT*: s=172.16.1.1->192.168.1.100, d=192.168.1.102 [21764]
*Mar 1 14:58:21.850: NAT*: s=172.16.1.1->192.168.1.100, d=192.168.1.102 [21768]
*Mar 1 14:58:27.850: NAT*: s=172.16.1.1->192.168.1.100, d=192.168.1.102 [21770]

*Mar 1 14:59:27.910: NAT: expiring 192.168.1.100 (172.16.1.1) tcp 3389 (3389)