Port Forwarding with Cisco 871??

Discussion in 'Cisco' started by mhaase-at-springmind.com, Sep 25, 2005.

  1. I hope somebody has some ideas on this, cause it's making me crazy.
    It's probably something dirt simple I'm overlooking.

    We have a Netopia DSL "modem", which provides us with four static
    IP's.

    We take one of those IPs, and run it to a CISCO 871 (which provides a
    VPN that I don't think is pertinent to the problem). The CISCO is
    also doing DHCP, and NATing to a 192.168.0.x LAN.

    All seems to be working fine, until I try to "Port forward" Ports 25,
    80, and 110 from the outside WAN through to a server on the LAN.

    The Netopia seems to be doing its part -- I've configured what
    Netopia calls "pinholes", and if I hang a server directly off of it, I
    can access the required ports from the outside.

    The CISCO has been configured by a CISCO tech, via Telnet from their
    support center. He basically put in "permit any to 192.168.0.2 eq 80"
    (I'm not sure of the exact syntax) on the inbound, and "permit
    192.168.0.2 to any eq 80" on the outbound. (He also put in "permit"
    statements for the other ports).

    Problem is, it's not working. I get no response from anything on the
    LAN when I try to access it from outside. I've checked the CISCO's
    logs, and can't even find a record of the attempts at access, although
    I may not have all the logging I should enabled (I'm not
    super-familiar with CISCO stuff).

    I get the same results no matter which port I try.

    Any thoughts? Suggestions for troubleshooting methods? Is there some
    basic routing/networking reason why this won't work? Seems I've done
    this dozens of times before with Linksys, Dlink and the like without
    problems.


    Thanks!
     
    mhaase-at-springmind.com, Sep 25, 2005
    #1

  2. Hi,

    The problem you describe can be solved with NAT. You need to add a static
    translation for ports 25, 80 and 110 of one of the public IP's to the
    designated internal private IP.

    ip nat inside source static tcp 192.168.0.2 25 a.b.c.d 25
    ip nat inside source static tcp 192.168.0.2 80 a.b.c.d 80
    ip nat inside source static tcp 192.168.0.2 110 a.b.c.d 110

    (Replace a.b.c.d with the public IP of the outside interface, or any of the
    other public IPs.)

    Erik

     
    Erik Tamminga, Sep 26, 2005
    #2

  3. On Mon, 26 Sep 2005 21:10:40 +0200, "Erik Tamminga"
    <_revese_the_previous> wrote:

    >Hi,
    >
    >The problem you describe can be solved with NAT. You need to add a static
    >translation for ports 25, 80 and 110 of one of the public IP's to the
    >designated internal private IP.
    >
    >ip nat inside source static tcp 192.168.0.2 25 a.b.c.d 25
    >ip nat inside source static tcp 192.168.0.2 80 a.b.c.d 80
    >ip nat inside source static tcp 192.168.0.2 110 a.b.c.d 110
    >
    >(replace a.b.c.d with the public IP of the outside interface (or any of the
    >other public ip's).
    >
    >Erik



    Thanks Erik! I'll be able to give it a try tomorrow.




     
    mhaase-at-springmind.com, Sep 28, 2005
    #3
  4. Hi,

    I'm trying to do the same, except that I only have one IP address and it is dynamically assigned. I had it configured a long time ago, but cannot remember how I did it!

    I tried doing the following...

    oakland(config)#ip nat inside source static tcp 10.1.1.10 80 0.0.0.0 80

    But, unfortunately, it does not like 0.0.0.0 or "any" as an external address.

    Any help would be appreciated!
     
    thunder04, Aug 4, 2007
    #4
  5. It's been a while, but maybe this will help...

    On a port that gets its IP info automatically from DHCP, just refer to the port itself.

    So, if your server is at 192.168.0.102, you might use:
    ip nat inside source static tcp 192.168.0.102 3389 interface FastEthernet4 3389

    This works for a Cisco 871W which has Fa4 assigned as the WAN port.
    The 3389 port is for M$ RDP protocol for Remote Desktop / Terminal Server

    Too, you may need to let down the ACL. So if the existing ACL is called "Internet-inbound-ACL" and your server is at 192.168.0.102, you would enter:

    ip access-list extended Internet-inbound-ACL
    permit tcp any any eq 3389
    exit

    Salud,
    Scott
     
    redboot, Nov 14, 2007
    #5
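
Added example, not part of any post in this thread: a small Python audit that cross-checks each `ip nat inside source static tcp` forward against the ACL applied inbound on the `ip nat outside` interface. It relies on IOS evaluating that inbound ACL before the NAT translation, so a permit has to match the public side; the sample config, the `ADMIN_PORTS` set and the function names are constructed for illustration, and only numeric `eq` ports are parsed.

```python
import re

# Constructed sample config, not taken from the routers discussed in the thread.
SAMPLE = """\
interface FastEthernet4
 ip access-group Internet-inbound-ACL in
 ip nat outside
!
ip nat inside source static tcp 192.168.0.102 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.0.2 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.0.2 25 interface FastEthernet4 25
!
ip access-list extended Internet-inbound-ACL
 permit tcp any any eq 3389
 permit tcp any host 192.168.0.2 eq 80
"""

ADDR = r"(any|host \S+|\S+ \S+)"
NAT_RE = re.compile(r"^ip nat inside source static tcp (\S+) (\d+) "
                    r"(?:interface \S+|(\S+)) (\d+)", re.M)
PERMIT_RE = re.compile(rf"^ permit tcp {ADDR} {ADDR} eq (\d+)[ \t]*$", re.M)
ADMIN_PORTS = {22, 23, 3389}  # assumption: ports treated as remote administration

def outside_acl(cfg):
    """Name of the ACL applied inbound on the 'ip nat outside' interface, or None."""
    for block in re.split(r"^!\s*$", cfg, flags=re.M):
        if re.search(r"^ ip nat outside\s*$", block, re.M):
            m = re.search(r"^ ip access-group (\S+) in\s*$", block, re.M)
            return m.group(1) if m else None

def audit(cfg):
    """Return (public_port, finding) for each static forward that needs attention."""
    name = outside_acl(cfg)
    if not name: return [(None, "no inbound ACL on outside interface")]
    body = re.search(rf"^ip access-list extended {re.escape(name)}\n((?: .*\n?)*)",
                     cfg, re.M)
    permits = PERMIT_RE.findall(body.group(1)) if body else []
    findings = []
    for local, lport, glob, gport in NAT_RE.findall(cfg):
        hits = [(s, d) for s, d, p in permits if p == gport]
        # The inbound ACL runs before NAT, so it sees the public destination.
        pre_nat = [(s, d) for s, d in hits if d in ("any", f"host {glob}")]
        if not hits:
            findings.append((gport, "no permit in inbound ACL"))
        elif not pre_nat:
            findings.append((gport, "permit does not match public destination"))
        elif int(gport) in ADMIN_PORTS and any(s == "any" for s, _ in pre_nat):
            findings.append((gport, "admin port open to any source"))
    return findings
```

Run `audit()` on the output of `show running-config`; an empty list means every forward has a matching pre-NAT permit and no administration port is permitted from `any`.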