Port forwarding on Cisco 1800

Discussion in 'Cisco' started by Lyle, Aug 22, 2008.

  1. Lyle

    Lyle Guest

    Hello,

    Network setup is as follows. Cisco 1800 with one public IP on the ATM
    interface. The ethernet interface has a 192.168.1.1 address. The ISP
    has configured the router so it passes all traffic to 192.168.1.2
    which is our firewall.

    We have a new device at the 192.168.1.3 address.

    I would like the ISP to forward just https traffic to the new device.

    This is possible, no? Because they say it is not.

    Thanks,

    Lyle
     
    Lyle, Aug 22, 2008
    #1

  2. Trendkill

    Trendkill Guest

    They are probably one to one NATing and what you are asking for is
    port address translation (PAT). That way you can forward different
    ports to different internal IP addresses. This should definitely be
    possible, although I'm making assumptions on your setup. If you can
    paste your router config (omit passwords and hide your external IP
    address), then someone here can definitely answer your question.
     
    Trendkill, Aug 22, 2008
    #2

  3. Lyle

    Lyle Guest

    Thanks for your reply. I wish I could paste the config here but I don't
    have access to the router. I assume they are doing one-to-one NAT to
    our firewall because we have a VPN up and running and they never asked
    about which ports to forward. So if this is the case, that they are
    doing one-to-one NAT, I can't do any policy based routing, right?
     
    Lyle, Aug 22, 2008
    #3
  4. Trendkill

    Trendkill Guest

    There is nothing you can do if they are doing one-to-one NAT, unless
    of course you want to install a router in between and do your own
    NAT/PAT. I've never really tried that kind of NAT to NAT, but there are
    some folks on this board with some deeper experience in the internet
    security side than me. May be worth trying, although getting them to
    change to PAT shouldn't be that big of a problem. They can forward
    443 to the one server, and everything else to the firewall. Although
    don't you want your web server behind your firewall anyway, so can't
    you put a rule in there to forward 443 to an internal address? Use
    that as your NAT to PAT instead?
     
    Trendkill, Aug 22, 2008
    #4
  5. Lyle

    Lyle Guest

    >  Although don't you want your web server behind your firewall anyway, so can't
    > you put a rule in there to forward 443 to an internal address?  Use
    > that as your nat to pat instead?



    Actually it's not a web server. It's an appliance to publish Web Apps
    and just about anything via SSL. I just wanted it to stay as clean and
    simple as possible, but you are right. I could always try and redirect
    from the firewall itself. The only problem is the firewall handles all
    the SSL stuff as is.

    What I could try is use another port till I am ready to do the
    switch. That's what I asked the ISP to do: redirect 4443 to the
    new box, which I would set up using 4443, and then test, test,
    test, and when I was happy have them change the port to 443 and BOOM
    into production.
     
    Lyle, Aug 22, 2008
    #5
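
The forwarding decision discussed in posts #4 and #5, as an added example that is not part of the original thread and is not router configuration: a small Python model of the inbound translation table for the current one-to-one NAT, the 4443 staging step, and the 443 cutover. The rule sets are constructed from the addresses in the thread, and the "port-specific rule wins over the catch-all" ordering is an assumption of this model. It also lists which ports would reach the new appliance directly instead of passing through the firewall.

```python
from typing import NamedTuple, Optional

FIREWALL = "192.168.1.2"   # address from the thread
APPLIANCE = "192.168.1.3"  # address from the thread


class Rule(NamedTuple):
    proto: Optional[str]        # "tcp"/"udp", or None for any protocol
    port: Optional[int]         # outside port, or None for every port
    inside_ip: str
    inside_port: Optional[int]  # None keeps the original port


# Constructed rule sets for the three stages discussed in the thread.
ONE_TO_ONE = [Rule(None, None, FIREWALL, None)]
STAGING = [Rule("tcp", 4443, APPLIANCE, 4443)] + ONE_TO_ONE
CUTOVER = [Rule("tcp", 443, APPLIANCE, 443)] + ONE_TO_ONE


def translate(rules, proto, port):
    """Return (inside_ip, inside_port) for an inbound packet, or None.

    Model assumption: a port-specific rule wins over the catch-all rule.
    """
    ordered = sorted(rules, key=lambda r: r.port is None)  # specific first
    for r in ordered:
        if r.proto in (None, proto) and r.port in (None, port):
            return r.inside_ip, r.inside_port if r.inside_port is not None else port
    return None


def bypasses_firewall(rules):
    """List (proto, port) pairs that reach a host other than the firewall."""
    return sorted((r.proto, r.port) for r in rules if r.inside_ip != FIREWALL)


if __name__ == "__main__":
    for name, rules in [("one-to-one", ONE_TO_ONE), ("staging", STAGING),
                        ("cutover", CUTOVER)]:
        print(name, translate(rules, "tcp", 443), translate(rules, "tcp", 4443),
              "direct:", bypasses_firewall(rules))
```

Any port listed by `bypasses_firewall` is delivered to the appliance without the firewall seeing it, so the appliance's own filtering and logging are the only controls on that port.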