Port Forward -CISCO 836-

Discussion in 'Cisco' started by Pedro, Jan 19, 2005.

  1. Pedro

    Pedro Guest

    Hi,
    I want to forward TCP port 21 (FTP) to an internal machine on the local
    network (192.168.0.xxx).
    Can anyone help?

    Thanks

    The actual configuration is:


    --------------
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname XXXXXX
    !
    no logging buffered
    enable secret XXXXXX
    !
    username CRWS_Venky privilege 15 password 0 XXXXXX
    ip subnet-zero
    !
    ip inspect name myfw cuseeme timeout 3600
    ip inspect name myfw ftp timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw smtp timeout 3600
    ip inspect name myfw tftp timeout 30
    ip inspect name myfw udp timeout 15
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw h323 timeout 3600
    ip urlfilter alert
    ip audit notify log
    ip audit po max-events 100
    !
    interface Ethernet0
    ip address 192.168.0.1 255.255.255.0
    ip nat inside
    ip tcp adjust-mss 1452
    !
    interface BRI0
    no ip address
    shutdown
    !
    interface ATM0
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/35
    pppoe-client dial-pool-number 1
    !
    dsl operating-mode etsi
    !
    interface Dialer1
    ip address negotiated
    ip access-group 111 in
    ip mtu 1492
    ip nat outside
    ip inspect myfw out
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer remote-name redback
    dialer-group 1
    ppp authentication pap chap callin
    ppp chap hostname XXXXXX
    ppp chap password 0 XXXXXX
    ppp pap sent-username XXXXXX password 0 XXXXXX
    !
    ip nat translation timeout 900
    ip nat translation tcp-timeout 900
    ip nat translation max-entries 1000
    ip nat inside source route-map nonat interface Dialer1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    no ip http secure-server
    !
    !
    access-list 23 permit 192.168.0.0 0.0.0.255
    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any traceroute
    access-list 111 permit icmp any any unreachable
    access-list 111 permit udp any eq bootps any eq bootpc
    access-list 111 permit udp any eq bootps any eq bootps
    access-list 111 permit udp any eq domain any
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit udp any any eq 10000
    access-list 111 permit tcp any any eq 1723
    access-list 111 permit tcp any any eq 139
    access-list 111 permit udp any any eq netbios-ns
    access-list 111 permit udp any any eq netbios-dgm
    access-list 111 permit gre any any
    access-list 111 deny ip any any
    dialer-list 1 protocol ip permit
    route-map nonat permit 10
    !
    !
    line con 0
    stopbits 1
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    password XXXXXX
    login local
    length 0
    !
    scheduler max-task-time 5000
    !
    end
    ----------
     
    Pedro, Jan 19, 2005
    #1

  2. RobO

    RobO Guest

    Hello Pedro!
    For starters I would remove the "ip nat inside source route-map nonat
    ..." command (and please someone correct me if I'm wrong), because in
    your current config you have no need for the route-map,

    and replace it with:

    ip nat inside source list 101 interface Dialer1 overload

    and set up an access-list:

    access-list 101 permit ip 192.168.xxx.xxx 0.0.0.255 any

    Then to forward FTP requests you will do:

    ip nat inside source static tcp 192.168.0.xxx 21 interface Dialer1 21 extendable

    Your inbound access-list from the internet should also allow for port
    21 to pass.

    Hope this helps

    Rob
     
    RobO, Jan 19, 2005
    #2

  3. Pedro

    Pedro Guest

    I can't ... see:
    ==============================================
    no ip nat inside source route-map nonat
    %Dynamic mapping in use, cannot remove
    ==============================================
    I did the rest. Now I have this configuration:

    ==============================================
    ip nat translation timeout 900
    ip nat translation tcp-timeout 900
    ip nat translation max-entries 1000
    ip nat inside source list 101 interface Dialer1 overload
    ip nat inside source route-map nonat interface Dialer1 overload
    ip nat inside source static tcp 192.168.0.12 21 interface Dialer1 21
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    no ip http secure-server
    !
    access-list 23 permit 192.168.0.0 0.0.0.255
    access-list 101 permit ip 192.168.0.0 0.0.0.255 any
    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any traceroute
    access-list 111 permit icmp any any unreachable
    access-list 111 permit udp any eq bootps any eq bootpc
    access-list 111 permit udp any eq bootps any eq bootps
    access-list 111 permit udp any eq domain any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit udp any any eq 10000
    access-list 111 permit tcp any any eq 1723
    access-list 111 permit tcp any any eq 139
    access-list 111 permit udp any any eq netbios-ns
    access-list 111 permit udp any any eq netbios-dgm
    access-list 111 permit gre any any
    access-list 111 deny ip any any
    dialer-list 1 protocol ip permit
    route-map nonat permit 10
    ==============================================

    The NAT table shows:
    ==============================================
    sh ip nat translations
    Pro      Inside global        Inside local       Outside local   Outside global
    icmperr  213.13.204.151       213.13.204.151     ---             ---
    tcp      213.13.204.151:21    192.168.0.12:21    ---             ---
    ==============================================
    But it doesn't work.
    Any idea?

    Pedro
     
    Pedro, Jan 19, 2005
    #3
  4. RobO

    RobO Guest

    Hi Pedro!

    If you can, save your configuration to a tftp server, e.g.:
    "copy start tftp"

    Then you can edit the config with WordPad or a Linux editor, remove
    the lines for the "ip nat inside source route-map" command and
    replace them with:
    "ip nat inside source list 101 interface Dialer1 overload"
    Make sure you have:
    access-list 101 permit ip 192.168.0.0 0.0.0.255 any
    so that the router knows what traffic to NAT.

    Once you have finished, copy the config back to your router's startup
    configuration:

    copy tftp start

    Then you must restart the router to get rid of the
    "%Dynamic mapping in use, cannot remove"

    Good luck!
    Rob
     
    RobO, Jan 19, 2005
    #4
  5. Pedro

    Pedro Guest

    It doesn't work.
    I changed the configuration, but when I try to connect to the FTP server
    it says: connection refused.

    When I try to check the IP and port (http://www.canyouseeme.org/) it gives:
    Error: I could not see your service on xxx.xxx.xxx.xxx on port (21)
    Reason: Connection refused

    Is there any problem with access-list 111?

    The actual configuration is:

    =========================================================================

    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname XXXXX
    !
    no logging buffered
    enable secret 5 XXXXX
    !
    ip subnet-zero
    !
    ip inspect name myfw cuseeme timeout 3600
    ip inspect name myfw ftp timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw smtp timeout 3600
    ip inspect name myfw tftp timeout 30
    ip inspect name myfw udp timeout 15
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw h323 timeout 3600
    ip urlfilter alert
    ip audit notify log
    ip audit po max-events 100
    !
    !
    interface Ethernet0
    ip address 192.168.0.1 255.255.255.0
    ip nat inside
    ip tcp adjust-mss 1452
    !
    interface BRI0
    no ip address
    shutdown
    !
    interface ATM0
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/35
    pppoe-client dial-pool-number 1
    !
    dsl operating-mode etsi
    !
    interface Dialer1
    ip address negotiated
    ip access-group 111 in
    ip mtu 1492
    ip nat outside
    ip inspect myfw out
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer remote-name redback
    dialer-group 1
    ppp authentication pap chap callin
    ppp chap hostname XXXXX
    ppp chap password 0 XXXXX
    ppp pap sent-username XXXXX password 0 XXXXX
    !
    ip nat translation timeout 900
    ip nat translation tcp-timeout 900
    ip nat translation max-entries 1000
    ip nat inside source list 101 interface Dialer1 overload
    ip nat inside source static tcp 192.168.0.12 21 interface Dialer1 21
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    no ip http secure-server
    !
    !
    access-list 101 permit ip 192.168.0.0 0.0.0.255 any
    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any traceroute
    access-list 111 permit icmp any any unreachable
    access-list 111 permit udp any eq bootps any eq bootpc
    access-list 111 permit udp any eq bootps any eq bootps
    access-list 111 permit udp any eq domain any
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit udp any any eq 10000
    access-list 111 permit tcp any any eq 1723
    access-list 111 permit tcp any any eq 139
    access-list 111 permit tcp any any eq ftp
    access-list 111 permit udp any any eq netbios-ns
    access-list 111 permit udp any any eq netbios-dgm
    access-list 111 permit gre any any
    access-list 111 deny ip any any
    dialer-list 1 protocol ip permit
    !
    !
    line con 0
    stopbits 1
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    password XXXXX
    login local
    length 0
    !
    scheduler max-task-time 5000
    !
    end
    ==============================================================================
     
    Pedro, Jan 20, 2005
    #5
  6. RobO

    RobO Guest

    Pedro,

    Come to think of it, I believe you have to open 2 ports for FTP, 20/21,
    i.e. ftp/ftp-data.
    Try putting those into your access list and do the same for NAT as
    well.
    Also it must say "extendable" at the end:
    ip nat inside source static tcp 192.168.xxx.xxx 20 interface Dialer1 20 extendable
    ip nat inside source static tcp 192.168.xxx.xxx 21 interface Dialer1 21 extendable

    Hope this helps
     
    RobO, Jan 20, 2005
    #6
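Editor's added example, not code from this thread or from Cisco: Pedro asks in post #5 whether access-list 111 is the problem, and post #6 settles on permitting the FTP port and marking the static entries `extendable`. The script below models enough of IOS to answer that question offline: it parses the numbered extended-ACL lines and the `ip nat inside source static` lines from the posted config and walks an outside-initiated packet through them in the order IOS uses for outside-to-inside traffic, inbound ACL first, then NAT. Because the ACL runs before translation, it sees the Dialer1 global address (213.13.204.151 from the NAT table in post #3) as the destination, which is why `permit tcp any any eq ftp` is the right shape and a rule naming 192.168.0.12 would never match. Everything here is an assumption of the example, not a Cisco API: only the `any`/`host`/wildcard and `eq` forms used in this thread are parsed, the port-name table is hand-made, the static-NAT line is expected in the one-token `Dialer1` form, and the ACL text is the thread's own list with a few lines omitted for brevity.

```python
import ipaddress
from collections import namedtuple

# IOS port keywords used in the thread's ACL 111 (subset, constructed here).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "domain": 53, "bootps": 67, "bootpc": 68,
              "isakmp": 500, "netbios-ns": 137, "netbios-dgm": 138}

Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(0, 0, ""))
Ace = namedtuple("Ace", "action proto src sport dst dport icmp_type")

def _addr(tok):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(tok[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def _port(tok):
    """Consume optional 'eq PORT' (name or number) -> (port or None, rest)."""
    if tok and tok[0] == "eq":
        return PORT_NAMES.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def parse_acl(config, number):
    """Collect the ACEs of one numbered extended ACL, in configured order."""
    acl = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", str(number)]:
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        icmp_type = rest[0] if proto == "icmp" and rest else None
        acl.append(Ace(action, proto, src, sport, dst, dport, icmp_type))
    return acl

def evaluate(acl, pkt):
    """First matching ACE wins; IOS ends every ACL with an implicit deny."""
    for a in acl:
        if (a.proto in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in a.src
                and ipaddress.ip_address(pkt.dst) in a.dst
                and a.sport in (None, pkt.sport) and a.dport in (None, pkt.dport)
                and a.icmp_type in (None, pkt.icmp_type)):
            return a.action
    return "deny"

def parse_static_nat(config):
    """'ip nat inside source static PROTO LOCAL LPORT interface Dialer1 GPORT ...'
    -> {(PROTO, GPORT): (LOCAL, LPORT)}. Assumes the one-token 'Dialer1' form."""
    table = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:5] == ["ip", "nat", "inside", "source", "static"]:
            table[(tok[5], int(tok[10]))] = (tok[6], int(tok[7]))
    return table

def inbound(config, pkt):
    """Outside-to-inside on IOS: the inbound ACL on Dialer1 is checked before
    NAT, so it sees the Dialer1 global address as destination; only then is a
    static entry looked up. Returns (verdict, inside destination or None)."""
    verdict = evaluate(parse_acl(config, 111), pkt)
    if verdict != "permit":
        return verdict, None
    target = parse_static_nat(config).get((pkt.proto, pkt.dport))
    return ("permit", target) if target else ("no-nat-entry", None)

# Constructed from the thread: ACL 111 as first posted (some lines omitted for
# brevity) plus the static translation from post #3.
CONFIG_BEFORE = """\
ip nat inside source static tcp 192.168.0.12 21 interface Dialer1 21
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit gre any any
access-list 111 deny ip any any
"""
# The state after posts #5 and #6: 'permit tcp any any eq ftp' added before the
# final deny, and both static entries marked 'extendable'.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "access-list 111 deny ip any any",
    "access-list 111 permit tcp any any eq ftp\naccess-list 111 deny ip any any",
).replace(
    "ip nat inside source static tcp 192.168.0.12 21 interface Dialer1 21",
    "ip nat inside source static tcp 192.168.0.12 20 interface Dialer1 20 extendable\n"
    "ip nat inside source static tcp 192.168.0.12 21 interface Dialer1 21 extendable")
```

Running `inbound(CONFIG_BEFORE, Packet("tcp", "198.51.100.7", "213.13.204.151", 40000, 21))` returns `("deny", None)`: the static translation from post #3 was in place, but the SYN never reached it because ACL 111 fell through to its final deny. With `CONFIG_AFTER` the same packet returns `("permit", ("192.168.0.12", 21))`. Two checks worth noting: a SYN to port 20 is still denied in `CONFIG_AFTER`, because no `ftp-data` permit was ever added to ACL 111, so the port-20 forward from post #6 is never reachable from the Internet; and a SYN to port 139 is permitted by the ACL but has no static entry behind it. Neither matters for the port-21 forward: in active-mode FTP the server opens the data connection itself, outbound from port 20, and in passive mode the client connects to an ephemeral port on the server. Bear in mind that `ip inspect myfw out` only inspects sessions that start from the inside, so it does not open passive-mode data ports for sessions that arrive from the Internet; that is the next thing to check if remote clients using passive mode can log in but cannot list or transfer.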
  7. Pedro

    Pedro Guest

    It works. Thanks.

    It works from outside. If I try it from inside I can't!

    Pedro
     
    Pedro, Jan 20, 2005
    #7