Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations wOOdy-Soft on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Port forwarding trouble

Status
Not open for further replies.
Twinmoon

Twinmoon

Technical User
May 11, 2003
52
US
I’m trying to configure port forwarding (for a web server) on a Cisco uBR920 cable-modem router for a small start up company. I’ve tried everything I can think of but I just can’t get it to work.

Server IP: 10.1.1.253
Router: Cisco uBR920
IOS: IOS (tm) 920 Software (UBR920-K1V4Y5-M), Version 12.1(1)T
Interfaces are good – the LAN can access WAN traffic just fine. WAN can get to the router just fine (I’m configuring this from a remote site)
Running config:
Building configuration...

Current configuration:
!
! Last configuration change at 09:05:52 - Mon Jun 23 2003
! NVRAM config last updated at 08:34:03 - Mon Jun 23 2003
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname jscmptr-router
!
{enable passwords edited out}
!
!
!
!
!
clock timezone - 6
ip subnet-zero
ip dhcp excluded-address 10.1.1.250
ip dhcp excluded-address 10.1.1.1
ip dhcp excluded-address 10.1.1.2
ip dhcp excluded-address 10.1.1.19
ip dhcp excluded-address 10.1.1.251
ip dhcp excluded-address 10.1.1.252
ip dhcp excluded-address 10.1.1.253
ip dhcp excluded-address 10.1.1.254
ip dhcp excluded-address 10.1.1.10
ip dhcp excluded-address 10.1.1.3
ip dhcp excluded-address 10.1.1.4
ip dhcp excluded-address 10.1.1.5
!
ip dhcp pool j1
network 10.1.1.0 255.255.255.0
domain-name js-computers.com
dns-server 204.70.127.127
default-router 10.1.1.250
!
!
!
!
!
voice-port 0
input gain -2
!
voice-port 1
input gain -2
!
!
!
!
interface Loopback0
ip address 12.211.231.138 255.255.255.255
!
interface Ethernet0
ip address 10.1.1.250 255.255.255.0
ip nat inside
no ip mroute-cache
!
interface cable-modem0
ip address negotiated
ip nat outside
no ip mroute-cache
cable-modem boot admin 2
cable-modem boot oper 5
cable-modem downstream saved channel 609000000 56 5
cable-modem mac-timer t2 40000
no cable-modem compliant bridge
cable-modem dhcp-proxy nat j1
!
router rip
version 2
network 12.0.0.0
!
ip default-gateway 10.158.128.1
ip nat pool j1 12.211.231.138 12.211.231.138 netmask 255.255.254.0
ip nat inside source list 10 pool j1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.158.128.1
no ip http server
no ip http cable-monitor
!
!
ip access-list extended ports
permit tcp any any eq www
access-list 10 permit 10.1.1.0 0.0.0.255
snmp-server engineID local 00000009020000036BD6B880
snmp-server manager
!
line con 0
transport input none
line vty 0 4
password xxxxxxxx
login
!
end

After some looking around I found this thread: thread557-452445 and it seemed to be what I needed. I tried putting in a similar command (changing ips as nessicarry) recommended by ipconfig but it didn’t transfer well. (syntax was different enough I couldn’t translate it) I thought these lines (thought processs included) should work but they didn’t.

!ip nat outside source list [LIST name](Needs to be extended) pool{pool !name for local address} [pool name]
! That will take a packet, if it matches, translate it to the address !in pool. The access list should be extended to filter on port

!ip route [ip address] [subnet mask] [destination] (next hop)
! that's a static route. Intended use would be from the pool(proabbly !the 172.16 network to be routed to the server.

ip nat inside source list ports pool portTrans
ip nat pool portTrans 172.16.0.0 172.16.255.255 netmask 255.255.0.0
ip route 172.16.0.0 255.255.0.0 10.1.1.253

ip access-list extended ports
permit tcp any any eq www
remark Using this one for port forwaring/blocking

Referenced:

I've even tried the http server but to no success. I know I’m missing something but I don’t know what or how to get it to work. Is the answer staring me in the face? Any help would be greatly appreciated.

P.S. If the commands don’t work I quickly remove them.
 
Sort by date Sort by votes
port forwarding/redirection is usually done on cisco routers with static addressing on the outside interface (never seen it with dynamic). it can be done on the pix or linux lrp firewall with a dynamic address (although in the lrp documentation they tell you that it may cause security leaks)

if you are looking to do port redirection for an inside host then you need to do 3 things:

1) allow anyone (or specified hosts/ips) to hit your router on those ports (use an acl to open the ports)

2) point the socket on the outside interface to the internal host you want it to refer to (make the nat statements)

3) apply the acl to the outside interface


-not in above order-

ip address e0 (outside interface)
ip address 123.123.123.123 255.255.255.0
ip access-group 123 in

access-list 123 permit tcp any host 123.123.123.123 eq www
access-list 123 permit tcp any host 123.123.123.123 eq 3389

ip nat inside source static tcp [wwwSERVERip] www
ip nat inside source static tcp [termsrvIP] 3389 123.123.123.123 3389
 
Upvote 0 Downvote
you know what, you can port forward with a dynamic ip on the outside interface

XXXXXX-rtr(config)#ip nat inside source static tcp 172.16.2.1 3389 ?
A.B.C.D Inside global IP address
interface Specify interface for global address

use the interface directive
adcen-rtr(config)#ip nat inside source static tcp 172.17.101.7 21 interface e0
 
Upvote 0 Downvote
You CAN do port forward on an interface with a dynamic address. Take a look at this example.

NOTE ! this is not a UBR router !

!
interface Ethernet1
description WAN Interface
ip nat outside
!
interface Ethernet0
description LAN Interface
ip address 192.168.1.254 255.255.255.0
ip nat inside
!
ip nat inside source list 1 interface Ethernet1 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255

This, or something like it, will work.

Simon
 
Upvote 0 Downvote
Thank you. It now works. After some effort(contacting the admin to turn the webserver on, and then talking him through it... dumb red tape) I got it working. Thank you again(gconnect your posts were especially helpful). The admin mentioned that the key ip nat inside is used for both WANtoLAN and LANtoWAN translations. Is that true? If so, why do they even have a outside keyword?
 
Upvote 0 Downvote
Please Help me if you can.
my image file is currupted. if you have a ubr920 cable router image version 12.0 or later please send it to eyoung2897@verizon.net thanks for any help you can give me.the image file i need is UBR920-K1V4Y5-MZ.121-7.bin or something close to it.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Zero6
  • Locked
  • Question
question about cisco cbs 350-12xs 12 port 10g sfp+
Replies
0
Views
335
Zero6
Zero6
Gartech
  • Locked
  • Question
LAN Port Test Device
Replies
3
Views
336
ipohead
ipohead
BleuBell
  • Locked
  • Question
Command Rejected : Exceeded NNI ports Allowed
Replies
0
Views
252
BleuBell
BleuBell
MoJHK
  • Locked
  • Question
Metro Ethernet trouble shootin
Replies
0
Views
240
MoJHK
MoJHK
amelamel
  • Locked
  • Question
port has faulty link
Replies
2
Views
613
ADB100
ADB100

Part and Inventory Search

Sponsor

Back
Top