Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Port Forwarding
- Thread starter jmandiaz
- Start date
bierhunter
IS-IT--Management
Well, if you're using NAT and you only have one public IP, you need to tell the packet what internal address to go to according to the port it is seeking (such as 25, 80, etc).
Such as:
pretend internal subnet is 10.1.1.0 /24
Single public address is 205.45.8.130
ip nat inside source tcp 10.1.1.5 80 205.45.6.130 80 extendable
and
ip nat inside source tcp 10.1.1.7 25 205.45.6.130 25 extendable
Port 80 traffic goes to 10.1.1.5 and port 25 traffic goes to 10.1.1.7 although they both share the same public IP.
This can also be useful even if you have multiple public IP address, but only want to allow specific ports through instead of just assigning a fully opened static public ip to a server.
Such as...instead of:
ip nat inside source 10.1.1.8 205.45.6.130 (which opens that server up completely to the outside world)
You can use the above extendable format to only permit specific ports.
Firewalls, ACLs, etc should still be used for stronger security.
Such as:
pretend internal subnet is 10.1.1.0 /24
Single public address is 205.45.8.130
ip nat inside source tcp 10.1.1.5 80 205.45.6.130 80 extendable
and
ip nat inside source tcp 10.1.1.7 25 205.45.6.130 25 extendable
Port 80 traffic goes to 10.1.1.5 and port 25 traffic goes to 10.1.1.7 although they both share the same public IP.
This can also be useful even if you have multiple public IP address, but only want to allow specific ports through instead of just assigning a fully opened static public ip to a server.
Such as...instead of:
ip nat inside source 10.1.1.8 205.45.6.130 (which opens that server up completely to the outside world)
You can use the above extendable format to only permit specific ports.
Firewalls, ACLs, etc should still be used for stronger security.
CCIEcandidate
MIS
Most Cable or DSL routers have a feature called "port-fowarding" or "virtual server". This enables devices on the private side of your cable/dsl router to recieve traffic from the internet on specific ports.
Imagine you have a cisco router plugged into the private side of your cable/dsl router and that cisco router has an ip of 192.168.1.1/24. This IP is not routable on the internet. This is where port-forwarding on the cable/dsl router comes into play. You can telnet to the cable/dsl router's external IP and have the cable/dsl router "forward" this port to the internal private IP of your cisco router (192.168.1.1). By default this port would be TCP 23.
You could set it up where you telnet to the external public IP of your cable/dsl router on port 5678 (random high port) and have the cable/dsl router forward this traffic to 192.168.1.1 on port 23.
This is basically it.
HTH,
Nick
Imagine you have a cisco router plugged into the private side of your cable/dsl router and that cisco router has an ip of 192.168.1.1/24. This IP is not routable on the internet. This is where port-forwarding on the cable/dsl router comes into play. You can telnet to the cable/dsl router's external IP and have the cable/dsl router "forward" this port to the internal private IP of your cisco router (192.168.1.1). By default this port would be TCP 23.
You could set it up where you telnet to the external public IP of your cable/dsl router on port 5678 (random high port) and have the cable/dsl router forward this traffic to 192.168.1.1 on port 23.
This is basically it.
HTH,
Nick
- Status
