
Thread: Port Forwarding w/Cisco/Windows Help

  1. #1
    Regular Member chugger93's Avatar
    Join Date
    Aug 2002
    Location
    MI
    Posts
    150

    Port Forwarding w/Cisco/Windows Help

    I need some help here. I'm new to the whole line of Cisco configuring as well.

    I need help port forwarding some ports for example (remote desktop) so I can remote in from home to my office workstation.

    We have a T1, cisco router that is wide open (and configured with NAT & DHCP). We also have a 2003 Server that is a domain controller.

    I know you can use ACLs to apply port forwarding, but being that I'm new to ACLs I'd rather use something I'm more familiar with (Routing and Remote Access).

    How do I specifically go about opening ports with RAS? I know how to do it, but I don't know how to tell the Cisco to forward the packets on to the 2003 server. I have 1 NIC in the server, but I just added another one. How do I configure all of this?

    Anyone lend a hand?

  2. #2
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,895
    You say the router is wide open, but say the router is also configured with NAT.

    Is the server multi-homed with the WAN NIC pulling a public IP?

    I'd much rather take the single homed server approach, using NAT on the router.

    But for filtering on Windows, if you right click your area connection, select properties, bring up the properties of TCP/IP, click the advanced button, click the options tab, you'll see TCP/IP filtering under options settings, click the properties button for that...you'll see TCP, UDP, and IP columns there that you can manually edit.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  3. #3
    Regular Member chugger93's Avatar
    Join Date
    Aug 2002
    Location
    MI
    Posts
    150
    You're right in a sense. The router isn't wide open to a point because it has NAT on it, which in theory is a basic firewall.

    Our basic setup is...

    T1 line goes into the Cisco Router, and from there the router connects to a DELL powerconnect 24 port switch. The server is plugged into the switch as well.

    I know how to open up ports in RAS, but it's not working. I still can't remote desktop from home into work. The packet is probably still dropping at the router, I'm assuming. It needs to be forwarded on to the server's NAT somehow.

    Also, don't I need two NICs in the server for the RAS to work? Or..?

  4. #4
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,895
    Let's get the details...
    Your router is pulling some public IP address, and is your server's (and network's) IP address a private IP range? Something like 10.1.1.XXX or 192.168.XXX.XXX?

    If so, then NAT is running, and I'd assume that all incoming ports are blocked. You'll have to forward ports to your server's LAN IP, such as Remote Desktop: forward port 3389 to your server's private IP address.

    Router is running DHCP, not the server? What DNS is being handed out to the network? If it's the router, then probably your bandwidth provider's DNS servers, which is not what you want; you want your DC's IP to be the one and only DNS handed out (unless you have a larger WAN setup).
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  5. #5
    Regular Member chugger93's Avatar
    Join Date
    Aug 2002
    Location
    MI
    Posts
    150
    Here is my router config. Our private scheme is 192.168.0.1 etc., Class C. Serial0 interface is the WAN (internet). FastEthernet0 is our LAN (local).
    The Cisco runs the DHCP. The server runs a local DNS (192.168.0.2) and a domain controller. That's really about it.

    pathwaysouthfield>en
    Password:
    pathwaysouthfield#sh run
    Building configuration...

    Current configuration : 1370 bytes
    !
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname pathwaysouthfield
    !
    aaa new-model
    !
    !
    !
    !
    memory-size iomem 25
    clock timezone Eastern -5
    clock summer-time EDT recurring
    ip subnet-zero
    ip name-server 192.168.0.2
    ip name-server 63.209.135.*
    no ip dhcp conflict logging
    ip dhcp excluded-address 192.168.0.1 192.168.0.10
    !
    ip dhcp pool pathwaysfld
    network 192.168.0.0 255.255.255.0
    domain-name pathway.com
    default-router 192.168.0.1
    dns-server 192.168.0.2 63.209.135.*
    lease 5
    !
    !
    !
    !
    interface Serial0
    description CONNECTION TO GRID4
    ip address 63.209.135.* 255.255.255.252
    no ip redirects
    ip nat outside
    no ip route-cache
    no fair-queue
    service-module t1 remote-alarm-enable
    no cdp enable
    !
    interface FastEthernet0
    description PATHWAY SOUTHFIELD LAN
    ip address 192.168.0.1 255.255.255.0
    no ip unreachables
    ip nat inside
    speed auto
    full-duplex
    no cdp enable
    !
    ip nat inside source list 7 interface Serial0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 63.209.135.*
    no ip http server
    !
    access-list 7 permit 192.168.0.0 0.0.0.255
    no cdp run
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    no scheduler allocate
    end

  6. #6
    Regular Member objohn's Avatar
    Join Date
    Jul 2002
    Location
    UK
    Posts
    304
    In your access list you need to permit the ports that you require - for RDP you need port 3389.
    Something like this should do the trick

    ! RDP is TCP 3389; 'established' lets replies to LAN-initiated TCP sessions back in
    access-list 101 permit tcp any host <YOUR IP> eq 3389 log
    access-list 101 permit tcp any any established
    access-list 101 deny ip any any

    then apply the list to your interface

    hope this helps

    OJ
    Those who fail to prepare, must prepare to fail

  7. #7
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,895
    Not being a Cisco expert, it does appear that you're running pure NAT. Assuming that, no need for RRAS at all, just simple port forwarding, as objohn posted.

    I would however remove the secondary DNS server you have DHCP handing out, I prefer to have the local DC be the one and only DNS server for a single LAN. Have its properties set to forward to your ISP's DNS servers in the DNS server objects properties, forwarding tab. Also the server itself, in its TCP properties, should look to its own IP as its one and only DNS server.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  8. #8
    SG Enthusiast yikes's Avatar
    Join Date
    Sep 2000
    Location
    Toronto
    Posts
    1,216
    Yeah, you are doing a 1-to-many NAT; the "overload" sets this up, otherwise it's 1-to-1. Now, for port forwarding it's super simple; here is the syntax and an example:

    router# ip nat inside source static "protocol" "inside IP" "inside port#" interface "interface type and #" "outside port#"

    So if you wanted to forward port 80 to your internal web server with 192.168.0.100, your syntax would be as follows:

    ip nat inside source static tcp 192.168.0.100 80 interface serial0 80

    That's it, you're done; it's super simple, give it a try!

    YiKeS

  9. #9
    Regular Member chugger93's Avatar
    Join Date
    Aug 2002
    Location
    MI
    Posts
    150
    Right, I've just always wondered if it's possible to forward packets from NAT devices to other NAT devices. Let's say if I'm too nervous to mess with Cisco stuff right now, instead, have the packets from the Cisco be forwarded on to the 2003 server NAT, and then from there to the LAN. Opening up ports in RAS instead...

  10. #10
    Regular Member chugger93's Avatar
    Join Date
    Aug 2002
    Location
    MI
    Posts
    150
    Yikes: That worked flawlessly!!

    Someone else in another forum said you had to do additional commands like

    access-list 101 permit tcp any any eq 3389
    And
    ip access-group 101 in


    However just your command worked perfectly.

  11. #11
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,895
    Quote Originally Posted by chugger93
    Right, Ive just always wondered if its possible to forward packets from NAT devices to other NAT devices. Lets say if Im too nervous to mess with Cisco stuff right now, instead, have the packets from the cisco be forwarded onto the 2003 server NAT, and then from there to the LAN. Opening up ports in RAS instead...
    If you're having the packets from the cisco be forwarded to the server...then you've already forwarded the ports. And the server is single homed, right? So no RRAS.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  12. #12
    Regular Member chugger93's Avatar
    Join Date
    Aug 2002
    Location
    MI
    Posts
    150
    How have I already forwarded the ports? I'm not sure if I even have to. I just figured I'd rather be opening up ports on RAS than making access lists. So I wanna run RAS, but I'm not sure how the NAT on the Cisco is going to forward traffic to the NAT on the Server 2003.

  13. #13
    SG Enthusiast yikes's Avatar
    Join Date
    Sep 2000
    Location
    Toronto
    Posts
    1,216
    chugger93,

    Congrats on getting it to work, I'm glad the config samples I posted above worked, and that I could help you out. If you ever need assistance with Cisco gear, don't hesitate to ask.

    There should be no need for access-lists to forward ports as you requested. Access-lists are used to block/permit specific IP ranges, ports, networks, or packets.

    Regards,
    YiKeS

  14. #14
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,895
    Quote Originally Posted by chugger93
    How have I already forwarded the ports? Im not sure if I even have too.
    You did by following what Yikes posted. If your server is single NIC, RRAS doesn't even come into play.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  15. #15
    Regular Member chugger93's Avatar
    Join Date
    Aug 2002
    Location
    MI
    Posts
    150
    The server is dual NIC'd, because I just added another network card. So technically I could use RAS. However I'm getting the impression that either no one understands what I wanna do, or I don't understand that I'm just supposed to use NAT on the server instead of the Cisco to achieve what I wanna do.

    Thanks YeOldeStonecat, I'll prob need cisco help in the future

  16. #16
    Junior Member
    Join Date
    Feb 2005
    Posts
    11
    Please Please Please change the port number you are using for Terminal Services. Everyone and their brother knows what port that is, and if it's open, you're just begging for trouble. Also, you would be better suited to set up an ACL here. Lock it down! Force anyone coming from the outside to meet certain criteria. Deploy a VPN, but do something that requires some sort of authentication or verification of location. Otherwise you've only weakened your network. You want to be allowed to remote in and then authenticate, while everyone else gets stopped at the door.

    Think of your network security setup as a building by itself. The front door would be the router. You wouldn't leave the front door open and unlocked to your office. That would let anyone in late at night without knowing who they are hoping that every other door that is supposed to be locked actually is.
    Last edited by Tekmazter; 02-10-05 at 12:26 PM.

  17. #17
    Junior Member
    Join Date
    May 2007
    Posts
    2

    change of nat rules?

    Hello, I have a Cisco router, CISCO C828 (with non-working web interface; I'm sure this would be so much easier with that).

    And I was hoping someone could give me a quick point in the right direction. I have about 10 NAT rules that I need to change the IP on, since I bought another machine and now want that particular port to point to the new machine instead of the old one.

    So I'm looking to change the following

    ip nat inside source list 101 interface Dialer0 overload
    ip nat inside source static tcp 192.168.1.10 1723 interface Dialer0 1723
    ip nat inside source static tcp 192.168.1.10 443 interface Dialer0 443
    ip nat inside source static tcp 192.168.1.10 79 interface Dialer0 79
    ip nat inside source static tcp 192.168.1.10 6543 interface Dialer0 6543
    ip nat inside source static tcp 192.168.1.10 110 interface Dialer0 110
    ip nat inside source static tcp 192.168.1.10 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.1.10 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.1.1 23 interface Dialer0 23023
    ip nat inside source static tcp 192.168.1.10 21 interface Dialer0 21
    ip nat inside source static tcp 192.168.1.11 88 interface Dialer0 88
    ip nat inside source static tcp 192.168.1.11 1234 interface Dialer0 1234
    ip nat inside source static tcp 192.168.1.10 20 interface Dialer0 20

    into
    ip nat inside source list 101 interface Dialer0 overload
    ip nat inside source static tcp 192.168.1.13 1723 interface Dialer0 1723
    ip nat inside source static tcp 192.168.1.13 443 interface Dialer0 443
    ip nat inside source static tcp 192.168.1.13 79 interface Dialer0 79
    ip nat inside source static tcp 192.168.1.13 6543 interface Dialer0 6543
    ip nat inside source static tcp 192.168.1.13 110 interface Dialer0 110
    ip nat inside source static tcp 192.168.1.13 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.1.13 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.1.1 23 interface Dialer0 23023
    ip nat inside source static tcp 192.168.1.13 21 interface Dialer0 21
    ip nat inside source static tcp 192.168.1.11 88 interface Dialer0 88
    ip nat inside source static tcp 192.168.1.11 1234 interface Dialer0 1234
    ip nat inside source static tcp 192.168.1.13 20 interface Dialer0 20

    In my attempts to do this, I am frequently told the following:

    Static entry in use, cannot change.

    And this is all fine and dandy; now I've read that one can disable NAT (this is, however, not an option for me, as I won't have access to it anymore). Another option is to block traffic on that port, and this I would like to do, but I can't for the life of me figure out how to block on this Cisco.

    And I have yet to find any way of doing this.

    Any help is appreciated. Thanks
    Last edited by tbell; 05-10-07 at 08:24 AM.

  18. #18
    Quote Originally Posted by tbell
    First you have to remove the previous entries like this:

    Code:
    no ip nat inside source static tcp 192.168.1.10 1723 interface Dialer0 1723
    Or you could just get a TFTP server (available for free if you do a quick Google search), then copy your config to a text file, make your changes, then upload the file to the startup-config like so:
    Code:
    Router#copy tftp: startup-config
    Address or name of remote host [xx.xx.xx]? 
    Source filename [backup_cfg_for_router]? 
    Destination filename [running-config]? 
    Accessing ftp://xx.xx.xx/backup_cfg_for_router...
    Loading backup_cfg_for_router !
    [OK - 1030/4096 bytes]
    1030 bytes copied in 13.213 secs (78 bytes/sec)
    Got it?

    ~ Mike

  19. #19
    Junior Member
    Join Date
    Jan 2008
    Posts
    1
    "Static entry in use, cannot change"

    This is because there is an active NAT translation.
    To modify existing NAT rules, you first need to clear the translations.

    "clear ip nat translation *"

    This will clear all translations, then you should be able to make the changes. If you get the same error, disable your LAN interface, clear the NAT translations and try again. This will prevent any further translations from happening after clearing them.
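The rewrite tbell asked for, as an added example that is not code from this thread or from Cisco: a small Python helper that parses static NAT lines in the form yikes gave in #8, emits the clear-translations, remove-with-`no`, then re-add sequence that Mike (#18) and post #19 describe, and lists which ports the rules expose to the WAN (Tekmazter's point in #16). The sample config lines are constructed from tbell's post; exec-mode versus config-mode commands are separated in the output.

```python
import re
from dataclasses import dataclass

# Matches the IOS static PAT form used throughout the thread:
#   ip nat inside source static <proto> <inside ip> <inside port> interface <ifname> <outside port>
STATIC_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<lport>\d+) interface (?P<ifname>\S+) (?P<gport>\d+)$"
)

# Constructed sample, modelled on tbell's running config (not his full config)
SAMPLE_CONFIG = """\
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.10 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.1 23 interface Dialer0 23023
ip nat inside source static tcp 192.168.1.11 88 interface Dialer0 88
"""


@dataclass(frozen=True)
class StaticNat:
    proto: str
    inside_ip: str
    inside_port: int
    ifname: str
    outside_port: int

    def to_ios(self) -> str:
        return (f"ip nat inside source static {self.proto} {self.inside_ip} "
                f"{self.inside_port} interface {self.ifname} {self.outside_port}")


def parse_static_nat(lines):
    """Return the static NAT rules found in a config; the 'overload' line and
    everything else that is not a static entry is ignored."""
    rules = []
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if m:
            rules.append(StaticNat(m["proto"], m["ip"], int(m["lport"]),
                                   m["ifname"], int(m["gport"])))
    return rules


def migrate(rules, old_ip, new_ip):
    """Commands that move every rule for old_ip to new_ip. IOS refuses to
    overwrite a static entry with live translations ("Static entry in use"),
    so the translation table is cleared first (exec mode), then each old entry
    is removed with 'no' before its replacement is added (config mode)."""
    affected = [r for r in rules if r.inside_ip == old_ip]
    exec_cmds = ["clear ip nat translation *"]
    config_cmds = ["no " + r.to_ios() for r in affected]
    config_cmds += [StaticNat(r.proto, new_ip, r.inside_port, r.ifname,
                              r.outside_port).to_ios() for r in affected]
    return exec_cmds, config_cmds


def exposed_ports(rules):
    """Every static entry is a hole through the NAT: list (proto, WAN port)."""
    return sorted({(r.proto, r.outside_port) for r in rules})
```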
