Thread: Cisco and Port Forwarding

  1. #1
    Junior Member
    Join Date
    Feb 2007
    Posts
    2

    Cisco and Port Forwarding

    I have a unique situation that I have never encountered, but I think I am heading in the right direction. So anyone with some Cisco background please check me on this.

    I want to do some port forwarding on a Cisco 1800W (Wireless) router. But I need to forward the ports to all IPs inside my network. Let me explain.

    We have a DVR system that handles our security cameras, and I need to allow multiple PCs access to those cameras within our corporate headquarters. So I need to be able to forward that port to all my PCs. But I am not 100% sure how this will work.

    If it were just one port I could use something like

    ip nat inside source static tcp 192.168.100.X 3389 interface BVI1 3389

    But how do I get it to go to any address?

    Would I use something like

    ip nat inside source tcp any 3389 interface BVI1 3389
    or
    ip nat inside source dynamic tcp any 3389 interface BVI1 3389

    or do I need to set up some access list to try and work from?

    Thanks for any help.

  2. #2
    Junior Member
    Join Date
    Feb 2007
    Posts
    2
    Right now, I can get out to the DVR systems, but it will not allow traffic to pass back through the router to the local PC.

    Here are the relevant portions of my config file:

    interface FastEthernet1
    description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
    ip address 208.180.138.254 255.255.255.0
    ip access-group 101 in
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip inspect SDM_HIGH out
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    service-policy input sdmappfwp2p_SDM_HIGH
    service-policy output sdmappfwp2p_SDM_HIGH

    interface BVI1
    description $ES_LAN$$FW_INSIDE$
    ip address 192.168.123.1 255.255.255.0
    ip access-group 100 in
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1412
    !
    ip route 0.0.0.0 0.0.0.0 208.180.138.1
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat source list 150 interface FastEthernet1 overload
    ip nat inside source list 1 interface FastEthernet1 overload
    ip nat inside source static tcp 192.168.123.5 100 208.180.138.254 100 extendable
    ip nat inside source static tcp 192.168.123.5 4503 208.180.138.254 4503 extendable
    ip nat inside source static tcp 192.168.123.5 5800 208.180.138.254 5800 extendable
    ip nat inside source static tcp 192.168.123.56 5801 208.180.138.254 5801 extendable
    ip nat inside source static tcp 192.168.123.5 5900 208.180.138.254 5900 extendable
    ip nat inside source static tcp 192.168.123.56 5901 208.180.138.254 5901 extendable
    ip nat inside source static tcp 192.168.123.50 10051 208.180.138.254 10070 extendable
    ip nat inside source static tcp 192.168.123.5 10884 208.180.138.254 10884 extendable
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=BVI1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.123.0 0.0.0.255
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip 208.180.138.0 0.0.0.255 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 100 permit tcp any any eq 2000
    access-list 100 permit udp any any eq 2000
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit udp any any eq 2000
    access-list 101 permit tcp any any eq 2000
    access-list 101 permit tcp any host 208.180.138.254 eq 10884
    access-list 101 permit tcp any host 208.180.138.254 eq 10070
    access-list 101 permit tcp any host 208.180.138.254 eq 5900
    access-list 101 permit tcp any host 208.180.138.254 eq 5800
    access-list 101 permit tcp any host 208.180.138.254 eq 4503
    access-list 101 permit tcp any host 208.180.138.254 eq 100
    access-list 101 permit udp host 208.180.42.100 eq domain host 208.180.138.254
    access-list 101 permit udp host 208.180.42.68 eq domain host 208.180.138.254
    access-list 101 deny ip 192.168.123.0 0.0.0.255 any
    access-list 101 permit icmp any host 208.180.138.254 echo-reply
    access-list 101 permit icmp any host 208.180.138.254 time-exceeded
    access-list 101 permit icmp any host 208.180.138.254 unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log
    access-list 101 permit tcp any host 208.180.138.254 eq 2000
    access-list 101 permit udp any host 208.180.138.254 eq 2000
    access-list 150 permit tcp any host 208.180.138.254 eq 2000
    access-list 150 permit udp any host 208.180.138.254 eq 2000
    access-list 150 permit tcp any any eq 2000
    access-list 150 permit udp any any eq 2000
    no cdp run

  3. #3
    It has been a while since I configured a Cisco ACL, but I think this may be a problem.

    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip 208.180.138.0 0.0.0.255 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 100 permit tcp any any eq 2000
    access-list 100 permit udp any any eq 2000
    It appears you have this applied to the interface that is connected to your internal network (192.168.123/24) and is filtering traffic as it comes from the said network into the router.

    From what I remember, Cisco ACLs are processed from the top to the bottom. Once it finds a match, it filters/sends the traffic accordingly. Since there is a sweeping statement of "permit ip any any" before the more granular "permit tcp any any eq 2000" and "permit udp any any eq 2000", I believe those last two statements will not be utilized.

    The other thing that struck me as odd was "deny ip 208.180.138.0 0.0.0.255 any". It appears this is blocking traffic with destination addresses in 208.180.138.0/24. This would be fine if this network is just a "link" type network, but if there are hosts within that network it may cause some issues.

    Am I understanding your ACLs correctly?

  4. #4
    Advanced Member
    Join Date
    Dec 2001
    Location
    NY
    Posts
    688
    That shouldn't make a difference as they are both permit statements. If you had a deny that caught some traffic and then a permit you would be correct on the order. But the permits are ok.

    If you want to forward something to all PCs (IPs) on a network it needs to be a broadcast or multicast. Then you can just set up a rule based on source address and port to allow that traffic.
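Post #3 describes first-match processing and post #4 points out that order only matters when an earlier entry is a deny. The following is an added example, not Cisco software and not tooling from anyone in this thread: a small first-match evaluator and shadow checker for the numbered extended ACL syntax that appears in post #2. It generalizes the point made above to any earlier entry, permit or deny, that fully covers a later one, so it also flags the two "eq 2000" permits in ACL 101 that sit below "deny ip any any log". The ACL text is copied from post #2 (ACL 100 in full, ACL 101 as an excerpt); the parser handles only the forms present there (any, host, address plus wildcard, eq with a number or the name "domain", one ICMP type keyword, trailing "log"), and ICMP types are compared for shadowing but not modelled when evaluating a packet.

```python
"""First-match evaluation and shadow detection for Cisco-style numbered
extended ACLs. Added example for this thread, not Cisco code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"domain": 53}  # only the service name used on the page

# Constructed input: ACL 100 and an excerpt of ACL 101, copied from post #2.
ACL_100 = """
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 208.180.138.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit tcp any any eq 2000
access-list 100 permit udp any any eq 2000
"""
ACL_101_EXCERPT = """
access-list 101 permit tcp any host 208.180.138.254 eq 5900
access-list 101 permit udp host 208.180.42.100 eq domain host 208.180.138.254
access-list 101 deny ip 192.168.123.0 0.0.0.255 any
access-list 101 permit icmp any host 208.180.138.254 echo-reply
access-list 101 deny ip any any log
access-list 101 permit tcp any host 208.180.138.254 eq 2000
access-list 101 permit udp any host 208.180.138.254 eq 2000
"""


@dataclass(frozen=True)
class AddrSpec:
    addr: int  # IPv4 address as a 32-bit int
    wild: int  # wildcard mask: a 1 bit means "don't care"

    def matches(self, ip: int) -> bool:
        return ((self.addr ^ ip) & ~self.wild & 0xFFFFFFFF) == 0

    def covers(self, other: "AddrSpec") -> bool:
        # every address other can match is also matched by self
        return (other.wild & ~self.wild) == 0 and self.matches(other.addr)


@dataclass(frozen=True)
class Ace:
    text: str
    action: str  # permit / deny
    proto: str   # ip / tcp / udp / icmp
    src: AddrSpec
    sport: Optional[int]
    dst: AddrSpec
    dport: Optional[int]
    icmp_type: Optional[str]

    def matches(self, proto, src_ip, dst_ip, sport=None, dport=None) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if not (self.src.matches(src_ip) and self.dst.matches(dst_ip)):
            return False
        return all(w is None or w == g for w, g in ((self.sport, sport), (self.dport, dport)))

    def covers(self, other: "Ace") -> bool:
        """True if every packet `other` would match is matched by self first."""
        if self.proto != "ip" and self.proto != other.proto:
            return False
        if not (self.src.covers(other.src) and self.dst.covers(other.dst)):
            return False
        return all(m is None or m == t for m, t in ((self.sport, other.sport),
                   (self.dport, other.dport), (self.icmp_type, other.icmp_type)))


def _addr(tok, i):
    if tok[i] == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return AddrSpec(int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return AddrSpec(int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def _port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(text: str) -> list:
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue  # remarks do not filter anything
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        rest = [t for t in tok[i:] if t != "log"]
        icmp_type = rest[0] if tok[3] == "icmp" and rest else None
        aces.append(Ace(line.strip(), tok[2], tok[3], src, sport, dst, dport, icmp_type))
    return aces


def evaluate(aces, proto, src_ip, dst_ip, sport=None, dport=None):
    """(action, ace) of the first matching entry; ("deny", None) is the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for ace in aces:
        if ace.matches(proto, s, d, sport, dport):
            return ace.action, ace
    return "deny", None


def find_shadowed(aces):
    """Entries that can never be reached because an earlier entry covers them."""
    out = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:
            if earlier.covers(later):
                out.append((later, earlier))
                break
    return out


if __name__ == "__main__":
    for name, text in (("ACL 100", ACL_100), ("ACL 101", ACL_101_EXCERPT)):
        for later, earlier in find_shadowed(parse_acl(text)):
            print(f"{name}: unreachable '{later.text}' (covered by '{earlier.text}')")
    print(evaluate(parse_acl(ACL_101_EXCERPT), "tcp", "1.2.3.4", "208.180.138.254", dport=2000)[0])
```

Run as a script it lists the two "eq 2000" permits in ACL 100 as covered by "permit ip any any" (harmless, as post #4 says, because both are permits) and the two "eq 2000" permits in ACL 101 as covered by "deny ip any any log", then shows that an inbound TCP connection to 208.180.138.254 port 2000 is denied by that excerpt. The covering test treats wildcard-mask bits as don't-care bits, so it works for the non-contiguous masks IOS allows as well as the prefix-style ones on the page.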
