Port Forwarding w/Cisco/Windows Help

Networking, Wireless Routers (802.11 a/b/g/n/ac/ax WiFi), NAT, LAN configuration, equipment, cabling, hubs, switches, and general network discussion
chugger93
Regular Member
Posts: 150
Joined: Wed Aug 28, 2002 9:27 am
Location: MI

Port Forwarding w/Cisco/Windows Help

Post by chugger93 »

I need some help here. I'm new to the whole line of Cisco configuring as well.

I need help port forwarding some ports, for example remote desktop, so I can remote in from home to my office workstation.

We have a T1 and a Cisco router that is wide open (and configured with NAT & DHCP). We also have a 2003 Server that is a domain controller.

I know you can use ACLs to apply port forwarding, but being that I'm new to ACLs I'd rather use something I'm more familiar with (Routing and Remote Access).

How do I specifically go about opening ports with RAS? I know how to do it, but I don't know how to tell the Cisco to forward the packets on to the 2003 server. I have 1 NIC in the server, but I just added another one. How do I configure all of this?

Anyone lend a hand?
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

You say the router is wide open, but say the router is also configured with NAT.

Is the server multi-homed with the WAN NIC pulling a public IP?

I'd much rather take the single homed server approach, using NAT on the router.

But for filtering on Windows, if you right-click your Local Area Connection, select Properties, bring up the properties of TCP/IP, click the Advanced button, click the Options tab, you'll see TCP/IP Filtering under the option settings; click the Properties button for that, and you'll see TCP, UDP, and IP columns there that you can manually edit.
MORNING WOOD Lumber Company
Guinness for Strength!!!
chugger93
Regular Member
Posts: 150
Joined: Wed Aug 28, 2002 9:27 am
Location: MI

Post by chugger93 »

You're right in a sense. The router isn't wide open, to a point, because it has NAT on it, which in theory is a basic firewall.

Our basic setup is...

The T1 line goes into the Cisco router, and from there the router connects to a Dell PowerConnect 24-port switch. The server is plugged into the switch as well.

I know how to open up ports in RAS, but it's not working. I still can't remote desktop from home into work. The packet is probably still dropping at the router, I'm assuming. It needs to be forwarded on to the server's NAT somehow.

Also, don't I need two NICs in the server for RAS to work? Or..?
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

Let's get the details...
Your router is pulling some public IP address, and is your server's (and network's) IP address in a private IP range? Something like 10.1.1.XXX or 192.168.XXX.XXX?

If so, then NAT is running, and I'd assume that all incoming ports are blocked. You'll have to forward ports to your server's LAN IP; for Remote Desktop, forward port 3389 to your server's private IP address.

Router is running DHCP, not the server? What DNS is being handed out to the network? If it's the router, then probably your bandwidth provider's DNS servers, which is not what you want; you want your DC's IP to be the one and only DNS handed out (unless you have a larger WAN setup).
chugger93
Regular Member
Posts: 150
Joined: Wed Aug 28, 2002 9:27 am
Location: MI

Post by chugger93 »

Here is my router config. Our private scheme is 192.168.0.1 etc., Class C. The Serial0 interface is the WAN (Internet). FastEthernet0 is our LAN (local).
The Cisco runs DHCP. The server runs local DNS (192.168.0.2) and is a domain controller. That's really about it.
pathwaysouthfield>en
Password:
pathwaysouthfield#sh run
Building configuration...

Current configuration : 1370 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname pathwaysouthfield
!
aaa new-model
!
!
!
!
memory-size iomem 25
clock timezone Eastern -5
clock summer-time EDT recurring
ip subnet-zero
ip name-server 192.168.0.2
ip name-server 63.209.135.*
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool pathwaysfld
network 192.168.0.0 255.255.255.0
domain-name pathway.com
default-router 192.168.0.1
dns-server 192.168.0.2 63.209.135.*
lease 5
!
!
!
!
interface Serial0
description CONNECTION TO GRID4
ip address 63.209.135.* 255.255.255.252
no ip redirects
ip nat outside
no ip route-cache
no fair-queue
service-module t1 remote-alarm-enable
no cdp enable
!
interface FastEthernet0
description PATHWAY SOUTHFIELD LAN
ip address 192.168.0.1 255.255.255.0
no ip unreachables
ip nat inside
speed auto
full-duplex
no cdp enable
!
ip nat inside source list 7 interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 63.209.135.*
no ip http server
!
access-list 7 permit 192.168.0.0 0.0.0.255
no cdp run
!
line con 0
line aux 0
line vty 0 4
!
no scheduler allocate
end
objohn
Regular Member
Posts: 304
Joined: Fri Jul 26, 2002 9:27 pm
Location: UK

Post by objohn »

In your access list you need to permit the ports that you require; for RDP you need port 3389.
Something like this should do the trick

access-list 101 permit tcp any host <YOUR IP> eq 3389 log
! return traffic for sessions the LAN opened; without this the deny below drops it
access-list 101 permit tcp any any established
access-list 101 deny ip any any

then apply the list to your interface

hope this helps

OJ
Those who fail to prepare, must prepare to fail
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

Not being a Cisco expert, it does appear that you're running pure NAT. Assuming that, there's no need for RRAS at all, just simple port forwarding, as objohn posted.

I would, however, remove the secondary DNS server you have DHCP handing out; I prefer to have the local DC be the one and only DNS server for a single LAN. Have its properties set to forward to your ISP's DNS servers in the DNS server object's properties, Forwarders tab. Also the server itself, in its TCP/IP properties, should look to its own IP as its one and only DNS server.
yikes
Senior Member
Posts: 1216
Joined: Sun Sep 24, 2000 12:00 am
Location: Toronto

Post by yikes »

Yeah, you are doing a one-to-many NAT; the "overload" sets this up, otherwise it's one-to-one. Now for port forwarding it's super simple; here is the syntax and an example:

router(config)# ip nat inside source static <protocol> <inside IP> <inside port#> interface <interface type and #> <outside port#>

So if you wanted to forward port 80 to your internal web server at 192.168.0.100, your syntax would be as follows:

ip nat inside source static tcp 192.168.0.100 80 interface Serial0 80

That's it, you're done; it's super simple, give it a try!

YiKeS
chugger93
Regular Member
Posts: 150
Joined: Wed Aug 28, 2002 9:27 am
Location: MI

Post by chugger93 »

Right, I've just always wondered if it's possible to forward packets from NAT devices to other NAT devices. Let's say I'm too nervous to mess with Cisco stuff right now; instead, have the packets from the Cisco be forwarded on to the 2003 server NAT, and then from there to the LAN, opening up ports in RAS instead...
chugger93
Regular Member
Posts: 150
Joined: Wed Aug 28, 2002 9:27 am
Location: MI

Post by chugger93 »

Yikes: That worked flawlessly!!

Someone else in another forum said you had to do additional commands like

access-list 101 permit tcp any any eq 3389
and
ip access-group 101 in

However, just your command worked perfectly.
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

chugger93 wrote: Right, I've just always wondered if it's possible to forward packets from NAT devices to other NAT devices. Let's say I'm too nervous to mess with Cisco stuff right now; instead, have the packets from the Cisco be forwarded on to the 2003 server NAT, and then from there to the LAN, opening up ports in RAS instead...

If you're having the packets from the Cisco be forwarded to the server, then you've already forwarded the ports. And the server is single-homed, right? So no RRAS.
chugger93
Regular Member
Posts: 150
Joined: Wed Aug 28, 2002 9:27 am
Location: MI

Post by chugger93 »

How have I already forwarded the ports? I'm not sure if I even have to. I just figured I'd rather be opening up ports on RAS than making access lists. So I wanna run RAS, but I'm not sure how the NAT on the Cisco is going to forward traffic to the NAT on the Server 2003.
yikes
Senior Member
Posts: 1216
Joined: Sun Sep 24, 2000 12:00 am
Location: Toronto

Post by yikes »

chugger93,

Congrats on getting it to work. I'm glad the config samples I posted above worked, and that I could help you out. If you ever need assistance with Cisco gear, don't hesitate to ask.

There should be no need for access lists to forward ports as you requested. Access lists are used to block/permit specific IP ranges, ports, networks, or packets.

Regards,
YiKeS
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

chugger93 wrote: How have I already forwarded the ports? I'm not sure if I even have to.

You did by following what Yikes posted. If your server is single-NIC, RRAS doesn't even come into play.
chugger93
Regular Member
Posts: 150
Joined: Wed Aug 28, 2002 9:27 am
Location: MI

Post by chugger93 »

The server is dual-NIC'd, because I just added another network card. So technically I could use RAS. However, I'm getting the impression that either no one understands what I wanna do, or I don't understand that I'm just supposed to use NAT on the server instead of the Cisco to achieve what I wanna do.

Thanks YeOldeStonecat, I'll prob need cisco help in the future :p
Tekmazter
New Member
Posts: 11
Joined: Thu Feb 10, 2005 9:31 am

Post by Tekmazter »

Please, please, please change the port number you are using for Terminal Services. Everyone and their brother knows what port that is, and if it's open, you're just begging for trouble. Also, you would be better suited to set up an ACL here. Lock it down! Force anyone coming from the outside to meet certain criteria. Deploy a VPN, but do something that requires some sort of authentication or verification of location. Otherwise you've only weakened your network. You want to be allowed to remote in and then authenticate, while everyone else gets stopped at the door.

Think of your network security setup as a building by itself. The front door would be the router. You wouldn't leave the front door open and unlocked to your office. That would let anyone in late at night without knowing who they are, hoping that every other door that is supposed to be locked actually is.
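The forward from earlier in the thread, hardened along the lines Tekmazter describes, as an added worked example; none of the posters ran this and it is not part of the original thread. It keeps chugger93's layout (Serial0 outside, FastEthernet0 inside on 192.168.0.0/24, NAT overload through access-list 7) and assumes three addresses the thread does not give: the office workstation at 192.168.0.50, the router's public address as 203.0.113.2 (the real one is masked in the posted config), and the home connection's public address as 198.51.100.7. The RDP listener is published on a non-default outside port, and an extended ACL on the outside interface admits only the home address to it while still letting the LAN's own outbound sessions come back.

```cisco
! Added example (not from the original thread). Assumed addresses:
!   203.0.113.2   router's public address on Serial0 (masked as 63.209.135.* in the thread)
!   198.51.100.7  public address of the home connection
!   192.168.0.50  office workstation running Remote Desktop
configure terminal
!
! 1. Publish the workstation's RDP listener on outside port 33389 instead of 3389.
!    Moving the port only hides the service from casual scans; the ACL below is
!    the control that actually decides who may reach it.
ip nat inside source static tcp 192.168.0.50 3389 interface Serial0 33389
!
! 2. Inbound filter for the outside interface. An inbound ACL on Serial0 is
!    evaluated before NAT, so it must match the public address and the outside
!    port (203.0.113.2:33389), not 192.168.0.50:3389.
ip access-list extended OUTSIDE-IN
 remark Remote Desktop only from the home connection
 permit tcp host 198.51.100.7 host 203.0.113.2 eq 33389 log
 remark Return traffic for TCP sessions the LAN opened (ACK or RST set)
 permit tcp any any established
 remark DNS replies to the router and the DC (both forward to 63.209.135.x)
 permit udp any eq domain any
 remark Ping replies, path MTU discovery and traceroute responses
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark Everything else, including 3389 or 33389 from any other source, is dropped
 deny ip any any log
!
interface Serial0
 ip access-group OUTSIDE-IN in
end
!
! Verify: the static entry should show 203.0.113.2:33389 --> 192.168.0.50:3389,
! and the ACL hit counters should climb only on the permit lines you expect.
show ip nat translations
show access-lists OUTSIDE-IN
```

Two caveats worth keeping in mind. `established` is a stateless match on TCP flag bits, not connection tracking; it is adequate for a small office behind a T1 but a crafted packet with ACK set still passes, so IOS Firewall (`ip inspect`) or the VPN Tekmazter suggests is the better long-term answer. And if the home connection's public address changes, the permit line has to follow it; a VPN removes that maintenance entirely, because nothing inbound is published except the VPN endpoint.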
archangel163
New Member
Posts: 8
Joined: Thu May 10, 2007 6:19 pm

Post by archangel163 »

tbell wrote: Hello, I have a Cisco router, a CISCO C828 (with a non-working web interface :( I'm sure this would be so much easier with that).

And I was hoping someone could give me a quick point in the right direction. I have about 10 NAT rules that I need to change the IP on, since I bought another machine and now want that particular port to point to the new machine instead of the old one.

So im looking to do the following

ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.10 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.1.10 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.10 79 interface Dialer0 79
ip nat inside source static tcp 192.168.1.10 6543 interface Dialer0 6543
ip nat inside source static tcp 192.168.1.10 110 interface Dialer0 110
ip nat inside source static tcp 192.168.1.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.10 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.1 23 interface Dialer0 23023
ip nat inside source static tcp 192.168.1.10 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.11 88 interface Dialer0 88
ip nat inside source static tcp 192.168.1.11 1234 interface Dialer0 1234
ip nat inside source static tcp 192.168.1.10 20 interface Dialer0 20

into
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.13 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.1.13 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.13 79 interface Dialer0 79
ip nat inside source static tcp 192.168.1.13 6543 interface Dialer0 6543
ip nat inside source static tcp 192.168.1.13 110 interface Dialer0 110
ip nat inside source static tcp 192.168.1.13 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.13 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.1 23 interface Dialer0 23023
ip nat inside source static tcp 192.168.1.13 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.11 88 interface Dialer0 88
ip nat inside source static tcp 192.168.1.11 1234 interface Dialer0 1234
ip nat inside source static tcp 192.168.1.13 20 interface Dialer0 20

In my attempts to do this, I am frequently told the following:

Static entry in use, cannot change.

And this is all fine and dandy; now I've read that one can disable NAT (this is, however, not an option for me, as I won't have access to it anymore). Another option is to block traffic on that port, and this I would like to do, but I can't for the life of me figure out how to block on this Cisco.

And I have yet to find any way of doing this :mad:

Any help is appreciated. Thanks
First you have to remove the previous entries, like this:

no ip nat inside source static tcp 192.168.1.10 1723 interface Dialer0 1723

Or you could just get a TFTP server (available for free if you do a quick Google search), then copy your config to a text file, make your changes, then upload the file to the startup-config like so:

Router#copy tftp: startup-config
Address or name of remote host [xx.xx.xx]? 
Source filename [backup_cfg_for_router]? 
Destination filename [startup-config]? 
Accessing tftp://xx.xx.xx/backup_cfg_for_router...
Loading backup_cfg_for_router !
[OK - 1030/4096 bytes]
1030 bytes copied in 13.213 secs (78 bytes/sec)
Got it?

~ Mike
AlanF

Post by AlanF »

"Static entry in use, cannot change"

This is because there is an active NAT translation.
To modify existing NAT rules, you first need to clear the translations.

"clear ip nat translation *"

This will clear all translations; then you should be able to make the changes. If you get the same error, disable your LAN interface, clear the NAT translations and try again. This will prevent any further translations from happening after clearing them.
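The change tbell was trying to make, run through end to end as an added example; it is not from the thread and neither archangel163 nor AlanF posted it. The addresses come from the quoted post (old server 192.168.1.10, new server 192.168.1.13, outside interface Dialer0); the inside interface name Ethernet0 is an assumption, since the post does not show it. The order is what avoids the "Static entry in use" error: look at what is translating, clear it, remove the old rule, add the new one, confirm. The interface shutdown is the fallback AlanF describes for a busy link where new translations appear between the clear and the change.

```cisco
! Added example, not from the original thread. Addresses come from the quoted post
! (old server 192.168.1.10, new server 192.168.1.13, outside interface Dialer0);
! the inside interface name Ethernet0 is an assumption, the post does not show it.
!
! 1. Find out whether the old host still has live translations. A static entry
!    with active sessions is listed with extra lines carrying outside addresses
!    and ports; those are what make the entry "in use".
show ip nat translations | include 192.168.1.10
!
! 2. Clear them. The keyword is singular ("translation"). "*" removes every
!    translation on the box, so the LAN's outbound sessions reset and rebuild
!    on their next packet; pick a quiet moment.
clear ip nat translation *
!
! 3. Remove the old rules and add the new ones. The "no" form has to repeat the
!    rule exactly as it appears in the running config, inside port and all.
configure terminal
 no ip nat inside source static tcp 192.168.1.10 1723 interface Dialer0 1723
 no ip nat inside source static tcp 192.168.1.10 443 interface Dialer0 443
 ip nat inside source static tcp 192.168.1.13 1723 interface Dialer0 1723
 ip nat inside source static tcp 192.168.1.13 443 interface Dialer0 443
end
!
! If step 3 still reports "Static entry in use", an inside host created a fresh
! translation between the clear and the change. Shut the inside interface so no
! new translations can form, clear again, change the rule, then reopen it.
! Do this from the console: the shutdown drops every LAN session, including a
! telnet to the router's 192.168.1.1 address.
configure terminal
 interface Ethernet0
  shutdown
end
clear ip nat translation *
configure terminal
 no ip nat inside source static tcp 192.168.1.10 80 interface Dialer0 80
 ip nat inside source static tcp 192.168.1.13 80 interface Dialer0 80
 interface Ethernet0
  no shutdown
end
!
! 4. Confirm, then save. The first command should list 192.168.1.13 plus the
!    .11 and .1 entries that were not meant to change; the second should print
!    nothing once no rule or session refers to the old host.
show running-config | include ip nat inside source static
show ip nat translations | include 192.168.1.10
copy running-config startup-config
```

The TFTP route archangel163 describes reaches the same end state but goes through a reload, which on a box with no other management path is the bigger outage; the clear-and-replace sequence above keeps the router up and only interrupts NAT sessions for a moment.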