How to Configure Port Forwarding in Cisco Router


Today I was trying to configure port forwarding in one of my client's offices. They wanted me to forward ports like 5000 and 6000. I was given GUI access to the Cisco 2900 series router. I could not see any options for NAT or ACL there. I suspect we can't forward ports from that particular router. Help me if there is any way we can do that via the CLI.

My private IP is 172.16.32.250 and my public IP is 5.6.7.8. When someone opens 5.6.7.8:5000 in their browser from outside the office, I want them to get the interface of my biometric devices. I want TCP 5000 to be opened/forwarded.

Is it not called port forwarding? Please help me understand this concept better.
Please help

Best Answer

You can absolutely do Network Address Translation on the 2900.

Cisco has a public document here: http://www.cisco.com/c/en/us/support/docs/long-reach-ethernet-lre-digital-subscriber-line-xdsl/asymmetric-digital-subscriber-line-adsl/12905-827spat.html

I'm not certain what you would be doing with forwarding 5000 and 6000 into the network, but I suppose that's their business. However, it might be helpful if we knew what they are trying to accomplish.

I've never used the GUI to configure an IOS router. I suggest using the CLI. The command:

router#sh ip int br

will list your interfaces and help you determine which is inside vs. outside.

Edit your inside interface, adding the line ip nat inside:

router#conf t
router(config)#int gi0/1
router(config-if)#ip nat inside
router(config-if)#

Do the same with your outside interface but make sure you tell the router this is the outside NAT interface.

router(config-if)#int gi0/0
router(config-if)#ip nat outside
router(config-if)#exit
router(config)#

Tell the router what you want to NAT with an access list:

router(config)#ip nat inside source list 101 interface gi0/0 overload

Build the access list. An extended access list is required if you want to specify the port.

router(config)#ip access-list extended 101
router(config-ext-nacl)#permit tcp any eq 6000 host 1.2.3.4 eq 6000

EDIT

I'll use 1.2.3.4 as the public IP of the server on the internet side of the router. Make sure you identify what IP is reaching out to the biometric device... I put "any" in the above example, but it's just an example. I prefer not to use "any" if at all possible.

If TCP:

router(config-ext-nacl)#permit tcp host 172.16.32.250 eq 5000 host 1.2.3.4 eq 5000
router(config-ext-nacl)#permit tcp host 172.16.32.250 eq 6000 host 1.2.3.4 eq 6000

If UDP:

router(config-ext-nacl)#permit udp host 172.16.32.250 eq 5000 host 1.2.3.4 eq 5000
router(config-ext-nacl)#permit udp host 172.16.32.250 eq 6000 host 1.2.3.4 eq 6000

END OF EDIT

After permit, you can specify the protocol (tcp, udp, icmp, esp, etc.) or everything with ip. You can use host and an IP, or an IP address plus a wildcard mask.

router(config-ext-nacl)#end
router#copy run start
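As an added example that is not part of the answer above, the static NAT form of the same forward using the addresses from the question, with an inbound filter so that only a known client can reach the forwarded ports. It assumes 5.6.7.8 is the address configured on gi0/0 (outside) and gi0/1 is inside; 203.0.113.10 is a constructed placeholder for the permitted external client.

```cisco
! Added example, not from the answer above. Interface roles as assumed in the
! answer: gi0/0 outside, gi0/1 inside. 203.0.113.10 is a constructed placeholder.
interface GigabitEthernet0/0
 ip nat outside
 ip access-group BIOMETRIC-IN in
!
interface GigabitEthernet0/1
 ip nat inside
!
! Static port forwards: 5.6.7.8:5000 -> 172.16.32.250:5000, same for 6000.
! "extendable" lets several static entries share one public address.
ip nat inside source static tcp 172.16.32.250 5000 5.6.7.8 5000 extendable
ip nat inside source static tcp 172.16.32.250 6000 5.6.7.8 6000 extendable
!
! Inbound filter on the outside interface. For outside-to-inside traffic the
! ACL is evaluated before translation, so it matches the public address
! 5.6.7.8, not the inside host. Only the named client may reach the forwarded
! ports; other attempts on those ports are dropped and logged; everything
! else (e.g. return traffic for outbound sessions) is left alone.
ip access-list extended BIOMETRIC-IN
 permit tcp host 203.0.113.10 host 5.6.7.8 eq 5000
 permit tcp host 203.0.113.10 host 5.6.7.8 eq 6000
 deny   tcp any host 5.6.7.8 eq 5000 log
 deny   tcp any host 5.6.7.8 eq 6000 log
 permit ip any any
!
! Verify after a connection attempt from the client:
!   show ip nat translations | include 5000
!   show access-lists BIOMETRIC-IN   (hit counts on the deny lines reveal probes)
```

The two static entries and the dynamic overload rule from the answer can coexist on the same router; the static entries take precedence for the listed ports.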