port forwarding within a subnet

Unanswered Question
Nov 28th, 2007

Hi,

I am somewhat green with switch configuration so please bear with me.

I am trying to set up port forwarding within a particular subnet and to limit it in that subnet.

The subnet is 172.16.120.0 subnet mask 255.255.248.0.

We recently had three Catalyst 2960s installed to replace the 3Com switches.

We have a vendor setting up a camera surveillance system that would be accessed from an application console on a PC over the network. They would like to have ports 999 and 995 forwarded to the address 172.16.120.49 and ports 998 and 994 to IP 172.16.120.50. I assume this is so that if the application uses these ports, it would then be directed to the devices at these static IP numbers.

With some research I have found that I first have to create the appropriate access list entries to permit the traffic - this is what I have so far:

1) access-list 101 permit tcp 172.16.120.0 0.0.7.255 eq 999 host 172.16.120.49 eq 999

2) access-list 102 permit tcp 172.16.120.0 0.0.7.255 eq 995 host 172.16.120.49 eq 995

3) access-list 103 permit tcp 172.16.120.0 0.0.7.255 eq 998 host 172.16.120.50 eq 998

4) access-list 104 permit tcp 172.16.120.0 0.0.7.255 eq 994 host 172.16.120.50 eq 994

(The intention with the above four items is to permit those ports within that subnet only. Feel free to correct if wrong and explain as much as possible.)

I gather that now I have to set up the corresponding port forwarding commands - this is where I am stuck. I think I have to create a port forwarding rule for each of the access lists I created above. An example of what I am playing with:

1) ip nat inside source static tcp 172.16.120.49 999 <inside-global-address> 999 extendable

Questions:

1) The ports all seem to be in spanning-tree mode (on all three switches) which I understand to be a "self-discovery" mode - are the access lists alone sufficient? Does spanning-tree mode negate the need for port forwarding?

1) How would I set up the port forwarding rules to forward all traffic for the ports listed to the listed ip/port destinations?

2) The "ip nat" command has an "extendable" option that I have seen used in some examples online. What does it mean?

3) The switch does not have an internal or external connection declared in the config file shown above. Do I still have to declare the "inside" and "outside" points on each switch?

4) I have tried to find documentation on a template for the running-config and startup-config files with no success. I would like to see where access-list commands and port forwarding commands would be inserted. If anyone can point me to one or send me one I would appreciate it.

Thank you.

Edison Ortiz Wed, 11/28/2007 - 13:16

1a. Spanning-Tree is designed to avoid Layer 2 loops in your network. It's not going to affect any NAT translation, which is Layer 3.

_________________

1b. If you are planning to re-use the same IP address on different ports, you need the extendable option on the NAT.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml

__________________

2. see #1b.

___________________

3. What type of switch are you working with?

Only 6500 supports NAT. Lower-end switches do not support NAT, you need a router.

___________________

4. What kind of templates are you looking for?

lgijssel Wed, 11/28/2007 - 13:18

You seem to have done quite some research on the subject!

Still, you must have been misled by the terminology. Port forwarding is only applicable in situations where NAT or PAT is used. This always requires a router. You will not be able to use port forwarding on a single subnet. In fact, there is little use for it either. Just connect the equipment and give it a go!

regards,

Leo
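A small check of the two points made in this thread, added here as an example and not part of the original posts: the camera hosts and a console on the same 255.255.248.0 network share one Layer 3 segment (so no NAT is involved), and the wildcard 0.0.0.7 from the posted access lists covers only eight addresses rather than the /21 (the correct wildcard is the inverse of the mask). The console address 172.16.121.10 is a constructed sample.

```python
import ipaddress

# Values taken from the thread; the console address is a constructed sample.
SUBNET_MASK = "255.255.248.0"            # stated mask for 172.16.120.0
CAMERA_HOSTS = ["172.16.120.49", "172.16.120.50"]
CONSOLE_PC = "172.16.121.10"             # constructed: a console elsewhere in the /21
POSTED_WILDCARD = "0.0.0.7"              # wildcard used in the posted access-list lines


def wildcard_from_mask(mask: str) -> str:
    """A Cisco ACL wildcard is the bitwise inverse of the subnet mask."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True if both hosts sit in the network defined by mask: same L3 segment, no NAT."""
    net_a = ipaddress.IPv4Network(f"{a}/{mask}", strict=False)
    return ipaddress.IPv4Address(b) in net_a


def acl_matches(host: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard match: bits set in the wildcard are 'don't care' bits."""
    h, b, w = (int(ipaddress.IPv4Address(x)) for x in (host, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (h & care) == (b & care)


def acl_hosts_covered(wildcard: str) -> int:
    """Number of addresses a base/wildcard pair matches: 2 ** (set wildcard bits)."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")


if __name__ == "__main__":
    correct = wildcard_from_mask(SUBNET_MASK)
    print(f"mask {SUBNET_MASK} -> wildcard {correct}")
    for cam in CAMERA_HOSTS:
        print(f"{CONSOLE_PC} and {cam} share the subnet: "
              f"{same_subnet(cam, CONSOLE_PC, SUBNET_MASK)}")
        print(f"  posted wildcard {POSTED_WILDCARD} matches {cam}: "
              f"{acl_matches(cam, '172.16.120.0', POSTED_WILDCARD)}")
        print(f"  corrected wildcard {correct} matches {cam}: "
              f"{acl_matches(cam, '172.16.120.0', correct)}")
    print(f"addresses covered: posted={acl_hosts_covered(POSTED_WILDCARD)} "
          f"corrected={acl_hosts_covered(correct)}")
```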
