Forwarding a Port to a LAN Machine

Unanswered Question
Mar 4th, 2010

Hi,

I have a 1711 router with IOS v. 12.3, and I need to place a web server in the same LAN where users' PCs are connected to the internet and forward the ports 80 and 1433 from the internet to the web server (address 192.168.1.177).

FastEthernet0 has the address 99.99.99.99 and is connected to the internet. FastEthernet1 is tied to vlan10 and has the address 192.168.1.1. It is connected to the LAN.

I have this NAT configuration for the LAN PCs to access the internet, and it works ok:

access-list 1 permit 192.168.1.0 0.0.0.255
ip nat pool overld1 99.99.99.99 99.99.99.99 prefix-length 24
ip nat inside source list 1 pool overld1 overload
ip route 0.0.0.0 0.0.0.0 99.99.99.1

This is how I tried to forward port 80, but it had no effect:

ip nat inside source static tcp 192.168.1.177 80 79.132.95.228 80 extendable

I read somewhere that when there are access lists, they should include the port to forward. I tried to do that, but either my syntax was wrong or I still don't understand how it works.

So, how do I forward a port to a LAN machine when there are already other user PCs in the same LAN using the internet connection?

Thanks in advance.

Federico Coto F... Thu, 03/04/2010 - 13:17

Hi,

The syntax for the command is correct:

ip nat inside source static tcp 192.168.1.177 80 79.132.95.228 80 extendable

This means that all traffic that comes in on port 80 to IP 79.132.95.228 is going to be forwarded to the internal IP 192.168.1.177.

My question is:

Is this public IP 79.132.95.228 part of your public IP address space?

I ask you this because I see the public NAT range is a totally different one.

So, the syntax is correct, and you can try from a computer on the Internet to telnet 79.132.95.228 80, assuming your router knows how to handle this IP.

The only other thing is to make sure that if there's an ACL applied to the interfaces on the router, it should allow the traffic to pass through.

Federico.

WeidmannsHeil Thu, 03/04/2010 - 14:48

Thank you, Federico, for the reply.

Yes, the address beginning with 79 is the actual address...

I just wanted to replace it with 99 everywhere for reasons of security but failed to in one place.

As concerns the ACL, that's exactly the part I wanted to ask you. I only have what I posted here and I don't know how to extend the ACL (or add another?) so that it not only permits all hosts in the LAN to access the internet but also permits all hosts from the internet to access 192.168.1.177 on port 80. A NAT statement for it alone doesn't work. Somehow the existing ACL interferes with it.

Federico Coto F... Thu, 03/04/2010 - 15:03

You only need an ACL if you already have an ACL applied to the outside interface of the Router.

If there's no ACL, by default the router permits all traffic through it.

What is the result of doing the following from the command prompt:

telnet 79.132.95.228 80

If it does not work and there's no ACL applied to the outside interface, as a test do the following:

access-list 199 permit tcp any host 79.132.95.228 eq 80
access-list 199 permit ip any any

interface outside
ip access-group 199 in

Then check the hit counts, doing a 'sh access-list 199', to make sure the hit count on the first line is incrementing.

This will let us know if the traffic is indeed reaching the router.

Federico.

WeidmannsHeil Thu, 03/04/2010 - 15:29

1. telnet seems to work: it blanks the screen and does not complain about anything. But I cannot actually browse the web page at the server. I connected to the inside address.

2. The ACL that refers to the 99... address is the actual ACL I have, but it's for LAN PCs connecting to the internet.

3. I tried what you suggested as the test. I could enter:

access-list 199 permit tcp any host 79.132.95.228 eq 80
access-list 199 permit ip any any

But:

interface outside
ip access-group 199 in

was rejected as incorrect syntax. And nothing really changed.

WeidmannsHeil Fri, 03/05/2010 - 05:48

Ok, I found a confirmation that static and dynamic NATs really do work simultaneously, i.e., I can use an ACL and a static NAT simultaneously, and I don't have to change anything in the ACL:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

So I checked once more all the cables, walked through the configuration, removed anything that I did not need, and now it works. Thank you, Federico, for the support.
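A consolidated IOS configuration for the setup discussed in this thread, added here as an example and not taken from any of the posts. It uses the addresses and interface roles from the original question; ISP_GATEWAY, ADMIN_NET and ADMIN_WILDCARD are placeholders, and the LAN address is assumed to live on interface Vlan10 since on a 1711 FastEthernet1 is a switch port. IOS names interfaces by type and number (the `interface outside` form tried above is PIX/ASA syntax), so the test ACL is applied under `interface FastEthernet0`; because the inbound ACL on the outside interface is evaluated before NAT, it must match the public address, not 192.168.1.177.

```cisco
! Constructed example for a Cisco 1711, IOS 12.3. Placeholders are in CAPS.
!
interface FastEthernet0
 description Internet uplink (NAT outside)
 ip address 79.132.95.228 255.255.255.0
 ip nat outside
 ip access-group 199 in
!
interface Vlan10
 description LAN; FastEthernet1 is a switchport in vlan 10 (assumption)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Dynamic PAT for the LAN PCs, as in the original post (99.99.99.99 was a
! stand-in for the real public address).
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat pool overld1 79.132.95.228 79.132.95.228 prefix-length 24
ip nat inside source list 1 pool overld1 overload
!
! Static port forwards. These coexist with the overload rule above; the
! static entries win for the ports they name.
ip nat inside source static tcp 192.168.1.177 80 79.132.95.228 80 extendable
ip nat inside source static tcp 192.168.1.177 1433 79.132.95.228 1433 extendable
!
! Inbound filter on the outside interface. Matches the public address
! because this ACL runs before the outside-to-inside NAT translation.
access-list 199 remark HTTP to the web server from anywhere
access-list 199 permit tcp any host 79.132.95.228 eq 80
access-list 199 remark SQL Server only from the management network (placeholder)
access-list 199 permit tcp ADMIN_NET ADMIN_WILDCARD host 79.132.95.228 eq 1433
access-list 199 remark return traffic for sessions the LAN PCs opened
access-list 199 permit tcp any any established
access-list 199 permit udp any eq 53 any
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any unreachable
access-list 199 permit icmp any any time-exceeded
access-list 199 deny ip any any log
!
ip route 0.0.0.0 0.0.0.0 ISP_GATEWAY
```

After applying it, `show access-list 199` should show the hit count on the port 80 line increasing while an outside host connects, and `show ip nat translations` should list the two static entries alongside the dynamic ones.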
