Port forwarding in Cisco 1841

Answered Question
Aug 10th, 2010

Hi, I have an Apple Time Capsule gateway and port mapping is configured. However, I have to replace the Time Capsule with a Cisco 1841 router. I am stuck with how to transfer the current port mappings on the Time Capsule to the Cisco router.

At the moment, my current ACL & PAT configuration on the router is as below:

ip nat pool office 212.xxx.xxx.2x0 212.xxx.xxx.2x0 netmask 255.255.255.252
access-list 10 permit 10.0.1.0 0.0.0.255
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 permit 192.168.2.0 0.0.0.255
ip nat inside source list 10 interface fa0/0
!! int fa0/0 is configured with 212.xxx.xxx.2x0

Grateful for any response.

Regards,

Peter Paluch Sat, 08/14/2010 - 18:40

Hello,

Please be specific as to what your static mappings should look like, i.e. what internal IP and port should be mapped to which external IP and port. This information is necessary to help you further.

Best regards,

Peter

bonnyface Sun, 08/15/2010 - 23:03

Hi Peter,

Thanks a lot for the reply.

I would like to use the Windows Sharing service. Details below:

External IP address is 212.xxx.xxx.xxx
TCP: 139
UDP: 137-138

Internal IP address is 10.0.1.103
TCP: 139
UDP: 137-138

How can I write an ACL on the Cisco router that would permit this?

Regards,

Boniface

Correct Answer
Peter Paluch Mon, 08/16/2010 - 00:59

Hello Boniface,

What you want to do is establish a static mapping between an outside IP address/port and its internal counterpart. This configuration does not need to use ACLs, and can be performed, according to your input, as follows:

ip nat inside source static tcp 10.0.1.103 139 212.xxx.xxx.xxx 139
ip nat inside source static udp 10.0.1.103 137 212.xxx.xxx.xxx 137
ip nat inside source static udp 10.0.1.103 138 212.xxx.xxx.xxx 138

Note that for today's Windows file sharing services, you should also map the TCP port 445:

ip nat inside source static tcp 10.0.1.103 445 212.xxx.xxx.xxx 445

You will still need to designate your interfaces with ip nat inside and ip nat outside, but you do not need other NAT commands for these translations to work. Of course, if you want to perform other NAT/PAT, you can add the commands in addition to these here. I assume that you will want to perform an ordinary PAT on the entire internal network 10.0.1.0/24 (?). In this case, you have to pay attention to explicitly exclude the already statically set translations from the PAT. The configuration would be as follows:

access-list 100 deny tcp host 10.0.1.103 eq 139 any eq 139
access-list 100 deny udp host 10.0.1.103 eq 137 any eq 137
access-list 100 deny udp host 10.0.1.103 eq 138 any eq 138
access-list 100 deny tcp host 10.0.1.103 eq 445 any eq 445
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
ip nat pool NATPOOL 212.xxx.xxx.xxx 212.xxx.xxx.xxx netmask 255.255.255.0
ip nat inside source list 100 pool NATPOOL overload

Instead of the NAT pool, you could also use the outgoing interface's address. I assume you know how to do that, but in case you are not familiar with it, feel free to ask further.

Best regards,

Peter

bonnyface Mon, 08/16/2010 - 03:20

Hi Peter,

Thanks for the tips. I will modify the current config, test and update you.

In the meantime, I thought you could look at my current running config and advise (attached).

I also had a problem with the DNS. When I point the clients' DNS address at the router interface, it doesn't work, even though I have defined a name server on the router and PAT is active.

Note that I have 4 active interfaces and yet the 1841 has only 2 L3 ports, so I added an HWIC-4ESW and worked with VLANs. I set one port on the HWIC as a trunk and looped a cable to one of the built-in L3 ports, with sub-interfaces.

Kind regards,

Boniface

Peter Paluch Mon, 08/16/2010 - 06:49

Hello Boniface,

I have had a look at your configuration.

Regarding the DNS functionality, the Cisco router does not provide a caching DNS server by default. In order to make the Cisco router also work as a caching DNS server, you need to add these commands to the running-config:

! Activates the DNS caching server
ip dns server
! Deactivates lookups for ISO CLNS addresses
no ip domain lookup nsap

Regarding your solution with the interconnection of the trunk Fa0/0/3 with the built-in interface Fa0/1 - it's very original! However, it is not how things are done. The HWIC-4ESW carries data through internal bus to the router and no external interconnections like you did are necessary. The correct configuration, in your case, would be as follows:

no interface Fa0/1.10
no interface Fa0/1.20
no interface Fa0/1.30
!
interface FastEthernet 0/1
 ! Unused, can be deactivated
 shutdown
!
interface FastEthernet 0/0/0
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet 0/0/1
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet 0/0/2
 switchport mode access
 switchport access vlan 30
!
interface FastEthernet 0/0/3
 ! Unused, can be put to default config and deactivated
 switchport mode access
 switchport access vlan 1
 shutdown
!
interface Vlan1
 ! Unused, can be deactivated
 shutdown
!
interface Vlan10
 description ***RESIDENCES & STTA***
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
interface Vlan20
 description ***WAN TO SUB-OFFICES***
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Vlan30
 description ***MAIN LAN***
 ip address 10.0.1.1 255.255.255.0
 ip nat inside

After entering these commands, you can completely remove the interconnection between Fa0/0/3 and Fa0/1. This configuration removes all subinterfaces from Fa0/1, shuts down Fa0/0/3 and Fa0/1 and creates virtual interfaces of the router into VLANs 10, 20 and 30. The interfaces Vlan10, Vlan20 and Vlan30 are virtual interfaces that the router uses to talk to individual VLANs created on the HWIC module. Back up your current configuration and give this a try!

Otherwise, your config looks good.

Best regards,

Peter

bonnyface Mon, 08/16/2010 - 14:31

Hi Peter,

Thanks a lot for opening up my understanding further.

I will make the backup of the current config and try out the modified configuration.

Regarding the DNS, I have an external DNS server address (given by the ISP) as noted in my config. Will the router point to it after activating caching on it and this information transfer to the clients on the different vlans whose gateway is the respective router interfaces?

I have a Server 2008 Standard with DHCP for the 10.0.1.0 network. It is still currently disabled but when I activate it, won't it affect the routing on the other interfaces?

Will keep you posted.

Regards,

Boniface

Correct Answer
Peter Paluch Tue, 08/17/2010 - 04:51

Hi Boniface,

> I will make the backup of the current config and try out the modified configuration.

Looking forward to hearing whether it worked!

> Regarding the DNS, I have an external DNS server address (given by the ISP) as noted in my config. Will the router point to it after activating caching on it and this information transfer to the clients on the different vlans whose gateway is the respective router interfaces?

Correct. The router starts behaving as a DNS proxy. Clients ask the router to make a DNS lookup, and the router either answers from its cache (if the lookup has been performed before) or asks the preconfigured DNS servers and passes the reply to the original client.

> I have a Server 2008 Standard with DHCP for the 10.0.1.0 network. It is still currently disabled but when I activate it, won't it affect the routing on the other interfaces?

The router itself will not be affected by any DHCP server because it does not make use of any DHCP server in its current configuration. Also, a DHCP server will not affect your router's routing table. However, depending on the information the DHCP server provides to clients, the clients may have problems using the default gateway (if the DHCP server assigns an incorrect default gateway IP address) or talking to the DNS server (if the DHCP assigns an incorrect DNS server). Make sure you assign the correct IP configuration to clients via DHCP.

Best regards,

Peter

bonnyface Tue, 08/17/2010 - 14:02

Hi Peter,

Thanks a lot for the help with configuring my router.

I have made the writeup but haven't put it on the router. Please find it attached.

Looking forward to your comments. Users in the 192.168.1.0 and 172.16.1.0 networks have to access the 10.0.1.100 host as well, and I was wondering if ACL 100 won't block them.

Also, is it okay to have both standard and extended ACLs in the same config? As in the sample config, does the order matter as well?

When adding the DHCP role on the server, should I enter the DNS address as that on the router's interface (10.0.1.1) or the address(es) given by my ISP, which will then be distributed to the clients in the 10.0.1.0 network?

Grateful for your help.

Kind regards,

Boniface

Correct Answer
Peter Paluch Wed, 08/18/2010 - 01:26

Hello Boniface,

A few comments to your config.

Your interface VLAN10 is currently configured with the IP address 172.168.1.1/24. That is probably an error: correctly, it should be 172.16.1.1/24.

As the NAT configuration refers directly to the outgoing Fa0/0 interface, you do not need the NAT pool created with the ip nat pool office command. It can be removed, as it is currently unused.

The NAT, however, will need to be configured using a single ACL. In your case, you are combining static NAT translations with dynamic PAT. In the ACL, the static translations will need to be exempted so that they do not conflict with the dynamic PAT. You have basically done that with the ACL 100 and the second ip nat inside source list 100 command. We will continue using the ACL 100, and the ACL 10 should be removed together with the ip nat inside source list 10 command that refers to it.

The ACL 100 needs a slight correction, however. You have correctly indicated the source ports in the ACL but the external ports refer to the TCP/UDP ports on clients that are connecting to the server ports 137-139, 445 and 3389 on 10.0.1.100. They can be arbitrary so the ACL should not specify them. Also, the ACL 100 should permit all internal networks to be translated.

The correct form of the ACL 100 would be as follows:

access-list 100 deny tcp host 10.0.1.100 eq 139 any
access-list 100 deny udp host 10.0.1.100 eq 137 any
access-list 100 deny udp host 10.0.1.100 eq 138 any
access-list 100 deny tcp host 10.0.1.100 eq 445 any
access-list 100 deny tcp host 10.0.1.100 eq 3389 any
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

You have the RIPv2 routing protocol running. Are there any other routers connected to your router? If not, then it makes no sense to run a routing protocol because you do not have any peer to exchange routing tables with. In that case, remove the RIP protocol by simply writing no router rip.

Also, you have currently allowed only the directly connected networks to access the Internet thanks to NAT/PAT. Are there perhaps other networks aside from 10.0.1.0/24, 172.16.1.0/24 and 192.168.1.0/24 that will also be accessing the internet through your router? If yes then the ACL 100 will need to permit those networks as well.

Otherwise, the config looks fine.

Best regards,

Peter
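As an added illustration of the ACL correction in the 08/18 post (this is example code, not code from the thread or from Cisco), the Python below models first-match evaluation of ACL 100 in the way the ip nat inside source list command consults it. Replies leave 10.0.1.100 from port 139 towards whatever port the outside client chose, so the 08/16 form with any eq 139 only matches when that client port happens to be 139; an ordinary reply falls through to the permit line and is classed as eligible for dynamic PAT, whereas the corrected form denies it and so exempts it. The outside client 203.0.113.5 and its port 51234 are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not code from the thread: first-match evaluation of an IOS
# extended ACL as used by "ip nat inside source list", showing why the exemption
# entries must not name the remote client's port (constructed client 203.0.113.5).

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    sport: Optional[int]        # None means any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port

    def matches(self, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.sport in (None, sport)
                and self.dport in (None, dport))

ANY = ipaddress.ip_network("0.0.0.0/0")
SERVER = ipaddress.ip_network("10.0.1.100/32")           # "host 10.0.1.100"
LANS = [ipaddress.ip_network(n) for n in                 # wildcard 0.0.0.255 = /24
        ("10.0.1.0/24", "172.16.1.0/24", "192.168.1.0/24")]
SERVICES = [("tcp", 139), ("udp", 137), ("udp", 138), ("tcp", 445), ("tcp", 3389)]

def build_acl_100(mirror_dst_port: bool) -> List[Ace]:
    """True reproduces the 'any eq <port>' form of the 08/16 post; False is the
    corrected 08/18 form, which leaves the destination port unspecified."""
    acl = [Ace("deny", p, SERVER, port, ANY, port if mirror_dst_port else None)
           for p, port in SERVICES]
    acl += [Ace("permit", "ip", lan, None, ANY, None) for lan in LANS]
    return acl

def first_match(acl: List[Ace], proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """Action of the first matching entry; IOS ends every ACL with an implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, sport, dst, dport):
            return ace.action
    return "deny"

def subject_to_pat(acl: List[Ace], proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    """'permit' makes the flow eligible for dynamic PAT; 'deny' exempts it so that
    only the static mapping applies (the conflict the deny entries are there to avoid)."""
    return first_match(acl, proto, src, sport, dst, dport) == "permit"
```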
