
I'm trying to forward a port to an inside server. I have tried using static nat to forward it and I have opened it up in the access list as far as I know but I can't seem to get it to open.

Anonymous

1 Answer


The command is

ip nat inside source static <internal address> <public address>

for NATing an entire IP, or

ip nat inside source static tcp <internal address> <port> <public address> <port>
ip nat inside source static udp <internal address> <port> <public address> <port>

for specific udp or tcp ports.

Then you need to have an access list on the outside interface that permits access to the port on the public address.

Also, make sure you have ip nat inside on the inside interface and ip nat outside on the outside interface.

Update 1

The access-list bound to the external interface needs to include a rule to allow the incoming connection. Let's say port 80 is the port you want to forward. Let's also say that Dialer0 is your outside interface and FastEthernet0 is your inside, and 10.1.1.1 is the internal IP address:

interface FastEthernet 0
    ip nat inside
!
interface Dialer 0
    ip nat outside
    ip access-group outside-in in
!
ip nat inside source static tcp 10.1.1.1 80 interface Dialer0 80

ip access-list extended outside-in
    permit tcp any any eq 80
    deny ip any any

Note that with this example, I have bound the NAT to the Dialer0 interface so that we don't need to hard code the IP address into the config - it will take whatever address the D0 interface has as the public address.

Also note that the permit command in the access-list allows access to any IP on port 80. Only use this method if the router does not route other addresses than the one used for the outside interface. Otherwise, hardcode host <ip address>, where the IP address is that of the outside interface, in place of the second "any".

Paul
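As an added example (not code from the answer, and not the asker's configuration), the following Python audit checks the three things the answer ties together: a static NAT forward, an ACL applied inbound on the `ip nat outside` interface, and an entry in that ACL that actually permits the forwarded port. It also flags the `permit ... any any eq <port>` form the answer warns about when the destination should be a `host`. The config text is constructed and assumes IOS-style one-space indentation of interface and ACL bodies.

```python
import re

# Constructed sample config (not the asker's pastebin output): the answer's
# example plus a second forward, for port 445, that the ACL never permits.
SAMPLE_CONFIG = """\
interface Dialer0
 ip nat outside
 ip access-group outside-in in
!
ip nat inside source static tcp 10.1.1.1 80 interface Dialer0 80
ip nat inside source static tcp 10.1.1.1 445 interface Dialer0 445
!
ip access-list extended outside-in
 permit tcp any any eq 80
 deny ip any any
"""
BLOCK_RE = re.compile(r"^(interface \S+|ip access-list extended \S+)\n((?: .*\n)*)", re.M)
NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) \S+ \d+ .* (\d+)$", re.M)

def parse_ace(line):
    """'permit tcp any host 1.2.3.4 eq 80' -> (action, proto, dst_kind, dst_port)."""
    tok, i, kinds = line.split(), 2, []
    for _ in range(2):                                   # source, then destination
        kinds.append(tok[i] if tok[i] in ("any", "host") else "net")
        i += 1 if tok[i] == "any" else 2                 # 'host X' / 'net mask' use two tokens
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return tok[0], tok[1], kinds[1], port

def audit_port_forwards(config):
    """Map each static forward ('tcp/80') to the verdict of the ACL applied
    inbound on the 'ip nat outside' interface (implicit deny included)."""
    blocks = {h: [l.strip() for l in b.splitlines()] for h, b in BLOCK_RE.findall(config)}
    outside = [h for h, b in blocks.items() if h.startswith("interface ") and "ip nat outside" in b]
    inbound = [l.split()[2] for l in blocks.get(outside[0], []) if l.startswith("ip access-group ") and l.endswith(" in")] if outside else []
    entries = None                                       # None: no ACL filters inbound traffic
    if inbound and "ip access-list extended " + inbound[0] in blocks:
        entries = [parse_ace(l) for l in blocks["ip access-list extended " + inbound[0]] if l.startswith(("permit ", "deny "))]
    verdicts = {}
    for proto, port in NAT_RE.findall(config):           # public-side port is what the ACL sees
        port = int(port)
        verdict = "no inbound ACL on outside interface (nothing filters)" if entries is None else "deny (implicit deny at end of ACL)"
        for action, aproto, dst, aport in entries or []: # first matching entry wins
            if aproto in (proto, "ip") and aport in (None, port):
                verdict = action + (" (dst any: broader than needed)" if action == "permit" and dst == "any" else "")
                break
        verdicts[f"{proto}/{port}"] = verdict
    return verdicts
```

Running `audit_port_forwards(SAMPLE_CONFIG)` reports tcp/80 as permitted (with the broad-destination warning) and tcp/445 as denied, which is the mismatch to look for when a forward "shows up in the translations" but never connects.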
  • I have tried that and it won't seem to open it up. It shows up as in the nat translations as `tcp 192.168.1.254:445 192.168.1.1:445 --- ---` Now what do I have to put in the ip nat outside to get it to be open to all hosts outside the network – Anonymous Sep 28 '11 at 01:35
  • I have all this as you do and it still will not let me connect on the port I am trying to. We have a shared network drive we would like to access out of network so I am trying to allow port 445 through and I cannot seem to get it to work properly. I will post my running-config tomorrow when I get the chance. What's also interesting is that I can connect out of network to the router itself via telnet if I want but I cannot seem to get it to allow 445 – Anonymous Sep 28 '11 at 06:25
  • Ok so this is the mess of a configuration I have inherited when I took this over: http://pastebin.com/wWJa8zGk – Anonymous Sep 28 '11 at 20:21
  • The config looks right - are none of the port forwards working, or just the specific 445 one? Also, could you paste a `sh access-list 105` and a `sh ip route`. The first will confirm that attempts are getting to the router, and the second will check nothing is funky with the route your ISP is giving you. – Paul Sep 28 '11 at 23:40
  • Ok here you go http://pastebin.com/MtQGBJFn – Anonymous Sep 29 '11 at 04:11
  • Hmm. The routing is right, as expected. My mistake with the 105 access-list, it should have been 106 - the incoming one. It would be worth moving the 445 rule to the top of the access-list to make sure we see any hits. My other question was whether it was just 445 that wasn't working or all of the port forwards. – Paul Sep 29 '11 at 05:35
  • Well this is the ACL 106 http://pastebin.com/TcFqUxrK 445 is still not working which I don't understand because I can get to the router through telnet off site just fine. I dunno if this helps at all: http://pastebin.com/emKCkd4J So now I'm just really confused as to why I would be able to get to telnet and ssh but can't connect to the Share server – Anonymous Sep 29 '11 at 18:12
  • So 445 is being matched which means nothing external is blocking it. Telnet and ssh will work because they are not NATting, they are direct to the router. Something must be missing still. Do you know what these are for? `ip route 192.168.1.1 255.255.255.255 Null0` `ip route 216.18.237.18 255.255.255.255 Null0` Also, the `sh ip nat trans` line doesn't look right, can you post the whole thing? – Paul Sep 29 '11 at 23:51
  • I actually do not know what they are for; they were there when I got access to the system. I don't know why there is the 192.168.1.1 one but the 216.... is most likely something that we wanted to block or something. I can take them off if need be. As for nat trans this is what comes up; however, I don't know why they are all there. Again this was inherited, I did not make any of these except for the ones about 445 trying to get it to work. http://pastebin.com/X3Ptbj4E – Anonymous Sep 30 '11 at 01:49
  • So for whatever reason when I took off the 192.168.1.1 route we couldn't get out to the rest of the internet anymore.... So I guess that's just a work around for something. – Anonymous Sep 30 '11 at 06:23
  • ok, when you connect to port 445 you get an immediate RST packet back. Just so we are not missing the obvious, when you are on the router can you `telnet 192.168.1.254 445` and confirm you get a connection? Could you try it with `telnet 192.168.1.254 445 /source-interface FastEthernet4` too. – Paul Sep 30 '11 at 06:45
  • I can telnet to the network share with my computer; however I can't get to it from the router. It either times out when not using /source-interface FastEthernet4 or it gets refused altogether when I do use it. – Anonymous Sep 30 '11 at 15:49
  • Ok cool, so NAT and ACLs aren't the issue maybe. The connection refused from the outside interface suggests that the server is blocking anything from a non-local address. Could it be the firewall on the server itself? – Paul Oct 01 '11 at 03:37
  • There isn't anything on the network drive to limit any connections at all, and wouldn't it then list the port as open in the control-plane host open-ports even if it couldn't connect? – Anonymous Oct 04 '11 at 03:56
  • Sorry, I am not sure how control-plane fits into this. Does the server have a default route pointing at this router? – Paul Oct 04 '11 at 12:45
  • Yes the default route is pointing to the router – Anonymous Oct 06 '11 at 21:32
  • Well at this stage I would be looking to check where the packets are going. Wireshark on the server to see if they get through or port spanning and a packet sniffer on the switchport the router is plugged into. Perhaps someone will be along with better ideas. – Paul Oct 06 '11 at 22:57