Cisco 1720 Question

Please forgive my ignorance, but I'm a total noob at Cisco and this fell into my lap. We have a location that has a Cisco 1720 that connects three networks to a firewall. One of the clients, who had a server on one of the networks, wants to set up a VPN into their server on port 5000. I can get this forwarded through our firewall and have pointed it at the gateway address of the destination network (on the Cisco 1720).

I had nothing to do with the setup of this router and I do know that the guy who did set it up only did so with the help of Cisco's tech support. I don't believe this is an option this time, as the router was installed in 2001 and, as far as I know, we have no service agreement on it. I do know how to get into the router via Telnet and how to get it into configure mode, but after that I'm lost. Can this router forward port 5000 (or any other port) to another network? If so, how would I do this?

Thanks.

Thomas E Petersen

Hi!

If the router is doing the NAT'ing then you should be able to set up a NAT/PAT translation on the box.

"show run" will print out the configuration. If the config shows "ip nat inside/outside" on the relevant interfaces then the router is doing the NAT'ing.

A generic example of setting up a translation for TCP port 5000: "ip nat inside source static tcp INT-SERVER-IP 5000 EXT-ROUTER-IP 5000 extendable"

The other thing to check would be if there is any access-list in place (inbound on the external interface):

Check to see if there are any "access-group" commands under any of the interfaces in the config and make a note of the access-group name.

This will relate to an access-list that is either blocking or permitting specific traffic. It will have to be edited to include port 5000 for the traffic that you want to permit.

Post your config if you get stuck.

Rob

RobO

Or you can use Cisco SDM (Security Device Manager), a web-based (GUI) tool for configuring Cisco routers.

It's great for beginners in the world of Cisco and I think it's supported by 1720 routers.

You just need to check whether you run a compatible Cisco IOS release on your router. You can discover the IOS version using the 'show version' command. This command must be used in privileged ("enable") mode.

Tell me which version of IOS you have on your router and I will instruct you how to change the IOS version if needed.

B.R. Igor

Igor Mamuzic

Thanks for the quick response. I tried this earlier today and it caused their internet to stop responding (?). Could that have something to do with the access lists?

Anyway, here is their current run configuration.

Building configuration...

Current configuration : 1235 bytes
!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
logging rate-limit console 10 except errors
enable secret 5 $1$JAC4$JimvcKDrpFPl7vLW5k.1G.
enable password ********
!
username Exec
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
no ip dhcp-client network-discovery
!
!
!
interface Ethernet0
 ip address 172.16.2.210 255.255.0.0
 ip nat outside
 half-duplex
!
interface FastEthernet0
 ip address 130.100.0.222 255.255.255.0 secondary
 ip address 100.75.0.23 255.0.0.0
 ip broadcast-address 0.0.0.0
 ip nat inside
 no ip route-cache
 speed auto
 half-duplex
!
ip nat inside source list 101 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.2.207
no ip http server
!
access-list 101 deny ip 100.0.0.0 0.0.0.255 130.100.0.0 0.0.0.255
access-list 101 deny ip 130.100.0.0 0.0.0.255 100.0.0.0 0.255.255.255
access-list 101 permit ip 100.0.0.0 0.255.255.255 any
access-list 101 permit ip 130.100.0.0 0.0.0.255 any
snmp-server community public RO
!
line con 0
line aux 0
line vty 0 4
 password ********
 login
!
end

The server we are trying to get to is at 130.100.0.100 and the firewall the traffic will be coming in through is at 172.16.2.207. It then sends anything coming in on port 5000 to 172.16.2.210, which is the IP of the 1720 on the 172.16.xxx.xxx subnet.

The command I ran was 'ip nat inside source static tcp 130.100.0.100 5000 172.16.2.207 5000 extendable'

Was this correct?

Thanks again.

Thomas E Petersen

Hi Thomas,

The static NAT command is incorrect; it should reference the external IP address of the router itself and not the firewall that you mention. So this would be:

"ip nat inside source static tcp 130.100.0.100 5000 172.16.2.210 5000 extendable"

This is because all the NAT'ing is done on the Ethernet0 interface on IP 172.16.2.210: "ip nat inside source list 101 interface Ethernet0 overload"

This is called PAT (Port Address Translation), where all NAT'ed traffic is assigned a dynamic port for translation using the external IP of 172.16.2.210.

Hope this helps and let us know.

Rob

RobO
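Rob's two posts amount to a checklist: confirm which interface carries "ip nat outside", make sure the static translation's global address is that interface's address (not the firewall's, which is the mistake in the command Thomas ran), and look for an "access-group" on the outside interface. The script below is an added example, not something from this thread or from Cisco: it reads a "show run" dump and runs that checklist against a candidate "ip nat inside source static" command. The config embedded as SAMPLE_CONFIG is a constructed excerpt of the running configuration posted above, trimmed to the NAT-relevant lines; everything else (function names, the warning wording) is this example's own.

```python
import ipaddress
import re

# Constructed sample input: the NAT-relevant part of the "show run" output
# posted in the thread (interface addresses, NAT roles, overload rule).
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 172.16.2.210 255.255.0.0
 ip nat outside
 half-duplex
!
interface FastEthernet0
 ip address 130.100.0.222 255.255.255.0 secondary
 ip address 100.75.0.23 255.0.0.0
 ip nat inside
!
ip nat inside source list 101 interface Ethernet0 overload
ip route 0.0.0.0 0.0.0.0 172.16.2.207
"""

ADDR_RE = re.compile(r"ip address (\S+) (\S+)")
STATIC_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")


def parse_interfaces(config):
    """Walk show-run text and collect, per interface, its IP networks,
    its NAT role ('inside', 'outside' or None) and any access-groups."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = {"networks": [], "nat": None, "access_groups": []}
            continue
        if not raw.startswith(" "):
            current = None  # a non-indented line ends the interface block
            continue
        if current is None:
            continue
        line = raw.strip()
        m = ADDR_RE.match(line)
        if m:  # "secondary" and other trailing keywords are ignored
            interfaces[current]["networks"].append(
                ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"))
        elif line in ("ip nat inside", "ip nat outside"):
            interfaces[current]["nat"] = line.split()[-1]
        elif line.startswith("ip access-group "):
            interfaces[current]["access_groups"].append(line.split()[2])
    return interfaces


def check_static_nat(command, config):
    """Check a candidate 'ip nat inside source static tcp|udp ...' command
    against the config. Returns a list of findings; hard problems are plain
    strings, advisory ones are prefixed 'warning:'. [] means consistent."""
    m = STATIC_RE.match(command.strip().strip("'\""))
    if not m:
        return ["unrecognised command; expected "
                "'ip nat inside source static tcp|udp IN-IP PORT OUT-IP PORT'"]
    _proto, inside_ip, _in_port, global_ip, _out_port = m.groups()
    interfaces = parse_interfaces(config)
    findings = []

    # 1. The global address must belong to an 'ip nat outside' interface.
    outside = {str(n.ip) for i in interfaces.values()
               if i["nat"] == "outside" for n in i["networks"]}
    if not outside:
        findings.append("no interface is marked 'ip nat outside'; "
                        "this router is not doing NAT")
    elif global_ip not in outside:
        findings.append(f"global address {global_ip} is not an 'ip nat outside' "
                        f"address (router's outside addresses: {sorted(outside)})")

    # 2. The inside host must sit on a subnet of an 'ip nat inside' interface.
    inside_nets = [n.network for i in interfaces.values()
                   if i["nat"] == "inside" for n in i["networks"]]
    if not any(ipaddress.ip_address(inside_ip) in net for net in inside_nets):
        findings.append(f"inside host {inside_ip} is not on any "
                        "'ip nat inside' interface subnet")

    # 3. Flag an outside interface with no access-group: once the static
    #    translation exists, nothing on the router filters who may reach it.
    for name, i in interfaces.items():
        if i["nat"] == "outside" and not i["access_groups"]:
            findings.append(f"warning: {name} has no 'ip access-group'; the new "
                            "translation is reachable from anywhere on the outside network")
    return findings


if __name__ == "__main__":
    for cmd in ("ip nat inside source static tcp 130.100.0.100 5000 172.16.2.207 5000 extendable",
                "ip nat inside source static tcp 130.100.0.100 5000 172.16.2.210 5000 extendable"):
        print(cmd)
        for f in check_static_nat(cmd, SAMPLE_CONFIG) or ["ok"]:
            print("  -", f)
```

Run against the two commands from the thread, the first (global address 172.16.2.207, the firewall) is reported as not being an outside address of the router, while the corrected one (172.16.2.210) passes the NAT checks and only draws the advisory that Ethernet0 carries no access-group.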

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.