Cisco 1720 Question

Please forgive my ignorance, but I'm a total noob at Cisco and this fell into my lap. We have a location that has a Cisco 1720 that connects three networks to a firewall. One of the clients, who had a server on one of the networks, wants to set up a VPN into their server on port 5000. I can get this forwarded through our firewall and have pointed it at the gateway address of the destination network (on the Cisco 1720).

I had nothing to do with the setup of this router and I do know that the guy who did set it up only did so with the help of Cisco's tech support. I don't believe this is an option this time, as the router was installed in 2001 and, as far as I know, we have no service agreement on it. I do know how to get into the router via Telnet and how to get it into configure mode, but after that I'm lost. Can this router forward port 5000 (or any other port) to another network? If so, how would I do this?


Reply to
Thomas E Petersen


If the router is doing the NAT'ing then you should be able to set up a NAT/PAT translation on the box.

"show run" will print out the configuration. If the config shows "ip nat inside/outside" on the relevant interfaces then the router is doing the NAT'ing.

A generic example of setting up a translation for TCP port 5000: "ip nat inside source static tcp INT-SERVER-IP 5000 EXT-ROUTER-IP 5000 extendable"

The other thing to check would be if there is any access-list in place (inbound on the external interface):

Check to see if there are any "access-group" commands under any of the interfaces in the config and make a note of the access-group name.

This will relate to an access-list that is either blocking/permitting specific traffic. It will have to be edited to include port 5000 for the traffic that you want to permit.

Post your config if you get stuck.


Reply to
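
The checks this reply describes (which interfaces carry "ip nat inside/outside", whether an "access-group" is applied inbound on the outside interface, and whether a static translation for the port exists), run over a saved "show run", as an added example that is not part of the thread. The sample config, its addresses and the function name audit_port_forward are constructed for illustration, and ACL matching is simplified to literal "permit tcp ... eq <port>" entries.

```python
import re

# Constructed sample config (documentation/private addresses), not the poster's.
SAMPLE = """\
interface Ethernet0
 ip address 192.0.2.2 255.255.255.0
 ip access-group 110 in
 ip nat outside
!
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 101 interface Ethernet0 overload
ip nat inside source static tcp 10.0.0.50 5000 192.0.2.2 5000 extendable
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 permit tcp any host 192.0.2.2 eq 22
access-list 110 deny ip any any
"""

def audit_port_forward(config, port):
    """Report NAT roles, static forwards for `port`, and inbound ACLs on
    NAT-outside interfaces that have no explicit permit for tcp/`port`."""
    roles, groups, acls, statics = {}, {}, {}, []
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            iface = None  # an unindented line ends interface sub-mode
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif iface and (m := re.match(r"ip nat (inside|outside)$", line)):
            roles[iface] = m.group(1)
        elif iface and (m := re.match(r"ip access-group (\S+) (in|out)$", line)):
            groups[(iface, m.group(2))] = m.group(1)
        elif m := re.match(r"ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)", line):
            statics.append(m.groups())
        elif m := re.match(r"access-list (\d+) (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
    blocked = []
    for (ifname, direction), acl in groups.items():
        if roles.get(ifname) == "outside" and direction == "in":
            # Simplification: only a literal "permit tcp ... eq <port>" counts.
            ok = any(re.match(rf"permit tcp .* eq {port}$", e) for e in acls.get(acl, []))
            if not ok:
                blocked.append((ifname, acl))
    return {"roles": roles,
            "forwards": [s for s in statics if s[3] == str(port)],
            "blocked_by": blocked}
```

On the constructed sample, the port 5000 forward exists but inbound ACL 110 on Ethernet0 has no matching permit, so the translation alone would not pass traffic.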

Or you can use Cisco SDM (Security Device Manager), a web-based (GUI) tool for configuring Cisco routers.

It's great for beginners in the world of Cisco and I think it's supported by 1720 routers.

You just need to check whether you run a compatible Cisco IOS release on your router... You can discover the IOS version using the 'show version' command. This command must be used in privileged ("enable") mode....

Tell me which IOS version you have on your router and I will instruct you how to change the IOS version if needed...

B.R. Igor

Reply to
Igor Mamuzic

Thanks for the quick response. I tried this earlier today and it caused their internet to stop responding (?). Could that have something to do with the access lists?

Anyway, here is their current run configuration.

Building configuration...

Current configuration : 1235 bytes

version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption

hostname Router

logging rate-limit console 10 except errors
enable secret 5 $1$JAC4$JimvcKDrpFPl7vLW5k.1G.
enable password ********

username Exec
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero

no ip dhcp-client network-discovery
!
!
!
interface Ethernet0
 ip address
 ip nat outside

interface FastEthernet0
 ip address secondary
 ip address
 ip broadcast-address
 ip nat inside
 no ip route-cache
 speed auto

ip nat inside source list 101 interface Ethernet0 overload
ip classless
ip route
no ip http server

access-list 101 deny ip
access-list 101 deny ip
access-list 101 permit ip any
access-list 101 permit ip any
snmp-server community public RO

line con 0
line aux 0
line vty 0 4
 password ********




The server we are trying to get to is at and the firewall the traffic will be coming in through is at It then sends anything coming in on port 5000 to, which is the IP of the 1720 on the subnet.

The command I ran was 'ip nat inside source static tcp 5000 5000 extendable'

Was this correct?

Thanks again

Reply to
Thomas E Petersen

Hi Thomas,

The static NAT command is incorrect; it should reference the external IP address of the router itself and not the firewall that you mention. So this would be:

"ip nat inside source static tcp 5000 5000 extendable"

Because all the NAT'ing is done on the ethernet0 interface on IP "ip nat inside source list 101 interface Ethernet0 overload"

this is called PAT(Port Address Translation) where all NAT'ed traffic is assigned a dynamic port for translation using the external IP of

Hope this helps and let us know.


Reply to
RobO