Please forgive my ignorance, but I'm a total noob at Cisco and this fell into my lap. We have a location that has a Cisco 1720 that connects three networks to a firewall. One of the clients, who had a server on one of the networks, wants to set up a VPN into their server on port 5000. I can get this forwarded through our firewall and have pointed it at the gateway address of the destination network (on the Cisco 1720).
I had nothing to do with the setup of this router and I do know that the guy who did set it up only did so with the help of Cisco's tech support. I don't believe this is an option this time, as the router was installed in 2001 and, as far as I know, we have no service agreement on it. I do know how to get into the router via Telnet and how to get it into configure mode, but after that I'm lost. Can this router forward port 5000 (or any other port) to another network? If so, how would I do this?
If the router is doing the NAT'ing then you should be able to set up a NAT/PAT translation on the box.
"show run" will print out the configuration. If the config shows "ip nat inside/outside" on the relevant interfaces then the router is doing the NAT'ing.
A generic example of setting up a translation for TCP port 5000: "ip nat inside source static tcp INT-SERVER-IP 5000 EXT-ROUTER-IP 5000 extendable"
The other thing to check would be if there is any access-list in place (inbound on the external interface):
Check to see if there are any "access-group" commands under any of the interfaces in the config and make a note of the access-group name.
This will relate to an access-list that is either blocking/permitting specific traffic. It will have to be edited to include port 5000 for the traffic that you want to permit.
Or you can use Cisco SDM (Security Device Manager), a web-based (GUI) tool for configuring Cisco routers.
It's great for beginners in the world of Cisco and I think it's supported by 1720 routers.
You just need to check whether you run a compatible Cisco IOS release on your router. You can discover the IOS version using the 'show version' command. This command must be used in privileged ("enable") mode.
Tell me which version of IOS you have on your router and I will instruct you how to change the IOS version if needed.
Thanks for the quick response. I tried this earlier today and it caused their internet to stop responding (?). Could that have something to do with the access lists?
Anyway, here is their current run configuration.
Building configuration...
Current configuration : 1235 bytes
!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
logging rate-limit console 10 except errors
enable secret 5 $1$JAC4$JimvcKDrpFPl7vLW5k.1G.
enable password ********
!
username Exec
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
no ip dhcp-client network-discovery
!
!
!
interface Ethernet0
ip address 172.16.2.210 255.255.0.0
ip nat outside
half-duplex
!
interface FastEthernet0
ip address 130.100.0.222 255.255.255.0 secondary
ip address 100.75.0.23 255.0.0.0
ip broadcast-address 0.0.0.0
ip nat inside
no ip route-cache
speed auto
half-duplex
!
ip nat inside source list 101 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.2.207
no ip http server
!
access-list 101 deny ip 100.0.0.0 0.0.0.255 130.100.0.0 0.0.0.255
access-list 101 deny ip 130.100.0.0 0.0.0.255 100.0.0.0 0.255.255.255
access-list 101 permit ip 100.0.0.0 0.255.255.255 any
access-list 101 permit ip 130.100.0.0 0.0.0.255 any
snmp-server community public RO
!
line con 0
line aux 0
line vty 0 4
password ********
login
!
end
The server we are trying to get to is at 130.100.0.100 and the firewall the traffic will be coming in through is at 172.16.2.207. It then sends anything coming in on port 5000 to 172.16.2.210, which is the IP of the 1720 on the 172.16.xxx.xxx subnet.
The command I ran was 'ip nat inside source static tcp 130.100.0.100 5000 172.16.2.207 5000 extendable'
Was this correct?
Thanks again.
The static NAT command is incorrect, it should reference the external IP address of the router itself and not the firewall that you mention. So this would be:
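As an added example (not from this thread or from Cisco), a small Python script that applies the checks suggested above to a "show run" text: which interfaces are NAT inside/outside, whether any access-group is applied inbound on the outside interface, and whether a static NAT line's global address is really one of the router's "ip nat outside" addresses. The sample config is a constructed excerpt of the one posted above with the poster's command appended; the helper names are assumptions of this example.

```python
import re
# Constructed sample: excerpt of the posted config plus the static NAT
# line the poster tried (its global IP is the firewall's, not the router's).
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 172.16.2.210 255.255.0.0
 ip nat outside
!
interface FastEthernet0
 ip address 130.100.0.222 255.255.255.0 secondary
 ip address 100.75.0.23 255.0.0.0
 ip nat inside
!
ip nat inside source list 101 interface Ethernet0 overload
ip nat inside source static tcp 130.100.0.100 5000 172.16.2.207 5000 extendable
"""

def parse_interfaces(config):
    """Map interface name -> addresses, NAT role and applied access-groups."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"addrs": [], "nat": None, "acls": []})
        elif line == "!":
            cur = None                      # end of the interface stanza
        elif cur is not None:
            if line.startswith("ip address "):
                cur["addrs"].append(line.split()[2])
            elif line.startswith("ip nat "):
                cur["nat"] = line.split()[2]    # "inside" or "outside"
            elif line.startswith("ip access-group "):
                cur["acls"].append(tuple(line.split()[2:4]))  # (acl, direction)
    return ifaces

def inbound_acls(config):
    """(interface, acl) pairs applied inbound on 'ip nat outside' interfaces; these would need to permit the forwarded port."""
    return [(name, acl) for name, i in parse_interfaces(config).items()
            if i["nat"] == "outside" for acl, d in i["acls"] if d == "in"]

def check_static_nat(config):
    """Static NAT entries whose global IP is not an 'ip nat outside' address, with the addresses that would be valid."""
    outside = sorted(a for i in parse_interfaces(config).values()
                     if i["nat"] == "outside" for a in i["addrs"])
    bad = []
    for raw in config.splitlines():
        m = re.match(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", raw.strip())
        if m and m.group(4) not in outside:
            bad.append((m.group(2), int(m.group(3)), m.group(4), outside))
    return bad
```

For the posted config, check_static_nat reports the poster's line because 172.16.2.207 is the firewall, while the only "ip nat outside" address on the router is 172.16.2.210; inbound_acls is empty because access-list 101 is only referenced by the overload NAT rule, not applied with access-group on an interface.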