Port forwarding versus 'permit'

We have a Cisco Router 831 and it's working fine. I have a question regarding the difference between what I commonly think of as 'port forwarding' versus a simple 'permit' applied within an access-list to an interface, i.e.: 'access-list xxx permit tcp any any eq telnet'.

With port-forwarding a packet arrives at the WAN interface and gets forwarded to a specific machine address on the internal LAN. Let's say it's SMTP port 25 on TCP being forwarded to an e-mail server on the inside LAN. Besides a 'permit' for SMTP against the WAN interface how does the actual forwarding take place? We set this port-forwarding on via SDM but are just getting familiar now with the SHOW RUN and command line interface.

For example, if I just go into an access-list that gets applied to the WAN interface and permit SMTP how will it know which internal machine to send to?

Or to put it another way, if you permit certain ports such as SMTP, Telnet, FTP, etc on the WAN interface but don't specifically tell them to go anywhere is there any risk that they can actually arrive at a machine on the internal LAN? (Wouldn't they just stop at the router because they don't know which specific machine on the inside LAN to go to?)

Thanks in advance for help,

Tom

Tom Edelbrok

In article , Tom Edelbrok wrote:
:We have a Cisco Router 831 and it's working fine. I have a question
:regarding the difference between what I commonly think of as 'port
:forwarding' versus a simple 'permit' applied within an access-list to an
:interface, ie: 'access-list xxx permit tcp any any eq telnet'.

:With port-forwarding a packet arrives at the WAN interface and gets
:forwarded to a specific machine address on the internal LAN. Let's say it's
:SMTP port 25 on TCP being forwarded to an e-mail server on the inside LAN.
:Besides a 'permit' for SMTP against the WAN interface how does the actual
:forwarding take place? We set this port-forwarding on via SDM but are just
:getting familiar now with the SHOW RUN and command line interface.

SDM is creating 'ip nat static' statements on your behalf.

:Or to put it another way, if you permit certain ports such as SMTP, Telnet,
:FTP, etc on the WAN interface but don't specifically tell them to go
:anywhere is there any risk that they can actually arrive at a machine on the
:internal LAN? (Wouldn't they just stop at the router because they don't know
:which specific machine on the inside LAN to go to?)

If the packets arrive with a destination IP and port for which there happens to be an active translation to an inside machine (possibly because the entire IP is translated), then the packets will be forwarded onwards if the access list permits and if any active stateful packet inspection approves.

The 831 has stateful packet inspection in all software releases, but that is not generally true for all Cisco devices -- and you might not happen to have the stateful inspection turned on. Also, there are some packets that could validly come from "anywhere", and the stateful inspection might pass those on; an example would be ICMP "no route" packets.

If you are not using NAT to map between internal IPs and external IPs (i.e., you are using public IPs internally), then there is a translation of the IP to itself; that translation is always active if the identity translation was handled by a static mapping, or intermittently active if the identity translation is handled by dynamic mappings. [I don't know the exact IOS equivalent; in PIX this would be "nat (inside) 0 IPNET IPMASK"]

Walter Roberson
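To make the two pieces concrete, here is an added IOS configuration fragment (not from either post, and not generated by SDM) showing the static translation that SDM creates for an SMTP forward alongside the ACL permit. The addresses 203.0.113.5 (router WAN) and 192.168.1.10 (inside mail server) and the interface names are assumed placeholders.

```cisco
! Assumed addresses: 203.0.113.5 = router WAN address, 192.168.1.10 = inside mail server.
interface Ethernet0
 description inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 description WAN
 ip address 203.0.113.5 255.255.255.248
 ip nat outside
 ip access-group 101 in
!
! This is the "port forward": a static translation of WAN port 25 to the
! mail server. Without it a permitted SMTP packet has no inside destination
! and is handled by the router itself (dropped, or answered by the router
! if it is listening on that port).
ip nat inside source static tcp 192.168.1.10 25 203.0.113.5 25
!
! On outside-to-inside traffic IOS evaluates the inbound ACL before the NAT
! translation, so the ACL must match the public address, not 192.168.1.10.
! The permit alone carries no forwarding information; only the static
! translation above decides where the packet goes.
access-list 101 permit tcp any host 203.0.113.5 eq smtp
access-list 101 deny ip any any log
```

After applying it, 'show ip nat translations' should list the static entry for port 25, and 'show ip nat statistics' shows hits on it as SMTP traffic is forwarded.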
