
Cisco router forwarding


ryanak

IS-IT--Management
Dec 5, 2008
50
It has been about 7 years since I have worked with Cisco, so I am forgetting how to make the necessary change in this case.
I am trying to forward 2 ports to the client's web server. They have a Cisco router and a separate firewall. I have already forwarded the ports on the firewall. The firewall is set up on a separate VLAN than the Cisco (I think this is where I am getting lost). What follows is an edited version of the running config. All identifiable information has been removed. I need to forward HTTP/HTTPS to the web server.
The firewall is on the 172 network and the router and web server are on the 192 network. The 10. network is a separate, unrelated VLAN. Clearly I need to refresh my Cisco knowledge.

CONFIG START

Building configuration...

Current configuration : 5460 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ****
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 informational
logging console informational
enable secret 5 ***
enable password ***
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
no ip domain lookup
ip domain name ***.com
ip name-server 192.168.1.x
!
!
crypto pki trustpoint TP-self-signed-3660895060
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-*
revocation-check none
rsakeypair TP-self-signed-3660895060
!
!
crypto pki certificate chain TP-self-signed-*
certificate self-signed 01
*SSL CERT IS HERE*
quit
username **** privilege 15 secret 5 ****
username **** privilege 15 secret 5 ****
!
!
!
!
!
!
interface Loopback0
no ip address
!
interface Vif1
no ip address
!
interface FastEthernet0
ip address 172.16.x.x 255.255.x.x
duplex auto
speed auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
switchport access vlan x1
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
switchport access vlan x2
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description ****
no ip address
ip tcp adjust-mss 1452
shutdown
!
interface Vlan x1
description COMPANY Network
ip address 192.168.1.x 255.255.255.0
ip access-group ACL1 in
ip access-group ACL1 out
!
*****


ip access-list extended ACL1-in
permit tcp 10.X.X.X 0.X.X.X host 192.168.1.X eq * <UNRELATED INFO>
permit tcp 10.X.X.X 0.X.X.X host 192.168.1.X eq * <UNRELATED INFO>
permit ip 10.X.X.X 0.X.X.X host 192.168.1.X
permit ip 10.X.X.X 0.X.X.X host 192.168.1.X
permit ip 10.X.X.X 0.X.X.X host 192.168.1.X
deny icmp 10.X.X.X 0.X.X.X 192.168.1.0 0.0.0.255
deny ip 10.X.X.X 0.X.X.X 192.168.1.0 0.0.0.255 log
permit ip any any
!
!
!
!
!
!
!
control-plane
!
!
line con 0
login local
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty * *
privilege level *
password ****
login local
transport input telnet ssh
line vty * *
privilege level *
password ****
login local
transport input telnet ssh
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

CONFIG END


Thank you for any assistance you can provide.
 
Sounds like you could NAT that traffic, like this
example:
ip nat inside source static tcp 192.168.1.200 22 209.247.228.201 22 extendable

This forwards SSH traffic from 192.(inside) to 209.(outside).
 
OK, I think I have this. So I need to
ip nat inside source static tcp 192.168.1.x <My Destination> <PortNumber> 172.16.x.x <my firewall> <PortNumber> extendable


My firewall is already forwarding the necessary ports.
Am I understanding this correctly?

-Ryan
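The static NAT approach discussed above, written out for HTTP and HTTPS on this topology as an added example that is not part of the original thread. The server address 192.168.1.10 and the VLAN number 10 are placeholders for the values scrubbed from the posted config; the rule uses the `interface` form so the firewall forwards to whatever address FastEthernet0 holds.

```cisco
! Added example, not taken from the posted config.
! Placeholders: 192.168.1.10 = web server, Vlan10 = the "Vlan x1" SVI.
!
! Mark which side faces the firewall (outside) and which faces the server (inside).
interface FastEthernet0
 ip nat outside
!
interface Vlan10
 ip nat inside
!
! Forward only the two required ports, arriving on FastEthernet0's own address,
! to the web server. No other port on the server is exposed by these rules.
ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.1.10 443 interface FastEthernet0 443
!
! Verification from privileged EXEC:
!   show ip nat translations
!   show ip nat statistics
```

With this in place the firewall's port forward must target the router's FastEthernet0 address on the 172.16 network, and the ACL applied to the VLAN interface still has to permit the forwarded traffic.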
 
Is there any particular reason why you are filtering traffic at the router and at the firewall?? Also, I'm assuming that the firewall is performing NAT?? What model router is this??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I could certainly be overthinking this. This is an inherited network, so I do not know anything about why it was set up in this fashion.
The firewall is on the 172.16.x.x network.
The server is on the 192.168.1.x network.
The Cisco 1811 has the FastEthernet0 port on the 172.16.x.x network and has a VLAN set up on the FastEthernet2 port which connects to the 192.168.1.x network.
So instead of routing this network, like I would have expected, it is VLANed.
The firewall is configured to forward the necessary port to the router (since it is on a different network); then the router should need to take that packet and forward it to the necessary server. Am I correct or have I overthought this issue?

-ryan
 
Are the router and firewall on the same network? You mentioned 172.16.x.x; what is the 3rd octet? If it's the same, you could NAT on the firewall.
 
The server and firewall are on different subnets. The firewall is on the 172.16.0.0 /24 subnet; the server is on the 192.168.0.0 /24 subnet. The router is controlling traffic for that. The router has 1 interface on one subnet and another interface on the second subnet.

-Ryan
 
Is this your topology?? Sorry, I'm still a little confused at how all of this is laid out:

If it's not, please draw one up and upload it somewhere for us to see.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Correction: the server is on the 192.168.1.0 /24 subnet.
The router controls the flow of data from the 172.16.0.0 to the 192.168.1.0.
 
Can you repost your entire router config again, but this time only scrub your public IP info and any username/passwords??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Consider this issue closed. I was overthinking the issue. I entered a routing statement into the firewall and forwarded the port from there.

Thank you for all the assistance.

-Ryan
 