help me understand open ports/mappings, on NAT

[kaizer]

hello

we have frac T1 internet access thru a router (NAT)cisco 1700
one of our market services is upgrading the software. It will run on mysql and requires port 3306. I called isp to ask whether that port is already open on the router. I was told that since we use NAT, i have to ask for a port mapping to each individual worksta ip address (private addresses) for it to work.
I wanted to know, why we can't just allow the mysql traffic on 3306 to be "open" in a general way.
I don't know routers, just seeking a lilttle clarification on how things happen

thx much

 

[mattclarke]

i may not have the correct answer, but could you not use an access list to grant access on port 3306. if it is applied to both inbound and outbound interfaces, all users should be able to access it no probmem.

hope that helps.

 

[kaizer]

thx for your reply
when u say "access list" does it imply a list of the internal ip addresses mapped somehow or, is there a way to config the access with just 2-3 lines ?

 

[bierhunter]

Does the ISP control the router or do you control the router? I'm just curious, because the ISP said you have to "ask" for a port mapping.

To answer the question of opening port 3306 inbound to the whole network, Yes it can be done without specifying it for each workstation.

Something like this:
ip nat inside source static tcp <inside address of mySql server> 3306 <outside address of external router interface> 3306

For example:

If your outside interface on the router is:

interface e0
ip address 1.2.3.4 255.255.255.0
ip nat outside

And your mySql server is 10.10.20.5

Use this:
ip nat inside source static tcp 10.10.20.5 3306 1.2.3.4 3306

That will tell NAT to pass all port 3306 traffic to your mySql server.

Any access lists/firewall settings will need to be changed to allow port 3306 inbound as well.





BierHunter
CNE, MCSE, CCNP

 

[kaizer]

thanks beerhunter
i'm all clear