Port Forwarding

Status
Not open for further replies.

davidbooher

Technical User
Mar 16, 2006
7
US
What is the exact command to forward IP and UDP ports to an internal interface? The router is a 2600, IOS ver 12.
 
I'm assuming the following: Internal host's real address is 10.10.10.1; you want to forward any traffic on UDP port X destined for the router's external interface address to this inside host; inside interface on router is fa0/0; outside interface on router is fa0/1. Commands you need are as follows:

interface fa0/0
ip nat inside
interface fa0/1
ip nat outside

ip nat inside source static udp 10.10.10.1 X interface fa0/1 X
 
Just so I have all the facts out, the outside interface on the router is (S0/0) 166.82.105.130, internal is (E0/0) 192.168.1.1. I have a firewall with external IP of 192.168.1.5 and internal of 10.10.10.1. I need to make sure that IP 50 & IP 51, UDP 500 and UDP 4500 go to the firewall 192.168.1.5. This is so my VPN software will hit the firewall. So will the command you showed me above work?
 
Yes it will. Based on your feedback, your config may look something as follows:

interface e0/0
ip nat inside
interface s0/0
ip nat outside

ip nat inside source static udp 192.168.1.5 500 interface s0/0 500
ip nat inside source static udp 192.168.1.5 4500 interface s0/0 4500

I'm not sure you can port forward ESP (IP 50) and AH (IP 51) - may depend on your IOS version.

If you can, the command will be something as follows:

ip nat inside source static esp 192.168.1.5 interface s0/0
ip nat inside source static ah 192.168.1.5 interface s0/0
 
I have IOS version 12. I tried your commands and they did not work.
 
My current config....

User Access Verification

Password:
Password:
rtr-tristate>en
Password:
rtr-tristate#show config
Using 1372 out of 29688 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname rtr-tristate
!
enable secret 5 $1$lNt5$zRpfkMAWVVttMWSd.dJ.C1
!
ip subnet-zero
no ip domain-lookup
ip domain-name tristatetrading.com
!
!
!
!
interface Ethernet0/0
description connected to EthernetLAN
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/0
description Serial connection to Internet
ip address 166.82.110.50 255.255.255.252
no ip directed-broadcast
ip nat outside
encapsulation ppp
!
ip nat pool rtr-tristate-natpool-0 166.82.105.142 166.82.105.142 netmask 255.255.255.240
ip nat inside source list 1 pool rtr-tristate-natpool-0 overload
ip nat inside source static 192.168.1.6 166.82.105.131
ip nat inside source static 192.168.1.1 166.82.105.129
ip nat inside source static 192.168.1.5 166.82.105.130
ip classless
ip route 0.0.0.0 0.0.0.0 166.82.110.49
ip route 166.82.0.0 255.255.0.0 Serial0/0
ip route 166.82.0.0 255.255.0.0 166.82.110.49
no ip http server
!
logging 208.150.108.86
access-list 1 permit 192.168.0.0 0.0.255.255
snmp-server engineID local 000000090200000196EFFE60
snmp-server community public RO
!
line con 0
exec-timeout 0 0
password 7 1306161C041C1D
login
transport input none
line aux 0
line vty 0 4
password 7 06050E2F435E10
login
!
no scheduler allocate
end
 
Sounds like you need to upgrade the IOS. For your own safety I would change your telnet password and perhaps think about changing your SNMP community string, as from your config anyone who's a little bit dodgy could telnet on to your router and perhaps run DDoS attacks from it, or at least try and crash it, so be careful which bits of your config you paste in here.
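
Following up on the caution in the last reply, here is an added example (not part of the original thread, and not Cisco tooling) of scrubbing a router config before pasting it into a public forum. It strips secret values from `enable`, `password`, `username` and `snmp-server community` lines and reports the settings the reply warns about. The sample config, the `scrub` function name and the `<removed>` marker are constructed for illustration.

```python
import re

# Constructed sample config (not the one posted in the thread); all values are fake.
SAMPLE = """\
enable secret 5 $1$FAKE$constructedExampleValue000
snmp-server community public RO
line con 0
password 7 00000000000000
line vty 0 4
password 7 11111111111111
login
!
end
"""

# Secret-bearing commands: keep the command and type digit, drop the value.
REDACTIONS = [re.compile(p, re.I) for p in (
    r"^(\s*enable (?:secret|password)(?: \d+)?) \S+",
    r"^(\s*password(?: \d+)?) \S+",
    r"^(\s*username \S+ (?:.* )?(?:secret|password)(?: \d+)?) \S+",
    r"^(\s*snmp-server community) \S+",
)]

def scrub(config_text):
    """Return (sanitized_text, findings); findings are (line_no, message) tuples."""
    clean, findings, vty, vty_ssh_only = [], [], None, {}
    for n, raw in enumerate(config_text.splitlines(), 1):
        s = raw.strip()
        if s.startswith("line "):                 # entering a con/aux/vty block
            vty = s if s.startswith("line vty") else None
            if vty:
                vty_ssh_only[vty] = False
        elif s in ("!", "end"):                   # block separator
            vty = None
        elif vty and s == "transport input ssh":
            vty_ssh_only[vty] = True
        if re.match(r"snmp-server community (public|private)\b", s, re.I):
            findings.append((n, "default SNMP community string"))
        if re.search(r"\bpassword 7 \S", s):
            findings.append((n, "type 7 password: reversible encoding, not a hash"))
        for pattern in REDACTIONS:                # redact after inspecting the line
            raw = pattern.sub(r"\1 <removed>", raw)
        clean.append(raw)
    for header, ssh_only in vty_ssh_only.items():  # line number 0 = whole block
        if not ssh_only:
            findings.append((0, header + ": no 'transport input ssh' restriction"))
    return "\n".join(clean), findings

if __name__ == "__main__":
    print(scrub(SAMPLE)[0], *scrub(SAMPLE)[1], sep="\n")
```

Redaction only protects future posts: any secret that has already been published should be treated as exposed and changed on the device.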
 