Equipment Support > Hardware By Brand > Cisco > Port forward Cisco Router

Port forward Cisco Router

Current configuration : 1142 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router-3745-01
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXXXX
!
no aaa new-model
ip cef
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.1.1.2 80 PUB_IP extendable
!
access-list 10 permit 10.1.1.0 0.0.0.255
!
control-plane
!
alias exec s show ip int br
alias exec sr show run
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end
 
 

The web server on Cisco routers is very basic, and almost entirely used for management of the device. If your device is going to be publicly accessible, putting a web page on your router is asking for trouble. As far as connectivity goes, being behind the Pix can certainly cause trouble for getting to the router, especially if the PIX is doing NAT, rendering the router redundant.

The web server will be behind the router/firewall, not ON the router. I have no intentions of running the http/https server on the router at any point.

Here is the firewall config:

PIX Version 7.2(4)
!
hostname pix-515e-01
domain-name DOMAIN
enable password PASSWORDencrypted
passwd PASSWORD encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name DOMAIN
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:de56a0200ef833165976936a5d611f6b
: end
 
 

reply to amclay
If the PIX is in front of the 3745, which is infront of your webserver, yes you're going to have to open
something up on the PIX to allow unsolicited inbound traffic to traverse the PIX.

Also, I think you're going to have to redesign your network as you have both the PIX and the 3745
doing NAT.

It may be better to put the 3745 as the headend / NAT device, and have the PIX in transparent mode,
though I forget off the top of my head which revision of PIX / ASA code was transparent mode introduced.

Regards

In this setup (Internet>PIX>Router>(L2 Switch)>Web Server, is the same command going to work for passing traffic to the Router from the PIX?

(I believe it does support transparent)

It really depends on how much traffic your looking at pushing. I know for our office we have the router in front of the firewall (for better or worse) due to the router performing the routing and NAT functions. The PIX does basic routing and NAT functions so the question is, is the 3745 really necessary? What kind of bandwidth are we looking at?

100Mb/s fully duplexed.

reply to amclay
Two things... in this setup, you wouldn't use PUB_IP, but the routers address (192.168.1.2). A similar nat rule would be required on the Pix as well, since it the thing with a real IP.

And in this case, there's no apparent need for double nat. Let the router be a router. Although, I'm left wondering why the router is there at all.

At 100Mbps, you definitely want the pix doing nat and filtering. The 3745 is a good router, but it's nowhere near what a pix can do. (as primitive as the pix may seem.)

Gotcha, I'd be reading some conflicting information there. What's the point of a router versus a firewall then besides modules?

A router is for, well, routing. A firewall is a policy and security device. Depending on what you need done, both have their place.

reply to amclay
The router routes traffic and connects various networks at a high level with reasonable speed. The firewall sorts traffic and acts as a policy device. Firewalls also do NAT and basic routing.

Simply put, unless your peering, have a leased line, use BGP, or need modules, then a firewall is the way to go. Many enterprises use firewalls exclusively for policy and security, and leave NAT, routing, etc., up to the Catalyst 650X or Cisco routers.

reply to amclay

On the PIX, is adding the command

static (inside,outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255

correct, to forward port 80 traffic from outside interface to the inside? I had tried static (inside,outside) PUB_IP 192.168.1.1 netmask 255.255.255.255, but it mentioned that the command was outdated.

Do I need to make an access list? and what does that command look like?

Yes, that is correct. The other command maps an outside IP to an inside IP -- all ports. (it's only of value where you have several addresses, but even then it's not necessary.)

You will most likely need to adjust an access list. (or add a "conduit" depending on your configuration.)

reply to amclay
Depending on config, I suspect the performance delta between the 3745 and the PIX is negligible.
Only time where I've seen the ISR performance crater is crypto and IPS, not sure if you plan
to run either on your setup or not.

What version of code is running on the 3745 if you don't mind my asking? If you have one of the later
12.4T trains, 3745 should be able to do CBAC and/or ZBFW, which is (nearly) as good as PIX.

The likely ACL needed on the PIX would be

access-list HTTP_INBOUND permit tcp any any eq 80
 

reply to amclay
Router:
ip nat inside source static tcp 10.1.1.2 80 192.168.1.2 80 extendable

PIX:
static (inside,outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255
access-list HTTP_INBOUND permit tcp any any eq 80

The port does NOT seem to be open here. For reference the topology is (I may change this):

ISP>
PIX(DHCP),PIX(192.168.1.1)>
Router(192.168.1.2),Router(10.1.1.1)>
Server(10.1.1.2)

Configs are above.

reply to amclay
From the PIX, are you even seeing hits on the ACL? Think the command is 'show access-list '
If you do, then you can debug the rest of the path, or just to keep it simple for now, keep the 3745 out
of the equation until you know the PIX is setup right.

You're going to need someone outside of your network to generate test traffic to see if this
is open or not, or use an online port scanner.

Regards