Cisco router simple port forwarding

brachy33

Hey people!

Looking for some help on forwarding all ports from public IP to an inside DHCP IP. I am trying to run my BF2 server behind an 851W router and I can't seem to find the simple IOS command that allows me to forward all traffic from all ports to a specified IP.

What I have tried is the following:

Public IP: 172.11.2.1 (on int BVI1)
Private IP: 172.11.2.4 (on fa0)

I have tried going through and setting each IP Nat separately doing:

enable
config
ip nat inside source static tcp 172.11.2.4 80 interface BVI1 80
...
...

And so on until I have most TCP and UDP ports entered in.

What I would like to do is for the time being when I power up my server and a bunch of friends want to drop in from around the area, I would like to be able to forward all ports from my public IP to the private server IP.

I did this:

enable
config
ip nat inside source static 172.11.2.4 172.11.2.1 (172.11.2.1 being my gateway IP)

All that did was shut down my internet connection from the server machine and I'm sure someone knows why the command I entered did that, but I don't understand it.

Could someone provide the correct IOS command with which I could get this situation corrected? Please?
 
This is how I forward the necessary ports to my Xbox 360:

ip nat inside source static udp 192.168.1.202 88 interface FastEthernet4 88
ip nat inside source static udp 192.168.1.202 3074 interface FastEthernet4 3074
ip nat inside source static tcp 192.168.1.202 3074 interface FastEthernet4 3074

Note, I have an 871, not an 851. My cable modem is plugged into port FastEthernet4. I'm not sure why you are using a BVI interface for your connection, or why your internal and external IP addresses are so close together.

In any case, the above is what you want to do. If you have the IOS firewall turned on (CBAC), you'll also need to statically allow these ports through the firewall.
 
Hey people!

Looking for some help on forwarding all ports from public IP to an inside DHCP IP. I am trying to run my BF2 server behind an 851W router and I can't seem to find the simple IOS command that allows me to forward all traffic from all ports to a specified IP.

What I have tried is the following:

Public IP: 172.11.2.1 (on int BVI1)
Private IP: 172.11.2.4 (on fa0)

Both of these IP addresses are globally routable addresses. I don't see why you are setting static translations. Is your game server off port fa/0?


All that did was shut down my internet connection from the server machine and I'm sure someone knows why the command I entered did that, but I don't understand it.

Could someone provide the correct IOS command with which I could get this situation corrected? Please?

Not sure why that command didn't work, it's documented on Cisco's knowledgebase as a working statement. You could always create a range of addresses using pools and ACLs. This is how I always did it.

ip nat pool serverports 172.11.2.10 172.11.2.10 netmask 255.255.255.255 type rotary # .10 being the IP address you wish to translate all ports to.
ip nat inside destination list 110 pool serverports
access-list 110 permit tcp any any range 0 65535
^ if memory serves me correctly
 
This is how I forward the necessary ports to my Xbox 360:

ip nat inside source static udp 192.168.1.202 88 interface FastEthernet4 88
ip nat inside source static udp 192.168.1.202 3074 interface FastEthernet4 3074
ip nat inside source static tcp 192.168.1.202 3074 interface FastEthernet4 3074

This is what I was doing originally but I couldn't figure out how to allow a range of ports per entry (ie. ip nat inside source static tcp 172.11.2.10 1024-1124 interface FastEthernet4 1024-1124).

Note, I have an 871, not an 851. My cable modem is plugged into port FastEthernet4. I'm not sure why you are using a BVI interface for your connection, or why your internal and external IP addresses are so close together.
In any case, the above is what you want to do. If you have the IOS firewall turned on (CBAC), you'll also need to statically allow these ports through the firewall.

I'm sorry about that. I meant to type FastEthernet4, not BVI1. My modem is plugged into fa4. In any case, since I couldn't figure out how to set up port ranges for all the ports necessary for the server to operate correctly, I just went ahead and got lazy and decided to try to find out how to allow all UDP/TCP traffic to get through to the local inside IP.

I suppose my question now is do you know how to set up port ranges when entering in new IP NAT translations?
 
Both of these IP addresses are globally routable addresses. I don't see why you are setting static translations. Is your game server off port fa/0?

Again, I am confusing myself and you with my post. The local IP I am trying to forward traffic to is 172.11.2.10. My gateway IP is therefore set as 172.11.2.1. I meant to say fa/4 and not my gateway IP. You are correct in that I have my game server running off of port FastEthernet0, or fa0. I thought that by doing the nat translation from port fa4 (my WAN port) to the internal IP of the server off of fa0, I would be able to get all UDP/TCP traffic to route to my server. Was this way incorrect?


Not sure why that command didn't work, it's documented on Cisco's knowledgebase as a working statement. You could always create a range of addresses using pools and ACLs. This is how I always did it.

ip nat pool serverports 172.11.2.10 172.11.2.10 netmask 255.255.255.255 type rotary # .10 being the IP address you wish to translate all ports to.
ip nat inside destination list 110 pool serverports
access-list 110 permit tcp any any range 0 65535
^ if memory serves me correctly

The statement did work, in that the command "show ip nat translations" showed the translation correctly. However, it still isn't allowing people to connect to my server.

If you don't mind, how about I just start over.

Behind my 851W is a server running BF2. Before the 851W, I had a D-Link router port forwarding only the appropriate ports needed for the BF2 server to function behind the router and allow clients to connect without being blocked.

With the 851W in place, I have the firewall enabled and would like to enable only (what I know as) port forwarding on the router to allow the server to function properly.

My cable modem is plugged into FastEthernet4 and my game server is plugged into FastEthernet0. My gateway IP is 172.11.2.1. I have my server IP set to static 172.11.2.10. Based on this information, what would you recommend is the best way to get this to work?

I am going to keep trying different options as I really want to learn this. I am getting some great practice with the CLI and its many different options.

Thanks for the help!
 
This is what I was doing originally but I couldn't figure out how to allow a range of ports per entry (ie. ip nat inside source static tcp 172.11.2.10 1024-1124 interface FastEthernet4 1024-1124).

I suppose my question now is do you know how to set up port ranges when entering in new IP NAT translations?

Did you see my post above? It's laid out pretty clear.

I don't understand your second question. You would set up new translations the same way you normally would, with a rotary pool specifying an exact address within your range of usable addresses. Also, I pointed out that both of your addresses in your NAT translation are public external addresses; afaik that wouldn't work unless you have a private IP statically set on your game server and are 1:1 NATing.
 
Did you see my post above? It's laid out pretty clear.

Yes I am trying hard to understand your post. Sorry man, the terminology is new to me.

"Both of these IP addresses are globally routable addresses. I don't see why you are setting static translations. Is your game server off port fa/0?"

What are globally routable addresses? I am only using the whole "ip nat inside source static" command b/c someone on the Cisco forums had recommended that as an option to set up my server for what I am trying to do with it.

I don't understand your second question. You would set up new translations the same way you normally would, with a rotary pool specifying an exact address within your range of usable addresses. Also, I pointed out that both of your addresses in your NAT translation are public external addresses; afaik that wouldn't work unless you have a private IP statically set on your game server and are 1:1 NATing.

The IP addresses I have are my internal IP addresses, right? They are my DHCP addresses. I thought an external address would be the actual IP I'm being given by my cable provider, such as 67.123.XX.XXX. Isn't that the external public IP?

I do have my game server set statically to 172.11.2.10 via DHCP. So based on that, by typing in the following:

ip nat pool serverports 172.11.2.10 172.11.2.10 netmask 255.255.255.255 type rotary
ip nat inside destination list 110 pool serverports
access-list 110 permit tcp any any range 0 65535
access-list 110 permit udp any any range 0 65535

And that should do it??
 
Again, I am confusing myself and you with my post. The local IP I am trying to forward traffic to is 172.11.2.10. My gateway IP is therefore set as 172.11.2.1. I meant to say fa/4 and not my gateway IP. You are correct in that I have my game server running off of port FastEthernet0, or fa0. I thought that by doing the NAT translation from port fa4 (my WAN port) to the internal IP of the server off of fa0, I would be able to get all UDP/TCP traffic to route to my server. Was this way incorrect?

Okay, let's make this very easy. Your fa0/4 IP should be set to DHCP if you are getting an IP address from your ISP. Gateway can be forwarded out of fa0/4. Your internal network should be something other than the IP address that you are getting from your ISP... so stick with the standard and use something along the lines of 192.168.x.x or 172.16.x.x... etc.

The statement did work, in that the command "show ip nat translations" showed the translation correctly. However, it still isn't allowing people to connect to my server.

If you don't mind, how about I just start over.

Behind my 851W is a server running BF2. Before the 851W, I had a D-Link router port forwarding only the appropriate ports needed for the BF2 server to function behind the router and allow clients to connect without being blocked.

With the 851W in place, I have the firewall enabled and would like to enable only (what I know as) port forwarding on the router to allow the server to function properly.

My cable modem is plugged into FastEthernet4 and my game server is plugged into FastEthernet0. My gateway IP is 172.11.2.1. I have my server IP set to static 172.11.2.10. Based on this information, what would you recommend is the best way to get this to work?

I am going to keep trying different options as I really want to learn this. I am getting some great practice with the CLI and its many different options.

Thanks for the help!

I think your problem lies within your original config, use what I recommended above.

Yes I am trying hard to understand your post. Sorry man, the terminology is new to me.

"Both of these IP addresses are globally routable addresses. I don't see why you are setting static translations. Is your game server off port fa/0?"

What are globally routable addresses? I am only using the whole "ip nat inside source static" command b/c someone on the Cisco forums had recommended that as an option to set up my server for what I am trying to do with it.



The IP addresses I have are my internal IP addresses, right? They are my DHCP addresses. I thought an external address would be the actual IP I'm being given by my cable provider, such as 67.123.XX.XXX. Isn't that the external public IP?

I do have my game server set statically to 172.11.2.10 via DHCP. So based on that, by typing in the following:

ip nat pool serverports 172.11.2.10 172.11.2.10 netmask 255.255.255.255 type rotary
ip nat inside destination list 110 pool serverports
access-list 110 permit tcp any any range 0 65535
access-list 110 permit udp any any range 0 65535

And that should do it??

No worries man, let's just get this sorted out. What does your setup look like?

Modem---Cisco----Game server ?

If so, I would assume that your ISP is giving you an IP address via DHCP? If not then you must manually set your IP address to the port(on the cisco) that your modem plugs directly into. If you want, throw up your entire config.... blank out IPs that you deem necessary

EDIT: Remember, you have to have your modem plugged into your WAN port, not a standard switching port. VLAN 1 should be set to your particular subnet... Also, since this is an ISR (integrated services router) you have to have all your ip inspects set properly
 
No worries man, let's just get this sorted out. What does your setup look like?

Modem---Cisco----Game server ?

If so, I would assume that your ISP is giving you an IP address via DHCP? If not then you must manually set your IP address to the port(on the cisco) that your modem plugs directly into. If you want, throw up your entire config.... blank out IPs that you deem necessary

EDIT: Remember, you have to have your modem plugged into your WAN port, not a standard switching port. VLAN 1 should be set to your particular subnet...

Cool. I appreciate the help. The router has been performing great since I installed it a while back. I was able to configure most of the settings via the CLI and very little through the SDM Express software. I did configure the wireless settings and encryption via the Wireless Tool, however.

My ISP is Comcast and yes, I am obtaining my IP via DHCP and it is a typical Comcast IP (71.192.XX.XXX). I am obtaining that IP from my WAN port or fa4. Now, I set my gateway IP for DHCP to 172.11.2.1. I like using something different other than the usual DHCP LAN IPs (192.168.0.1, etc). My server is connected to fa0, or FastEthernet0.

I have 3 machines behind the router. My laptop which connects and obtains its IP via DHCP. I then have my gaming machine's IP set statically as 172.11.2.9. My Linux server's IP is set statically to 172.11.2.10. All three machines always connect just fine and are able to pretty much do whatever I need them to do.

So, the setup we are concerned about is the Modem-->Router-->Server. Modem is connected to fa4 and server is connected to fa0.

A Battlefield2 server (you may already know this) requires the following ports to be opened on a gateway in order for outside clients to connect to the server:

TCP: 80, 4711, 18060, 28910, 29900-29901, 29920, 1024-1124
UDP: 1500-4999, 16567, 18060, 27900-27901, 55123-55125

All I am trying to do is allow any outside traffic (in this case my BF2 playing people) connecting to my public IP to be able to connect to my server by forwarding the necessary ports, as listed above.

From what I read, the best way to accomplish this was to use IP Nat Translations to forward all necessary traffic from my WAN to a specific static internal IP, in this case 172.11.2.10, or my server's local IP.

How would you recommend I go about setting up this "port forwarding"? Again, thank you for your help. You have been patient and I really appreciate that.
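As an added example (not code from the thread), the Python below expands the BF2 port list quoted in this post into the one-port-per-line static NAT statements the thread found IOS requires for `ip nat inside source static`, and into an extended ACL that permits only those ports instead of `any any range 0 65535`. The server IP 172.11.2.10, interface FastEthernet4 and ACL name PORTS come from the thread; the script and its function names are assumptions.

```python
# Added example: generate Cisco IOS port-forwarding config from the BF2
# port list quoted in the thread. Not Cisco tooling; names are assumed.
import re
from ipaddress import ip_address

# Port list as quoted in the post above (copied verbatim).
BF2_PORTS = {
    "tcp": "80, 4711, 18060, 28910, 29900-29901, 29920, 1024-1124",
    "udp": "1500-4999, 16567, 18060, 27900-27901, 55123-55125",
}


def expand_ports(spec: str) -> list:
    """Turn '80, 29900-29901' into [80, 29900, 29901], validating every token."""
    ports = set()
    for token in re.split(r"\s*,\s*", spec.strip()):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
        if not m:
            raise ValueError(f"bad port token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"port out of range: {token!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def static_pat_lines(inside_ip: str, wan_if: str, ports: dict) -> list:
    """One 'ip nat inside source static' line per port; the thread found the
    command accepts a single port per entry, so ranges are expanded here."""
    ip_address(inside_ip)  # raises ValueError on a malformed address
    lines = []
    for proto, spec in ports.items():
        for p in expand_ports(spec):
            lines.append(
                f"ip nat inside source static {proto} {inside_ip} {p} "
                f"interface {wan_if} {p}"
            )
    return lines


def restricted_acl_lines(acl_name: str, ports: dict) -> list:
    """Extended ACL permitting only the listed destination ports, usable with
    'ip nat inside destination list <acl> pool <pool>' and as an access-group
    on the WAN interface, in place of 'permit tcp any any range 0 65535'."""
    lines = [f"ip access-list extended {acl_name}"]
    for proto, spec in ports.items():
        for token in re.split(r"\s*,\s*", spec.strip()):
            expand_ports(token)  # validate the token before emitting it
            lo, _, hi = token.partition("-")
            if hi:
                lines.append(f" permit {proto} any any range {lo} {hi}")
            else:
                lines.append(f" permit {proto} any any eq {lo}")
    return lines


if __name__ == "__main__":
    print("\n".join(restricted_acl_lines("PORTS", BF2_PORTS)))
    print(len(static_pat_lines("172.11.2.10", "FastEthernet4", BF2_PORTS)),
          "static NAT lines would be needed for per-port forwarding")
```

The per-port form needs 3615 NAT statements for this list, which is why the thread moved to a rotary pool; the 13-line ACL keeps that approach but exposes only the BF2 ports rather than every port on the server.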
 
okay, much better post... I understand how you have things set up now. Your translations are going to look exactly like what you had in your OP

ip nat inside source static tcp 172.11.2.4 80 interface F0/4 80 - where BV1 is your EXTERNAL interface or IP address...

when you have something like that enabled, does it work correctly?
 
okay, much better post... I understand how you have things set up now. Your translations are going to look exactly like what you had in your OP

ip nat inside source static tcp 172.11.2.4 80 interface F0/4 80 - where BV1 is your EXTERNAL interface or IP address...

when you have something like that enabled, does it work correctly?

Well, I started going through each necessary ip nat configuration but then couldn't figure out how to enter in port ranges. So, yes, the following worked OK:

ip nat inside source static tcp 172.11.2.10 80 interface fastethernet4 80

But then I tried to enter in one of the entries that was a port range, such as:

ip nat inside source static tcp 172.11.2.10 1024-1124 interface fastethernet4 1024-1124

Apparently, my syntax for using the CLI is incorrect, as my attempt at entering a port range as in the above example just kept giving me syntax errors.

Do you know how one would enter in a range of ports when entering in a new nat translation, and not just the single port?
 
Apparently, my syntax for using the CLI is incorrect, as my attempt at entering a port range as in the above example just kept giving me syntax errors.

Do you know how one would enter in a range of ports when entering in a new nat translation, and not just the single port?

That's correct, to do a range of ports you do exactly what I said in my first post I believe.
Try this:

ip nat pool serverports 172.11.2.10 172.11.2.10 netmask 255.255.255.0 type rotary
ip nat inside destination list 110 pool serverports
access-list 110 permit tcp any any range 0 65535
access-list 110 permit udp any any range 0 65535


Apply your ACL to your FA0/4 Interface with the "ip access-group 110 in" . If the in doesn't work... just use the out :D

This SHOULD work, If not try using the newer ACL commands


ip nat pool serverports 172.11.2.10 172.11.2.10 netmask 255.255.255.0 type rotary
ip access-list extended PORTS
permit tcp any any range 0 65535
permit udp any any range 0 65535
ip nat inside destination list PORTS pool serverports

and apply the PORTS access list to the f0/4 interface.
 
ip nat pool serverports 172.11.2.10 172.11.2.10 netmask 255.255.255.0 type rotary
ip access-list extended PORTS
permit tcp any any range 0 65535
permit udp any any range 0 65535
ip nat inside destination list PORTS pool serverports

This worked as far as I can tell.

and apply the PORTS access list to the f0/4 interface.

So for this...

enable
config
ip access-list PORTS in
ctrl^z
wr me


And that's it?? How do I apply this to FastEthernet4? Thanks again dude.
 
This worked as far as I can tell.



So for this...

enable
config
ip access-list PORTS in
ctrl^z
wr me


And that's it?? How do I apply this to FastEthernet4? Thanks again dude.

I think the 851 has a built in switch, so you end up applying it to Fa0/0.

post the output of 'sh ip int brief'
 
Thanks for the reply!

Code:
C851W#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Dot11Radio0                unassigned      YES TFTP   up                    up
FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  down                  down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    down
FastEthernet4              Comcast IP      YES DHCP   up                    up
Vlan1                      unassigned      YES NVRAM  up                    up
NVI0                       unassigned      YES unset  up                    up
BVI1                       172.11.2.1      YES NVRAM  up                    up
Virtual-Dot11Radio0        unassigned      YES TFTP   down                  down

Also, how would I delete a Nat Translation that was set up via the CLI? For example, I set up a Nat translation like the following:

enable
config
ip nat inside source static 172.11.2.10 interface FastEthernet4
ctrl^z
wr me

How would I delete that entry after I wrote it to memory?

Thank you.

Update: For some reason I cannot find a CLI command that clears a static ip nat translation. I have only been able to find the command for clearing a dynamic ip nat translation. Good god.

Update2: Found correct command to apply access-list to fa4:

1. enable

2. configure terminal

3. interface type number

4. ip access-group {access-list-number | access-list-name} {in | out}
 
OK, everything is working and people have been able to connect to the server without hassle.

So, the steps I took were:

Code:
enable
config
ip nat inside source static 172.11.2.10 interface fastethernet4
(Where 172.11.2.10 is the local IP for my server, and fa4 is the port acting as my WAN on the router.)

Code:
enable
config
ip nat pool serverports 172.11.2.10 172.11.2.10 netmask 255.255.255.0 type rotary 
ip access-list extended PORTS
permit tcp any any range 0 65535
permit udp any any range 0 65535
ip nat inside destination list PORTS pool serverports

And finally...

Code:
config
interface fastethernet4
ip access-group PORTS in

And all is well! Thanks for everyone's help.
 
OK, everything is working and people have been able to connect to the server without hassle.

So, the steps I took were:

Code:
enable
config
ip nat inside source static 172.11.2.10 interface fastethernet4
(Where 172.11.2.10 is the local IP for my server, and fa4 is the port acting as my WAN on the router.)

Code:
enable
config
ip nat pool serverports 172.11.2.10 172.11.2.10 netmask 255.255.255.0 type rotary 
ip access-list extended PORTS
permit tcp any any range 0 65535
permit udp any any range 0 65535
ip nat inside destination list PORTS pool serverports

And finally...

Code:
config
interface fastethernet4
ip access-group PORTS in

And all is well! Thanks for everyone's help.

ahhh... I was just about to reply to this. Glad you got things sorted out... no problem man :)
 