[CLUE-Tech] Port Forwarding / routing w/ cisco 678

skipworthy at realivetech.com
Wed Apr 14 12:58:57 MDT 2004


Dave-

I'm not precisely sure what you're trying to accomplish (you don't say what
you are trying to use the 65.~ address to connect to, and you say the
machines from inside can get out just fine...), but here's what I think...

First thing I would do is make sure you're hitting the 65.~ address from the
inside - I bet you aren't. Try a ping and/or a traceroute and see what comes
back.

For one thing, you have some static NAT mappings, which iirc means that any
other routing is dropped - so if you're hitting 65.~ trying to get it to
forward ssh to the outside world, it doesn't know where to send it, so it
gets dropped.


My first guess is that you need to use the *inside interface* as the
gateway for your inside network, which should have as *its* gateway the
exterior interface. Not sure about the 678 specifically, but in addition to
it not being an incorrect routing I would bet that the outside interface
is set to not accept packets from a private IP address. (This is how that
kind of router works: it takes packets in on one side, figures out where it
should go, and passes it on based on a fairly simple set of rules.) Even if
you can hit the opposite interface, I doubt very much that it would *know*
how to route your data.

Hope that's helpful.

Glen

----- Original Message -----
From: "Dave Price" <dp_kinaole at yahoo.com>
To: <clue-tech at clue.denver.co.us>
Sent: Wednesday, April 14, 2004 9:08 AM
Subject: [CLUE-Tech] Port Forwarding / routing w/ cisco 678


> Hello,
>
> I am trying to use port-forwarding with a cisco 678 DSL router.
>
> I have a static IP address assigned to the device of 64.65.162.63
>
> We are using the device's NAT and onboard DHCP to connect a LAN to the
> Internet.  Local devices work fine with addresses in the 10.0.0.0/24
> range.
>
> The device is configured to pass ports 80 (http) and 22 (ssh) on to
> local IP address 10.0.0.2.
>
> I can call up web pages and login via ssh from 'outside' the LAN just
> fine, but when I am 'inside' I cannot use the 64.65.162.63 address to
> connect, although the 10.0.0.2 address works fine for http and ssh.
>
> Below is the (I think) relevant config info from the 678.  Am I mistaken
> in my belief that the 'outside' address should work the same whether we
> are inside or out?  Any hints as to what I need to change to get this to
> work right?
>
> aloha,
> dave
>
> <paste>
>
> cbos#sho int
>            IP Address         Mask
> eth0       10.0.0.1           255.255.255.0
> vip0       0.0.0.0            255.255.255.0
> vip1       0.0.0.0            255.255.255.0
> vip2       0.0.0.0            255.255.255.0
> wan0       Physical Port: Trained
>
>            Dest IP Address    Mask
> wan0-0     209.150.192.10     255.255.255.255
>
> cbos#sho route
> [TARGET]         [MASK]           [GATEWAY]       [M][P] [TYPE]    [IF]     [AGE]
> 0.0.0.0          0.0.0.0          0.0.0.0          1     SA        WAN0-0   0
> 10.0.0.0         255.255.255.0    0.0.0.0          1     LA        ETH0     0
> 209.150.192.0    255.255.255.0    0.0.0.0          1     AR        WAN0-0   0
>
> WAN Interfaces...
> 209.150.192.10   255.255.255.255  0.0.0.0          1     HA        WAN0-0   0
>
> IP NAT = enabled
> IP Multicast Forwarding = disabled
> IP Port RIP Send Responses = 00, disabled
> IP Port RIPv2 Send Type = 00, donotsend
> IP Port RIPv2 Receive Type = 00, donotreceive
> IP Port RIP Send Responses = 01, disabled
> IP Port RIPv2 Send Type = 01, donotsend
> IP Port RIPv2 Receive Type = 01, donotreceive
> IP NAT Entry = 10.0.0.2, 22, 64.65.162.63, 22, tcp;10.0.0.2, 80, 64.65.162.63, 80, tcp;
>
> cbos#show nat
>
> NAT is currently enabled
>
> Port      Network        Global
> eth0      Inside
> wan0-0    Outside      64.65.162.63
> vip0      Outside
> vip1      Outside
> vip2      Outside
>
>       Local IP : Port      Global IP : Port      Timer Flags    Proto Interface
>        10.0.0.2:22       64.65.162.63:22           0   0x00041  tcp   eth0 wan0-0
>        10.0.0.2:80       64.65.162.63:80           0   0x00041  tcp   eth0 wan0-0
>        10.0.0.2:631      64.65.162.63:631         90   0x00046  udp   eth0 wan0-0
>        10.0.0.2:42864    64.65.162.63:21505    86340   0x00046  tcp   eth0 wan0-0
>        10.0.0.2:42865    64.65.162.63:21507    86250   0x00046  tcp   eth0 wan0-0
>        10.0.0.5:138      64.65.162.63:21779       30   0x00046  udp   eth0 wan0-0
>
> cbos#
> </paste>
>
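
Added example, not part of the original messages: a Python sketch that cross-checks the `IP NAT Entry` configuration line against the `show nat` translation table quoted above, separating the configured inbound forwards from every other translation. The function names are hypothetical, and the parser assumes the column layout shown in the post.

```python
import re

# Rows copied from the quoted cbos output in this thread (one dynamic row
# omitted), with "> " quote markers and mail-client line wrapping left in.
SAMPLE = """\
> IP NAT Entry = 10.0.0.2, 22, 64.65.162.63, 22, tcp;10.0.0.2, 80,
> 64.65.162.63, 80, tcp;
>        10.0.0.2:22       64.65.162.63:22           0   0x00041  tcp
> eth0 wan0-0
>        10.0.0.2:80       64.65.162.63:80           0   0x00041  tcp
> eth0 wan0-0
>        10.0.0.2:631      64.65.162.63:631         90   0x00046  udp
> eth0 wan0-0
>        10.0.0.2:42864    64.65.162.63:21505    86340   0x00046  tcp
> eth0 wan0-0
>        10.0.0.5:138      64.65.162.63:21779       30   0x00046  udp
> eth0 wan0-0
"""

IP = r"(\d+(?:\.\d+){3})"
ENTRY_RE = re.compile(IP + r",\s*(\d+),\s*" + IP + r",\s*(\d+),\s*(tcp|udp);")
ROW_RE = re.compile(IP + r":(\d+)\s+" + IP + r":(\d+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+(tcp|udp)")

def normalize(text):
    """Drop quote markers and collapse wrapping so each record is contiguous."""
    lines = (re.sub(r"^\s*>\s?", "", ln) for ln in text.splitlines())
    return " ".join(" ".join(lines).split())

def configured_forwards(text):
    """Mappings listed on the 'IP NAT Entry' configuration line."""
    return {(l, int(lp), g, int(gp), proto)
            for l, lp, g, gp, proto in ENTRY_RE.findall(normalize(text))}

def active_translations(text):
    """Rows of the 'show nat' translation table, in table order."""
    return [(l, int(lp), g, int(gp), proto, int(timer), flags)
            for l, lp, g, gp, timer, flags, proto in ROW_RE.findall(normalize(text))]

def audit(text):
    """Split the table into configured forwards and all other translations."""
    forwards = configured_forwards(text)
    exposed, other = [], []
    for row in active_translations(text):
        (exposed if row[:5] in forwards else other).append(row)
    return exposed, other

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The configured forwards are the ports reachable from the Internet side, so this is the list to review when checking what the router exposes.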



