[CLUE-Tech] Port Forwarding / routing w/ cisco 678

Frank Whiteley techzone at greeleynet.com
Wed Apr 14 18:45:45 MDT 2004


----- Original Message ----- 
From: "Dave Price" <dp_kinaole at yahoo.com>
To: <clue-tech at clue.denver.co.us>
Sent: Wednesday, April 14, 2004 09:08
Subject: [CLUE-Tech] Port Forwarding / routing w/ cisco 678


> Hello,
>
> I am trying to use port-forwarding with a cisco 678 DSL router.
>
> I have a static IP address assigned to the device of 64.65.162.63
>
> We are using the device's NAT and onboard DHCP to connect a LAN to the
> Internet.  Local devices work fine with addresses in the 10.0.0.0/24
> range.
>
> The device is configured to pass ports 80 (http) and 22 (ssh) on to
> local IP address 10.0.0.2.
>
> I can call up web pages and login via ssh from 'outside' the LAN just
> fine, but when I am 'inside' I cannot use the 64.65.162.63 address to
> connect, although the 10.0.0.2 address works fine for http and ssh.
>
> Below is the (I think) relevant config info from the 678.  Am I mistaken
> in my belief that the 'outside' address should work the same whether we
> are inside or out?  Any hints as to what I need to change to get this to
> work right?
>
> aloha,
> dave
>
> <paste>
>
> cbos#sho int
>            IP Address         Mask
> eth0       10.0.0.1           255.255.255.0
> vip0       0.0.0.0            255.255.255.0
> vip1       0.0.0.0            255.255.255.0
> vip2       0.0.0.0            255.255.255.0
> wan0       Physical Port: Trained
>
>            Dest IP Address    Mask
> wan0-0     209.150.192.10     255.255.255.255
>
> cbos#sho route
> [TARGET]         [MASK]           [GATEWAY]       [M][P] [TYPE]    [IF]     [AGE]
> 0.0.0.0          0.0.0.0          0.0.0.0          1     SA        WAN0-0   0
> 10.0.0.0         255.255.255.0    0.0.0.0          1     LA        ETH0     0
> 209.150.192.0    255.255.255.0    0.0.0.0          1     AR        WAN0-0   0
>
> WAN Interfaces...
> 209.150.192.10   255.255.255.255  0.0.0.0          1     HA        WAN0-0   0
>
> IP NAT = enabled
> IP Multicast Forwarding = disabled
> IP Port RIP Send Responses = 00, disabled
> IP Port RIPv2 Send Type = 00, donotsend
> IP Port RIPv2 Receive Type = 00, donotreceive
> IP Port RIP Send Responses = 01, disabled
> IP Port RIPv2 Send Type = 01, donotsend
> IP Port RIPv2 Receive Type = 01, donotreceive
> IP NAT Entry = 10.0.0.2, 22, 64.65.162.63, 22, tcp;10.0.0.2, 80, 64.65.162.63, 80, tcp;
>
> cbos#show nat
>
> NAT is currently enabled
>
> Port      Network        Global
> eth0      Inside
> wan0-0    Outside      64.65.162.63
> vip0      Outside
> vip1      Outside
> vip2      Outside
>
>       Local IP : Port      Global IP : Port      Timer Flags    Proto Interface
>        10.0.0.2:22       64.65.162.63:22           0   0x00041  tcp   eth0 wan0-0
>        10.0.0.2:80       64.65.162.63:80           0   0x00041  tcp   eth0 wan0-0
>        10.0.0.2:631      64.65.162.63:631         90   0x00046  udp   eth0 wan0-0
>        10.0.0.2:42864    64.65.162.63:21505    86340   0x00046  tcp   eth0 wan0-0
>        10.0.0.2:42865    64.65.162.63:21507    86250   0x00046  tcp   eth0 wan0-0
>        10.0.0.5:138      64.65.162.63:21779       30   0x00046  udp   eth0 wan0-0
>
> cbos#
> </paste>
Can't recall if IP NAT Outside IP shows without adding it specifically.

Try

ena
show nvram

And see if your static IP is listed as
IP NAT Outside IP = 64.65.162.63

If not, it should be.

There are a couple of NAT/subnet routing issues with public/private IP space
that are solved by this

ena
set int wan0-0 outside-ip 64.65.162.63
write
reboot

Then try checking again and the line will be there.

Although I'm not currently doing any port forwarding on my particular setup,
until I issued the above, I had other issues with NATing RFC 1918 subnets in
parallel with public IPs and seeing public IPs on the subnet.  Now I can
access the router or subnet from private LAN side boxes via public WAN
static IP, 3x private IP subnet gateways, or public VIP gateway IP.  This
worked natively on the C675, but not on my C678's.

HTH,

Frank Whiteley
Greeley
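
One way to run the check described above against a saved capture of the router's settings, as an added example (not code from the original post). It assumes the capture uses the `key = value` lines quoted in the thread; the function names and sample text are constructed here.

```python
# Constructed sample: the "key = value" lines quoted in the thread, as a saved
# settings capture might contain them (including the mail-wrapped NAT entry).
SAMPLE_BEFORE = """\
IP NAT = enabled
IP NAT Entry = 10.0.0.2, 22, 64.65.162.63, 22, tcp;10.0.0.2, 80,
64.65.162.63, 80, tcp;
"""
SAMPLE_AFTER = SAMPLE_BEFORE + "IP NAT Outside IP = 64.65.162.63\n"


def parse_settings(text):
    """Return {key: value}, joining continuation lines that lack ' = '."""
    settings, last = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail quoting
        if " = " in line:
            last, value = (p.strip() for p in line.split(" = ", 1))
            settings[last] = value
        elif line and last is not None:
            settings[last] += " " + line
    return settings


def parse_forwards(entry):
    """Split 'local, lport, global, gport, proto;...' into tuples."""
    forwards = []
    for chunk in entry.split(";"):
        fields = [f.strip() for f in chunk.split(",")]
        if len(fields) == 5:
            local, lport, glob, gport, proto = fields
            forwards.append((local, int(lport), glob, int(gport), proto))
    return forwards


def audit(text):
    """Return (forwards, findings) for a saved settings capture."""
    s = parse_settings(text)
    forwards = parse_forwards(s.get("IP NAT Entry", ""))
    outside = s.get("IP NAT Outside IP")
    findings = []
    if s.get("IP NAT") == "enabled" and forwards and not outside:
        findings.append("IP NAT Outside IP is not set")
    for local, lport, glob, gport, proto in forwards:
        if outside and glob != outside:
            findings.append(f"{glob}:{gport}/{proto} does not match outside IP {outside}")
    return forwards, findings
```

The returned forward list also serves as an inventory of which inside hosts and ports are reachable from the WAN side.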



