[CLUE-Tech] Port Forwarding / routing w/ cisco 678
Frank Whiteley
techzone at greeleynet.com
Thu Apr 15 11:40:58 MDT 2004
----- Original Message -----
From: "Frank Whiteley" <techzone at greeleynet.com>
To: <clue-tech at clue.denver.co.us>
Sent: Wednesday, April 14, 2004 18:45
Subject: Re: [CLUE-Tech] Port Forwarding / routing w/ cisco 678
> ----- Original Message -----
> From: "Dave Price" <dp_kinaole at yahoo.com>
> To: <clue-tech at clue.denver.co.us>
> Sent: Wednesday, April 14, 2004 09:08
> Subject: [CLUE-Tech] Port Forwarding / routing w/ cisco 678
>
>
> > Hello,
> >
> > I am trying to use port-forwarding with a cisco 678 DSL router.
> >
> > I have a static IP address assigned to the device of 64.65.162.63
> >
> > We are using the device's NAT and onboard DHCP to connect a LAN to the
> > Internet. Local devices work fine with addresses in the 10.0.0.0/24
> > range.
> >
> > The device is configured to pass ports 80 (http) and 22 (ssh) on to
> > local IP address 10.0.0.2.
> >
> > I can call up web pages and login via ssh from 'outside' the LAN just
> > fine, but when I am 'inside' I cannot use the 64.65.162.63 address to
> > connect, although the 10.0.0.2 address works fine for http and ssh.
> >
> > Below is the (I think) relevant config info from the 678. Am I mistaken
> > in my belief that the 'outside' address should work the same whether we
> > are inside or out? Any hints as to what I need to change to get this to
> > work right?
> >
> > aloha,
> > dave
> >
> > <paste>
> >
> > cbos#sho int
> > IP Address Mask
> > eth0 10.0.0.1 255.255.255.0
> > vip0 0.0.0.0 255.255.255.0
> > vip1 0.0.0.0 255.255.255.0
> > vip2 0.0.0.0 255.255.255.0
> > wan0 Physical Port: Trained
> >
> > Dest IP Address Mask
> > wan0-0 209.150.192.10 255.255.255.255
> >
> > cbos#sho route
> > [TARGET] [MASK] [GATEWAY] [M][P] [TYPE] [IF] [AGE]
> > 0.0.0.0 0.0.0.0 0.0.0.0 1 SA WAN0-0 0
> > 10.0.0.0 255.255.255.0 0.0.0.0 1 LA ETH0 0
> > 209.150.192.0 255.255.255.0 0.0.0.0 1 AR WAN0-0 0
> >
> > WAN Interfaces...
> > 209.150.192.10 255.255.255.255 0.0.0.0 1 HA WAN0-0 0
> >
> > IP NAT = enabled
> > IP Multicast Forwarding = disabled
> > IP Port RIP Send Responses = 00, disabled
> > IP Port RIPv2 Send Type = 00, donotsend
> > IP Port RIPv2 Receive Type = 00, donotreceive
> > IP Port RIP Send Responses = 01, disabled
> > IP Port RIPv2 Send Type = 01, donotsend
> > IP Port RIPv2 Receive Type = 01, donotreceive
> > IP NAT Entry = 10.0.0.2, 22, 64.65.162.63, 22, tcp;10.0.0.2, 80, 64.65.162.63, 80, tcp;
> >
> > cbos#show nat
> >
> > NAT is currently enabled
> >
> > Port Network Global
> > eth0 Inside
> > wan0-0 Outside 64.65.162.63
> > vip0 Outside
> > vip1 Outside
> > vip2 Outside
> >
> > Local IP : Port Global IP : Port Timer Flags Proto Interface
> > 10.0.0.2:22 64.65.162.63:22 0 0x00041 tcp eth0 wan0-0
> > 10.0.0.2:80 64.65.162.63:80 0 0x00041 tcp eth0 wan0-0
> > 10.0.0.2:631 64.65.162.63:631 90 0x00046 udp eth0 wan0-0
> > 10.0.0.2:42864 64.65.162.63:21505 86340 0x00046 tcp eth0 wan0-0
> > 10.0.0.2:42865 64.65.162.63:21507 86250 0x00046 tcp eth0 wan0-0
> > 10.0.0.5:138 64.65.162.63:21779 30 0x00046 udp eth0 wan0-0
> >
> > cbos#
> > </paste>
> Can't recall if IP NAT Outside IP shows without adding it specifically.
>
> Try
>
> ena
> show nvram
>
> And see if your static IP is listed as
> IP NAT Outside IP = 64.65.162.63
>
> If not, it should be.
>
> There are a couple of NAT/subnet routing issues with public/private IP space
> that are solved by this
>
> ena
> set int wan0-0 outside-ip 64.65.162.63
> write
> reboot
>
> Then try checking again and the line will be there.
>
> Although I'm not currently doing any port forwarding on my particular setup,
> until I issued the above, I had other issues with NATing RFC 1918 subnets in
> parallel with public IPs and seeing public IPs on the subnet. Now I can
> access the router or subnet from private LAN side boxes via public WAN
> static IP, 3x private IP subnet gateways, or public VIP gateway IP. This
> worked natively on the C675, but not on my C678's.
>
BTW, I just noticed there's also a similar command for NAT
set nat outside-ip xxx.xxx.xxx.xxx
Though I don't recall ever having to set this, but no telling how port
forwarding might affect things. Might have a chance to check this out next
week.
Frank
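
An added example, not part of the original thread and not Cisco tooling: a Python check over saved `show nvram` text that lists the configured port forwards and reports whether the `IP NAT Outside IP` line described above is present and matches them. The sample text is constructed from lines quoted in this thread (assumed to resemble `show nvram` output), and the function names are hypothetical.

```python
# Constructed sample: lines copied from the paste in this thread, including
# the mail-wrapped "IP NAT Entry" line. No "IP NAT Outside IP" line is present.
SAMPLE_NVRAM = """\
IP NAT = enabled
IP Multicast Forwarding = disabled
IP NAT Entry = 10.0.0.2, 22, 64.65.162.63, 22, tcp;10.0.0.2, 80,
64.65.162.63, 80, tcp;
"""

def unwrap(text):
    """Rejoin wrapped continuation lines (no 'key = value') to the previous line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def parse_nvram(text):
    """Return (outside_ip or None, list of port-forward dicts)."""
    outside_ip, forwards = None, []
    for line in unwrap(text):
        key, _, value = line.partition(" = ")
        if key == "IP NAT Outside IP":
            outside_ip = value.strip()
        elif key == "IP NAT Entry":
            for entry in filter(None, (e.strip() for e in value.split(";"))):
                l_ip, l_port, g_ip, g_port, proto = [f.strip() for f in entry.split(",")]
                forwards.append({"local": (l_ip, int(l_port)),
                                 "global": (g_ip, int(g_port)), "proto": proto})
    return outside_ip, forwards

def check(text):
    """Findings: outside IP missing, or a forward whose global IP differs from it."""
    outside_ip, forwards = parse_nvram(text)
    if outside_ip is None:
        return ["IP NAT Outside IP is not set"]
    return [f"{f['proto']} forward {f['global'][0]}:{f['global'][1]} "
            f"does not use outside IP {outside_ip}"
            for f in forwards if f["global"][0] != outside_ip]

if __name__ == "__main__":
    for fwd in parse_nvram(SAMPLE_NVRAM)[1]:
        print("exposed:", fwd)
    print(check(SAMPLE_NVRAM))
```

The forward list doubles as a record of which inside services (here ssh and http on 10.0.0.2) are reachable from the WAN side.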