[CLUE-Tech] Port Forwarding / routing w/ cisco 678

Frank Whiteley techzone at greeleynet.com
Thu Apr 15 11:40:58 MDT 2004


----- Original Message ----- 
From: "Frank Whiteley" <techzone at greeleynet.com>
To: <clue-tech at clue.denver.co.us>
Sent: Wednesday, April 14, 2004 18:45
Subject: Re: [CLUE-Tech] Port Forwarding / routing w/ cisco 678


> ----- Original Message ----- 
> From: "Dave Price" <dp_kinaole at yahoo.com>
> To: <clue-tech at clue.denver.co.us>
> Sent: Wednesday, April 14, 2004 09:08
> Subject: [CLUE-Tech] Port Forwarding / routing w/ cisco 678
>
>
> > Hello,
> >
> > I am trying to use port-forwarding with a cisco 678 DSL router.
> >
> > I have a static IP address assigned to the device of 64.65.162.63
> >
> > We are using the device's NAT and onboard DHCP to connect a LAN to the
> > Internet.  Local devices work fine with addresses in the 10.0.0.0/24
> > range.
> >
> > The device is configured to pass ports 80 (http) and 22 (ssh) on to
> > local IP address 10.0.0.2.
> >
> > I can call up web pages and login via ssh from 'outside' the LAN just
> > fine, but when I am 'inside' I cannot use the 64.65.162.63 address to
> > connect, although the 10.0.0.2 address works fine for http and ssh.
> >
> > Below is the (I think) relevant config info from the 678.  Am I mistaken
> > in my belief that the 'outside' address should work the same whether we
> > are inside or out?  Any hints as to what I need to change to get this to
> > work right?
> >
> > aloha,
> > dave
> >
> > <paste>
> >
> > cbos#sho int
> >            IP Address         Mask
> > eth0       10.0.0.1           255.255.255.0
> > vip0       0.0.0.0            255.255.255.0
> > vip1       0.0.0.0            255.255.255.0
> > vip2       0.0.0.0            255.255.255.0
> > wan0       Physical Port: Trained
> >
> >            Dest IP Address    Mask
> > wan0-0     209.150.192.10     255.255.255.255
> >
> > cbos#sho route
> > [TARGET]         [MASK]           [GATEWAY]       [M][P] [TYPE]    [IF]     [AGE]
> > 0.0.0.0          0.0.0.0          0.0.0.0          1     SA        WAN0-0   0
> > 10.0.0.0         255.255.255.0    0.0.0.0          1     LA        ETH0     0
> > 209.150.192.0    255.255.255.0    0.0.0.0          1     AR        WAN0-0   0
> >
> > WAN Interfaces...
> > 209.150.192.10   255.255.255.255  0.0.0.0          1     HA        WAN0-0   0
> >
> > IP NAT = enabled
> > IP Multicast Forwarding = disabled
> > IP Port RIP Send Responses = 00, disabled
> > IP Port RIPv2 Send Type = 00, donotsend
> > IP Port RIPv2 Receive Type = 00, donotreceive
> > IP Port RIP Send Responses = 01, disabled
> > IP Port RIPv2 Send Type = 01, donotsend
> > IP Port RIPv2 Receive Type = 01, donotreceive
> > IP NAT Entry = 10.0.0.2, 22, 64.65.162.63, 22, tcp;10.0.0.2, 80, 64.65.162.63, 80, tcp;
> >
> > cbos#show nat
> >
> > NAT is currently enabled
> >
> > Port      Network        Global
> > eth0      Inside
> > wan0-0    Outside      64.65.162.63
> > vip0      Outside
> > vip1      Outside
> > vip2      Outside
> >
> >       Local IP : Port      Global IP : Port      Timer Flags    Proto  Interface
> >        10.0.0.2:22       64.65.162.63:22           0   0x00041  tcp    eth0 wan0-0
> >        10.0.0.2:80       64.65.162.63:80           0   0x00041  tcp    eth0 wan0-0
> >        10.0.0.2:631      64.65.162.63:631         90   0x00046  udp    eth0 wan0-0
> >        10.0.0.2:42864    64.65.162.63:21505    86340   0x00046  tcp    eth0 wan0-0
> >        10.0.0.2:42865    64.65.162.63:21507    86250   0x00046  tcp    eth0 wan0-0
> >        10.0.0.5:138      64.65.162.63:21779       30   0x00046  udp    eth0 wan0-0
> >
> > cbos#
> > </paste>
> Can't recall if IP NAT Outside IP shows without adding it specifically.
>
> Try
>
> ena
> show nvram
>
> And see if your static IP is listed as
> IP NAT Outside IP = 64.65.162.63
>
> If not, it should be.
>
> There are a couple of NAT/subnet routing issues with public/private IP space
> that are solved by this
>
> ena
> set int wan0-0 outside-ip 64.65.162.63
> write
> reboot
>
> Then try checking again and the line will be there.
>
> Although I'm not currently doing any port forwarding on my particular setup,
> until I issued the above, I had other issues with NATing RFC 1918 subnets in
> parallel with public IPs and seeing public IPs on the subnet.  Now I can
> access the router or subnet from private LAN side boxes via public WAN
> static IP, 3x private IP subnet gateways, or public VIP gateway IP.  This
> worked natively on the C675, but not on my C678's.
>
BTW, I just noticed there's also a similar command for NAT

set nat outside-ip xxx.xxx.xxx.xxx

Though I don't recall ever having to set this, but no telling how port
forwarding might affect things.  Might have a chance to check this out next
week.

Frank
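
The check described in the reply above (look in `show nvram` for an `IP NAT Outside IP` line matching the static address used by the port forwards) can be scripted against saved router output. This is an added example, not part of the original message: the function names and sample text are constructed, and the `Key = value` nvram layout is assumed from the lines quoted in the thread.

```python
import ipaddress

# Constructed sample, modelled on the nvram lines quoted in the thread.
# Assumption: every setting is printed as "Key = value" and long values may wrap.
SAMPLE_NVRAM = """\
IP NAT = enabled
IP NAT Entry = 10.0.0.2, 22, 64.65.162.63, 22, tcp;10.0.0.2, 80,
64.65.162.63, 80, tcp;
"""

def parse_nvram(text):
    """Return (nat_enabled, outside_ip, forwards) from saved 'show nvram' text."""
    settings = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if " = " in line or not settings:
            settings.append(line)          # start of a new "Key = value" setting
        else:
            settings[-1] += " " + line     # wrapped continuation of the previous value
    values = {}
    for setting in settings:
        key, sep, val = setting.partition(" = ")
        if sep:
            values.setdefault(key.strip(), []).append(val.strip())
    forwards = []
    for value in values.get("IP NAT Entry", []):
        for entry in value.split(";"):
            f = [x.strip() for x in entry.split(",")]
            if len(f) == 5:                # local ip, local port, global ip, global port, proto
                forwards.append((f[0], int(f[1]), f[2], int(f[3]), f[4]))
    outside = values.get("IP NAT Outside IP", [None])[0]
    enabled = values.get("IP NAT", [""])[0] == "enabled"
    return enabled, outside, forwards

def audit(text):
    """List mismatches between the port forwards and the NAT outside IP."""
    enabled, outside, forwards = parse_nvram(text)
    findings = []
    if not enabled:
        findings.append("NAT is not enabled")
    if outside is None:
        findings.append("IP NAT Outside IP is not set")
    for local_ip, lport, global_ip, gport, proto in forwards:
        if not ipaddress.ip_address(local_ip).is_private:
            findings.append(f"forward target {local_ip} is not a private address")
        if outside is not None and global_ip != outside:
            findings.append(f"{proto}/{gport} forwards from {global_ip}, not {outside}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_NVRAM):
        print(finding)
```

The parsed forward list also serves as an inventory of which inbound ports the router exposes to the Internet.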



