Monday 21 October 2019

Configure Cisco Port Forwarding with Cisco IOS Router


In this article you will learn what port forwarding is and how to configure port forwarding on a Cisco IOS router.
Port forwarding is used to forward traffic directed to a specific network port from one network node to another. This technique allows an external user to reach a port on a private IPv4 address (within a LAN) from outside, through a router with NAT enabled.
In general, peer-to-peer operations and file-sharing programs, as well as server applications such as web and FTP servers, require router ports to be forwarded or opened for these applications to work, as shown in Image 1. Because NAT hides internal addresses, peer-to-peer communication only works from the inside out, where NAT can match outgoing requests to incoming responses.

The problem is that NAT does not allow requests initiated from outside. This can be resolved manually: port forwarding can be configured to identify specific ports that should be forwarded to internal hosts.

What is Port Forwarding?

Remember that Internet software applications interact with user ports that need to be open or available for those applications. Different applications use different ports, which lets applications and routers identify network services predictably. For example, HTTP uses the well-known port 80. When someone enters the address http://cisco.com, the browser displays the Cisco Systems, Inc. website. Note that it is not necessary to specify the HTTP port number in the page request, since the application assumes port 80.
In Image 2, the owner of a small business uses a point of sale (PoS) server to track sales and inventory in the store. The server can be accessed from the store but, because it has a private IPv4 address, it cannot be reached publicly from the Internet. Enabling port forwarding on the local router would allow the owner to access the point of sale server from anywhere on the Internet. Port forwarding on the router is configured with the destination port number and the private IPv4 address of the point of sale server. To access the server, the client software uses the public IPv4 address of the router and the destination port of the server.

EXAMPLE OF WIRELESS ROUTER

Image 3 shows the Single Port Forwarding configuration window of a Packet Tracer wireless router. By default, port forwarding is not enabled on the router.

Once the internal local address to which requests should be forwarded is specified, port forwarding can be enabled for applications. In the figure, requests for HTTP services that reach the wireless router are forwarded to the web server at the internal local address 192.168.1.254. If the external WAN IPv4 address of the wireless router is 209.165.200.225, a user can enter http://www.example.com and the wireless router will redirect the HTTP request to the internal web server at IPv4 address 192.168.1.254, using the default port number, 80.
A port other than the default port 80 can be specified. However, the external user would then have to know the specific port number to use. To specify a different port, the value of the External Port field is modified in the Single Port Forwarding window.

Configure Port Forwarding with Cisco IOS

The Cisco IOS commands used to implement port forwarding are similar to those used to configure static NAT. Essentially, port forwarding is a static NAT translation with a specific TCP or UDP port number.

The static NAT command that is used to configure port forwarding with IOS is shown below.

ip nat inside source static { tcp | udp } local-ip local-port global-ip global-port [ extendable ]

Parameter     Description
tcp | udp     Indicates whether this is a TCP or UDP port number.
local-ip      The IPv4 address assigned to the host on the inside network, generally from the private address space defined in RFC 1918.
local-port    Sets the local TCP/UDP port, in the range 1 to 65,535. This is the port number on which the server listens.
global-ip     The globally unique IPv4 address of the inside host. This is the IP address used by external clients to reach the internal server.
global-port   Sets the global TCP/UDP port, in the range 1 to 65,535. This is the port number used by external clients to reach the internal server.
extendable    The extendable option is applied automatically. The extendable keyword allows several ambiguous static translations to be configured, that is, translations with the same local or global address. It lets the router extend the translation to more than one port if necessary.

Command table for port forwarding with IOS.

Port Forwarding CONFIGURATION EXAMPLE

In the following figure, an example of a port forwarding configuration with IOS commands on router R2 is shown.

Set the static translation between an inside local address and local port and an inside global address and global port:
R2(config)# ip nat inside source static tcp 192.168.10.254 80 209.165.200.225 8080
Identify the Serial0/0/0 interface as the inside NAT interface:
R2(config)# interface Serial0/0/0
R2(config-if)# ip nat inside
Identify the Serial0/1/0 interface as the outside NAT interface:
R2(config)# interface Serial0/1/0
R2(config-if)# ip nat outside
The address 192.168.10.254 is the inside local IPv4 address of the web server listening on port 80. Users access this internal web server using the global IPv4 address 209.165.200.225, a globally unique public IPv4 address. In this case, it is the address of the Serial0/1/0 interface of R2. The global port is configured as 8080. This is the destination port that is used together with the global IPv4 address 209.165.200.225 to reach the internal web server. Note the following command parameters in the NAT configuration:

  • local-ip = 192.168.10.254
  • local-port = 80
  • global-ip = 209.165.200.225
  • global-port = 8080

When a well-known port number is not used, the client must specify the application's port number.
Like other types of NAT, port forwarding requires that internal and external NAT interfaces be configured.

VERIFICATION OF PORT FORWARDING

As with static NAT, the show ip nat translations command can be used to verify port forwarding:

R2# show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 209.165.200.225:8080 192.168.10.254:80 209.165.200.254:46088 209.165.200.254:46088
tcp 209.165.200.225:8080 192.168.10.254:80 --- ---
R2#
In the example, when the router receives a packet addressed to the inside global IPv4 address 209.165.200.225 with destination TCP port 8080, it searches the NAT table using the destination IPv4 address and destination port as keys. The router then translates the address to the inside local address of host 192.168.10.254 and destination port 80, and R2 forwards the packet to the web server. For return packets from the web server to the client, this process is reversed.
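The configuration and verification steps above, as an added Python example that is not part of the original article: it builds the static NAT line under the constraints listed in the parameter table (tcp or udp, ports 1 to 65,535, an RFC 1918 inside address) and parses a constructed copy of the show ip nat translations output so the intended forward can be confirmed and any static forward the operator did not configure can be flagged. The sample output, function names and the RFC 1918 check are assumptions of this example.

```python
import ipaddress

# Constructed sample modelled on the article's 'show ip nat translations' output.
SAMPLE_OUTPUT = """\
R2# show ip nat translations
Pro Inside global         Inside local          Outside local          Outside global
tcp 209.165.200.225:8080  192.168.10.254:80     209.165.200.254:46088  209.165.200.254:46088
tcp 209.165.200.225:8080  192.168.10.254:80     ---                    ---
R2#
"""

# RFC 1918 private ranges, used to sanity-check the inside local address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_port_forward(proto, local_ip, local_port, global_ip, global_port):
    """Return the IOS static NAT line, enforcing the constraints from the parameter table."""
    if proto not in ("tcp", "udp"):
        raise ValueError("protocol must be tcp or udp")
    for port in (local_port, global_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} outside 1-65535")
    if not any(ipaddress.ip_address(local_ip) in net for net in RFC1918):
        raise ValueError(f"{local_ip} is not an RFC 1918 address")
    ipaddress.ip_address(global_ip)  # raises ValueError on a malformed address
    return f"ip nat inside source static {proto} {local_ip} {local_port} {global_ip} {global_port}"


def parse_translations(text):
    """Parse translation rows; '---' in the outside columns marks the static entry itself,
    while rows with outside addresses are active flows derived from it."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] not in ("tcp", "udp"):
            continue  # prompt, header, or a protocol this check does not track
        proto, ig, il, ol, og = fields
        rows.append({"proto": proto, "inside_global": ig, "inside_local": il,
                     "outside_local": ol, "outside_global": og, "static": ol == "---"})
    return rows


def static_forwards(rows):
    """Set of (proto, inside_global, inside_local) tuples present as static forwards."""
    return {(r["proto"], r["inside_global"], r["inside_local"]) for r in rows if r["static"]}


def unexpected_forwards(rows, expected):
    """Static forwards on the router that are not in the operator's expected list."""
    return static_forwards(rows) - set(expected)
```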
