Cisco 2901 router static route

Hi guys, I'm a complete Cisco newb, and need some help if you'd be so kind! I've got an internal ESET server that I need to allow an external cloud hosted Labtech server to connect directly to, along with endpoint agents; the ports this communicates on are TCP 2222 and 2223. So ideally I need a static route that says all traffic on ports 2222 and 2223 be directed to the internal IP of the ESET server.

From looking at an old ASA5510 I've used before, we had something similar configured, so I've taken lines from that and modified them. If I add the following, do you think it'll work?

permit tcp any any eq 2222
permit tcp any any eq 2223

static (inside,outside) tcp ext_IP_of_Router 2222 internal_ESET_IP 2222 netmask 255.255.255.255 tcp 512 256
static (inside,outside) tcp ext_IP_of_Router 2223 internal_ESET_IP 2223 netmask 255.255.255.255 tcp 512 256

If I'm on the right track... how do I then go and add this to the running config?

Thanks guys :)
 
IP route on a cisco router would be formatted along the lines of

CiscoRTR1#
conf t
ip route address (or network) subnet mask gateway metric

So, for instance, if you wanted to create a route to the 172.20.30.0/24 network, say through an interface on your router, 172.16.0.1, with a metric of 1, you would write something like:

CiscoRTR1#
conf t
ip route 172.20.30.0 255.255.255.0 172.16.0.1 1
exit

show ip route to clarify

Static routes on Cisco firewalls look a bit different to static routes on Cisco routers/layer 3 switches.

Not quite clear on the question you're asking.
 
Thanks for the reply:

Basically I have a server in the cloud that I have pointed to the public facing external IP of our in-house router, I need to configure a static route/port forward that will allow any external traffic that hits our router on ports 2222 and 2223 to flow through to a server sitting behind the router on an internal IP address. I only want this to happen for those specific ports, and I'm not sure how to go about it on the router.

Cheers
 
Would this do it?

ip nat inside source static tcp internal_Server_IP 2222 Router_Public_IP 2222 extendable

Or should the Router_Public_IP above be the IP address of the external cloud server trying to connect in? In which case, is there a way to allow all traffic to port 2222 to route to the internal server IP instead of locking it down to a single external IP?
 
From what you are describing, you do not need any static routes, only a NAT rule to allow inbound traffic to an internal host. You only want a route if you have a tunnel interface to your external server and are using IPsec tunnels rather than a crypto map, or if your gateway is not set to that of the router you are going on about.

object-group network ESET-Server
description "Internal ESET Server"
host internalIPhere

object-group service ESET-svc
description "Ports for ESET"
tcp eq 2222
tcp eq 2223

Amend your ACLs on your external interface to allow traffic inbound, so what you have said here:

permit tcp any any eq 2222
permit tcp any any eq 2223

You may want to secure this, if the external hosted server has a static IP address, by creating an object group and referencing it in the ACL. As the rule is pasted, you are allowing anything inbound to that internal host.

Amend any internal ACL also to allow the internal server to communicate outbound.

100 permit object-group ESET-svc object-group ESET-Server any

depending on your security you can also restrict to inbound on this interface too:

110 permit object-group ESET-svc any object-group ESET-Server

These rules all depend on your current ACLs though, so the rules 100 and 110 may be wrong for you, but hopefully you can understand this.

Your NAT rule should be fine although you can set it to the external interface or external IP.

ip nat inside source static tcp internalIP 2222 interface Ethernet0/1 2222
ip nat inside source static tcp internalIP 2223 interface Ethernet0/1 2223

Remember to save your configuration by entering wr or copy run start.

This should work although I'm a little rusty after not touching Cisco anymore!
 
Thanks for that, very helpful. The internal subnet that the ESET server sits on is VLANed, and looking at the config it's configured under interface GigabitEthernet0/1.100, should I change the NAT rule above to reflect that too?
 
You shouldn't need to, as with it being a router it will route to the correct interface (providing it has an IP assigned to it). The NAT rule is your external interface, where I have put Ethernet0/1.

It may be, or it sounds like, GigabitEthernet0/0 is your external interface if you have sub-interfaces on 0/1.

If it is, then the NAT rule wants to be:

ip nat inside source static tcp internalIP 2222 interface GigabitEthernet0/0 2222
ip nat inside source static tcp internalIP 2223 interface GigabitEthernet0/0 2223
 
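Putting the thread's pieces together as one added example (this is not the original poster's config nor either replier's): a complete IOS snippet that restricts the inbound permit to the cloud server's address, applies the ACL to the outside interface, and adds the ip nat inside / ip nat outside interface designations that static NAT needs but which the thread never shows. The interface names, the 203.0.113.10 cloud address, the 198.51.100.1 public address and the 10.10.100.20 internal address are all assumed placeholders; substitute your own. One point worth knowing when restricting the rule: an inbound ACL on the outside interface is evaluated before the outside-to-inside NAT translation, so it sees the router's public address as the destination, not the internal server's address. The destination object in the ACL below is therefore the router's public IP, which is why a rule written with the internal server as destination would never match on that interface.

```cisco
! Added example, not from the thread. All addresses and interface names are assumed placeholders:
!   198.51.100.1  = router's public address on GigabitEthernet0/0 (outside)
!   10.10.100.20  = internal ESET server on the VLAN 100 sub-interface
!   203.0.113.10  = cloud-hosted Labtech server (assumed to have a static address)

object-group network CLOUD-LABTECH
 description External Labtech server allowed to reach ESET
 host 203.0.113.10

object-group network ROUTER-PUBLIC
 description Public address the cloud server connects to (pre-NAT destination)
 host 198.51.100.1

object-group network ESET-Server
 description Internal ESET Server
 host 10.10.100.20

object-group service ESET-svc
 description Ports for ESET
 tcp eq 2222
 tcp eq 2223

! Inbound ACL for the outside interface. Only the cloud server may reach the
! ESET ports; the implicit deny drops everything else, and the explicit logged
! deny gives you a visible counter/syslog entry for rejected attempts.
! If you already have an inbound ACL on this interface, add entry 10 to it
! rather than replacing it, or you will also drop whatever it currently permits
! (VPN, return traffic handled by an established/reflexive/ZBF policy, etc.).
ip access-list extended OUTSIDE-IN
 remark Inbound ACL is checked before NAT, so match the public (untranslated) destination
 10 permit object-group ESET-svc object-group CLOUD-LABTECH object-group ROUTER-PUBLIC
 20 deny ip any any log

interface GigabitEthernet0/0
 description Outside / ISP
 ip address 198.51.100.1 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in

! The VLAN sub-interface already exists per the thread; shown here only for
! the ip nat inside line, which static NAT needs on the inside side.
interface GigabitEthernet0/1.100
 description Inside VLAN 100 (ESET server)
 encapsulation dot1Q 100
 ip address 10.10.100.1 255.255.255.0
 ip nat inside

! Port-forward only TCP 2222/2223 on the outside interface's address to the ESET server.
ip nat inside source static tcp 10.10.100.20 2222 interface GigabitEthernet0/0 2222
ip nat inside source static tcp 10.10.100.20 2223 interface GigabitEthernet0/0 2223

end
! Verify, then save:
!   show ip nat translations        (the two static entries appear even with no traffic)
!   show access-lists OUTSIDE-IN    (hit counters on entry 10 once the cloud server connects)
!   copy running-config startup-config
```

Deliberately excluded from the NAT rule are the endpoint agents the first post mentions: if those agents are on the public internet rather than inside the LAN, each of their source addresses would need adding to CLOUD-LABTECH, and if they have no fixed address the source has to widen back to any, at which point the logged deny and the NAT translation counters are the main visibility you keep.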