Port Forwarding on a Cisco Router (In 4K Resolution)

Captions
Hey everybody, this is Kevin Wallace, CCIE and Cisco Press author, and in this video we want to take a look at how to set up port redirection on a Cisco router, and we're gonna do that using the command line interface. Yes, I know we could use a graphical interface like Cisco Configuration Professional, but I'm a CLI guy. We're gonna take a look at doing it that way.

I actually had to do this the other day. A network that I supported, they had their router go down, and I ordered a new one to come in the next day from Amazon, but in the meantime I thought, they need to be up now. So I went and I grabbed a 2911 router out of my rack and I installed that, and I thought, this will serve as their internet router. What it needed to do was, well, first of all it needed to get an IP address via DHCP from the service provider, so they only had one globally routable IP address. They were connected via a cable modem. But that router had also served as a DHCP server for their network, so it was handing out IP addresses to all the inside clients. And beyond that, they had a server on the inside of the network that needed to be accessed by accountants. It was accessed via Remote Desktop Protocol, the accounting company did, and they needed the accounting people to be able to come in and access that, so that required a port redirection configuration. And it occurred to me as I was setting all that up, you know, I don't think I've ever done a video on port redirection, so that's what we're gonna do here.

Specifically, we're gonna have a really basic topology. We'll go out to a live interface in just a moment, and we're gonna have a Cisco router acting as a server, and I've got Secure Shell set up on that, so we should be able to SSH into that quote-unquote server. Again, it's just a Cisco router. But what we want to do is configure port redirection on the customer router, the router sitting at the internet boundary, so that we can then go out to the internet and do a Secure Shell into the inside global address. That's the IP address that the customer router will have learned from the ISP via DHCP. And if we Secure Shell to that one and only one publicly routable IP address that the customer router has learned, it should redirect us. It should redirect that SSH attempt to that internal server, and we should get a login prompt from that internal server.

So let's go out to a live interface and set up port redirection, and also we're going to be setting up port address translation, and we'll also set up the router to act as a DHCP server.

Here's what we want to do on this configuration. I've got a customer router. We're pretending this is a newly installed router, so if I do a show ip interface brief command, we're gonna see that it doesn't have any IP addresses assigned. And we've got an internal server with an IP address of 10.10.1.100, and it's going to be accessible via Secure Shell. What we want to be able to do at the end of this demo is to go out to the internet, go to a device on what we're calling the internet, and do a Secure Shell to whatever IP address is assigned to this customer router via DHCP. This customer router is going to learn its IP address via DHCP from the internet service provider. We want to be able to do a Secure Shell to that IP address that we call the inside global address, because it represents a device on the inside of the network, and global means that it's globally routable. It's a good address, it's not a private IP address. And we want the customer router to see that incoming Secure Shell request and say, oh, somebody wants to talk with me via Secure Shell on port 22, specifically TCP port 22. What we're going to do is forward that port on to port 22 of the server that's running Secure Shell.

Now, in this topology the server is actually another Cisco router. I'll show it to you. We've got it set up to use Secure Shell, but it's just another Cisco router. And as part of the configuration we'll want to set up port address translation, where the inside devices on the inside of my network that have private IP addresses, they can be translated into that one inside global address that we're going to be assigned from the ISP. And we'll also want to set up a DHCP pool so that they can obtain IP addresses.

Let's get started. We see that the customer router currently has no IP addresses. Let's change that. Let's go into global configuration mode, and we'll say gigabit 0/2. This is my internet-facing interface, by the way. And we'll say ip address dhcp, and we'll do a no shutdown to bring that administratively up. Let's go into interface gigabit 0/1 and we'll statically set its IP address. Oh, look at this, we just learned an IP address on our internet-facing interface. Here is the IP address. So again, at the end of this demo we want to be able to go to the internet, do a Secure Shell to that IP address, and have that Secure Shell session redirected to the inside device that's acting as a Secure Shell server. But here we're still on the inside interface. Let's assign an IP address. We'll say ip address, and it's gonna be 10.10.1.1 with a 16-bit subnet mask. Let's do a no shut to bring it up.

Now let's take a look and see if we have any IP address assignment, so I'll do once again a show ip interface brief command. Great news, we've got an IP address for our inside interface and for the outside interface, and the outside interface was learned via DHCP. Excellent.

Now let's set up the customer router to be a DHCP server for this inside network so it can hand out IP addresses. First, before I create the pool of IP addresses, I want to exclude a couple of addresses. For one thing, I don't want to hand out the router's IP address. I don't want to hand this out. And I also don't want to hand out the IP address of my Secure Shell server, 10.10.1.100. So I'm going to exclude those IP addresses from being handed out. Here's how we would set that up. Let's go back into global configuration mode and I'll say ip dhcp excluded-address, and we can give a range. I could give a starting IP address, a space, and then an ending IP address, and every IP address in that range will be excluded. But if I just want to exclude a single IP address, I can just put in that single IP address. I want to exclude 10.10.1.1, and I also want to exclude 10.10.1.100.

Now let's create that DHCP pool. I'll call it site 1. Let's say ip dhcp pool, I'll give it a name of site 1, and now I can specify what network we're going to be using to hand out IP addresses. I'll say network 10.10.0.0, and we've got a 16-bit subnet mask. Who's the default router, or the default gateway? We'll say default-router, and it's going to be me, the customer router, with an IP address of 10.10.1.1. For the DNS server, I like to specify the Google DNS servers, the publicly available servers of 8.8.8.8 and 8.8.4.4. And we've now configured this customer router as a DHCP server.

Now let's set up port address translation, where we can translate these private IP addresses in the 10.10.0.0/16 network. We want to be able to translate those into that one publicly routable address of 203.0.113.101, and the way we can keep all those different sessions separate using port address translation is we keep track of the port numbers. So the first thing we need to do to set up port address translation is to define these interfaces as being inside interfaces or outside interfaces. I'm gonna go into interface gigabit 0/1 and I'm gonna say ip nat inside. It's my inside interface. Let's go into interface gigabit 0/2 now and we'll say ip nat outside.

Now that I've defined the inside and the outside, let's create an access control list, an ACL, that is going to match. We're not using this ACL to permit or deny traffic, we're using it to match traffic. Let's create an ACL to match every IP address on this inside network, every IP address in the 10.10.0.0/16 network. To do that I'll just create a standard access list. I'll say access-list 1 and I'm gonna say permit, but remember, this is not permitting or denying traffic. We can also use an access list to match traffic. That's what we're doing here. I want to permit, or match, 10.10.0.0, and with an ACL we don't specify the subnet mask, we specify the wildcard mask, which would be 0.0.255.255. We've now matched all of our inside IP addresses.

What we want to do now is to give an instruction that we want to translate those. Those are called inside local addresses. They represent devices on the inside of the network, and local means that the IP addresses are locally significant, they're not globally routable. Let's translate those inside local addresses to our one and only inside global address. Again, inside global means that it represents a device on the inside of a network but it's globally routable. To do that with only a single IP address that we're using for the inside global address, we have to do what's called NAT overloading, or port address translation. Here's how we set that up. I can say ip nat inside source. This is gonna specify the IP addresses on the inside of my network. It's gonna be all IP addresses matching list 1, in other words access control list number 1, and we're gonna translate that into whatever the IP address is of interface gigabit 0/2, and we'll say overload to allow multiple inside local addresses to be translated into the single inside global address.

We've now set up port address translation, we've set up a DHCP server. There's one thing left to do, though, and that is to set up port redirection, which was the main purpose of this video. I want to say, any Secure Shell connection coming into this customer router from the internet, I want to redirect that over to my server that's running Secure Shell, which is at IP address 10.10.1.100. Inside command: I'm gonna say ip nat inside source, but this time the source is not an access control list. It's gonna be a static IP address that I specify, using a static port number. I'm gonna say static instead of list, and I want to send Secure Shell traffic to TCP port 22 for IP address 10.10.1.100. So I'll say tcp, I'll give the IP address of 10.10.1.100, that's my server running Secure Shell. I'll say 22, that's the TCP port that Secure Shell uses. So that's the inside host and port. For the outside information, I'll specify interface gigabit 0/2, again on port 22. We're saying, if I get a Secure Shell connection, in other words TCP port 22, coming in on interface gigabit 0/2, I'm going to redirect that to port 22. I'm not going to change the port numbers. I'm going to redirect that to port 22 and send it to 10.10.1.100, which is my server running Secure Shell.

Let's see if it works. First, let's just double-check our configuration. I'll do a show ip nat translations command, and we can see that I've got a static translation in place. Notice this is an inside global address. It represents the device on the inside of my network, my server, but this is a globally routable IP address. That's the reason it says inside global. That corresponds to my inside local of 10.10.1.100. Inside means it's a device on the inside of my network, local means that it's locally significant, it's not globally routable. This is a private IP address. But if we come in on this port number, the port number used by Secure Shell, we're gonna forward it to this inside local address on the same port number.

Let's go to a device out on the internet. Let's go to my ISP router as an example, and here's how I can do a Secure Shell, by the way, from a Cisco router. I can say ssh, space, -l, and after that I give the username that I'm using to log in. I've got a username and password combination on my server of cisco, cisco, so I'll say the username is cisco, and I want to go to the inside global address. This is the IP address that was learned via DHCP. I want to go to 203.0.113.101. That's the IP address that I learned via DHCP, and when I try to Secure Shell there, it's gonna do a port redirection, and it says, what's your password? My password is cisco. And look at that, I'm sitting on the Secure Shell server.

And that's how we can set up port redirection, and with a couple of bonuses there, we showed you how to get an IP address from a DHCP server, how to set up a DHCP pool, and how to configure port address translation. I hope you enjoyed this video, and if you did, please click on subscribe below so you don't miss any of our future content.
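
The commands narrated in the captions, collected into one configuration for the customer router. This is an added example assembled from the transcript, not the presenter's actual running-config; the full interface names, the `description` lines and the exact spelling of the pool name (`SITE1`) are assumptions.

```cisco
! Customer router, entered from global configuration mode.
! Assembled from the narrated steps; interface naming and pool-name spelling are assumed.
!
interface GigabitEthernet0/2
 description Internet-facing interface (address learned from the ISP)
 ip address dhcp
 ip nat outside
 no shutdown
!
interface GigabitEthernet0/1
 description Inside network
 ip address 10.10.1.1 255.255.0.0
 ip nat inside
 no shutdown
!
! Keep the router and the SSH server out of the DHCP pool
ip dhcp excluded-address 10.10.1.1
ip dhcp excluded-address 10.10.1.100
!
ip dhcp pool SITE1
 network 10.10.0.0 255.255.0.0
 default-router 10.10.1.1
 dns-server 8.8.8.8 8.8.4.4
!
! Standard ACL used only to match inside local addresses, not to filter traffic
access-list 1 permit 10.10.0.0 0.0.255.255
!
! Port address translation (NAT overload) for all inside hosts
ip nat inside source list 1 interface GigabitEthernet0/2 overload
!
! Port redirection: TCP/22 arriving on the outside interface goes to the server's TCP/22
ip nat inside source static tcp 10.10.1.100 22 interface GigabitEthernet0/2 22
!
! Verification from privileged EXEC mode:
!   show ip interface brief
!   show ip nat translations
```

The static entry stays in the translation table whether or not a session is active, so `show ip nat translations` is also the quickest way to audit which inside ports the router is exposing on its outside address.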
Info
Channel: Kevin Wallace Training, LLC
Views: 29,537
Keywords: cisco, nat, network address translation, port redirection, ccna, icnd1, icnd2, 200-125, 100-105, 200-105, #kwtrain
Id: 5_9DaAcZqtY
Length: 13min 0sec (780 seconds)
Published: Sun Jun 03 2018