Although I’ve been working in IT for many years, networking hasn’t been my central focus. The places I worked with more complex networks tended to have dedicated network people. In other places where I have been responsible for the network, the setup has been relatively simple, or has had kit that has nice friendly GUI management tools. As such, although I understand subnets, VLANs, routing, switching and port forwarding, I haven’t ever had to do nitty-gritty things in the command line of Cisco kit. Until now. Now, I’m in at the deep end.
This week I had to enable a new port on a new external IP, passing it through to a different port on a new internal IP. This is on a very old Cisco router (a model 1921), whose config has been managed on a just-what-we-need-now basis by multiple people over the years. I did get it working, and learned a lot on the way. I’ll summarise here what was needing changed. I am perfectly aware that there are probably several better ways of doing this,
First, the needed numbers – changed from the real ones for obvious reasons:
- External IP address: 220.127.116.11
- External Port: 44440
- Internal IP address: 10.1.120.150
- Internal Port: 1215
I’ve also called the name of this project project-saturn, again changed from the original.
First there were some object groups defined, so I added a new one:
object-group service og-project-saturn
udp eq 44440
tcp eq 44440
udp eq 1215
tcp eq 1215
Then there were some Access Control Lists (ACLs) defined, so here are the new ones:
ip access-list extended acl-project-saturn-in
permit object-group og-project-saturn any host 10.1.120.150
ip access-list extended acl-project-saturn-out
permit ip host 10.1.120.150 any
There is then a class-map for allowed inbound traffic, needing a new match to be added:
match access-group name acl-project-saturn-in
And likewise a class-map for allowed outbound traffic, needing the following new match:
match access-group name acl-project-saturn-out
So what I learned from all that is that we have to define our ports, define a group of ports, then apply those to ACLs to allow the traffic, then allow the ACLs in and out.
That’s fine, we just need the NAT translation to be defined, like so:
ip nat inside source static tcp 10.1.120.150 1215 18.104.22.168 44440 extendable
ip nat inside source static udp 10.1.120.150 1215 22.214.171.124 44440 extendable
This took me a while to understand, as it seemed to be the wrong way round to my non-cisco brain. The NAT way it seems to be is it’s TO the internal address and FROM the external address, not the other way around.
The other bit that I did wrong first time round was that on the firewall part (the ACL), we’re allowing the internal port internal IP-bound traffic, not the traffic arriving from the outside on the outside port. This to me is unintuitive – it seems it does the NAT and then it applies the firewall rules.
The important thing is that the combination above does work. I look forward to replacing the router in question in early 2019, but at least I learned a bit about configuring Cisco firewalls.