Sunday, 26 April 2009

using a pc/wii/ps3/xbox 360 with a cisco router

I've been using my PC and PlayStation for a while behind the 857 router I have at home, but have been annoyed by the lack of UPnP on Cisco.

UPnP automatically maps ports on the outside of the router to the device inside, and opens the firewall. Cisco devices, despite being the most powerful (obviously this is debatable) routers and firewalls known, do not have this feature. This is annoying, as consoles and gaming devices need to have ports forwarded for lots of games (I have had annoying disconnects from Call of Duty and Left 4 Dead and many others). This is also of use for VoIP servers/proxies, which still do not work well with NAT.

I have known a way of mapping an external IP to an internal IP for a while but had never tested it. This weekend I had a chance to play after being prompted by some annoying problems whilst playing Left 4 Dead.

By default you use a NAT translation with NAT overload to provide internet access on a Cisco device. You configure a rule to determine which traffic is translated and then choose whether to translate to the external interface's address or to a pool of IP addresses.

In parallel you create static translations (otherwise known as port forwards) for internal services, e.g. for internally hosted email or web services.

It is possible to do this on an individual port basis, or alternatively you can forward an entire external address and all of its ports to an internal address. The nice point I found out is that, crucially, if you forward all ports then your outbound traffic also appears to come from that chosen external IP.

Normally if you forward an individual port, e.g. HTTP or SMTP, your outbound traffic is still translated so that it appears to have come from the default external IP assigned to the router/firewall.

If you translate all ports for a device, e.g. your PS3/Xbox/PC/whatever, then its source address is translated to that external IP automatically. This is really good, as otherwise incoming traffic arrives at the PS3 but the remote server is unable to tell your device apart from any other device behind the firewall; indeed your outbound traffic appears to come from a different IP from the one that is port forwarded.

Obviously, to work successfully this needs to be combined with a static DHCP reservation (or just a simple static IP address). I have now tested for 3 days (1 IP for my laptop, 1 IP for my PS3, and 1 IP for my media center) and every application works fine; in particular I no longer get problems when migrating hosts on Call of Duty!

Please note an alternative way of doing this would be to give the devices live IP addresses only (and disable NAT), but as my wireless is shared and I only have 8 IP addresses this is a better solution.

I should also note that I am still able to use the stateful firewall and access lists to restrict traffic as required. The static translation for each device takes the form:

    ip nat inside source static 10.1.2.3 4.22.33.33 extendable
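As an added example (not the post's own config), here is how the pieces described above fit together on an 857-style router: NAT overload for the LAN, a one-to-one static mapping per console, a DHCP reservation so the console keeps its inside address, and CBAC plus an inbound ACL so the mapping does not expose every host. The addresses, the MAC and the Dialer0 interface name are illustrative placeholders.

```cisco
! Added example, not the post's own config: an 857-style setup that combines
! NAT overload for the LAN with one-to-one static mappings for two hosts.
! Addresses, MAC, and the Dialer0 interface name are illustrative placeholders.
interface Vlan1
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
! Hosts without a static entry are overloaded (PAT) onto the Dialer0 address.
ip access-list standard LAN-NAT
 permit 10.1.2.0 0.0.0.255
ip nat inside source list LAN-NAT interface Dialer0 overload
!
! One-to-one mappings: all ports forwarded in, and outbound traffic from each
! host leaves with its own public address. Static entries take precedence over
! the overload rule for these hosts, so they need not be excluded from LAN-NAT.
ip nat inside source static 10.1.2.3 4.22.33.33 extendable
ip nat inside source static 10.1.2.4 4.22.33.34 extendable
!
! DHCP reservation so the PS3 always gets 10.1.2.3 (client-identifier is
! 01 followed by the device MAC; 00:11:22:33:44:55 here is made up).
ip dhcp excluded-address 10.1.2.1
ip dhcp pool PS3
 host 10.1.2.3 255.255.255.0
 client-identifier 0100.1122.3344.55
 default-router 10.1.2.1
ip dhcp pool LAN
 network 10.1.2.0 255.255.255.0
 default-router 10.1.2.1
!
! Stateful inspection (CBAC) opens return traffic for sessions started from
! inside. The inbound ACL on Dialer0 is checked before outside-to-inside NAT,
! so it matches on the public addresses: the PS3 is reachable on all ports
! (as the post describes) while the media center gets no unsolicited traffic.
ip inspect name FW tcp
ip inspect name FW udp
ip access-list extended OUTSIDE-IN
 permit tcp any host 4.22.33.33
 permit udp any host 4.22.33.33
 deny   ip any any log
```

Once the port list for a given game is known, narrow the two permit lines to those ports rather than leaving the whole console exposed.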

Friday, 3 April 2009

update

I've been a bit quiet in the last couple of weeks as I've been revising for the new Cisco Field Engineer exam (642-383) required for the Cisco Foundation Express partner specialisation. I passed with 94%, which was good, although I was not surprised as it's very similar to the previous incarnation. When I did it previously I had to do Lifecycle Services, which was a horrible exam, but it is now integrated with the Field Engineer exam. The Lifecycle Services related questions were not too bad and overall it's pretty easy. There are some horrible questions which are debatable, and it's already a dated exam as it refers regularly to SDM, which has been superseded by Professional. Quite a lot on wireless provisioning, but nothing too difficult. Looking forward to doing some updates on the Cisco wiki now that I have some free time. My Express Communications retake is looming soon though; very confident as it's more focused on what I do!