Solved

Forward range of UDP Ports, Cisco 870 Router

Posted on 2013-01-02
Last Modified: 2013-09-12
Hello all...

I need to forward a range of UDP ports through a Cisco 870 Router to various devices. I've published my config below...

This is because there is a VOIP phone that needs to connect from the outside in (no possibility of S2S VPN), but it's not connecting.

Please assist.

----------------------------------------------------------------------------------------------------------------------

CTIndy#show run
Building configuration...

Current configuration : 6525 bytes
!
! Last configuration change at 14:51:00 EST Wed Jan 2 2013 by ctouch
! NVRAM config last updated at 14:57:46 EST Wed Jan 2 2013 by ctouch
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CTIndy
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
clock timezone EST -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2607594268
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2607594268
 revocation-check none
 rsakeypair TP-self-signed-2607594268
!
!
crypto pki certificate chain TP-self-signed-2607594268
 certificate self-signed 02
  3082024B 308201B4 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32363037 35393432 3638301E 170D3131 30373032 30333531
  30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36303735
  39343236 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A3B6 2C48D6E3 3778EEA9 704EB4A3 CDC45D92 A52DADD0 6E4D3576 0B2DBB92
  1BEBE89D 74514A05 E367D13E CCD2685B 11AB6886 0C43202D 99880116 F2940746
  153F6B89 340E0859 9DF52145 3A46F5A6 DEB6DD8D 88A5E425 928DE986 04079AF0
  10FDDE65 57C20BE9 E4DEB432 C6CF88DE 02A3D314 0C0C43BA 2F50BC5E 4361CCCF
  611F0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
  551D1104 17301582 13435449 6E64792E 4354696E 64792E6C 6F63616C 301F0603
  551D2304 18301680 143B64AC 65D3F8E6 F7904C90 F4911F8D 65B2793D D6301D06
  03551D0E 04160414 3B64AC65 D3F8E6F7 904C90F4 911F8D65 B2793DD6 300D0609
  2A864886 F70D0101 04050003 81810029 FAF2A093 69D3730B 40265212 38338B6C
  966CBB6F A7ED4BF5 964B8725 0C973812 B23DAAA9 2404EFAB 2089775C 4459FCF1
  ED56C682 3604EA56 EE34F087 161C55C4 FB612A2A 088DE03F B7C9000B BCF78B49
  BB459CE7 A9CDFE4E E6DE90BB 0B73B8EF C1E96680 B14609CC D75E657E EA7C1279
  A34FD9F8 D5D88B5A A4A034FA 340B50
        quit
dot11 syslog
ip cef
!
!
ip dhcp excluded-address 192.168.2.101 192.168.2.254
ip dhcp excluded-address 192.168.2.1 192.168.2.49
!
!
ip domain name CTindy.local
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 authentication pre-share
! both IPsec pre-shared keys are stored in cleartext ('no service password-encryption' is set above);
! anyone who has seen this config has them, and type 7 encryption would not have protected them either
crypto isakmp key CBVPN123$ address 99.102.191.182
crypto isakmp key G@sTires0i! address 24.172.168.10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set CTLVPNSET esp-3des esp-sha-hmac
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TSET
!
!
crypto map CTMAP 1 ipsec-isakmp
 set peer 99.102.191.182
 set transform-set CTLVPNSET
 match address VPNACL
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Tunnel0
 ip address 10.254.0.9 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 66.158.172.194
 tunnel destination 24.172.168.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$
 ip address 66.158.172.194 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CTMAP
!
interface Vlan1
 description internal LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 66.158.172.193
ip route 192.168.15.0 255.255.255.0 Tunnel0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! rotary pools used with 'ip nat inside destination' are the IOS TCP load-distribution feature:
! inbound sessions matching the named list are redirected to the pool address. IOS documents
! this for TCP, so the UDP ranges in list PHONE2 (the phone's media/signalling ports) are the
! first thing to check; the per-port static form used for tcp 443 below also exists as 'static udp'.
ip nat pool SERVER 192.168.0.2 192.168.0.2 netmask 255.255.255.0 type rotary
ip nat pool PHONE1 192.168.0.201 192.168.0.201 netmask 255.255.255.0 type rotary
ip nat pool PHONE2 192.168.0.202 192.168.0.202 netmask 255.255.255.0 type rotary
ip nat pool PHONE3 192.168.0.203 192.168.0.203 netmask 255.255.255.0 type rotary
! dynamic PAT for outbound LAN traffic (ACL 100 excludes the 192.168.6.0/24 VPN subnet)
ip nat inside source list 100 interface FastEthernet4 overload
! static PAT: inbound tcp/443 on the WAN address -> 192.168.0.2
ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet4 443
ip nat inside destination list PHONE1 pool PHONE1
ip nat inside destination list PHONE2 pool PHONE2
ip nat inside destination list PHONE3 pool PHONE3
ip nat inside destination list SERVER pool SERVER
!
ip access-list extended NAT
 deny   ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended NAT2
 deny   ip 192.168.0.0 0.0.0.255 192.168.15.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended PHONE1
 permit tcp any any range 6000 6001
 permit udp any any range 6000 6001
 permit tcp any any eq 9000
 permit tcp any any eq 5090
 permit udp any any eq 5090
 permit tcp any any eq 5003
 permit udp any any eq 5003
 permit udp any any eq 9000
ip access-list extended PHONE2
 permit udp any any range 30000 30031
 permit udp any any range 40000 40159
ip access-list extended PHONE3
 permit tcp any any eq telnet
ip access-list extended SERVER
 permit tcp any any eq 443
 permit tcp any any eq 987
 permit tcp 205.237.99.160 0.0.0.31 host 66.158.172.194 eq smtp
 permit tcp 69.84.129.224 0.0.0.31 host 66.158.172.194 eq smtp
 permit tcp 74.94.129.208 0.0.0.15 host 66.158.172.194 eq smtp
 permit tcp 69.84.129.224 0.0.0.31 host 66.158.172.194 eq 389
 permit tcp 74.94.129.208 0.0.0.15 host 66.158.172.194 eq 389
 permit tcp 72.1.146.64 0.0.0.31 host 66.158.172.194 eq 389
 permit tcp 72.1.146.64 0.0.0.31 host 66.158.172.194 eq smtp
 permit tcp 205.237.99.160 0.0.0.31 host 66.158.172.194 eq 389
ip access-list extended VPNACL
 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
ip access-list extended VPNACL2
 permit ip 192.168.0.0 0.0.0.255 192.168.15.0 0.0.0.255
!
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
!
!
route-map nonnat permit 10
 match ip address NAT
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 ! not consulted while 'login local' is set, but it is the well-known default password, in cleartext
 password cisco
 login local
 transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17174982
ntp server 216.171.120.36
end
Question by: Tom-J-Lael
4 Comments

Expert Comment by: rauenpc (ID: 38738484)
If the phone is connecting from the outside, your NAT statements need to reference the public IP the phone is connecting with. Otherwise you're sending traffic to the Internet with a source and/or destination IP of a private range, neither of which is allowed on the Internet. I would start by correcting your NAT statements.

It is also highly recommended to configure the firewall service on any router that connects directly to the public Internet, but that has nothing to do with the original question.

Comment (ID: 38739336)
Is the NAT meant to be an outside NAT?

Accepted Solution by: Tom-J-Lael (earned 0 total points, ID: 38742565)
I've been reading that it's not possible to forward ranges of UDP ports through a Cisco router. Can anyone confirm or deny this?

Again, it's a Cisco 870, 12.4(15)T7.

Author Closing Comment by: Tom-J-Lael (ID: 39486140)
It's not possible to forward UDP ports on a Cisco router.
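Added example, not part of the original thread and not a Cisco tool: a small Python script that reads a `show run` dump like the one posted in the question, finds the UDP entries that are being fed through `ip nat inside destination` rotary pools, and emits the equivalent per-port `ip nat inside source static udp <inside> <port> interface FastEthernet4 <port>` lines, which is the same static-PAT form the posted config already uses for tcp 443. It assumes, as the IOS documentation describes rotary destination NAT as TCP load distribution, that UDP matched by such a list is not translated; it assumes the outside interface is FastEthernet4 as in the config; and the sample input is a constructed subset of the posted config, not the full dump. For the two PHONE2 ranges this produces 192 static entries, one per port, because the static command has no range form.

```python
"""Added example (not from the thread): turn UDP entries that the posted config
sends through 'ip nat inside destination' rotary pools into per-port static UDP
entries, the form IOS already accepts for tcp 443 in the same config."""
import re
from collections import defaultdict

# Constructed sample: the NAT-relevant subset of the config posted in the question.
SAMPLE_CONFIG = """\
ip nat pool PHONE2 192.168.0.202 192.168.0.202 netmask 255.255.255.0 type rotary
ip nat pool SERVER 192.168.0.2 192.168.0.2 netmask 255.255.255.0 type rotary
ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet4 443
ip nat inside destination list PHONE2 pool PHONE2
ip nat inside destination list SERVER pool SERVER
!
ip access-list extended PHONE2
 permit udp any any range 30000 30031
 permit udp any any range 40000 40159
ip access-list extended SERVER
 permit tcp any any eq 443
 permit tcp any any eq 987
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask \S+ type rotary$")
DEST_RE = re.compile(r"^ip nat inside destination list (\S+) pool (\S+)$")
ACL_HDR_RE = re.compile(r"^ip access-list extended (\S+)$")
# Only the 'any any eq N' / 'any any range N M' forms used by the PHONEx lists are
# parsed; named ports (eq telnet) and host-specific entries are left alone.
ACE_RE = re.compile(r"^\s*permit (tcp|udp) \S+ \S+ (?:eq (\d+)|range (\d+) (\d+))$")


def parse_config(text):
    """Return (pools, dests, acls): rotary pool name -> inside address,
    destination-list name -> pool name, ACL name -> [(proto, lo, hi)]."""
    pools, dests, acls = {}, {}, defaultdict(list)
    current_acl = None
    for line in text.splitlines():
        if m := POOL_RE.match(line):
            pools[m.group(1)] = m.group(2)      # single-host pools: start == end
            current_acl = None
        elif m := DEST_RE.match(line):
            dests[m.group(1)] = m.group(2)
            current_acl = None
        elif m := ACL_HDR_RE.match(line):
            current_acl = m.group(1)
        elif current_acl and (m := ACE_RE.match(line)):
            proto, eq, lo, hi = m.groups()
            lo, hi = (int(eq), int(eq)) if eq else (int(lo), int(hi))
            acls[current_acl].append((proto, lo, hi))
        elif not line.startswith(" "):          # any other top-level line ends the ACL
            current_acl = None
    return pools, dests, acls


def static_udp_lines(inside_ip, lo, hi, outside_if="FastEthernet4"):
    """One 'ip nat inside source static udp' entry per port: IOS has no range form of it."""
    return [f"ip nat inside source static udp {inside_ip} {p} interface {outside_if} {p}"
            for p in range(lo, hi + 1)]


def rewrite(text, outside_if="FastEthernet4"):
    """Emit replacement config lines for every destination list that carries UDP.
    Assumption (see lead-in): rotary destination NAT is TCP load distribution and
    does not translate UDP, so those entries are removed and replaced by statics."""
    pools, dests, acls = parse_config(text)
    out = []
    for acl, pool in dests.items():
        if pool not in pools:
            continue
        udp = [(lo, hi) for proto, lo, hi in acls.get(acl, []) if proto == "udp"]
        if not udp:
            continue
        out.append(f"! list {acl}: UDP via rotary pool {pool} replaced by per-port statics")
        out.append(f"no ip nat inside destination list {acl} pool {pool}")
        for lo, hi in udp:
            out.extend(static_udp_lines(pools[pool], lo, hi, outside_if))
    return out


if __name__ == "__main__":
    print("\n".join(rewrite(SAMPLE_CONFIG)))
```

Paste the output in configuration mode. If IOS refuses the `no ip nat inside destination ...` line because translations are active, run `clear ip nat translation *` first. Watch `show ip nat translations` while the phone registers to confirm the inbound UDP entries are being hit. Note that each static entry accepts any source address, so the matching control is an inbound access-list on FastEthernet4 that limits those ports to the phone's public address, in line with the earlier comment about running a firewall on an Internet-facing router.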