pajkico
asked on
how to port forward a range of UDP ports on the Cisco 2811 router
Need to forward a range of UDP ports to the inside host on Cisco 2811 router. I got the access-list fine because the syntax allows for the range command. The nat part is what I am not sure about.
I am using the following commands for the single port forwarding:
ip nat inside source static udp 192.168.1.30 5060 interface FastEthernet0/0 5060
where 192.168.1.30 is the inside host that the port is forwarded to.
ASKER
I do have ip nat outside and ip nat inside
I don't believe that the security feature-set and firewall are enabled.
ASKER
R2811YNG#sh run
Building configuration...
Current configuration : 9303 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2811YNG
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.124-20.T6.bin
boot-end-marker
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 $1$e3Vd$TXUTMTXHgP5PBURizHvSS1
aaa new-model
aaa authentication login sdm_vpn_xauth_ml local
aaa authorization network sdm_vpn_group_ml local
aaa session-id common
ip source-route
ip cef
ip domain name domain.local
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
no dspfarm
!
username admin password xxxxxxxxxx privilege 15
archive
log config
hidekeys
!
interface FastEthernet0/0
description "WAN"
ip address x.x.x.35 255.255.255.224
ip access-group 105 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description "LAN"
ip address 192.168.1.40 255.255.255.0
ip access-group 104 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/2/0
switchport access vlan 2
!
interface FastEthernet0/2/1
switchport access vlan 2
!
interface FastEthernet0/2/2
switchport access vlan 2
!
interface FastEthernet0/2/3
switchport access vlan 2
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile
!
interface Vlan1
no ip address
!
interface Vlan2
no ip address
ip access-group 104 in
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 x.x.x.33
ip http server
ip http access-class 6
ip http authentication local
ip http secure-server
ip http secure-port 8080
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 4 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.30 443 interface FastEthernet0/0 443
ip nat inside source static udp 192.168.1.30 7000 interface FastEthernet0/0 7000
ip nat inside source static tcp 192.168.1.30 21326 interface FastEthernet0/0 21326
ip nat inside source static udp 192.168.1.30 5060 interface FastEthernet0/0 5060
ip nat inside source static udp 192.168.1.30 5061 interface FastEthernet0/0 5061
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 5 permit 72.139.78.86
access-list 5 permit 192.168.1.0 0.0.0.255
access-list 6 permit 72.139.78.86
access-list 6 permit 192.168.1.0 0.0.0.255
access-list 23 permit 72.139.78.86
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip host 72.139.78.86 any
access-list 101 permit ip host 208.124.130.107 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip host 72.139.78.86 any
access-list 102 permit ip host 208.124.130.107 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq 22
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq telnet
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq 443
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq cmd
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq 21326
access-list 104 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq 7000
access-list 104 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.40 range 5060 5061
access-list 104 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.40 range 10000 13999
access-list 104 deny tcp any host 192.168.1.40 eq 22
access-list 104 deny tcp any host 192.168.1.40 eq www
access-list 104 deny tcp any host 192.168.1.40 eq 443
access-list 104 deny tcp any host 192.168.1.40 eq cmd
access-list 104 deny udp any host 192.168.1.40 eq snmp
access-list 104 permit ip any any
access-list 105 permit tcp host 72.139.78.86 host x.x.x.35 eq 22
access-list 105 permit tcp host 72.139.78.86 host x.x.x.35 eq 443
access-list 105 permit tcp host 72.139.78.86 host x.x.x.35 eq cmd
access-list 105 permit tcp host 72.139.78.86 host x.x.x.35 eq 8080
access-list 105 permit tcp any host x.x.x.35 eq 443
access-list 105 permit tcp any host x.x.x.35 eq 22
access-list 105 deny tcp any host x.x.x.35 eq telnet
access-list 105 deny tcp any host x.x.x.35 eq 22
access-list 105 deny tcp any host x.x.x.35 eq www
access-list 105 deny tcp any host x.x.x.35 eq 443
access-list 105 deny tcp any host x.x.x.35 eq cmd
access-list 105 deny udp any host x.x.x.35 eq snmp
access-list 105 permit ip any any
access-list 107 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
snmp-server engineID local 0000000902000007851880A0
!
route-map SDM_RMAP_1 permit 1
match ip address 105
!
control-plane
!
line con 0
line aux 0
line vty 0 4
access-class 101 in
privilege level 15
transport input ssh
line vty 5 15
access-class 102 in
privilege level 15
transport input ssh
!
scheduler allocate 20000 1000
end
ASKER
I need to nat the following access-list with the big udp port range to the host 192.168.1.30
access-list 104 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.40 range 10000 13999
ASKER CERTIFIED SOLUTION
ASKER
Why is 192.168.1.30 repeated in the ip nat statement?
ASKER
Ok, thanks. I'll try the forwarding.
Why is 192.168.1.30 repeated in the ip nat statement?
Fair question.
It's because the NAT pool expects a range of IP addresses (a pool). We're only interested in ports for one internal IP, so we just say start and end IP is the same.
Can you show the complete NAT and ACL config please?
Does the router have the security feature-set and firewall enabled?
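The pool-based range forward described above (a NAT pool whose start and end address are the same inside host), written out as an added IOS configuration example; this is not the certified solution from the thread, which is not reproduced on the page. The pool name UDP-RANGE and access-list number 110 are assumed names, and x.x.x.35 is the masked WAN address from the asker's running config.

```cisco
! Added example (not from the thread): forward UDP 10000-13999 arriving on the
! WAN address x.x.x.35 to the inside host 192.168.1.30.
! Pool name UDP-RANGE and ACL 110 are assumed; pick unused names on your router.
!
! 1. A "pool" whose start and end address are the same single inside host.
!    "type rotary" is what allows the pool to be used for inside-destination
!    (port-forward) translation instead of source translation.
ip nat pool UDP-RANGE 192.168.1.30 192.168.1.30 netmask 255.255.255.0 type rotary
!
! 2. The ACL selects what gets translated. It must match the PUBLIC destination
!    address and the port range. ACL 104 from the running config is a LAN-side
!    inbound filter (destination 192.168.1.40) and cannot be used here.
access-list 110 permit udp any host x.x.x.35 range 10000 13999
!
! 3. Tie the two together: translate the destination of packets matching ACL 110.
ip nat inside destination list 110 pool UDP-RANGE
!
! Verification: send a UDP flow into the range from outside, then check
!   show ip nat translations | include 192.168.1.30
!   show access-lists 110
! Expect a translation with inside local 192.168.1.30 and a non-zero match
! count on ACL 110. Cisco documents rotary pools under TCP load distribution,
! so confirm the UDP entries really appear before relying on this.
!
! Filtering note: ACL 105 (inbound on FastEthernet0/0) ends in "permit ip any any",
! so the forwarded UDP range is not blocked there today. If that ACL is later
! tightened, add an explicit
!   access-list 105 permit udp any host x.x.x.35 range 10000 13999
! above the deny lines, or the forward silently stops working.
```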