pajkico

how to port forward a range of UDP ports on the Cisco 2811 router

Need to forward a range of UDP ports to the inside host on a Cisco 2811 router. I got the access-list fine because the syntax allows for the range command. The NAT part is what I am not sure about.

I am using the following commands for the single port forwarding:

ip nat inside source static udp 192.168.1.30 5060 interface FastEthernet0/0 5060

where 192.168.1.30 is the inside host that the port is forwarded to.

Craig Beck

All good. Do you have ip nat outside on the outside interface, and ip nat inside on the inside interface?

Can you show the complete NAT and ACL config please?

Does the router have the security feature-set and firewall enabled?

pajkico (asker)

I do have ip nat outside and ip nat inside.

I don't believe that the security feature-set and firewall are enabled.

pajkico (asker)

R2811YNG#sh run
Building configuration...
Current configuration : 9303 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2811YNG
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.124-20.T6.bin
boot-end-marker
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 $1$e3Vd$TXUTMTXHgP5PBURizHvSS1
aaa new-model
aaa authentication login sdm_vpn_xauth_ml local
aaa authorization network sdm_vpn_group_ml local
aaa session-id common
ip source-route
ip cef
ip domain name domain.local
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
 no dspfarm
!
username admin password xxxxxxxxxx privilege 15
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 description "WAN"
 ip address x.x.x.35 255.255.255.224
 ip access-group 105 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description "LAN"
 ip address 192.168.1.40 255.255.255.0
 ip access-group 104 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/2/0
 switchport access vlan 2
!
interface FastEthernet0/2/1
 switchport access vlan 2
!
interface FastEthernet0/2/2
 switchport access vlan 2
!
interface FastEthernet0/2/3
 switchport access vlan 2
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile
!
interface Vlan1
 no ip address
!
interface Vlan2
 no ip address
 ip access-group 104 in
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 x.x.x.33
ip http server
ip http access-class 6
ip http authentication local
ip http secure-server
ip http secure-port 8080
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 4 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.30 443 interface FastEthernet0/0 443
ip nat inside source static udp 192.168.1.30 7000 interface FastEthernet0/0 7000
ip nat inside source static tcp 192.168.1.30 21326 interface FastEthernet0/0 21326
ip nat inside source static udp 192.168.1.30 5060 interface FastEthernet0/0 5060
ip nat inside source static udp 192.168.1.30 5061 interface FastEthernet0/0 5061
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 5 permit 72.139.78.86
access-list 5 permit 192.168.1.0 0.0.0.255
access-list 6 permit 72.139.78.86
access-list 6 permit 192.168.1.0 0.0.0.255
access-list 23 permit 72.139.78.86
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip host 72.139.78.86 any
access-list 101 permit ip host 208.124.130.107 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip host 72.139.78.86 any
access-list 102 permit ip host 208.124.130.107 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq 22
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq telnet
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq 443
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq cmd
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq 21326
access-list 104 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq 7000
access-list 104 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.40 range 5060 5061
access-list 104 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.40 range 10000 13999
access-list 104 deny   tcp any host 192.168.1.40 eq 22
access-list 104 deny   tcp any host 192.168.1.40 eq www
access-list 104 deny   tcp any host 192.168.1.40 eq 443
access-list 104 deny   tcp any host 192.168.1.40 eq cmd
access-list 104 deny   udp any host 192.168.1.40 eq snmp
access-list 104 permit ip any any
access-list 105 permit tcp host 72.139.78.86 host x.x.x.35 eq 22
access-list 105 permit tcp host 72.139.78.86 host x.x.x.35 eq 443
access-list 105 permit tcp host 72.139.78.86 host x.x.x.35 eq cmd
access-list 105 permit tcp host 72.139.78.86 host x.x.x.35 eq 8080
access-list 105 permit tcp any host x.x.x.35 eq 443
access-list 105 permit tcp any host x.x.x.35 eq 22
access-list 105 deny   tcp any host x.x.x.35 eq telnet
access-list 105 deny   tcp any host x.x.x.35 eq 22
access-list 105 deny   tcp any host x.x.x.35 eq www
access-list 105 deny   tcp any host x.x.x.35 eq 443
access-list 105 deny   tcp any host x.x.x.35 eq cmd
access-list 105 deny   udp any host x.x.x.35 eq snmp
access-list 105 permit ip any any
access-list 107 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
snmp-server engineID local 0000000902000007851880A0
!
route-map SDM_RMAP_1 permit 1
 match ip address 105
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 access-class 101 in
 privilege level 15
  transport input ssh
line vty 5 15
 access-class 102 in
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
end
pajkico (asker)

I need to NAT the following access-list with the big UDP port range to the host 192.168.1.30

access-list 104 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.40 range 10000 13999


ASKER CERTIFIED SOLUTION
Craig Beck
pajkico (asker)

Why is 192.168.1.30 repeated in the ip nat statement?
pajkico (asker)

Ok, thanks. I'll try the forwarding.

Why is 192.168.1.30 repeated in the ip nat statement?
Fair question.

It's because the NAT pool expects a range of IP addresses (a pool). We're only interested in ports for one internal IP, so we just say start and end IP is the same.
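Whatever NAT statement carries the range, the posted config applies access-list 105 inbound on FastEthernet0/0, so that list (not access-list 104 on the LAN side, whose entries match traffic to the router's own address 192.168.1.40) decides whether a forwarded port is reachable from the Internet. The following is an added example, not code from this thread or from Cisco: a small first-match evaluator for numbered extended IOS access-lists, run over the static NAT lines and access-list 105 copied from the config above. It assumes 192.0.2.35 as a placeholder for the redacted WAN address x.x.x.35, 203.0.113.10 as an arbitrary Internet source, and a partial table of the IOS port keywords that appear in the list.

```python
"""Evaluate which forwarded ports the WAN-facing ACL really lets through.

Added example for this thread (not code from the thread or from Cisco): a
first-match evaluator for numbered extended IOS access-lists, applied to the
static NAT lines and access-list 105 that the posted config uses inbound on
FastEthernet0/0.  Per forwarded port it reports which ACL entry decides a
packet from an arbitrary Internet host and whether that entry permits it.
"""
import re

# Constructed sample: the relevant lines from the posted config.  The thread
# redacts the WAN address as x.x.x.35; WAN_IP is a documentation-range
# placeholder substituted for it so the addresses parse.
WAN_IP = "192.0.2.35"
SAMPLE_CONFIG = """
ip nat inside source static tcp 192.168.1.30 443 interface FastEthernet0/0 443
ip nat inside source static udp 192.168.1.30 7000 interface FastEthernet0/0 7000
ip nat inside source static tcp 192.168.1.30 21326 interface FastEthernet0/0 21326
ip nat inside source static udp 192.168.1.30 5060 interface FastEthernet0/0 5060
ip nat inside source static udp 192.168.1.30 5061 interface FastEthernet0/0 5061
access-list 105 permit tcp host 72.139.78.86 host x.x.x.35 eq 22
access-list 105 permit tcp host 72.139.78.86 host x.x.x.35 eq 443
access-list 105 permit tcp host 72.139.78.86 host x.x.x.35 eq cmd
access-list 105 permit tcp host 72.139.78.86 host x.x.x.35 eq 8080
access-list 105 permit tcp any host x.x.x.35 eq 443
access-list 105 permit tcp any host x.x.x.35 eq 22
access-list 105 deny   tcp any host x.x.x.35 eq telnet
access-list 105 deny   tcp any host x.x.x.35 eq 22
access-list 105 deny   tcp any host x.x.x.35 eq www
access-list 105 deny   tcp any host x.x.x.35 eq 443
access-list 105 deny   tcp any host x.x.x.35 eq cmd
access-list 105 deny   udp any host x.x.x.35 eq snmp
access-list 105 permit ip any any
""".replace("x.x.x.35", WAN_IP)

# Partial table of IOS port keywords: only those used in the posted list.
NAMED_PORTS = {"telnet": 23, "www": 80, "cmd": 514, "snmp": 161, "ssh": 22}

STATIC_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)")
ACL_RE = re.compile(r"access-list (\d+) (permit|deny)\s+(\S+)\s+(.*)")


def ip2int(addr):
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def port(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) plus an optional
    port spec (eq P | range LO HI); return ((net, wildcard, (lo, hi)), rest)."""
    if tokens[0] == "any":
        net, wild, tokens = 0, 0xFFFFFFFF, tokens[1:]
    elif tokens[0] == "host":
        net, wild, tokens = ip2int(tokens[1]), 0, tokens[2:]
    else:
        net, wild, tokens = ip2int(tokens[0]), ip2int(tokens[1]), tokens[2:]
    ports = (0, 65535)
    if tokens and tokens[0] == "eq":
        ports, tokens = (port(tokens[1]), port(tokens[1])), tokens[2:]
    elif tokens and tokens[0] == "range":
        ports, tokens = (port(tokens[1]), port(tokens[2])), tokens[3:]
    return (net, wild, ports), tokens


def parse_acl(config, number):
    """Return the entries of one numbered ACL in configuration order."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != str(number):
            continue
        action, proto, rest = m.group(2), m.group(3), m.group(4).split()
        src, rest = parse_addr(rest)
        dst, _ = parse_addr(rest)
        entries.append((action, proto, src, dst, line.strip()))
    return entries


def matches(spec, ip, prt):
    net, wild, (lo, hi) = spec
    # Wildcard semantics: a bit set in the mask means "don't care".
    return ((ip2int(ip) ^ net) & ~wild & 0xFFFFFFFF) == 0 and lo <= prt <= hi


def evaluate(entries, proto, src_ip, src_port, dst_ip, dst_port):
    """First matching entry wins; no match means the implicit deny."""
    for idx, (action, eproto, src, dst, text) in enumerate(entries, 1):
        if eproto in ("ip", proto) and matches(src, src_ip, src_port) \
                and matches(dst, dst_ip, dst_port):
            return action, idx, text
    return "deny", None, "implicit deny"


def forwarded_ports(config):
    return [(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)))
            for m in STATIC_RE.finditer(config)]


def exposure_report(config, acl_number, wan_ip, internet_host="203.0.113.10"):
    """Per static forward: the deciding ACL entry for a packet from an
    arbitrary Internet host (constructed address, ephemeral source port)."""
    entries = parse_acl(config, acl_number)
    return [{"proto": proto, "port": outside, "to": f"{ip}:{inside}",
             "action": act, "rule": idx}
            for proto, ip, inside, outside in forwarded_ports(config)
            for act, idx, _ in [evaluate(entries, proto, internet_host, 40000,
                                         wan_ip, outside)]]


def permitted_in_range(config, acl_number, wan_ip, proto, lo, hi,
                       src="203.0.113.10"):
    """How many ports of a planned range (the asker's UDP 10000-13999) the
    inbound ACL already admits from an arbitrary Internet host."""
    entries = parse_acl(config, acl_number)
    return sum(evaluate(entries, proto, src, 40000, wan_ip, p)[0] == "permit"
               for p in range(lo, hi + 1))


if __name__ == "__main__":
    for row in exposure_report(SAMPLE_CONFIG, 105, WAN_IP):
        print(row)
    print("udp 10000-13999 ports permitted:",
          permitted_in_range(SAMPLE_CONFIG, 105, WAN_IP, "udp", 10000, 13999))
```

Run as-is, the report shows every existing forward as permitted: TCP 443 by the explicit `permit tcp any ... eq 443`, and the other four by the trailing `permit ip any any`, which also admits all 4000 ports of the planned UDP range. The same evaluator shows that the host-specific permits at the top of the list only change the outcome where a later deny would otherwise catch the traffic (TCP 22, 443 and cmd); for TCP 8080 the trailing `permit ip any any` admits any source just the same, so if 8080 was meant to be reachable only from 72.139.78.86, a deny for it belongs before that final permit.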