pajkico

how to port forward a range of UDP ports on the Cisco 2811 router

Need to forward a range of UDP ports to the inside host on Cisco 2811 router. I got the access-list fine because the syntax allows for the range command. The nat part is what I am not sure about.

I am using the following commands for the single port forwarding:

ip nat inside source static udp 192.168.1.30 5060 interface FastEthernet0/0 5060

where 192.168.1.30 is the inside host that the port is forwarded to.


Last Comment
Craig Beck

8/22/2022 - Mon
Craig Beck

All good. Do you have ip nat outside on the outside interface, and ip nat inside on the inside interface?

Can you show the complete NAT and ACL config please?

Does the router have the security feature-set and firewall enabled?

pajkico

ASKER
I do have ip nat outside and ip nat inside

I don't believe that the security feature-set and firewall are enabled.
pajkico

ASKER
R2811YNG#sh run
Building configuration...
Current configuration : 9303 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2811YNG
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.124-20.T6.bin
boot-end-marker
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 $1$e3Vd$TXUTMTXHgP5PBURizHvSS1
aaa new-model
aaa authentication login sdm_vpn_xauth_ml local
aaa authorization network sdm_vpn_group_ml local
aaa session-id common
ip source-route
ip cef
ip domain name domain.local
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
 no dspfarm
!
username admin password xxxxxxxxxx privilege 15
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 description "WAN"
 ip address x.x.x.35 255.255.255.224
 ip access-group 105 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description "LAN"
 ip address 192.168.1.40 255.255.255.0
 ip access-group 104 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/2/0
 switchport access vlan 2
!
interface FastEthernet0/2/1
 switchport access vlan 2
!
interface FastEthernet0/2/2
 switchport access vlan 2
!
interface FastEthernet0/2/3
 switchport access vlan 2
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile
!
interface Vlan1
 no ip address
!
interface Vlan2
 no ip address
 ip access-group 104 in
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 x.x.x.33
ip http server
ip http access-class 6
ip http authentication local
ip http secure-server
ip http secure-port 8080
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 4 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.30 443 interface FastEthernet0/0 443
ip nat inside source static udp 192.168.1.30 7000 interface FastEthernet0/0 7000
ip nat inside source static tcp 192.168.1.30 21326 interface FastEthernet0/0 21326
ip nat inside source static udp 192.168.1.30 5060 interface FastEthernet0/0 5060
ip nat inside source static udp 192.168.1.30 5061 interface FastEthernet0/0 5061
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 5 permit 72.139.78.86
access-list 5 permit 192.168.1.0 0.0.0.255
access-list 6 permit 72.139.78.86
access-list 6 permit 192.168.1.0 0.0.0.255
access-list 23 permit 72.139.78.86
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip host 72.139.78.86 any
access-list 101 permit ip host 208.124.130.107 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip host 72.139.78.86 any
access-list 102 permit ip host 208.124.130.107 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq 22
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq telnet
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq 443
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq cmd
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq 21326
access-list 104 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.40 eq 7000
access-list 104 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.40 range 5060 5061
access-list 104 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.40 range 10000 13999
access-list 104 deny   tcp any host 192.168.1.40 eq 22
access-list 104 deny   tcp any host 192.168.1.40 eq www
access-list 104 deny   tcp any host 192.168.1.40 eq 443
access-list 104 deny   tcp any host 192.168.1.40 eq cmd
access-list 104 deny   udp any host 192.168.1.40 eq snmp
access-list 104 permit ip any any
access-list 105 permit tcp host 72.139.78.86 host x.x.x.35 eq 22
access-list 105 permit tcp host 72.139.78.86 host x.x.x.35 eq 443
access-list 105 permit tcp host 72.139.78.86 host x.x.x.35 eq cmd
access-list 105 permit tcp host 72.139.78.86 host x.x.x.35 eq 8080
access-list 105 permit tcp any host x.x.x.35 eq 443
access-list 105 permit tcp any host x.x.x.35 eq 22
access-list 105 deny   tcp any host x.x.x.35 eq telnet
access-list 105 deny   tcp any host x.x.x.35 eq 22
access-list 105 deny   tcp any host x.x.x.35 eq www
access-list 105 deny   tcp any host x.x.x.35 eq 443
access-list 105 deny   tcp any host x.x.x.35 eq cmd
access-list 105 deny   udp any host x.x.x.35 eq snmp
access-list 105 permit ip any any
access-list 107 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
snmp-server engineID local 0000000902000007851880A0
!
route-map SDM_RMAP_1 permit 1
 match ip address 105
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 access-class 101 in
 privilege level 15
 transport input ssh
line vty 5 15
 access-class 102 in
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
end
pajkico

ASKER
I need to nat the following access-list with the big udp port range to the host 192.168.1.30

access-list 104 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.40 range 10000 13999


ASKER CERTIFIED SOLUTION
Craig Beck

pajkico

ASKER
Why is 192.168.1.30 repeated in the ip nat statement?
pajkico

ASKER
Ok, thanks. I'll try the forwarding.
Craig Beck

Why is 192.168.1.30 repeated in the ip nat statement?
Fair question.

It's because the NAT pool expects a range of IP addresses (a pool). We're only interested in ports for one internal IP, so we just say start and end IP is the same.
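The one-address pool described in that comment, written out for this router's UDP 10000-13999 range as an added example (not the hidden accepted answer and not from the thread); the ACL number 150 and the pool name PORTFWD are my choices, and whether a rotary pool also redirects UDP (it was introduced for TCP load sharing) has to be confirmed on the actual 12.4 image with the show commands at the end:

```cisco
! Added example: forward UDP 10000-13999 arriving on the WAN address
! to the single inside host 192.168.1.30 via a one-address rotary pool.
! ACL 150 and the pool name PORTFWD are assumptions, not from the thread.
!
! The pool "range" starts and ends at the same inside address, which is
! why 192.168.1.30 appears twice, exactly as the comment above explains.
ip nat pool PORTFWD 192.168.1.30 192.168.1.30 netmask 255.255.255.0 type rotary
!
! Match only the traffic to be redirected: UDP to the router's WAN
! address (x.x.x.35 in the posted config) in the wanted port range.
! Narrow "any" to the known peer addresses where the application allows
! it, since this exposes 4000 UDP ports on one inside host.
access-list 150 permit udp any host x.x.x.35 range 10000 13999
!
! Inside destination translation: packets matching ACL 150 that arrive
! on the "ip nat outside" interface get their destination rewritten to
! the pool address while the destination port is kept.
ip nat inside destination list 150 pool PORTFWD
!
! Verify after sending test traffic from outside; an entry for
! 192.168.1.30 with an inside-destination translation confirms it works:
!   show ip nat translations | include 192.168.1.30
!   show ip nat statistics
```

Note that the posted ACL 104 line with range 10000 13999 is applied inbound on the LAN interface and matches LAN traffic sent to the router's own address 192.168.1.40, so it does not govern the inbound forwarding at all; the redirect ACL above is the one that matters, and ACL 105 on FastEthernet0/0 already ends in permit ip any any, so it needs no change for this range.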