NAT port forwarding

Unanswered Question
Jul 11th, 2007

I have recently purchased a Cisco 871 router. In the GUI from the installed software, I have been able to configure which ports are forwarded to a specified IP address within my local area network.

This seems to output a configuration line like this:

ip nat inside source static tcp 192.168.1.123 1000 interface Dialer0 1000

However, I can only do this one port at a time. Is there a function or command that I can use to specify a range of ports? For example, I would like to forward tcp ports 1000-2300 to the IP address 192.168.1.123.

Any help would be appreciated.

(p.s: I think I posted in the wrong Topic previously)

Collin Clark Thu, 07/12/2007 - 05:15
User Badges:
  • Purple, 4500 points or more

What you're doing is port forwarding, which is OK. You cannot do a range; each port you want open will have to be an individual line. However, you could translate all ports. Here is an example:

ip nat inside source static 192.168.1.123 interface Dialer0

Be careful though, because this will translate all ports! You will no longer be able to access your router directly from the outside (think remote management).

HTH and please rate.

Edison Ortiz Thu, 07/12/2007 - 09:26
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame, Founding Member

access-list 100 permit udp host 192.168.1.123 range 1000 2300 any

ip nat inside source list 100 interface dialer0 overload

tonyspcrepairs Sat, 10/20/2012 - 03:08

Hi jmaginarynumber, did you ever solve this? I have the same problem forwarding a range of ports on a 2651XM router, but the solutions given here didn't work for me. Thanks if you can shed light.

PowerBarry43 Tue, 11/06/2012 - 04:10

Hi,

I own a 2621xm which I have used for port forwarding with NAT overload. From what I can see your options are to forward a port onto the address of your NATed interface with the command:

ip nat inside source static (tcp/udp) your.inside.ip.address portnumber your.interface.ip.address externalportnumber

e.g.

ip nat inside source static tcp 192.168.1.43 22 194.41.66.2 8022

would allow me to reach 192.168.1.43 port 22 from outside using 8022 or whatever port you specify in the command.

Alternatively you could change the interface address to one in the same network so that it is seen as a different device with a different IP that only has the forwarded port open.

The final way would be to forward the entire inside address to a new external IP address. For example, if you have 192.168.0.0/24 NATed to 194.41.66.0/24 through an interface with an IP of 194.41.66.2 you could run the following command:

ip nat inside source static 192.168.1.43 194.41.66.43

allowing you to communicate with that host as if there was no NAT. From here you can use the access-list feature to close ports that you don't need.

Hope this helps!

Barry

tonyspcrepairs Tue, 11/06/2012 - 07:34

Thanks for your response, Barry, but it doesn't help. I already have ports forwarded in my router with the same commands you've given, but the point of this thread is to forward a range of ports, not one port.

I've also read before about forwarding all ports to a certain IP and then using an access list to trim it down, but I've never seen anyone give an example of what such an access command would look like.
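An added example (not from any poster in this thread) of the approach asked about here: expose the host with a static translation and trim the exposed ports with an access list applied to the outside interface. It uses the original question's host (192.168.1.123) and port range (tcp 1000-2300); the ACL name, inspect name and the Vlan1 inside interface are assumptions for the example. Two points it relies on: the list referenced by `ip nat inside source list ... overload` only selects which inside-originated traffic is translated, so it neither creates inbound mappings nor filters anything, and a filter therefore has to be an interface access-group; and an inbound ACL on the outside interface is evaluated before the outside-to-inside translation, so it must match the global (Dialer0) address, written as `any` below because a PPPoE address is assigned dynamically.

```cisco
! Added example, not configuration from the thread.
! Static one-to-one translation: every port of 192.168.1.123 becomes
! reachable on the Dialer0 address, which is why the filter below exists.
ip nat inside source static 192.168.1.123 interface Dialer0
!
! Stateful inspection (CBAC) of traffic leaving through Dialer0, so that
! replies to LAN-initiated connections are let back in without being
! listed in the inbound ACL. The name OUTBOUND-INSPECT is assumed.
ip inspect name OUTBOUND-INSPECT tcp
ip inspect name OUTBOUND-INSPECT udp
ip inspect name OUTBOUND-INSPECT icmp
!
! Inbound filter on the outside interface (name OUTSIDE-IN is assumed).
! Only unsolicited TCP 1000-2300 is admitted; "range" takes two
! space-separated port numbers. Add a "permit udp any any range ..." line
! for UDP services. Destination is "any" because the PPPoE address is dynamic.
ip access-list extended OUTSIDE-IN
 permit tcp any any range 1000 2300
 deny   ip any any log
!
interface Dialer0
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect OUTBOUND-INSPECT out
!
! Inside interface; Vlan1 is assumed, use whichever interface faces the LAN.
interface Vlan1
 ip nat inside
```

The `deny ip any any log` line makes every dropped unsolicited packet visible in the router log, which is the easiest way to confirm the filter is actually in the path (the symptom reported later in this thread, "all ports still open", would show up as nothing being logged). Note that this does not change the point made earlier in the thread: with the all-ports static entry the router's own services are no longer reachable on the Dialer0 address from outside, and the ACL does not restore that.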

Mohammad Ali Wed, 11/07/2012 - 07:42
User Badges:
  • Silver, 250 points or more

Tony, Edison has an example of using a port range above.

tonyspcrepairs Thu, 11/08/2012 - 00:07

OK, thanks, I see that but I'm still having no joy. First time I tried it my internet connection dropped out. Then I tried again and got my internet connection back, but the access-list given above isn't filtering any ports. My LAN is on 172.16.0.0 and the IP I want to forward to is 172.16.1.43, and I tried the command:

access-list 100 permit udp host 172.16.1.43 range 5060 5061 any

ip nat inside source list 100 interface dialer0 overload

it should only allow 5060 and 5061 through but the router is allowing all ports through, it's not stopping anything.

Mohammad Ali Thu, 11/08/2012 - 08:40
User Badges:
  • Silver, 250 points or more

Try adding a deny line under that then, so that the most specific is allowed and anything else is not allowed. Are you able to post a diagram/full config minus the private information?

access-list 100 permit udp host 172.16.1.43 range 5060 5061 any

access-list 100 deny ip any any

tonyspcrepairs Sun, 11/11/2012 - 12:16

@mohammed ali, thanks for your further help on this. I tried access-list 100 deny ip any any as you said but still there was no control over the incoming ports. The router just kept on allowing all ports through. I even tried access list 100 deny ip any any all on its own but still there was no port blockage, which I found very strange. The command

ip nat inside source static 172.16.1.43 interface Dialer0

does allow all ports through but nothing seems to work in blocking unwanted ports.

BTW, I am using IOS c2600-ipbasek9-mz.124-15.T14.bin which is one of the latest from Cisco.

tonyspcrepairs Sun, 11/11/2012 - 12:19

@ cadet: thanks for the link. I tried the commands there but they only work with tcp, they don't work with udp. I also tried the additional configs further down in the blog but still they only worked with tcp. Nothing worked in letting udp through.

I am using c2600-ipbasek9-mz.124-15.T14.bin. If the IOS is to blame, do you know what IOS I should be using?

cadet alain Mon, 11/12/2012 - 00:36
User Badges:
  • Purple, 4500 points or more

Hi,

Yes, of course the rotary solution can only work for TCP, not for UDP; I'm sorry I had not noticed that you wanted a solution for UDP.

I'll let you know if I find a solution for UDP.

Regards.

Alain

Don't forget to rate helpful posts.
