I can't believe that nobody knows how to do this on Cisco IOS?

olafmarcos
Level 1

I've been looking for a solution to forward a port range for months, and I haven't found any solution yet.

I am CCNA Certified and CCNP cursed. I've asked my teachers, at conferences and my ISP support. Nobody knows how to do it.

A common task like this, which is so trivial on every other router, why is it so difficult on Cisco? Is it possible?

Thanks in advance to everybody.

Olaf

35 Replies

paolo bevilacqua
Hall of Fame

Cisco is famous for not doing things that cheap makers do since day one. There are many examples.

With regard to your question, I will try to give it an answer as soon as I have time to look into it.

I've found some ways to do it, but if you have only one public IP, the router loses its connection because the public IP is mapped to the server's private IP. All outside requests are NATed to the server's private IP and only it has access to the Internet.

I look forward to your advice.

Regards,

Olaf

Hi,

To the person who low-rated my post above: if this is the kind of attitude toward contributions made in frankness and good will, it may make me think again about researching the issue further.

Hi p.bevilacqua!

The person who rated your post is me, the author of the query, Olaf. I rated your post based on the help given toward resolving the issue, and at the moment my problem is still there.

I am very thankful that you are searching for the solution, but I thought that 5 points are given when the issue is resolved. If I am mistaken, please tell me, and I apologize for the annoyance.

Best regards,

Olaf

Hi Olaf,

I did not expect at all to receive any points for an interlocutory post in which I was basically saying "I will look into this", but neither did I expect a low rating, which should be reserved for obscure, senseless, or contemptuous posts.

In short, it is not necessary to rate all posts.

And since I have since received another inappropriate '1' in this thread, I can tell for sure that someone is again misusing the system.

The best thing for me, then, is to stay away from this thread.

Good luck.

Hi Paolo,

I'm sorry for rating you with 2 points. I now understand that ratings lower than 3 are bad ratings. Sorry for the inconvenience. I can't edit my rating, can I?

Best regards,

Olaf

Hi Olaf,

There is no problem whatsoever. I understand that you didn't mean that to be a punitive rating.

Hope you can get a satisfying answer to your question, I'm too sleepy to think about it right now.

Can you give us the template you are working on?

You can forward ports by using an ACL to describe the source and destination address along with the ports and then associate that ACL to an inside source list.

I have a router with one fixed public IP address. I need to forward the UDP range 10001-20000 to 192.168.99.4.

The config is:

controller DSL 0
 mode atm
 line-term cpe
 line-mode 4-wire standard
 dsl-mode shdsl symmetric annex B
 line-rate 2432
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description PPP INTERNET CONNECTION
 pvc datos 0/33
  ubr 2048
  oam-pvc 0
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.99.1 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat inside
 no ip virtual-reassembly
 load-interval 30
!
interface Dialer1
 description WAN interface for the Internet connection
 ip address negotiated
 ip access-group 199 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname XXXX
 ppp chap password 7 XXXX
!
interface Dialer0
 no ip address
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip dns server
!
ip nat inside source list 10 interface Dialer1 overload
!
access-list 10 remark --- Definition of the traffic to NAT ---
access-list 10 permit 192.168.99.0 0.0.0.7
access-list 199 remark Security list: ICMP and SNMP filtering
access-list 199 deny icmp any any redirect
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp host X.X.X.X any
access-list 199 permit ip X.X.X.X 0.0.0.63 any
access-list 199 permit ip X.X.X.X 0.0.0.31 any
access-list 199 permit ip X.X.X.X 0.0.0.255 any
access-list 199 deny icmp any any
access-list 199 deny ip 127.0.0.0 0.255.255.255 any
access-list 199 deny ip 224.0.0.0 31.255.255.255 any
access-list 199 deny ip host 0.0.0.0 any
access-list 199 deny ip host 255.255.255.255 any
access-list 199 deny udp any any eq snmp
access-list 199 deny udp any any eq snmptrap
access-list 199 permit ip any any

If you need more information, please let me know.

Thanks and best regards,

Olaf

You would need to modify your current source list on the NAT, as follows:

ip nat inside source list 100 interface Dialer1 overload

and the ACL as follows:

access-list 100 permit ip 192.168.99.0 0.0.0.7 any
access-list 100 permit udp host 192.168.99.4 range 10001 20000 any

I've tried those commands and they don't work.

I've tried switching ACL order too.

Does this work for you?

Regards,

Olaf

Olaf,

I believe if you keep EdisonOrtiz's configuration and then add either

**************

ip nat inside source static 192.168.99.4 interface dialer1

**************

or

**************

ip nat inside source static 192.168.99.4 [outside ip] extendable

**************

It should work.

I know I have done this another way before, but I can't find the config; I am still looking.

Thanks,

David

Hi David:

You are correct. Adding

ip nat inside source static 192.168.99.4 interface dialer1

works, but all ports are open, which is a high security risk.

And with that command, it isn't necessary to change the overload ACL. I have

ip nat inside source list 10 interface Dialer1 overload
access-list 10 permit 192.168.99.0 0.0.0.7

and it works, but with all ports open on 192.168.99.4, and the router loses its connection. If I do an extended ping with source 192.168.99.1 it works.

I've added a named ACL like this on Dialer1.

ip access-list extended inet_in
 remark External filter
 remark Allow replies to connections initiated from inside
 permit tcp any any established
 remark Allow replies to DNS queries from Comunitel
 permit udp host eq domain any
 permit udp host eq domain any
 remark Allow pings and replies to internal pings
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark Allow SIP (5060) and RTP (10001 - 20000)
 permit udp any host range 10001 20000
 permit udp any host eq 5060
 remark Comunitel management, to allow telnet access
 permit tcp X.X.X.X 0.0.0.63 any eq telnet
 remark Comunitel machines for SNMP management
 permit udp host X.X.X.X any eq snmp
 permit udp host X.X.X.X any eq snmp
 remark Deny everything and log
 deny ip any any log

And now only the range is open.

But I still have the router connection issue. It is running as a DNS server, so I need it to be able to connect.

How can I change the source IP address or interface of the router when it connects to the Internet?

Regards,

Olaf
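As an added example (not code from the thread, and not Cisco's), here is a small Python model of the inbound ACL posted above: it parses IOS extended-ACL entries, applies first-match semantics with the implicit deny, and counts how many UDP ports on the public address remain reachable once the static NAT to 192.168.99.4 is fronted by that ACL. The addresses 203.0.113.10, 198.51.100.53 and 198.51.100.0/26 are constructed placeholders for the values the post left blank.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the thread's inbound ACL with placeholder addresses
# (203.0.113.10 = Dialer1 public IP, 198.51.100.53 = ISP DNS, 198.51.100.0/26 = ISP mgmt).
INET_IN = """
permit tcp any any established
permit udp host 198.51.100.53 eq domain any
permit udp any host 203.0.113.10 range 10001 20000
permit udp any host 203.0.113.10 eq 5060
permit tcp 198.51.100.0 0.0.0.63 any eq telnet
deny ip any any log
"""
NAMED_PORTS = {"domain": 53, "telnet": 23, "snmp": 161, "snmptrap": 162}
def _addr(tok):  # consume one address spec: any | host A.B.C.D | A.B.C.D wildcard
    if tok[0] == "any":
        return ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ip_network(tok[1] + "/32"), tok[2:]
    mask = ".".join(str(255 - int(o)) for o in tok[1].split("."))  # wildcard -> netmask
    return ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def _ports(tok):  # consume an optional 'eq P' or 'range LO HI'; default is every port
    if tok and tok[0] == "eq":
        p = NAMED_PORTS.get(tok[1]) or int(tok[1])
        return (p, p), tok[2:]
    if tok and tok[0] == "range":
        return (int(tok[1]), int(tok[2])), tok[3:]
    return (0, 65535), tok

def parse_acl(text):
    entries = []  # (action, proto, src, src_ports, dst, dst_ports, established)
    for line in text.strip().splitlines():
        action, proto, *tok = line.split()
        src, tok = _addr(tok)
        sports, tok = _ports(tok)
        dst, tok = _addr(tok)
        dports, tok = _ports(tok)
        entries.append((action, proto, src, sports, dst, dports, "established" in tok))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, dport, sport=40000, ack=False):
    """First match wins, else implicit deny; 'established' needs ACK/RST (ack=True)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for action, p, src, sp, dst, dp, est in entries:
        if (p in ("ip", proto) and s in src and d in dst and (ack or not est)
                and sp[0] <= sport <= sp[1] and dp[0] <= dport <= dp[1]):
            return action
    return "deny"
def exposed_udp_ports(entries, dst_ip, src_ip="192.0.2.55"):  # src = unrelated host
    return sum(evaluate(entries, "udp", src_ip, dst_ip, p) == "permit" for p in range(1, 65536))
```

With the bare static NAT every port is reachable; with this ACL in front of it only the RTP range plus 5060 are, which the count makes visible.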

I'm not one hundred percent sure I follow your issue now. I will try to answer what I think is the issue. If I am wrong, can you try to explain again?

In regard to this part of the comment:

And with that command, it isn't necessary to change the overload ACL. I have

ip nat inside source list 10 interface Dialer1 overload
access-list 10 permit 192.168.99.0 0.0.0.7

By changing the overload ACL to the one recommended by the previous respondent, you are only overloading those specific ports instead of all ports, so it is necessary to use the extended ACL. Doing this should resolve your DNS issue.

Let me know if I misunderstood the current issue.
