07-12-2007 12:33 AM - edited 03-03-2019 05:50 PM
I've been looking for a solution to forward a port range for months, and I haven't any solution yet.
I am CCNA Certified and CCNP cursed. I've asked my teachers, at conferences and my ISP support. Nobody knows how to do it.
A common task like this, that is so trivial on every router, why is it so difficult on Cisco? Is it possible?
Thanks in advance to everybody.
Olaf
07-12-2007 12:44 AM
Cisco is famous for not doing things that cheap makers do since day one. There are many examples.
With regard to your question, I will try to give it an answer as soon as I have time to look into it.
07-12-2007 01:14 AM
I've found some ways to do it, but if you have only one public IP, the router loses its connection because the public IP is mapped to the server's private IP. All outside requests are NATed to the server's private IP and only it has access to the internet.
I hope for your advice.
Regards,
Olaf
07-12-2007 02:00 AM
Hi,
to the person who low-rated my post above: if this is the kind of attitude toward contributions that are made in frankness and good will, it may make me think again about further researching the issue.
07-12-2007 04:54 AM
Hi p.bevilacqua!
The person who rated your post is me, the author of the query, Olaf. I rated your post based on its help in resolving the issue, and at the moment my problem is still there.
I am very thankful for your searching for the solution, but I thought that 5 points are given when the issue is resolved. If I am mistaken, please tell me and I apologize for the annoyance.
Best regards,
Olaf
07-12-2007 12:02 PM
Hi Olaf,
I did not expect at all to receive any points for an interlocutory post in which I was basically saying "will look into this", but neither a low rating, which should be reserved only for obscure, senseless, or contemptuous posts.
In short, it is not necessary to rate all posts.
And since I then got another inappropriate '1' in this thread, I can tell for sure that someone, again, is misusing the system.
Best thing for me then, is to stay away from this thread.
Good luck.
07-12-2007 01:11 PM
Hi Paolo,
I'm sorry for rating you with 2 points. I now understand that ratings lower than 3 are bad ratings. Sorry for the inconvenience. I can't edit my rating, can I?
Best regards,
Olaf
07-12-2007 03:44 PM
Hi Olaf,
there is no problem whatsoever. I understand that you didn't mean that to be a punitive rating.
Hope you can get a satisfying answer to your question, I'm too sleepy to think about it right now.
07-12-2007 06:11 AM
Can you give us the template you are working on?
You can forward ports by using an ACL to describe the source and destination address along with the ports and then associate that ACL to an inside source list.
07-12-2007 07:03 AM
I have a router with one fixed public IP address. I need to forward the UDP range 10001-20000 to 192.168.99.4.
The config is:
controller DSL 0
mode atm
line-term cpe
line-mode 4-wire standard
dsl-mode shdsl symmetric annex B
line-rate 2432
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description CONEXION PPP INTERNET
pvc datos 0/33
ubr 2048
oam-pvc 0
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.99.1 255.255.255.248
no ip redirects
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
load-interval 30
!
interface Dialer1
description Interfaz WAN para la conexion de Internet
ip address negotiated
ip access-group 199 in
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname XXXX
ppp chap password 7 XXXX
!
interface Dialer0
no ip address
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip dns server
!
ip nat inside source list 10 interface Dialer1 overload
!
access-list 10 remark --- Definicion del trafico a NATear ---
access-list 10 permit 192.168.99.0 0.0.0.7
access-list 199 remark Lista de Seguridad: Filtrado ICMP y SNMP
access-list 199 deny icmp any any redirect
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp host X.X.X.X any
access-list 199 permit ip X.X.X.X 0.0.0.63 any
access-list 199 permit ip X.X.X.X 0.0.0.31 any
access-list 199 permit ip X.X.X.X 0.0.0.255 any
access-list 199 deny icmp any any
access-list 199 deny ip 127.0.0.0 0.255.255.255 any
access-list 199 deny ip 224.0.0.0 31.255.255.255 any
access-list 199 deny ip host 0.0.0.0 any
access-list 199 deny ip host 255.255.255.255 any
access-list 199 deny udp any any eq snmp
access-list 199 deny udp any any eq snmptrap
access-list 199 permit ip any any
If you need more information, please let me know.
Thanks and best regards,
Olaf
07-12-2007 09:10 AM
You would need to modify your current source list on the NAT, as follows:
ip nat inside source list 100 interface Dialer1 overload
and the ACL as follows:
access-list 100 permit ip 192.168.99.0 0.0.0.7 any
access-list 100 permit udp host 192.168.99.4 range 10001-20000 any
07-12-2007 10:23 AM
I've tried those commands and they don't work.
I've tried switching ACL order too.
Does this work for you?
Regards,
Olaf
07-12-2007 10:48 AM
Olaf,
I believe if you keep EdisonOrtiz's configuration and then add either
**************
ip nat inside source static 192.168.99.4 interface dialer1
**************
or
**************
ip nat inside source static 192.168.99.4 [outside ip] extendable
**************
It should work.
I know I have done this another way before, but I can't find the config; I am still looking.
Thanks,
David
07-12-2007 11:46 AM
Hi David:
You are correct. Adding
ip nat inside source static 192.168.99.4 interface dialer1
works, but all ports are open, which is a high security risk.
And with that command, it isn't necessary to change the overload ACL. I've
ip nat inside source list 10 interface Dialer1 overload
access-list 10 permit 192.168.99.0 0.0.0.7
and it works, but with all ports open on 192.168.99.4, and the router loses its connection. If I do an extended ping with source 192.168.99.1, it works.
I've added a named ACL like this on Dialer1.
ip access-list extended inet_in
remark Filtro Externo
remark Permitir respuesta de conexiones iniciadas desde dentro
permit tcp any any established
remark Permitir respuestas a consultas DNS de Comunitel
permit udp host
permit udp host
remark Permitir pings y respuestas a pings internos
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
remark Permitir SIP (5060) y RTP (10001 - 20000)
permit udp any host
permit udp any host
remark gestion de Comunitel, para permitir acceso telnet
permit tcp X.X.X.X 0.0.0.63 any eq telnet
remark Maqs. de Comuntiel para gestisn de SNMP
permit udp host X.X.X.X any eq snmp
permit udp host X.X.X.X any eq snmp
remark Denegar todo y logear
deny ip any any log
And now only the range is open.
But I still have the router connection issue. It is running as a DNS server, so I need it to be able to connect.
How can I change the source IP address or interface of the router when it connects to the internet?
Regards,
Olaf
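The post above is the point where the exposure actually changes: `ip nat inside source static 192.168.99.4 interface dialer1` hands every inbound packet on the public address to 192.168.99.4, and the named ACL `inet_in` applied inbound on Dialer1 is what narrows that back down to SIP and the RTP range. The following is an added example, not code from the thread or from Cisco: a small Python model of IOS extended-ACL evaluation (first match wins, implicit deny at the end, `host`/`any`/wildcard-mask address matching) run over the `inet_in` entries as posted. It relies on one IOS fact, that for outside-to-inside traffic the inbound ACL is checked before the global-to-local NAT translation, so the SIP/RTP entries match on the public address rather than on 192.168.99.4. Every address the post elides (the negotiated Dialer1 address, the ISP DNS servers, the `X.X.X.X` management and SNMP hosts) is replaced with a constructed placeholder from the RFC 5737 documentation ranges, and the SIP port 5060 entry is taken from the post's own remark.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed placeholders for addresses the original post elides or truncates.
PUBLIC_IP = "192.0.2.10"                       # router's negotiated Dialer1 address
ISP_DNS = ["198.51.100.53", "198.51.100.54"]   # ISP DNS servers ("permit udp host ...")
ISP_MGMT = "203.0.113.0 0.0.0.63"              # ISP management block (X.X.X.X 0.0.0.63)
ISP_SNMP = ["203.0.113.70", "203.0.113.71"]    # ISP SNMP pollers (host X.X.X.X)


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    established: bool = False    # TCP segment with ACK or RST set (IOS "established")
    icmp_type: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard)
    dst: str
    dports: Optional[Tuple[int, int]] = None   # inclusive dst port range; "eq p" is (p, p)
    established: bool = False
    icmp_type: Optional[str] = None


def addr_matches(spec: str, addr: str) -> bool:
    """IOS address matching: 'any', 'host X', or 'net wildcard' (0 bits in the wildcard must be equal)."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net = int(ipaddress.IPv4Address(parts[0]))
    wild = int(ipaddress.IPv4Address(parts[1]))
    care = 0xFFFFFFFF ^ wild
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not addr_matches(rule.src, pkt.src) or not addr_matches(rule.dst, pkt.dst):
        return False
    if rule.dports is not None:
        if pkt.dport is None or not (rule.dports[0] <= pkt.dport <= rule.dports[1]):
            return False
    if rule.established and not pkt.established:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl: Optional[List[Rule]], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'.
    acl=None models an interface with no access-group applied (everything passes)."""
    if acl is None:
        return "permit"
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# The named ACL "inet_in" from the post, with placeholders for the elided hosts.
INET_IN: List[Rule] = [
    Rule("permit", "tcp", "any", "any", established=True),
    *[Rule("permit", "udp", f"host {dns}", "any") for dns in ISP_DNS],
    Rule("permit", "icmp", "any", "any", icmp_type="echo"),
    Rule("permit", "icmp", "any", "any", icmp_type="echo-reply"),
    Rule("permit", "icmp", "any", "any", icmp_type="time-exceeded"),
    Rule("permit", "icmp", "any", "any", icmp_type="unreachable"),
    Rule("permit", "udp", "any", f"host {PUBLIC_IP}", dports=(5060, 5060)),     # SIP
    Rule("permit", "udp", "any", f"host {PUBLIC_IP}", dports=(10001, 20000)),   # RTP
    Rule("permit", "tcp", ISP_MGMT, "any", dports=(23, 23)),                    # telnet mgmt
    *[Rule("permit", "udp", f"host {s}", "any", dports=(161, 161)) for s in ISP_SNMP],
    Rule("deny", "ip", "any", "any"),                                           # deny ip any any log
]


def exposed_udp_ports(acl: Optional[List[Rule]], outside_src: str = "198.51.100.200") -> Set[int]:
    """UDP destination ports on the public address that an arbitrary outside host reaches.
    With the static NAT every permitted packet is handed to 192.168.99.4, so this is
    also the set of UDP ports reachable on that host."""
    return {p for p in range(1, 65536)
            if evaluate(acl, Packet("udp", outside_src, PUBLIC_IP, dport=p)) == "permit"}


if __name__ == "__main__":
    print(len(exposed_udp_ports(None)))     # static NAT alone: every UDP port reaches the host
    print(len(exposed_udp_ports(INET_IN)))  # with inet_in: SIP 5060 plus RTP 10001-20000
```

Running it shows the difference the post describes: without the access-group all 65535 UDP ports on the public address land on 192.168.99.4, with `inet_in` only 10001 of them do (port 5060 and the 10000-port RTP range), and unsolicited TCP such as a connection to port 22 is dropped while established return traffic and the management telnet source block still pass.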
07-12-2007 11:52 AM
I'm not one hundred percent sure I follow your issue now. I will try to answer what I think is the issue. If I am wrong, can you try to explain again?
In regards to this part of the comment:
And with that command, it isn't necessary to change the overload ACL. I've
ip nat inside source list 10 interface Dialer1 overload
access-list 10 permit 192.168.99.0 0.0.0.7
By changing the overload ACL to the one recommended by the previous respondent, you are only overloading those specific ports instead of all ports, so it is necessary to use the extended ACL. Doing this should resolve your DNS issue.
Let me know if I misunderstood the current issue.