Port range forwarding to multiple internal IPs with a dynamic ISP connection

Unanswered Question
Jan 3rd, 2009

I have a 2611 router connected with a dynamic IP assigned by the ISP. My configuration works fine for now, but when I get a new IP assigned from my ISP I know my port forwarding will break. For some reason I cannot route-map to the interface fa0/0 instead of the outside IP address. Does anyone know how to forward a range of ports to different internal IPs from the outside interface instead of the outside IP address? Here is my config:


Thanks,


~Roman



interface fa0/0
 ip nat outside
interface fa0/1
 ip nat inside
interface s1/0
 ip nat inside

ip nat inside source list 1 interface fa0/0 overload
ip nat inside source static tcp 10.0.0.2 22 72.xxx.xxx.85 22 extendable
ip nat inside source static 192.168.1.3 72.xxx.xxx.85 route-map DESKTOP extendable

access-list 1 remark NAT OVERLOAD List
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 100 remark Desktop computer port-forwarding
access-list 100 permit tcp host 192.168.1.3 eq 3389 any
access-list 100 permit tcp host 192.168.1.3 eq 28960 any
access-list 100 permit udp host 192.168.1.3 range 28960 32000 any

route-map DESKTOP permit 10
 match ip address 100

ip route 0.0.0.0 0.0.0.0 fa0/0 dhcp

Collin Clark Mon, 01/05/2009 - 05:52

Use the interface name:

ip nat inside source static tcp 192.168.0.1 2067 interface fa0/0 2067
ip nat inside source static tcp 192.168.0.2 2068 interface fa0/0 2068
ip nat inside source static tcp 192.168.0.3 2080 interface fa0/0 2080
ip nat inside source static tcp 192.168.0.4 2070 interface fa0/0 2070
ip nat inside source static tcp 192.168.0.5 2075 interface fa0/0 2075


Hope that helps.

khomitchr Tue, 01/06/2009 - 02:49

For the single port forwarding that would work, but what about the range of ports 29860 through 32000? Will I have to make a statement for each port or is there an easier way to accomplish this without flooding my config with nat statements?


Thanks,


~Roman


Also, it would be nice if Cisco could include the interface option in the route-map command in the next IOS release :)


Example:


ip nat inside source static 192.168.1.3 interface fa0/0 route-map DESKTOP



There is no option for this in my router even with a 12.4 IOS. If there is no solution for this I'm hoping the next release of IOS will have this option so dynamic IPs would not cause this conflict. I know any Linksys router has the option to forward a range of ports and it is designed for dynamic IP service, so I'm hoping a professional router like the 2611 could do the same.


Another thought: maybe the router automatically updates the IP by using an alias to the interface? Any thoughts?

Collin Clark Tue, 01/06/2009 - 06:40

In your first post you stated that you translate to a couple of different machines. Since you're doing that, you're stuck creating a ton of port translations. If you were going to one PC, you could just NAT all ports with the following command.


ip nat inside source static 192.168.13.5 interface Dialer0


With the NAT examples (using the interface instead of the IP), it will automatically update.

khomitchr Wed, 01/07/2009 - 02:15

So you're telling me I need to make my config look like this for it to work?




interface fa0/0
 ip nat outside
interface fa0/1
 ip nat inside
interface s1/0
 ip nat inside

ip nat inside source list 1 interface fa0/0 overload
ip nat inside source static tcp 10.0.0.2 22 interface fa0/0 22
ip nat inside source static tcp 192.168.1.4 20 interface fa0/0 20
ip nat inside source static tcp 192.168.1.4 21 interface fa0/0 21
ip nat inside source static tcp 192.168.1.2 80 interface fa0/0 80
ip nat inside source static tcp 192.168.1.3 3389 interface fa0/0 3389
ip nat inside source static tcp 192.168.1.3 28960 interface fa0/0 28960
ip nat inside source static udp 192.168.1.3 28960 interface fa0/0 28960
 ... (one statement per port in the range; 3040 total statements required) ...
ip nat inside source static udp 192.168.1.3 32000 interface fa0/0 32000

access-list 1 remark NAT OVERLOAD List
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.15.255.255

ip route 0.0.0.0 0.0.0.0 fa0/0 dhcp



This means that my router config will be completely flooded and will probably reduce the performance of the router dramatically and make it extremely difficult to manage! NOTE: the 3040 statements required.

Does Cisco not have a better solution when any home based LINKSYS router can do the job with a few clicks of a mouse? Doesn't Linksys use the same CLI command structure to manage the router's GUI in the background? Note: telnet and SSH are turned off in LINKSYS routers and there is no way to turn them on unless you have an old one with never-upgraded firmware lying around.

Can anyone else confirm that Cisco enterprise routers have no easy way of accomplishing this? And if so, how do I notify Cisco of the issue so that they can make the proper changes in the next IOS release?

This is one example of what I think Cisco should make available for this issue in their next release of the IOS if there is no known current solution for this...


interface fa0/0
 ip nat outside
interface fa0/1
 ip nat inside
interface s1/0
 ip nat inside

ip nat inside source list 1 interface fa0/0 overload
ip nat inside source static tcp 10.0.0.2 22 interface fa0/0 22 extendable
ip nat inside source static tcp 192.168.1.2 80 interface fa0/0 80 extendable
ip nat inside source static 192.168.1.3 interface fa0/0 route-map DESKTOP extendable
ip nat inside source static 192.168.1.4 interface fa0/0 route-map FTP extendable

access-list 1 remark NAT OVERLOAD List
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 100 remark Desktop computer port-forwarding
access-list 100 permit tcp host 192.168.1.3 eq 3389 any
access-list 100 permit tcp host 192.168.1.3 eq 28960 any
access-list 100 permit udp host 192.168.1.3 range 28960 32000 any
access-list 101 remark FTP Server computer port-forwarding
access-list 101 permit tcp host 192.168.1.4 range 20 21 any

route-map DESKTOP permit 10
 match ip address 100

route-map FTP permit 10
 match ip address 101

ip route 0.0.0.0 0.0.0.0 fa0/0 dhcp


Any help is appreciated!


Sincerely,


~Roman
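Added example, not from the thread or from Cisco: a Python script that expands the port-range forwards discussed in this post into the one-port-per-statement static NAT lines IOS needs, counts them, and flags two forwards that claim the same outside port and protocol. The inside host, interface name and port ranges come from the config above; the function names, the conflict check and the sample forward list are this example's own assumptions, and the script works for any list of forwards, not only the desktop's.

```python
"""Expand port-range forwards into per-port IOS static NAT statements.

Added example (not from the thread). The addresses and ports in
DESKTOP_FORWARDS are the thread's; everything else is an assumption
of this script.
"""
from typing import Iterator, List, Tuple

# (protocol, inside host, first outside port, last outside port)
Forward = Tuple[str, str, int, int]


def nat_statements(forwards: List[Forward], outside_if: str = "fa0/0") -> Iterator[str]:
    """Yield one 'ip nat inside source static' line per protocol and port.

    IOS static PAT takes a single port per statement, so a range of N
    ports expands to N lines. Naming the interface instead of a literal
    public address keeps the translation valid after a DHCP change.
    """
    for proto, inside_ip, first, last in forwards:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r}")
        if not (0 < first <= last <= 65535):
            raise ValueError(f"bad port range {first}-{last}")
        for port in range(first, last + 1):
            yield (f"ip nat inside source static {proto} {inside_ip} {port} "
                   f"interface {outside_if} {port}")


def statement_count(forwards: List[Forward]) -> int:
    """Number of statements the config would need (ranges are inclusive)."""
    return sum(last - first + 1 for _, _, first, last in forwards)


def find_port_conflicts(forwards: List[Forward]) -> List[Tuple[str, int, str, str]]:
    """Two forwards sharing a protocol and outside port cannot coexist on one
    interface; return (proto, port, first host, second host) for each clash."""
    seen = {}
    conflicts = []
    for proto, inside_ip, first, last in forwards:
        for port in range(first, last + 1):
            key = (proto, port)
            if key in seen and seen[key] != inside_ip:
                conflicts.append((proto, port, seen[key], inside_ip))
            seen.setdefault(key, inside_ip)
    return conflicts


# Constructed from the desktop forwards in the thread's access-list 100.
DESKTOP_FORWARDS: List[Forward] = [
    ("tcp", "192.168.1.3", 3389, 3389),
    ("tcp", "192.168.1.3", 28960, 28960),
    ("udp", "192.168.1.3", 28960, 32000),
]

if __name__ == "__main__":
    print(f"{statement_count(DESKTOP_FORWARDS)} statements needed")
    for line in nat_statements(DESKTOP_FORWARDS):
        print(line)
```

Running it prints every statement, which can be pasted into configuration mode; the count it reports for the desktop forwards is 3043 because both ends of the UDP range are included and the two TCP ports add one line each.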

Collin Clark Wed, 01/07/2009 - 06:28

Linksys and Cisco do not use the same CLI. AFAIK Cisco IOS can not do this, however the Cisco ASA (their firewall product) can use port ranges.

khomitchr Wed, 01/07/2009 - 15:55

Understood.


Mr. Clark, is there a way for me to forward my request of implementing this option into the next IOS? Who would I have to forward this request to, or how would I go about doing this? I think it would help Cisco in supporting more customer needs in the future.


Thanks,


~Roman

Collin Clark Thu, 01/08/2009 - 06:15

Roman-


The best I know of is to talk with your local Cisco sales rep. You could also call your local Cisco office directly. Best of luck.


Collin

khomitchr Thu, 01/08/2009 - 16:50

Collin,


Thanks for all your help regarding this matter. I think I have figured out a solution from your idea of using a Linksys router connected to my router. I think if you have 2 Cisco 2611 routers you can accomplish port forwarding, because the second router in line only needs to know the IP from the first router, which will always be static. The first router would only have to forward all port numbers to a single IP with this command:


ip nat inside source static 10.0.0.5 interface fa0/0


10.0.0.5 would be the outside interface for router 2


Then I would set up NAT overload on the second router with port forwarding using the route-map command! Or my other options would be to get an ASA firewall that has these capabilities or a Linksys router as you suggested. Do you think this would work in a dynamic IP environment?


Another interesting command I stumbled upon was port-map, which I think is for UPnP support to the firewall and cannot be used for port forwarding. I might be wrong though.


Sincerely,


Roman K.

Hi,


If you only have one internal IP requiring a lot of ports to be forwarded, you could use the NAT Default Inside Server functionality as such ...


ip nat inside source list 1 interface fa0/0 overload
ip nat inside source static tcp 10.0.0.2 22 interface fa0/0 22
ip nat inside source static tcp 192.168.1.2 80 interface fa0/0 80
ip nat inside source static 192.168.1.3 interface fa0/0
ip nat inside source static tcp 192.168.1.4 20 interface fa0/0 20
ip nat inside source static tcp 192.168.1.4 21 interface fa0/0 21


But this would completely expose 192.168.1.3 to the outside (with the exception of the ports forwarded to the other ips). To safeguard against this, you can add an inbound acl to Fa0/0, and use ip inspect to dynamically open it for (inside originated session) reply packets as such ...


access-list 150 permit tcp any any eq 20
access-list 150 permit tcp any any eq 21
access-list 150 permit tcp any any eq 22
access-list 150 permit tcp any any eq 80
access-list 150 permit tcp any any eq 3389
access-list 150 permit udp any any range 28960 32000

ip inspect name in-to-out tcp
ip inspect name in-to-out udp
ip inspect name in-to-out icmp

interface fa0/0
 ip access-group 150 in
 ip inspect in-to-out out
 no ip unreachables


Cheers,


(Also) Roman.
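Added example, not code from the thread: a small Python simulation of the arrangement in the post above, an inbound ACL on fa0/0 plus ip inspect tracking inside-originated sessions, to show which unsolicited outside packets still reach the fully exposed default inside server and why the inspect rule is needed for replies to get back in. The permit rules are those of access-list 150; the addresses (203.0.113.85 standing in for the router's DHCP address, 198.51.100.7 for an outside host), the packets and the class and function names are constructed for this example.

```python
"""Inbound filter in front of a NAT 'default inside server'.

Added example (not from the thread). The ACL entries mirror
access-list 150; addresses, packets and names are constructed here.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple

Rule = Tuple[str, int, int]               # (protocol, low port, high port), permit only
Session = Tuple[str, str, int, str, int]  # (proto, peer ip, peer port, our ip, our port)

PUBLIC_IP = "203.0.113.85"     # constructed stand-in for the address DHCP gave fa0/0
OUTSIDE_HOST = "198.51.100.7"  # constructed outside peer

# access-list 150 from the thread as permit rules; anything else is implicitly denied.
ACL_150: List[Rule] = [
    ("tcp", 20, 20), ("tcp", 21, 21), ("tcp", 22, 22), ("tcp", 80, 80),
    ("tcp", 3389, 3389), ("udp", 28960, 32000),
]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def acl_permits(acl: Iterable[Rule], pkt: Packet) -> bool:
    """Stateless check: first matching permit wins, otherwise implicit deny."""
    return any(pkt.proto == proto and lo <= pkt.dport <= hi for proto, lo, hi in acl)


@dataclass
class OutsideInterface:
    """fa0/0 with an optional 'ip access-group <acl> in' and 'ip inspect ... out'.

    acl=None models the interface with no inbound access list applied.
    """
    acl: Optional[List[Rule]]
    inspect: bool = True
    sessions: Set[Session] = field(default_factory=set)

    def send_out(self, pkt: Packet) -> None:
        """Outbound traffic: with inspection on, remember the session so the
        reply can be let back through the inbound ACL."""
        if self.inspect:
            self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def receive_in(self, pkt: Packet) -> bool:
        """Inbound traffic: a reply to a tracked session is opened dynamically;
        everything else must match the static ACL, or passes if there is none."""
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
            return True
        if self.acl is None:
            return True
        return acl_permits(self.acl, pkt)


def reachable_ports(iface: OutsideInterface, proto: str, ports: Iterable[int]) -> List[int]:
    """Ports an unsolicited outside packet would reach on the default inside server."""
    return [p for p in ports
            if iface.receive_in(Packet(proto, OUTSIDE_HOST, 40000, PUBLIC_IP, p))]


def reply_gets_back(inspect: bool) -> bool:
    """Does the reply to an inside-originated HTTPS session pass fa0/0?"""
    iface = OutsideInterface(ACL_150, inspect=inspect)
    iface.send_out(Packet("tcp", PUBLIC_IP, 51000, OUTSIDE_HOST, 443))
    return iface.receive_in(Packet("tcp", OUTSIDE_HOST, 443, PUBLIC_IP, 51000))


if __name__ == "__main__":
    probe = [22, 80, 443, 445, 3389]
    print("no ACL, exposed tcp ports:", reachable_ports(OutsideInterface(None), "tcp", probe))
    print("ACL 150, exposed tcp ports:", reachable_ports(OutsideInterface(ACL_150), "tcp", probe))
    print("reply with inspect:", reply_gets_back(True), "without:", reply_gets_back(False))
```

Without the access list every probed port reaches 192.168.1.3; with access-list 150 only the forwarded ports do, and the reply to an inside-originated session is accepted only because ip inspect recorded it on the way out.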

khomitchr Sat, 01/10/2009 - 17:01

I will give it a shot and let you know how it turns out. Might be a few days though.


Thanks,


~Roman
