
Port range forwarding to multiple internal IPs with a dynamic ISP connection

khomitchr (Level 1)

I have a 2611 router connected with a dynamic IP assigned by the ISP. My configuration works fine for now, but when I get a new IP assigned from my ISP I know my port forwarding will break. For some reason I cannot route-map to the interface fa0/0 instead of the outside IP address. Does anyone know how to forward a range of ports to different internal IPs from the outside interface instead of the outside IP address? Here is my config:

Thanks,

~Roman

interface fa0/0
 ip nat outside
interface fa0/1
 ip nat inside
interface s1/0
 ip nat inside
!
ip nat inside source list 1 interface fa0/0 overload
ip nat inside source static tcp 10.0.0.2 22 72.xxx.xxx.85 22 extendable
ip nat inside source static 192.168.1.3 72.xxx.xxx.85 route-map DESKTOP extendable
!
access-list 1 remark NAT OVERLOAD List
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 100 remark Desktop computer port-forwarding
access-list 100 permit tcp host 192.168.1.3 eq 3389 any
access-list 100 permit tcp host 192.168.1.3 eq 28960 any
access-list 100 permit udp host 192.168.1.3 range 28960 32000 any
!
route-map DESKTOP permit 10
 match ip address 100
!
ip route 0.0.0.0 0.0.0.0 fa0/0 dhcp

11 Replies

Collin Clark (VIP Alumni)

Use the interface name:

ip nat inside source static tcp 192.168.0.1 2067 interface fa0/0 2067
ip nat inside source static tcp 192.168.0.2 2068 interface fa0/0 2068
ip nat inside source static tcp 192.168.0.3 2080 interface fa0/0 2080
ip nat inside source static tcp 192.168.0.4 2070 interface fa0/0 2070
ip nat inside source static tcp 192.168.0.5 2075 interface fa0/0 2075

Hope that helps.

For single port forwarding that would work, but what about the range of ports 29860 through 32000? Will I have to make a statement for each port, or is there an easier way to accomplish this without flooding my config with NAT statements?

Thanks,

~Roman

Also it would be nice if Cisco could include the interface option in the route-map command in the next IOS release :)

Example:

ip nat inside source static 192.168.1.3 interface fa0/0 route-map DESKTOP

There is no option for this in my router even with a 12.4 IOS. If there is no solution for this, I'm hoping the next release of IOS will have this option so dynamic IPs would not cause this conflict. I know any Linksys router has the option to forward a range of ports and is designed for dynamic IP service, so I'm hoping a professional router like the 2611 could do the same.

Another thought: maybe the router automatically updates the IP by using an alias to the interface? Any thoughts?

In your first post you stated that you translate to a couple of different machines. Since you're doing that, you're stuck creating a ton of port translations. If you were going to one PC, you could just NAT all ports with the following command.

ip nat inside source static 192.168.13.5 interface Dialer0

With the NAT examples (using the interface instead of the IP), it will automatically update.

So you're telling me I need to make my config look like this for it to work?

interface fa0/0
 ip nat outside
interface fa0/1
 ip nat inside
interface s1/0
 ip nat inside
!
ip nat inside source list 1 interface fa0/0 overload
ip nat inside source static tcp 10.0.0.2 22 interface fa0/0 22
ip nat inside source static tcp 192.168.1.4 20 interface fa0/0 20
ip nat inside source static tcp 192.168.1.4 21 interface fa0/0 21
ip nat inside source static tcp 192.168.1.2 80 interface fa0/0 80
ip nat inside source static tcp 192.168.1.3 3389 interface fa0/0 3389
ip nat inside source static tcp 192.168.1.3 28960 interface fa0/0 28960
ip nat inside source static udp 192.168.1.3 28960 interface fa0/0 28960
! ... one statement per port in the range, 3040 total statements required ...
ip nat inside source static udp 192.168.1.3 32000 interface fa0/0 32000
!
access-list 1 remark NAT OVERLOAD List
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
!
ip route 0.0.0.0 0.0.0.0 fa0/0 dhcp

This means that my router config will be completely flooded and will probably reduce the performance of the router dramatically and make it extremely difficult to manage! NOTE: the 3040 statements required.

Does Cisco not have a better solution when any home-based Linksys router can do the job with a few clicks of a mouse? Doesn't Linksys use the same CLI command structure to manage the router's GUI in the background? Note: telnet and SSH are turned off in Linksys routers and there is no way to turn them on unless you have an old one with never-upgraded firmware lying around.

Can anyone else confirm that Cisco enterprise routers have no easy way of accomplishing this? And if so, how do I notify Cisco of the issue so that they can make the proper changes in the next IOS release?

This is one example of what I think Cisco should make available for this issue in their next release of IOS if there is no known current solution for this...

interface fa0/0
 ip nat outside
interface fa0/1
 ip nat inside
interface s1/0
 ip nat inside
!
ip nat inside source list 1 interface fa0/0 overload
ip nat inside source static 10.0.0.2 22 interface fa0/0 22 extendable
ip nat inside source static 192.168.1.2 80 interface fa0/0 80 extendable
ip nat inside source static 192.168.1.3 interface fa0/0 route-map DESKTOP extendable
ip nat inside source static 192.168.1.4 interface fa0/0 route-map FTP extendable
!
access-list 1 remark NAT OVERLOAD List
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 100 remark Desktop computer port-forwarding
access-list 100 permit tcp host 192.168.1.3 eq 3389 any
access-list 100 permit tcp host 192.168.1.3 eq 28960 any
access-list 100 permit udp host 192.168.1.3 range 28960 32000 any
access-list 101 remark FTP Server computer port-forwarding
access-list 101 permit tcp host 192.168.1.4 range 20 21 any
!
route-map DESKTOP permit 10
 match ip address 100
route-map FTP permit 10
 match ip address 101
!
ip route 0.0.0.0 0.0.0.0 fa0/0 dhcp

Any help is appreciated!

Sincerely,

~Roman
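The thread settles on the fact that IOS has no port-range form of `ip nat inside source static tcp|udp ...`, so a range of N ports costs N statements. As an added example (not code from the thread or from Cisco), the script below expands a short forwarding spec into exactly that one-line-per-port form, binding every entry to the outside interface name rather than its DHCP-assigned address, and refuses to emit two entries that claim the same global protocol/port for different inside hosts. The interface name fa0/0 and the host/port list are assumptions taken from the configs above. One caveat worth checking on your release before relying on the `route-map` form in the first post: a static entry with a route map is matched on inside-originated traffic, and whether unsolicited outside-to-inside sessions are translated as well depends on the IOS version and the `reversible` keyword, which `show ip nat translations` will confirm either way.

```python
"""Expand a port-forwarding spec into IOS static NAT statements.

Added example, not from the thread. IOS has no range form of
"ip nat inside source static tcp|udp ...", so a forwarded range of N ports
needs N statements. Generating them from a short spec keeps the intent
readable and lets you validate the set before pasting it into the router.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

OUTSIDE_IF = "fa0/0"  # assumed: the NAT outside interface that gets its address via DHCP

# Constructed spec using the hosts and ports seen in the thread (an assumption,
# not the poster's exact requirements): "<proto> <inside ip> <port>" or "<port>-<port>".
SAMPLE_SPEC = [
    "tcp 10.0.0.2 22",
    "tcp 192.168.1.4 20-21",
    "tcp 192.168.1.2 80",
    "tcp 192.168.1.3 3389",
    "tcp 192.168.1.3 28960",
    "udp 192.168.1.3 28960-32000",
]


@dataclass(frozen=True)
class Forward:
    proto: str       # "tcp" or "udp"; static port NAT takes nothing else
    inside_ip: str   # inside local host
    first: int       # first port of the range
    last: int        # last port, inclusive (== first for a single port)


def parse_forward(spec: str) -> Forward:
    """Parse one spec line; reject anything IOS would not accept."""
    proto, ip, ports = spec.split()
    proto = proto.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"static port NAT only supports tcp/udp, got {proto!r}")
    first, _, last = ports.partition("-")
    lo = int(first)
    hi = int(last) if last else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {ports!r}")
    return Forward(proto, ip, lo, hi)


def nat_statements(forwards: Iterable[Forward], outside_if: str = OUTSIDE_IF) -> List[str]:
    """One 'ip nat inside source static' line per port.

    The entries bind to the interface name, not its address, which is what
    survives a new DHCP lease. A global port can only go to one inside host,
    so a second host claiming the same proto/port is an error rather than a
    silently shadowed entry.
    """
    owner: Dict[Tuple[str, int], str] = {}
    lines: List[str] = []
    for fwd in forwards:
        for port in range(fwd.first, fwd.last + 1):
            key = (fwd.proto, port)
            if key in owner:
                if owner[key] != fwd.inside_ip:
                    raise ValueError(
                        f"{fwd.proto}/{port} already forwarded to {owner[key]}, "
                        f"cannot also go to {fwd.inside_ip}"
                    )
                continue  # exact duplicate of an earlier line, emit it once
            owner[key] = fwd.inside_ip
            lines.append(
                f"ip nat inside source static {fwd.proto} {fwd.inside_ip} {port} "
                f"interface {outside_if} {port}"
            )
    return lines


def spec_rejected(specs: Iterable[str]) -> bool:
    """True if the spec cannot be expanded: two hosts claim the same
    proto/port, or a line is malformed (bad protocol or port range)."""
    try:
        nat_statements(parse_forward(s) for s in specs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    statements = nat_statements(parse_forward(s) for s in SAMPLE_SPEC)
    print("\n".join(statements))
    print(f"! {len(statements)} statements generated")
```

For the constructed spec this produces 3047 lines (6 single TCP ports plus the 3041-port UDP range), which is the order of magnitude the post above estimates. Paste the output in configuration mode, or feed it through whatever config-push tooling you use; the collision check is there because a typo that sends tcp/22 to two hosts would otherwise be accepted by the script and then silently lost on the router.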

Linksys and Cisco do not use the same CLI. AFAIK Cisco IOS can not do this, however the Cisco ASA (their firewall product) can use port ranges.

Understood.

Mr. Clark, is there a way for me to forward my request for implementing this option into the next IOS? Who would I have to forward this request to, or how would I go about doing this? I think it would help Cisco in supporting more customer needs in the future.

Thanks,

~Roman

Roman-

The best I know of is to talk with your local Cisco sales rep. You could also call your local Cisco office directly. Best of luck.

Collin

Collin,

thanks for all your help regarding this matter. I think I have figured out a solution from your advice about connecting a Linksys router to my router. I think if you have 2 Cisco 2611 routers you can accomplish port forwarding, because the second router in line only needs to know the IP from the first router, which will always be static. The first router would only have to forward all port numbers to a single IP with this command:

ip nat inside source static 10.0.0.5 interface fa0/0

10.0.0.5 would be the outside interface for router 2.

Then I would set up NAT overload on the second router with port forwarding using the route-map command! Or my other options would be to get an ASA firewall that has these capabilities, or a Linksys router as you suggested. Do you think this would work in a dynamic IP environment?

Another interesting command I stumbled upon was port-map, which I think is for UPnP support to the firewall and cannot be used for port forwarding. I might be wrong though.

Sincerely,

Roman K.

Hi,

If you only have one internal IP requiring a lot of ports to be forwarded, you could use the NAT Default Inside Server functionality as such ...

ip nat inside source list 1 interface fa0/0 overload
ip nat inside source static tcp 10.0.0.2 22 interface fa0/0 22
ip nat inside source static tcp 192.168.1.2 80 interface fa0/0 80
ip nat inside source static 192.168.1.3 interface fa0/0
ip nat inside source static tcp 192.168.1.4 20 interface fa0/0 20
ip nat inside source static tcp 192.168.1.4 21 interface fa0/0 21

But this would completely expose 192.168.1.3 to the outside (with the exception of the ports forwarded to the other IPs). To safeguard against this, you can add an inbound ACL to Fa0/0, and use ip inspect to dynamically open it for reply packets of inside-originated sessions, as such ...

access-list 150 permit tcp any any eq 20
access-list 150 permit tcp any any eq 21
access-list 150 permit tcp any any eq 22
access-list 150 permit tcp any any eq 80
access-list 150 permit tcp any any eq 3389
access-list 150 permit udp any any range 28960 32000
!
ip inspect name in-to-out tcp
ip inspect name in-to-out udp
ip inspect name in-to-out icmp
!
interface fa0/0
 ip access-group 150 in
 ip inspect in-to-out out
 no ip unreachables

Cheers,

(Also) Roman.

Forgot you were running dhcp, 1st acl entry should be ...

access-list 150 permit udp any any eq 68
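The security-relevant point of the two posts above is that once `ip nat inside source static 192.168.1.3 interface fa0/0` makes 192.168.1.3 the default inside server, every port on that host is reachable from the Internet and the inbound ACL on fa0/0 becomes the only thing limiting the exposure, so it is worth knowing exactly which ports it admits before it goes on the box. As an added example (not code from the thread or from Cisco), the evaluator below applies the first-match, implicit-deny semantics IOS uses to a numbered ACL and lists the destination ports left open per protocol. The ACL text is constructed from the lines in the posts above with the udp/68 DHCP entry placed first as the follow-up says; only the `any any` form with `eq` or `range` is parsed, which is all this ACL uses. Replies to inside-originated sessions are opened dynamically by `ip inspect` and are outside what a static check of the ACL can tell you.

```python
"""Evaluate an inbound IOS numbered ACL the way the router will.

Added example, not from the thread. With
    ip nat inside source static 192.168.1.3 interface fa0/0
every port on 192.168.1.3 is reachable from the Internet, so the inbound ACL
on fa0/0 is the only thing limiting that exposure. This reproduces IOS
first-match / implicit-deny semantics for the 'any any' ACEs used here so the
admitted port set can be checked before the ACL is applied.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the ACL in the thread plus the udp/68 fix from the follow-up.
ACL_150 = """
access-list 150 remark inbound on fa0/0: only what is deliberately forwarded
access-list 150 permit udp any any eq 68
access-list 150 permit tcp any any eq 20
access-list 150 permit tcp any any eq 21
access-list 150 permit tcp any any eq 22
access-list 150 permit tcp any any eq 80
access-list 150 permit tcp any any eq 3389
access-list 150 permit udp any any range 28960 32000
"""

# Only the 'any any' source/destination form with an optional eq/range is handled.
ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+any\s+any"
    r"(?:\s+eq\s+(?P<eq>\d+)|\s+range\s+(?P<lo>\d+)\s+(?P<hi>\d+))?\s*$"
)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    lo: Optional[int]   # None: any destination port
    hi: Optional[int]


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: Optional[int] = None   # None for protocols without ports (icmp)


def parse_acl(config: str, number: int) -> List[Ace]:
    """Collect the ACEs of one numbered ACL in order; remarks and other ACLs are skipped."""
    aces: List[Ace] = []
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m or int(m["num"]) != number:
            continue
        if m["eq"]:
            lo = hi = int(m["eq"])
        elif m["lo"]:
            lo, hi = int(m["lo"]), int(m["hi"])
        else:
            lo = hi = None
        aces.append(Ace(m["action"], m["proto"], lo, hi))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First matching ACE decides; no match is the implicit deny at the end of every IOS ACL."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.lo is not None and (
            pkt.dst_port is None or not ace.lo <= pkt.dst_port <= ace.hi
        ):
            continue
        return ace.action
    return "deny"


def permitted_ports(aces: List[Ace], proto: str) -> List[int]:
    """Every destination port the ACL admits for a protocol: the real exposure of the inside server."""
    return [p for p in range(1, 65536) if evaluate(aces, Packet(proto, p)) == "permit"]


if __name__ == "__main__":
    acl = parse_acl(ACL_150, 150)
    print("tcp ports reachable from outside:", permitted_ports(acl, "tcp"))
    udp = permitted_ports(acl, "udp")
    print(f"udp ports reachable from outside: {udp[0]}, {udp[1]}-{udp[-1]} ({len(udp)} total)")
    print("tcp/445 to the inside server:", evaluate(acl, Packet("tcp", 445)))
```

Run against the ACL as posted, the TCP list comes back as 20, 21, 22, 80 and 3389, and tcp/445 or anything else on 192.168.1.3 is denied, which is the protection the post is after. It also shows that tcp/28960, which the first post forwards for the desktop, is not in ACL 150 as quoted and would be dropped while udp/28960-32000 passes; that is the kind of omission a check like this catches before the config is applied. Because the ACL sits inbound on the NAT outside interface, it is evaluated before translation, so `any any` with a port matches on the global port, which here equals the inside port.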

I will give it a shot and let you know how it turns out. Might be a few days though.

Thanks,

~Roman
