Cisco 877W NAT Port redirection issue

Unanswered Question
Aug 17th, 2010

Hi to all,

I need redirect a range of ports from my public IP on the WAN side to a host in my LAN, and keep the statics NATs/NATPs too. As far i know this would be no posible because Cisco IOS for 877 does not have a parameter to specify a range of ports in the command IP NAT INSIDE SOURCE STATIC but i think i have found another way to avoid write in a line for each port in the configuration file.

I pretend use a NAT POOL of only a IP address and a ACL with the permited range of ports, so i have put these lines in the config file:

ip nat pool POOL1 192.168.1.8 192.168.1.8 netmask 255.255.255.0 type rotary

ip nat inside destination list BATTLENET pool POOL1

ip access-list extended BATTLENET

    permit tcp any any eq 3724
    permit tcp any any eq 6112
    permit tcp any any range 6881 6999

With this i pretend all traffic to the destinations ports described in the access list being redirected to the IP of the pool POOL1

The problem, i am unable to making this to work, i don't know if this is due to another configurations of my router or if this is not possible with the IOS image i'm running.

The IOS running is this image: c870-advsecurityk9-mz.123-8.YI2.bin

I don't know if, in order to make this work as intended,  i need the IOS Advanced IP Services image for the 877W instead the standard Advanced Security one. For troubleshooting purposes i have included to this post my current configuration, all possible advice will be welcome. Thank you very much for your time and support.

My config:

!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cerberus
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
enable secret 5 <--->
!
username admin privilege 15 secret <--->
clock timezone GMT 1
clock summer-time GMT recurring last Sun Mar 2:00 last Sun Oct 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server <DNS SERVER 1 IP> <DNS SERVER 2 IP>
   default-router 192.168.1.1
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name <MY DOMAIN>
ip name-server <DNS SERVER 1 IP>
ip name-server <DNS SERVER 2 IP>
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.3 point-to-point
no ip mroute-cache
pvc <PVC of ISP>
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface Dot11Radio0
no ip address
!
broadcast-key change 300 membership-termination
!
!
encryption mode ciphers tkip
!
ssid virtualikha
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 <--->
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
bridge-group 1
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname username
ppp chap password 7 <--->
ppp pap sent-username username password 7 <--->
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool POOL1 192.168.1.8 192.168.1.8 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.7 21 <PUBLIC IP> extendable
ip nat inside source static tcp 192.168.1.5 8000 <PUBLIC IP> 80 extendable
ip nat inside source static udp 192.168.1.9 88 <PUBLIC IP> 88 extendable
ip nat inside source static tcp 192.168.1.9 3074 <PUBLIC IP> 3074 extendable
ip nat inside source static udp 192.168.1.9 3074 <PUBLIC IP> 3074 extendable
ip nat inside source static tcp 192.168.1.4 4662 <PUBLIC IP> 4662 extendable
ip nat inside source static udp 192.168.1.4 4672 <PUBLIC IP> 4672 extendable
ip nat inside source static tcp 192.168.1.4 4711 <PUBLIC IP> 4711 extendable
ip nat inside source static tcp 192.168.1.7 6969 <PUBLIC IP> 6969 extendable
ip nat inside source static tcp 192.168.1.4 9000 <PUBLIC IP> 9000 extendable
ip nat inside source static tcp 192.168.1.7 10002 <PUBLIC IP> 10002 extendable
ip nat inside source static udp 192.168.1.7 10002 <PUBLIC IP> 10002 extendable
ip nat inside source static tcp 192.168.1.7 32459 <PUBLIC IP> 32459 extendable
ip nat inside source static udp 192.168.1.7 32459 <PUBLIC IP> 32459 extendable
ip nat inside destination list BATTLENET pool POOL1
!
ip access-list extended BATTLENET
permit tcp any any eq 3724
permit tcp any any eq 6112
permit tcp any any range 6881 6999
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any eq domain host <PUBLIC IP>
access-list 101 permit udp host 212.59.199.6 eq domain any
access-list 101 permit udp host 212.59.199.2 eq domain any
access-list 101 remark Servicio NTP
access-list 101 permit udp any eq ntp host <PUBLIC IP>
access-list 101 remark Servicio WWW
access-list 101 permit tcp any host <PUBLIC IP> eq www
access-list 101 remark Servicio FTP
access-list 101 permit tcp any host <PUBLIC IP> eq ftp
access-list 101 remark XBOX Live
access-list 101 permit tcp any host <PUBLIC IP> eq 3074
access-list 101 remark XBOX Live
access-list 101 permit udp any host <PUBLIC IP> eq 3074
access-list 101 remark XBOX Live
access-list 101 permit udp any host <PUBLIC IP> eq 88
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login  Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
login local
no modem enable
transport preferred all
transport output telnet
line aux 0
login local
transport preferred all
transport output telnet
line vty 0 4
privilege level 15
login local
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175099
ntp server 80.28.46.78
ntp server 213.98.118.5
ntp server 130.206.130.95
end

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Kha29096335 Thu, 08/19/2010 - 02:33

Hello again,

Are there anyone with a idea / advice about the topic, please?

Kha29096335 Fri, 08/20/2010 - 09:18

Hi again, guys

Problem solved...

What fool i was...i forgot configure the access list to open the destination ports too.

access-list 101 permit tcp any host eq 3724

access-list 101 permit tcp any host eq 6112
access-list 101 permit tcp any host range 6881 6999

did the trick.

It is not sufficent wirh the

ip access-list extended WOW
permit tcp any any eq 3724
permit tcp any any eq 6112
permit tcp any any range 6881 6999
!

Linked to the ip nat pool

it is necesary open the ports too.

Kind regards.

Actions

This Discussion

Related Content