HowTo: Define and forward custom service with disjoint/range of ports.

Answered Question
Jul 12th, 2012

I have an rv180 and I'm trying to set up a custom service that contains both multiple disjoint ports (some UDP some TCP), as well as a TCP port range. This has led me to a couple of questions.


1) Is it even possible to have a single custom service with disjoint ports? Is it just going to be necessary to define multiple partial services for this?


2) Is it possible to forward a range of ports? It's clear how to define a service with a port range, but the port forwarding table interface only allows me to select one LAN-side port for any service. Is there a secret notation that I need to do here that will just forward to the same LAN-side port as the WAN-side port---effectively one-to-one NAT forwarding, but just for the selected service?


Thanks,

Luke

Correct Answer
Davidwagman1 Thu, 07/12/2012 - 15:49

Hi Luke,


1) Unfortunately, it looks like you have to set up custom services for each set of disjointed ports, and then create forwarding rules for each custom port.


2) I'm not 100% sure I followed your question, but I think I got the gist. Port forwarding will forward traffic on the specific port (service) from your wan public IP to your designated private IP address (destination IP). You can restrict access by schedule or IP ("source users" - by host or range). Since it sounds like you're going to have multiple custom services, you'll need to create a port forwarding configuration for each service.


I hope that helps.


Best,

David


Please rate helpful posts.

lukedalessandro Thu, 07/12/2012 - 16:23

Thanks David,


1) That's too bad. It seems like a weakness in the database table model that a service can't be associated with multiple ports. Maybe an update will come along at some point to deal with this.


2) So the example here is that my NAS wants me to open 55536-55567 (TCP) for its FTP server. I can define this as a single custom service range without any issue, however when I go into port forwarding and select this service, I have to designate an internal port for the service, but the service is actually defined as a 31 port range. I can go in and add 31 specific custom services and 31 specific forwarding rules, but this seems silly.


I included screen captures of the custom service, and the attempt to add a forwarding rule for the service. Note the web api won't let me select a range for the internal port box.



Thanks,

Luke

Davidwagman1 Thu, 07/12/2012 - 16:37

Hi Luke,


That's odd, on my RV220 I have an option "same as incoming port." Must be the firmware is just different enough. Just a "silly" question - are you on the most recent firmware? (though I didn't see anything in the release notes about this issue). Are you able to leave it blank (and I assume you can't put a range, i.e. 8-15, since I can't type a dash in the box on mine either)?


Best,

David

lukedalessandro Thu, 07/12/2012 - 17:04

Thanks again David,


Leaving the field blank results in a form error indication. I'm at firmware 1.0.1.9 which appears to be current, as far as I can tell (http://www.cisco.com/cisco/software/release.html?mdfid=284005904&softwareid=282465789&release=1.0.1.9&relind=AVAILABLE&rellifecycle=&reltype=latest). The field won't accept any non-numeric input, so there doesn't seem to be a magic "same as incoming port" string either. Frustrating...


Is there maybe a magic firmware that's hidden somewhere else on Cisco's site? The rv220 is the same line as the rv180, right?

Luke

Correct Answer
Davidwagman1 Thu, 07/12/2012 - 17:10

Luke,


Your firmware is the current one.


I would suggest contacting small biz support, you can get them via phone or chat. I'd be curious what the outcome is.


Best,

David

lukedalessandro Fri, 07/13/2012 - 07:22

Hi David,


Thanks for the suggestion that I talk to small biz support. It turns out that the newer web-based configuration tool of the rv180 forwards port ranges using the "access control" configuration in the firewall, rather than the "port forwarding" configuration. Port forwarding in rv180-land specifically means forwarding one port to an internal address, and permits the port number to be adjusted during the forward. "Access control" can forward port ranges, but can not remap the port range (i.e., I can't remap 10000-20000 to an internal 40000-50000 range with an offset or anything). See the included screenshot.



Your response to question 1) is correct, there isn't a way to define a service as consisting of disjoint ports (or of adjacent ports of different protocol types).


Thanks for the help,

Luke

Davidwagman1 Fri, 07/13/2012 - 07:24

Luke,


Thanks for posting that, learn something new every day! I'm glad SBSC was able to help you, they are a great group.


Best,

David

macarrut Fri, 07/13/2012 - 07:28

As far as forwarding discontiguous ports, each port will need its own custom service.


There are two locations port forwarding can be done in: Firewall > Access Rules, and Firewall > Port Forwarding. The Port Forwarding page would be more accurately labeled "Single Port Forwarding" as you can only forward to one port with this page (due to only being able to enter one destination port). However, this allows for port translation which is incredibly useful. To forward a range of ports you need to create an Access Rule in the firewall. Creating the Access Rule is as simple as changing the Connection Type to "Inbound", Action to "Always Allow", changing the service to the port you want forwarded (custom services are located at the bottom of the list), and setting the DNAT Server IP to the IP address of the device you are forwarding to. Make sure the rule is enabled and click save.


Also, if you are forwarding to a 1-1 NAT device be sure to check the "use other wan ip" box and enter the public IP address of the 1-1 NAT.


Hope this helps,


Martin Carruth

Network Support Engineer

B.S CIS, CCNA, A+

Office Hours: Thurs-Mon 8am-5pm EST

Contact Number: 866.606.1866 ext.601061
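
The constraints this thread arrives at (one custom service per protocol and contiguous range, single ports on Firewall > Port Forwarding with optional translation, ranges on Firewall > Access Rules with no remapping) can be turned into a small planner that lists the minimum set of services and rules to create for a given set of ports. This is an added example, not part of the original posts and not Cisco code; the function names, the sample ports other than the NAS range, and the 192.168.1.50 address are constructed assumptions.

```python
from collections import defaultdict

def _rule(proto, lo, hi, dnat_ip, lan_port=None):
    """One custom service (one protocol, one contiguous range) plus the rule carrying it."""
    if lo == hi:
        # Single port: the Port Forwarding page takes one LAN-side port, which may differ.
        return {"service": f"{proto}/{lo}", "page": "Firewall > Port Forwarding",
                "dest_ip": dnat_ip, "lan_port": lan_port or lo}
    # Range: inbound Access Rule, "Always Allow", DNAT Server IP; ports are not remapped.
    return {"service": f"{proto}/{lo}-{hi}", "page": "Firewall > Access Rules",
            "dest_ip": dnat_ip, "lan_port": None}

def plan_rules(ports, dnat_ip, remap=None):
    """ports: iterable of (proto, wan_port). remap: {(proto, wan_port): lan_port}."""
    remap = remap or {}
    by_proto = defaultdict(set)
    for proto, port in ports:
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid port: {port}")
        by_proto[proto.lower()].add(port)
    rules = []
    for proto in sorted(by_proto):
        run = []
        for port in sorted(by_proto[proto]) + [None]:      # None flushes the final run
            lan = remap.get((proto, port), port)
            translated = port is not None and lan != port
            if run and (port is None or translated or port != run[-1] + 1):
                rules.append(_rule(proto, run[0], run[-1], dnat_ip))
                run = []
            if translated:
                # A translated port cannot live inside a range rule, so it stands alone.
                rules.append(_rule(proto, port, port, dnat_ip, lan))
            elif port is not None:
                run.append(port)
    return rules

# Constructed sample: the NAS FTP range from the thread plus made-up disjoint ports.
SAMPLE = [("tcp", p) for p in range(55536, 55568)] + [("tcp", 21), ("udp", 5000), ("tcp", 8080)]
PLAN = plan_rules(SAMPLE, "192.168.1.50", remap={("tcp", 8080): 80})

if __name__ == "__main__":
    for r in PLAN:
        print(r)
```

Each entry in the plan is one custom service and one inbound rule to create, so the output doubles as a list of what the router exposes to the WAN.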