Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Static NAT forward a range of ports

I have a CISCO1921 router and I am trying to NAT an internal server to one of my unused public IP addresses (I have a /28 from my provider)   This server needs to have a range of UDP ports open to the internet and accessible from the outside to a single internet host only

x.x.x.18 is my router external IP used for NAT overload for all internal hosts to access the internet
x.x.x.19 is the external IP i would like to use to NAT the single host to the internet
z.z.z.z is the external host that needs to access the interal server on those ports

The person on the other end at ip z.z.z.z claims it doesnt work.  Am I missing something in my config ? Do i need to add ssomething to access lists 190 or 191 ?  How can I troubleshoot ?

Below is a portion of my sanitized config

interface GigabitEthernet0/0
ip address 10.10.99.1 255.255.255.0
ip access-group 190 in
ip flow ingress
ip nat inside
ip inspect FIREWALL in
ip virtual-reassembly in
ip policy route-map VOICE
duplex auto
speed auto
service-policy input MARK-POLICY


interface GigabitEthernet0/0/0
description WAN
ip address x.x.x.18 255.255.255.240
ip access-group 191 in
ip flow ingress
ip nat outside
ip inspect FIREWALL out
ip virtual-reassembly in
duplex full
speed 100
no cdp enable
crypto map VPNMap


ip nat inside source route-map nonat interface GigabitEthernet0/0/0 overload


ip nat inside source static 10.10.99.74 x.x.x.19 route-map Port-Forward-Asterisk


route-map Port-Forward-Asterisk permit 10
match ip address 103

access-list 103 permit udp host z.z.z.z range 10000 20000 any
access-list 103 permit udp host z.z.z.z eq 5060 any
access-list 103 deny ip any any

2 REPLIES

Static NAT forward a range of ports

Hello.

I guess that in your configuration there is no need for route-map.

Actually you could be using just static NAT and block undesired ports by inbound ACL.

ip nat inside source static 10.10.99.74 x.x.x.19

PS: I guess you don't need "inpect" statements on both interfaces... one will be enough.

New Member

Re: Static NAT forward a range of ports

So to clarify, the access list I would create on my WAN interface would be

access-list 191 permit udp host z.z.z.z range 10000 20000 x.x.x.19 range 10000 20000

access-list 191 permit udp host z.z.z.z eq 5060 x.x.x.19 eq 5060

access-list 191 deny ip any any

      

Or

access-list 191 permit udp host z.z.z.z host x.x.x.19 range 10000 20000

access-list 191 permit udp host z.z.z.z host x.x.x.19 eq 5060

access-list 191 deny ip any any

589
Views
0
Helpful
2
Replies
CreatePlease login to create content