02-12-2014 08:06 AM - last edited on 03-25-2019 05:52 PM by ciscomoderator
I have a CISCO1921 router and I am trying to NAT an internal server to one of my unused public IP addresses (I have a /28 from my provider). This server needs to have a range of UDP ports open to the internet and accessible from the outside to a single internet host only.
x.x.x.18 is my router's external IP, used for NAT overload for all internal hosts to access the internet.
x.x.x.19 is the external IP I would like to use to NAT the single host to the internet.
z.z.z.z is the external host that needs to access the internal server on those ports.
The person on the other end at IP z.z.z.z claims it doesn't work. Am I missing something in my config? Do I need to add something to access lists 190 or 191? How can I troubleshoot?
Below is a portion of my sanitized config.
interface GigabitEthernet0/0
 ip address 10.10.99.1 255.255.255.0
 ip access-group 190 in
 ip flow ingress
 ip nat inside
 ip inspect FIREWALL in
 ip virtual-reassembly in
 ip policy route-map VOICE
 duplex auto
 speed auto
 service-policy input MARK-POLICY
!
interface GigabitEthernet0/0/0
 description WAN
 ip address x.x.x.18 255.255.255.240
 ip access-group 191 in
 ip flow ingress
 ip nat outside
 ip inspect FIREWALL out
 ip virtual-reassembly in
 duplex full
 speed 100
 no cdp enable
 crypto map VPNMap
!
ip nat inside source route-map nonat interface GigabitEthernet0/0/0 overload
ip nat inside source static 10.10.99.74 x.x.x.19 route-map Port-Forward-Asterisk
!
route-map Port-Forward-Asterisk permit 10
 match ip address 103
!
access-list 103 permit udp host z.z.z.z range 10000 20000 any
access-list 103 permit udp host z.z.z.z eq 5060 any
access-list 103 deny ip any any
02-12-2014 08:38 AM
Hello.
I guess that in your configuration there is no need for a route-map.
Actually, you could be using just static NAT and block undesired ports with an inbound ACL.
ip nat inside source static 10.10.99.74 x.x.x.19
PS: I guess you don't need "inspect" statements on both interfaces... one will be enough.
02-12-2014 08:58 AM
So to clarify, the access list I would create on my WAN interface would be:
access-list 191 permit udp host z.z.z.z range 10000 20000 x.x.x.19 range 10000 20000
access-list 191 permit udp host z.z.z.z eq 5060 x.x.x.19 eq 5060
access-list 191 deny ip any any
Or:
access-list 191 permit udp host z.z.z.z host x.x.x.19 range 10000 20000
access-list 191 permit udp host z.z.z.z host x.x.x.19 eq 5060
access-list 191 deny ip any any
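The following is an added, worked-through version of what the reply proposes (plain static NAT plus an inbound ACL on the WAN interface), written by the editor and not taken from either poster's configuration. It assumes the original poster's addresses (10.10.99.74, x.x.x.18, x.x.x.19, z.z.z.z), that the existing contents of access list 191 are not shown on this page and must be merged in by hand, and that the crypto map on the WAN interface terminates an IPsec peer at a hypothetical address y.y.y.y. It also settles the question of which of the two ACL variants above to use: only the destination port should be matched, because the remote host's source ports are not under the administrator's control.

```cisco
! --- NAT: one-to-one static mapping, no route-map (as the reply suggests) ---
! Remove the route-map-conditioned entry and its helpers, then add the plain static NAT.
! Every port of x.x.x.19 now untranslates to 10.10.99.74; the inbound ACL on the
! WAN interface decides which of those packets are actually allowed in.
no ip nat inside source static 10.10.99.74 x.x.x.19 route-map Port-Forward-Asterisk
no route-map Port-Forward-Asterisk
no access-list 103
ip nat inside source static 10.10.99.74 x.x.x.19
!
! --- Inbound filter on the WAN interface ---
! Order of operations for outside-to-inside traffic is: inbound ACL first, then NAT.
! The ACL therefore names the public address x.x.x.19, never 10.10.99.74.
! Match the destination port only: SIP from z.z.z.z may leave from an ephemeral
! source port, and RTP from z.z.z.z comes from that host's own RTP range, so the
! "range 10000 20000 ... range 10000 20000" variant above would silently drop it.
access-list 191 remark Asterisk signalling and media from the single remote peer only
access-list 191 permit udp host z.z.z.z host x.x.x.19 eq 5060
access-list 191 permit udp host z.z.z.z host x.x.x.19 range 10000 20000
!
! The WAN interface also carries a crypto map, so the IPsec control and data
! traffic from the VPN peer must be permitted here as well (y.y.y.y is an
! assumed placeholder for the peer; add udp 4500 if NAT-T is in use).
access-list 191 remark IPsec peer (assumed address y.y.y.y)
access-list 191 permit udp host y.y.y.y host x.x.x.18 eq isakmp
access-list 191 permit esp host y.y.y.y host x.x.x.18
!
! Return traffic for sessions that inside hosts open through the overload NAT on
! x.x.x.18 is admitted by the dynamic entries that "ip inspect FIREWALL out" creates,
! but only for protocols listed in the FIREWALL inspect rule set; anything else
! that must come back in needs an explicit permit above this line.
access-list 191 deny ip any any log
!
! Optional: IOS runs a SIP NAT ALG on UDP 5060 by default, which rewrites addresses
! inside SIP/SDP. If Asterisk already sets its own external address (externip/
! localnet), the ALG can interfere; disable it with the line below.
! no ip nat service sip udp port 5060
```

To check it from the router rather than taking the remote party's word for it: `show ip access-lists 191` shows per-line match counters, so if the two `host z.z.z.z host x.x.x.19` lines never increment the packets are not arriving at the WAN interface at all (an upstream or remote-side problem), while `show ip nat translations | include x.x.x.19` confirms the static entry and any active UDP translations through it, and `show ip inspect sessions` lists the dynamic openings the firewall has made. `debug ip nat detailed` shows each translation decision per packet; use it only briefly on a production router.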