Static NAT forward a range of ports

Anh-Quan Le
Level 1

I have a CISCO1921 router and I am trying to NAT an internal server to one of my unused public IP addresses (I have a /28 from my provider). This server needs to have a range of UDP ports open to the internet and accessible from the outside to a single internet host only.

x.x.x.18 is my router's external IP, used for NAT overload for all internal hosts to access the internet
x.x.x.19 is the external IP I would like to use to NAT the single host to the internet
z.z.z.z is the external host that needs to access the internal server on those ports

The person on the other end at IP z.z.z.z claims it doesn't work. Am I missing something in my config? Do I need to add something to access lists 190 or 191? How can I troubleshoot?

Below is a portion of my sanitized config

interface GigabitEthernet0/0
 ip address 10.10.99.1 255.255.255.0
 ip access-group 190 in
 ip flow ingress
 ip nat inside
 ip inspect FIREWALL in
 ip virtual-reassembly in
 ip policy route-map VOICE
 duplex auto
 speed auto
 service-policy input MARK-POLICY
!
interface GigabitEthernet0/0/0
 description WAN
 ip address x.x.x.18 255.255.255.240
 ip access-group 191 in
 ip flow ingress
 ip nat outside
 ip inspect FIREWALL out
 ip virtual-reassembly in
 duplex full
 speed 100
 no cdp enable
 crypto map VPNMap
!
ip nat inside source route-map nonat interface GigabitEthernet0/0/0 overload
ip nat inside source static 10.10.99.74 x.x.x.19 route-map Port-Forward-Asterisk
!
route-map Port-Forward-Asterisk permit 10
 match ip address 103
!
access-list 103 permit udp host z.z.z.z range 10000 20000 any
access-list 103 permit udp host z.z.z.z eq 5060 any
access-list 103 deny ip any any

2 Replies

Hello.

I guess that in your configuration there is no need for route-map.

Actually you could be using just static NAT and block undesired ports by inbound ACL.

ip nat inside source static 10.10.99.74 x.x.x.19

PS: I guess you don't need "inspect" statements on both interfaces... one will be enough.

So to clarify, the access list I would create on my WAN interface would be

access-list 191 permit udp host z.z.z.z range 10000 20000 x.x.x.19 range 10000 20000
access-list 191 permit udp host z.z.z.z eq 5060 x.x.x.19 eq 5060
access-list 191 deny ip any any

Or

access-list 191 permit udp host z.z.z.z host x.x.x.19 range 10000 20000
access-list 191 permit udp host z.z.z.z host x.x.x.19 eq 5060
access-list 191 deny ip any any
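A consolidated version of what the thread arrives at, written here as an added example and not a configuration taken from either post: the static NAT without the route-map, an inbound WAN ACL that admits only z.z.z.z to the forwarded ports on the outside global address, and the show/debug commands for checking it. It assumes the rest of ACL 191 (the VPN peer for crypto map VPNMap, anything else the router already permits inbound) is kept; those entries are not on the thread and are marked as a placeholder.

```cisco
! Added example, not from the original posts.
!
! The inbound ACL on GigabitEthernet0/0/0 is checked before the
! outside-to-inside translation, so it must reference the outside
! global address x.x.x.19, never the inside address 10.10.99.74.
no ip nat inside source static 10.10.99.74 x.x.x.19 route-map Port-Forward-Asterisk
ip nat inside source static 10.10.99.74 x.x.x.19
!
! Constrain the remote host's address and the destination ports only:
! the SIP/RTP source ports chosen by z.z.z.z are not predictable, so
! matching them (as in the first ACL variant above) drops valid traffic.
access-list 191 permit udp host z.z.z.z host x.x.x.19 eq 5060
access-list 191 permit udp host z.z.z.z host x.x.x.19 range 10000 20000
! <placeholder: the existing ACL 191 entries for the VPN peer and any
!  other inbound traffic the router already allows go here>
access-list 191 deny ip any any log
!
! Caveat: new lines on a numbered ACL are appended at the end. If ACL 191
! already ends with "deny ip any any", the permits above never match;
! rebuild the ACL, or edit it with sequence numbers via
!   ip access-list extended 191
!
interface GigabitEthernet0/0/0
 ip access-group 191 in
!
! Verification, while z.z.z.z sends test traffic to x.x.x.19:
!   show ip nat translations | include x.x.x.19
!   show access-lists 191          (hit counts on the two permit lines)
!   show ip inspect sessions       (sessions opened by the FIREWALL policy)
!   debug ip nat detailed          (per-packet translation decisions; run briefly)
```

If the permit counters stay at zero while the deny counter climbs, the packets are arriving but being dropped by the ACL; if no counters move at all, the traffic is not reaching the WAN interface.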
