Looking for some guidance

aaroncarnold
Level 1

Here is the situation:

My company has outgrown our current Linksys setup and has recently purchased a Cisco 871w router. We have two servers that need access to the outside world (an email server and a PBX that handles our VoIP). With the Linksys we had set up port forwarding to handle the needed requests. This seems to work fine on the new Cisco router until I need to forward a range of ports for the PBX (UDP 10000 - 20000). Is there a way to do this with the Cisco router?

Alternatively, we have 5 IP addresses from our provider. Would it be easier to set up individual IP addresses for each server and a third for all of our internet traffic?

Any help and/or direction would be much appreciated.

2 Accepted Solutions


Collin Clark
VIP Alumni

Translating multiple ports isn't very effective in a Cisco router, but you could do what they call a one-to-one NAT. With this you would translate a public IP to a private IP, all ports and protocols. You would then use an access list to restrict what ports can be used. If you do it this way, you will have to use another public for the email server. It would look something like this:

ip nat inside source static 10.10.10.77 75.50.95.77

For email

ip nat inside source static tcp 10.10.10.70 25 75.50.95.78 25

Hope that helps.

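Added example (not part of the original replies): the one-to-one NAT from the answer above together with the restricting access list it mentions. The WAN interface name FastEthernet4, the names OUTSIDE-IN and FW, and an IOS image with the firewall feature set are assumptions.

```ios
! Added example, not from the thread.
! Assumed: FastEthernet4 is the WAN port; OUTSIDE-IN and FW are names
! chosen here; the IOS image includes the firewall feature set.
!
! Translations as given in the reply: one-to-one NAT for the PBX,
! single-port translation for the mail server.
ip nat inside source static 10.10.10.77 75.50.95.77
ip nat inside source static tcp 10.10.10.70 25 75.50.95.78 25
!
! An inbound ACL on the outside interface is evaluated before NAT,
! so its entries match the public addresses, not the 10.10.10.x hosts.
ip access-list extended OUTSIDE-IN
 remark PBX port range from the original question
 permit udp any host 75.50.95.77 range 10000 20000
 remark SMTP to the mail server
 permit tcp any host 75.50.95.78 eq 25
 remark Add further permits here for any other ports the PBX needs
 remark Everything else is dropped and logged
 deny ip any any log
!
! Stateful inspection opens return paths for sessions started from
! the inside. Without it, the final deny would also drop replies to
! outbound traffic from the internal network.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
interface FastEthernet4
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
```

`show access-lists OUTSIDE-IN` displays per-entry match counts, and `show ip nat translations` lists the static entries, which together confirm that only the intended ports reach the translated hosts.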

I actually have a similar setup at home using a 2611 router and forwarding port ranges to multiple IPs on the internal network and it works great! My issue is that I have one dynamic IP assigned by my ISP and eventually I will have to manually change the IP for each NAT statement. I wanted to know if there is a way to point to the outside interface instead of using an IP address. I found out that you can use a static NAT statement

"ip nat inside source static tcp 10.0.0.2 22 interface fa0/0 22" instead of

"ip nat inside source static tcp 10.0.0.2 22 72.xxx.xxx.85 22 extendable"

but I cannot find how to point my route-map to the interface to fully resolve this dynamic IP change in the future. My config is listed below, which works great if you have static IPs assigned by your ISP!!! Though I would love some guidance on the dynamic issue if possible. Thanks

~Roman

P.S. ip nat statements work like numbered access lists and have to be in order or it will not work. I found out the hard way!

interface fa0/0

ip nat outside

interface fa0/1

ip nat inside

interface s1/0

ip nat inside

ip nat inside source list 1 interface fa0/0 overload

ip nat inside source static tcp 10.0.0.2 22 72.xxx.xxx.85 22 extendable

ip nat inside source static 192.168.1.3 72.xxx.xxx.85 route-map DESKTOP extendable

access-list 1 remark NAT OVERLOAD List

access-list 1 permit 10.0.0.0 0.255.255.255

access-list 1 permit 192.168.0.0 0.0.255.255

access-list 1 permit 172.16.0.0 0.15.255.255

access-list 100 remark Desktop computer port-forwarding

access-list 100 permit tcp host 192.168.1.3 eq 3389 any

access-list 100 permit tcp host 192.168.1.3 eq 28960 any

access-list 100 permit udp host 192.168.1.3 range 28960 32000 any

route-map DESKTOP permit 10

match ip address 100


4 Replies

Thanks for the information. Will try this out.

Thanks for all the help guys. I got it working this morning!