Cisco Support Community
New Member

I can't believe that nobody knows how to do this on Cisco IOS?

I've been looking for a solution to forward a port range for months, and I haven't found any solution yet.

I am CCNA certified and CCNP cursed. I've asked my teachers, at conferences and my ISP support. Nobody knows how to do it.

A common task like this, which is so trivial on every other router, why is it so difficult on Cisco? Is it possible?

Thanks in advance to everybody.

Olaf

35 REPLIES
Hall of Fame Super Gold

Re: I can't believe that nobody knows how to do this on Cisco IOS

Cisco is famous for not doing things that cheap makers have done since day one. There are many examples.

With regard to your question, I will try to give it an answer as soon as I have time to look into it.

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

I've found some ways to do it, but if you have only one public IP, the router loses its connection because the public IP is mapped to the server's private IP. All outside requests are NATed to the server's private IP and only it has access to the internet.

I look forward to your advice.

Regards,

Olaf

Hall of Fame Super Gold

Re: I can't believe that nobody knows how to do this on Cisco IOS

Hi,

to the person who low-rated my post above: if this is the kind of attitude toward contributions that are made in frankness and good will, it may make me think again about researching the issue further.

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

Hi p.bevilacqua!

The person who rated your post is me, the author of the query, Olaf. I rated your post based on how much it helped to resolve the issue, and at the moment my problem is still there.

I am very thankful that you are searching for the solution, but I thought that 5 points are given when the issue is resolved. If I am mistaken, please tell me and I apologize for the annoyance.

Best regards,

Olaf

Hall of Fame Super Gold

Re: I can't believe that nobody knows how to do this on Cisco IOS

Hi Olaf,

I did not expect at all to receive any points for an interlocutory post in which I was basically saying "will look into this", but neither did I expect a low rating, which should be reserved only for obscure, senseless, or contemptuous posts.

In short, it is not necessary to rate all posts.

And since I have since received another inappropriate '1' in this thread, I can tell for sure that someone, again, is misusing the system.

The best thing for me, then, is to stay away from this thread.

Good luck.

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

Hi Paolo,

I'm sorry for rating you with 2 points. I now understand that ratings lower than 3 are bad ratings. Sorry for the inconvenience. I can't edit my rating, can I?

Best regards,

Olaf

Hall of Fame Super Gold

Re: I can't believe that nobody knows how to do this on Cisco IOS

Hi Olaf,

there is no problem whatsoever. I understand that you didn't mean it to be a punitive rating.

Hope you can get a satisfying answer to your question, I'm too sleepy to think about it right now.

Hall of Fame Super Bronze

Re: I can't believe that nobody knows how to do this on Cisco IOS

Can you give us the template you are working on?

You can forward ports by using an ACL to describe the source and destination address along with the ports, and then associate that ACL with an inside source list.

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

I have a router with one fixed public IP address. I need to forward the UDP range 10001-20000 to 192.168.99.4.

The config is:

controller DSL 0
 mode atm
 line-term cpe
 line-mode 4-wire standard
 dsl-mode shdsl symmetric annex B
 line-rate 2432
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description CONEXION PPP INTERNET
 pvc datos 0/33
  ubr 2048
  oam-pvc 0
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.99.1 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat inside
 no ip virtual-reassembly
 load-interval 30
!
interface Dialer1
 description Interfaz WAN para la conexion de Internet
 ip address negotiated
 ip access-group 199 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname XXXX
 ppp chap password 7 XXXX
!
interface Dialer0
 no ip address
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip dns server
!
ip nat inside source list 10 interface Dialer1 overload
!
access-list 10 remark --- Definicion del trafico a NATear ---
access-list 10 permit 192.168.99.0 0.0.0.7
access-list 199 remark Lista de Seguridad: Filtrado ICMP y SNMP
access-list 199 deny icmp any any redirect
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp host X.X.X.X any
access-list 199 permit ip X.X.X.X 0.0.0.63 any
access-list 199 permit ip X.X.X.X 0.0.0.31 any
access-list 199 permit ip X.X.X.X 0.0.0.255 any
access-list 199 deny icmp any any
access-list 199 deny ip 127.0.0.0 0.255.255.255 any
access-list 199 deny ip 224.0.0.0 31.255.255.255 any
access-list 199 deny ip host 0.0.0.0 any
access-list 199 deny ip host 255.255.255.255 any
access-list 199 deny udp any any eq snmp
access-list 199 deny udp any any eq snmptrap
access-list 199 permit ip any any

If you need more information, please let me know.

Thanks and best regards,

Olaf

Hall of Fame Super Bronze

Re: I can't believe that nobody knows how to do this on Cisco IOS

You would need to modify your current source list on the NAT, as follows:

ip nat inside source list 100 interface Dialer1 overload

and the ACL as follows:

access-list 100 permit ip 192.168.99.0 0.0.0.7 any
access-list 100 permit udp host 192.168.99.4 range 10001 20000 any

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

I've tried those commands and they don't work.

I've tried switching the ACL order too.

Does this work for you?

Regards,

Olaf

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

Olaf,

I believe if you keep EdisonOrtiz's configuration and then add either

**************

ip nat inside source static 192.168.99.4 interface dialer1

**************

or

**************

ip nat inside source static 192.168.99.4 [outside ip] extendable

**************

it should work.

I know I have done this another way before, but I can't find the config; I am still looking.

Thanks,

David

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

Hi David:

You are correct. Adding

ip nat inside source static 192.168.99.4 interface dialer1

works, but all ports are open, a high security risk.

And with that command, it isn't necessary to change the overload ACL. I have

ip nat inside source list 10 interface Dialer1 overload
access-list 10 permit 192.168.99.0 0.0.0.7

and it works, but with all ports open on 192.168.99.4, and the router loses its connection. If I do an extended ping with source 192.168.99.1 it works.

I've added a named ACL like this on Dialer1.

ip access-list extended inet_in
 remark Filtro Externo
 remark Permitir respuesta de conexiones iniciadas desde dentro
 permit tcp any any established
 remark Permitir respuestas a consultas DNS de Comunitel
 permit udp host eq domain any
 permit udp host eq domain any
 remark Permitir pings y respuestas a pings internos
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark Permitir SIP (5060) y RTP (10001 - 20000)
 permit udp any host range 10001 20000
 permit udp any host eq 5060
 remark gestion de Comunitel, para permitir acceso telnet
 permit tcp X.X.X.X 0.0.0.63 any eq telnet
 remark Maqs. de Comunitel para gestion de SNMP
 permit udp host X.X.X.X any eq snmp
 permit udp host X.X.X.X any eq snmp
 remark Denegar todo y logear
 deny ip any any log

And now only the range is open.

But I still have the router connection issue. It is running as a DNS server, so I need it to be able to connect.

How can I change the source IP address or interface of the router when it is connecting to the internet?

Regards,

Olaf

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

I'm not one hundred percent sure I follow your issue now. I will try to answer what I think is the issue. If I am wrong, can you try to explain again?

In regards to this part of the comment:

And with that command, it isn't necessary to change the overload ACL. I have

ip nat inside source list 10 interface Dialer1 overload
access-list 10 permit 192.168.99.0 0.0.0.7

by changing the overload ACL to the one recommended by the previous respondent you are only overloading those specific ports instead of all ports, so it is necessary to use the extended ACL. Doing this should resolve your DNS issue.

Let me know if I did misunderstand the current issue.

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

Doing the overload with the one recommended has the same effect as mine.

I'll try to give a graphic explanation.

Net-(PublicIP)_Router_(X.X.99.1)--(99.4)VoipServer

I need to port forward the range 10001-20000 from outside to VoipServer.

Of course, network 192.168.99.0 must be able to browse everywhere.

And the router is the DNS server, so it needs internet access.

If it isn't clear, please tell me.

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

I think I follow what you need now. I will look at the config again and try to help, but verify one thing: prior to the change I had you make with the NAT statement, was DNS working correctly?

I think this is somewhere in the ACLs; I just have to look again.

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

Prior to

ip nat inside source static 192.168.99.4 interface Dialer1

DNS is working correctly, but ports aren't being forwarded.

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

If I ping from the router without extended commands:

Pro  Inside global      Inside local       Outside local      Outside global
icmp 89.7.245.85:6      192.168.99.4:6     212.145.4.97:6     212.145.4.97:6

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

I am looking at this and I still can't definitely find the problem. When you reverted to ACL 100, did you still have your ACL ip access-list extended inet_in implemented?

If so, try removing that ACL while using ACL 100 for the NAT overload.

In regards to the post prior to this one, are you insinuating that you can ping the DNS server and just can't do DNS lookups?

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

I don't think that the NAT ACL is the trick, because

access-list 110 permit ip 192.168.99.0 0.0.0.7 any

is more general than the next,

access-list 110 permit udp host 192.168.99.4 range 10001 20000 any

so the last is contained in the first and never matched.

If I remove the ACL inet_in, all ports are opened.

All hosts can browse, do DNS requests, etc... except the router.

When I set the router as DNS server on host 192.168.99.5, for example, the router does the DNS queries, but they are mapped to 192.168.99.4, so replies aren't routed properly. Same with ping from the router: they are mapped to 192.168.99.4, as in the previous show command.

Do you understand the problem?

If I can force the router to go outside with source IP 192.168.99.1 (or from interface Vlan1) when it is doing DNS requests or the like, I think the problem is solved.

Pro  Inside global      Inside local       Outside local      Outside global
udp  89.7.245.85:53     192.168.99.4:53    212.145.4.97:53    212.145.4.97:53

I want to permit all inside-to-outside traffic, and forward the range to the server.

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

OK, go ahead and give me a copy of your configuration as it sits right now. I am going to implement this in my test network.

Thanks,

David

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

You could modify that ACL to

access-list 110 permit udp host 192.168.99.4 range 10001 20000 any
access-list 110 deny udp host 192.168.99.4 any
access-list 110 permit ip 192.168.99.0 0.0.0.7 any

then remove the one you created, after the changes.
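The ordering point raised two posts up (a broad "permit ip" line placed before the UDP range line leaves the range line unreachable) and the reordered list just above can be checked offline with the following evaluator. This is an added example written for this page, not code from any poster or from Cisco: it implements the first-match, implicit-deny semantics of an IOS numbered ACL for the small syntax subset that appears in this thread, and the sample flows and the 198.51.100.x destination addresses are constructed. In a NAT source list, a permit means "translate this flow" and a deny means "leave it untranslated", not "drop it", so the deny line in the reordered list keeps the server's other UDP traffic out of the overload translation without blocking it.

```python
"""Added example, not code from any post in this thread: a first-match
evaluator for the subset of Cisco IOS numbered access-list syntax used above,
plus a check for entries that an earlier, broader entry makes unreachable.
Assumed subset: addresses are 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD';
port specs are 'eq N' or 'range LO HI' with numeric ports; anything after
the destination port spec (such as 'log') is ignored; no 'remark' lines."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOLS = ("ip", "udp", "tcp", "icmp")
PortRange = Optional[Tuple[int, int]]      # None means "any port"

@dataclass
class Entry:
    action: str                            # "permit" or "deny"
    proto: str                             # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: PortRange
    dst: ipaddress.IPv4Network
    dport: PortRange
    text: str                              # original line, kept for reporting

def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec at tok[i]; return (network, next index)."""
    if i >= len(tok) or tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is an inverted netmask: 0.0.0.7 covers a /29.
    wildcard = int(ipaddress.ip_address(tok[i + 1]))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[i]}/{netmask}", strict=False), i + 2

def _parse_ports(tok: List[str], i: int) -> Tuple[PortRange, int]:
    if i < len(tok) and tok[i] == "eq":
        return (int(tok[i + 1]), int(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i

def parse_entry(line: str) -> Entry:
    tok = line.split()        # access-list N action [proto] src [ports] dst [ports]
    if tok[3] in PROTOCOLS:   # extended ACL (100-199): protocol is given
        proto, i = tok[3], 4
    else:                     # standard ACL (1-99): source only, any protocol
        proto, i = "ip", 3
    src, i = _parse_addr(tok, i)
    sport, i = _parse_ports(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, _ = _parse_ports(tok, i)
    return Entry(tok[2], proto, src, sport, dst, dport, line)

def _port_ok(port: int, rng: PortRange) -> bool:
    return rng is None or rng[0] <= port <= rng[1]

def evaluate(acl: List[Entry], proto: str, src: str, sport: int,
             dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """IOS semantics: the first matching entry decides and the list ends in an
    implicit deny. Returns (action, index of the matching entry or None)."""
    for idx, e in enumerate(acl):
        if (e.proto in ("ip", proto)
                and ipaddress.ip_address(src) in e.src
                and ipaddress.ip_address(dst) in e.dst
                and _port_ok(sport, e.sport) and _port_ok(dport, e.dport)):
            return e.action, idx
    return "deny", None

def _covers(wide: PortRange, narrow: PortRange) -> bool:
    return wide is None or (narrow is not None
                            and wide[0] <= narrow[0] and narrow[1] <= wide[1])

def shadowed(acl: List[Entry]) -> List[int]:
    """Indexes of entries that can never match because one earlier entry
    already matches everything they would (pairwise check only; an entry
    hidden by the union of several earlier entries is not reported)."""
    hidden = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and _covers(earlier.sport, later.sport)
                    and _covers(earlier.dport, later.dport)):
                hidden.append(j)
                break
    return hidden

# The NAT source list in the order it was first posted: the broad 'permit ip'
# line comes first, so the UDP range line under it is never consulted.
ACL_AS_POSTED = [parse_entry(l) for l in (
    "access-list 110 permit ip 192.168.99.0 0.0.0.7 any",
    "access-list 110 permit udp host 192.168.99.4 range 10001 20000 any")]

# The reordered list suggested afterwards: most specific entry first, then a
# deny that keeps the server's other UDP traffic out of the overload list.
ACL_REORDERED = [parse_entry(l) for l in (
    "access-list 110 permit udp host 192.168.99.4 range 10001 20000 any",
    "access-list 110 deny udp host 192.168.99.4 any",
    "access-list 110 permit ip 192.168.99.0 0.0.0.7 any")]

# Constructed sample flows: (protocol, source, source port, destination, port).
RTP_FROM_SERVER = ("udp", "192.168.99.4", 15000, "198.51.100.10", 20000)
DNS_FROM_SERVER = ("udp", "192.168.99.4", 53000, "198.51.100.53", 53)
DNS_FROM_OTHER_HOST = ("udp", "192.168.99.5", 53000, "198.51.100.53", 53)

if __name__ == "__main__":
    print("unreachable in posted order:",
          [ACL_AS_POSTED[i].text for i in shadowed(ACL_AS_POSTED)])
    for flow in (RTP_FROM_SERVER, DNS_FROM_SERVER, DNS_FROM_OTHER_HOST):
        print(flow[1], flow[2], "->", evaluate(ACL_REORDERED, *flow))
```

Running it reports the UDP range line as unreachable in the posted order, and in the reordered list the server's RTP flow is permitted by the first entry, the server's DNS query hits the deny, and a DNS query from another inside host falls through to the general permit. The same evaluator can be pointed at any numbered ACL that stays within the documented subset; for the standard list 10 used earlier in the thread it treats the single address as the source and matches any protocol and destination.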

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

I thought the same, and tried it, but I'll recheck and post results.

The result is that the router can't do DNS requests and all ports are mapped.

Regards,

Olaf

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

ip subnet-zero
no ip source-route
ip cef
ip name-server 212.x.x.97
ip name-server 212.x.x.98
interface Vlan1
 ip address 192.168.99.1 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat inside
 no ip virtual-reassembly
 load-interval 30
!
interface Dialer1
 ip address negotiated
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password 7
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip dns server
!
ip nat inside source list 110 interface Dialer1 overload
ip nat inside source static 192.168.99.4 interface Dialer1
access-list 110 permit udp host 192.168.99.4 range 10001 20000 any
access-list 110 permit ip 192.168.99.0 0.0.0.7 any

I removed the ip access-group in on Dialer1 to test.

Very thankful,

Olaf

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

If someone else has an idea - hopefully they can help you. I am getting ready to leave for this afternoon. I will continue working on this tomorrow if no one has found a solution.

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

OK. Thanks for your help.

Good night.

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

olafmarcos,

You are not going to like this answer. I tried many things in my test network to no avail. I finally opened a TAC case with Cisco because this was driving me insane. Bottom line: what you want to do is not possible, at least not the way you want to do it.

You have one of two options.

Create a static NAT entry for every single port you want forwarded, so something like 10,000 entries or something insane like that. The other option is to use the same configuration as what we have provided, with the same ACLs you are using, but request an additional IP address from your ISP. Typically an ISP can provide something like a /29, so that you can have the primary IP address on the outside interface for internet connectivity, DNS lookups, router remote management, etc. Then you would have them give you the next available IP in the range to use for your VoIP server. This way you will create the static translation, then create the ACL to restrict to the ports you actually want to permit. I have spoken to both a TAC tech and my SE and they have both confirmed this. Let me know if you figure something else out. I have tried everything I can think of. I also found the old configuration that I thought I accomplished this in; I was wrong, I finally got a second static IP from my ISP.

New Member

Re: I can't believe that nobody knows how to do this on Cisco IOS

Hi David,

I requested one more IP address 2 days ago. I know that with at least 2 IP addresses it is possible.

But the second IP address is NATed totally. If tomorrow I want to map another range to another internal IP address, I will need one more IP address. This is an unnecessary waste of public IP addresses.

With all cheap routers, you can map one range to one internal IP address, another range to another internal IP address, and so on. And all of this with ONE public IP.

I don't believe that this simple (trivial) and very common issue is not possible with Cisco IOS. Yes, it is possible, but by buying public IPs and wasting them.

I am losing my trust in Cisco.

Many, many thanks, David. I don't know how to transmit this important impediment to Cisco so they try to resolve it or give me some good explanation of why they are doing things like this.

My best regards,

Olaf

Re: I can't believe that nobody knows how to do this on Cisco IOS

Hi Olaf,

Please cool down.

If I have understood clearly, you want to use 1 public IP address and NAT (static NAT) to private IPs inside the network so that you may use it for different purposes?

Just wondering why you are not considering a PIX FW for this; I have had NATing on many PIX boxes and didn't have any issues (though not the exact way you are trying to do it).

Please correct me if I'm wrong.

Looking forward to hearing from your side,

Kind Regards,

Wilson Samuel
