01-12-2014 10:12 AM - edited 03-04-2019 10:02 PM
What is wrong with my config?
I'm trying to forward anything coming in on ports 27000 through 27040 tcp/udp and also 1200 tcp/udp
to my server at 192.168.1.3 but I just can't seem to get an open port scan from whatsmyip.org. The port
inside is operational; it is a game server that I connect to no prob. Here is my current config.
hostname HEADEND
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 15
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
ip name-server 65.32.5.111
ip name-server 192.168.1.75
ip name-server 65.35.5.112
ip name-server 192.168.1.76
interface FastEthernet0/0
ip address dhcp
ip nat outside
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip nat inside
duplex auto
speed auto
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp
ip http server
no ip http secure-server
ip nat pool OUTSIDE 72.186.194.72 72.186.194.72 netmask 255.255.192.0
ip nat pool SRCDS_Server 192.168.1.3 192.168.1.3 netmask 255.255.255.0
ip nat inside source list NATTY pool OUTSIDE overload
ip nat outside source list SRCDS_IN pool SRCDS_Server
ip access-list extended NATTY
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended SRCDS_IN
permit tcp any range 27000 27040 72.186.192.0 0.0.63.255
control-plane
line con 0
line aux 0
line vty 0 4
login
end
01-12-2014 10:26 AM
Derek
Because you are initiating the connection from outside to inside you need to use static NAT statements.
The game server is 192.168.1.3. What is the IP you want to present that with to the internet ie. the specific IP address.
Note the address you present as must be a public IP ie. routable on the internet and must be owned by you ie. your ISP is routing that address to the outside interface of your router.
Jon
01-12-2014 10:45 AM
Hi Derek,
As a sidenote to Jon's reply, port forwarding a range of ports on Cisco devices is a little bit special.
For TCP ports you will need the rotary pool feature along with the ip nat inside destination command.
For UDP ports I never succeeded to make it work though you'll see examples on the Net with a static inside nat coupled with a route-map matching the ports with an ACL.
Another way of doing would be to NAT all ports on the client and filter them with an inbound ACL on the outside or best use Zone based firewall to protect the machines on your LAN.
Regards
Alain
Don't forget to rate helpful posts.
01-12-2014 10:49 AM
Alain
For TCP ports you will need the rotary pool feature along with the ip nat inside destination command.
I was only thinking of setting up specific NAT statement for each port with "ip nat inside source static ..." but it sounds from your post like there is a better way.
I think it might be best if I leave this thread to you.
Jon
01-12-2014 11:22 AM
Hi Jon,
one static PAT entry per port is indeed a good solution for a few ports and I had not seen that there were only 41 ports in the 27000 range so it could be administratively doable here even if it would mean a total of 41*2 +2= 84 static entries.
Regards
Alain
Don't forget to rate helpful posts.
01-13-2014 10:48 AM
My external IP is 72.186.194.72 and my internal server is at 192.168.1.3, and I am running PAT for my internals. Is there an example configuration using route-maps to accomplish this task that someone could possibly point me to? I have a little knowledge of route-maps from my CCNP ROUTE class, but I seem to get lost during configuration on what is actually happening as the packet lands on my public interface.
01-13-2014 08:16 PM
Derek
I do this sort of thing with static NAT which takes precedence over dynamic NAT so it should work without route maps but it does mean you need to type out a line for each port eg. -
ip nat inside source static 192.168.1.3
but you would need to do this for each port, I'm afraid. You may be able to use object groups depending on your IOS and whether object groups are supported with static NAT.
Apologies for being a bit vague in terms of what will be supported, but it's a while since I did this on IOS.
Alain seemed to be suggesting that there might be a better way though, but I haven't used that, so the only way I am familiar with is the one above.
Jon
01-14-2014 02:40 AM
Hi,
if you only have one external IP and it is a dynamic one then the only solution is to do one static PAT entry per port/protocol like this because the rotary feature won't work if your external IP is dynamic and may change:
ip nat inside source static tcp 192.168.1.3 27000 interface FastEthernet0/0 27000
ip nat inside source static tcp 192.168.1.3 27001 interface FastEthernet0/0 27001
.....
like Jon suggested. On IOS there is some support for object-group in ACLs but not in the NAT command, and I'm not even sure it is supported in a non-traffic-filtering ACL.
I will test it out and confirm.
Regards
Alain
Don't forget to rate helpful posts.
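Jon's and Alain's replies above both come down to the same procedure: one static PAT entry per port and protocol, bound to the DHCP outside interface rather than to a fixed public address. The following script is an added example, not code from this thread or from Cisco; it generates that block of config for the ports in the original question (TCP and UDP 27000-27040 plus 1200) and, as an assumption of the example, also emits the LAN overload rule against the interface so the dynamic address change does not break it. Interface names, the server address and the port list are taken from the question; the helper names are the example's own.

```python
"""Generate per-port static PAT lines for a Cisco IOS router whose outside
address comes from DHCP (added example, not code from the thread).

Assumptions (constructed for this example, matching the original question):
  inside server      192.168.1.3 (on FastEthernet0/1)
  outside interface  FastEthernet0/0, address learned via DHCP
  exposed ports      TCP+UDP 27000-27040 and TCP+UDP 1200
Only the listed ports are exposed; everything else on the LAN stays behind
the overload (PAT) rule, because IOS evaluates static entries before dynamic.
"""
from typing import Iterable, List

SERVER_IP = "192.168.1.3"          # game server from the question
OUTSIDE_IF = "FastEthernet0/0"     # DHCP-assigned WAN interface
LAN_ACL = "NATTY"                  # ACL name used in the poster's config
PORT_SPEC = "27000-27040,1200"     # ports from the question


def expand_ports(spec: str) -> List[int]:
    """Expand '27000-27040,1200' into a sorted, de-duplicated port list.

    Rejects reversed ranges and values outside 1..65535 so a typo does not
    silently expose (or skip) a port.
    """
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"reversed range: {part}")
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"port out of range: {bad}")
    return sorted(ports)


def static_pat_lines(inside_ip: str, outside_if: str,
                     tcp_ports: Iterable[int], udp_ports: Iterable[int]) -> List[str]:
    """One 'ip nat inside source static <proto> ...' line per port/protocol.

    Using 'interface <if>' instead of a literal public address keeps each
    entry valid when the ISP hands out a different DHCP address.
    """
    lines = []
    for proto, ports in (("tcp", tcp_ports), ("udp", udp_ports)):
        for port in ports:
            lines.append(
                f"ip nat inside source static {proto} {inside_ip} {port} "
                f"interface {outside_if} {port}"
            )
    return lines


def build_nat_config(inside_ip: str = SERVER_IP, outside_if: str = OUTSIDE_IF,
                     lan_acl: str = LAN_ACL, port_spec: str = PORT_SPEC) -> List[str]:
    """Full NAT block: LAN overload via the interface, then the static PAT
    entries.  Overload-via-interface is this example's assumption; the
    thread itself only discusses the static entries."""
    ports = expand_ports(port_spec)
    config = [f"ip nat inside source list {lan_acl} interface {outside_if} overload"]
    config.extend(static_pat_lines(inside_ip, outside_if, ports, ports))
    return config


def count_static_entries(config: List[str]) -> int:
    """How many ports/protocols are exposed; useful as a sanity check
    before pasting the block into the router."""
    return sum(1 for line in config if " source static " in line)


if __name__ == "__main__":
    for line in build_nat_config():
        print(line)
    print(f"! {count_static_entries(build_nat_config())} static PAT entries")
```

Running it prints the 84 static lines Alain counted (41 ports x 2 protocols + 2 for port 1200) plus the overload rule, ready to paste in global configuration mode. The count check is worth keeping: every line in that block is a port deliberately opened to the Internet, so the number should match what you intended before the config is applied.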