I need to have 27000 through 27040 forwarded

deebeeishere
Level 1

What is wrong with my config ??

I'm trying to forward anything coming in on ports 27000 through 27040 tcp/udp and also 1200 tcp/udp to my server at 192.168.1.3 but, I just can't seem to get an open port scan from whatsmyip.org. The port inside is operational; it is a game server that I connect to no prob. Here is my current config.

hostname HEADEND

boot-start-marker
boot-end-marker

no aaa new-model
memory-size iomem 15
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef

ip name-server 65.32.5.111
ip name-server 192.168.1.75
ip name-server 65.35.5.112
ip name-server 192.168.1.76

interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto

interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp

ip http server
no ip http secure-server

ip nat pool OUTSIDE 72.186.194.72 72.186.194.72 netmask 255.255.192.0
ip nat pool SRCDS_Server 192.168.1.3 192.168.1.3 netmask 255.255.255.0
ip nat inside source list NATTY pool OUTSIDE overload
ip nat outside source list SRCDS_IN pool SRCDS_Server

ip access-list extended NATTY
 permit ip 192.168.1.0 0.0.0.255 any

ip access-list extended SRCDS_IN
 permit tcp any range 27000 27040 72.186.192.0 0.0.63.255

control-plane

line con 0
line aux 0
line vty 0 4
 login

end

7 Replies

Jon Marshall
Hall of Fame

Derek

Because you are initiating the connection from outside to inside you need to use static NAT statements.

The game server is 192.168.1.3. What is the IP you want to present that with to the internet, i.e. the specific IP address?

Note the address you present as must be a public IP, i.e. routable on the internet, and must be owned by you, i.e. your ISP is routing that address to the outside interface of your router.

Jon

cadet alain
VIP Alumni

Hi Derek,

As a sidenote to Jon's reply, port forwarding a range of ports on Cisco devices is a little bit special.

For TCP ports you will need the rotary pool feature along with the ip nat inside destination command.

For UDP ports I never succeeded in making it work, though you'll see examples on the Net with a static inside NAT coupled with a route-map matching the ports with an ACL.

Another way of doing it would be to NAT all ports on the client and filter them with an inbound ACL on the outside, or best, use Zone based firewall to protect the machines on your LAN.

Regards

Alain

Don't forget to rate helpful posts.

Alain

For TCP ports you will need the rotary pool feature along with the ip nat inside destination command.

I was only thinking of setting up specific NAT statement for each port with "ip nat inside source static ..." but it sounds from your post like there is a better way.

I think it might be best if I leave this thread to you.

Jon

Hi Jon,

One static PAT entry per port is indeed a good solution for a few ports, and I had not seen that there were only 41 ports in the 27000 range, so it could be administratively doable here even if it would mean a total of 41*2 + 2 = 84 static entries.

Regards

Alain

Don't forget to rate helpful posts.

My external IP is 72.186.194.72 and my internal server is at 192.168.1.3, and I am running PAT for my internals. Is there an example configuration using route-maps to accomplish this task that someone could possibly point me to? I have a little knowledge of route-maps from my CCNP route class. But I seem to get lost during configuration on what is actually happening as the packet lands on my public interface.

Derek

I do this sort of thing with static NAT which takes precedence over dynamic NAT so it should work without route maps but it does mean you need to type out a line for each port eg. -

ip nat inside source static 192.168.1.3 72.186.194.72

but you would need to do this for each port, I'm afraid. You may be able to use object groups depending on your IOS and whether object groups were supported with static NAT.

Apologies for being a bit vague in terms of what will be supported, but it's a while since I did this on IOS.

Alain seemed to be suggesting that there might be a better way though, but I haven't used that, so the only way I am familiar with is the one above.

Jon

Hi,

If you only have one external IP and it is a dynamic one, then the only solution is to do one static PAT entry per port/protocol like this, because the rotary feature won't work if your external IP is dynamic and may change:

ip nat inside source static tcp 192.168.1.3 27000 interface FastEthernet0/0 27000
ip nat inside source static tcp 192.168.1.3 27001 interface FastEthernet0/0 27001
.....

as Jon suggested. On IOS there is some support for object-group in ACLs but not in the NAT command, and I'm not even sure it is supported in a non-traffic-filtering ACL.

I will test it out and confirm.

Regards

Alain

Don't forget to rate helpful posts.
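Generating the per-port static PAT entries that Jon and Alain describe above, as an added Python example that is not from the thread; it uses the inside host 192.168.1.3 and outside interface FastEthernet0/0 from Derek's config and the port list from his question, and parses the output back so the operator can confirm exactly which ports are being exposed.

```python
# Added example (not from the thread): build one static PAT entry per
# port/protocol and verify the resulting set of exposed ports.
from typing import Iterable, List, Set, Tuple

# Values taken from Derek's posted config and question.
INSIDE_HOST = "192.168.1.3"
OUTSIDE_IFACE = "FastEthernet0/0"
PORT_RANGES: List[Tuple[int, int]] = [(27000, 27040), (1200, 1200)]
PROTOCOLS = ("tcp", "udp")


def static_pat_lines(host: str, iface: str,
                     ranges: Iterable[Tuple[int, int]],
                     protocols: Iterable[str] = PROTOCOLS) -> List[str]:
    """One 'ip nat inside source static <proto> ...' line per port and protocol.

    'interface <name>' is used instead of a fixed public address so the entries
    stay valid when the DHCP-assigned outside address changes (the reason the
    rotary-pool method does not fit here).
    """
    lines = []
    for lo, hi in ranges:
        if lo > hi or lo < 1 or hi > 65535:
            raise ValueError(f"bad port range {lo}-{hi}")
        for port in range(lo, hi + 1):
            for proto in protocols:
                lines.append(f"ip nat inside source static {proto} {host} {port} "
                             f"interface {iface} {port}")
    return lines


def exposed_ports(lines: Iterable[str]) -> Set[Tuple[str, int]]:
    """Parse generated entries back into (proto, global_port) pairs so the
    operator can check that only the intended ports are opened."""
    found = set()
    for line in lines:
        parts = line.split()
        # ip nat inside source static <proto> <host> <lport> interface <if> <gport>
        if parts[:5] == ["ip", "nat", "inside", "source", "static"] and len(parts) == 11:
            found.add((parts[5], int(parts[10])))
    return found


if __name__ == "__main__":
    entries = static_pat_lines(INSIDE_HOST, OUTSIDE_IFACE, PORT_RANGES)
    print("\n".join(entries))
    print(f"! {len(entries)} entries, {len(exposed_ports(entries))} distinct proto/port pairs")
```

Paste the printed lines into global configuration mode; the count printed at the end should match Alain's 41*2 + 2 = 84.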