Can anyone help me understand how this might work? I'm having serious issues getting Tandberg H.323 working behind this router with NAT.
My setup is a Cisco 1811 configured with Fas0 pulling DHCP (public address). This router is being used in a mobile medical clinic VAN, so the setup needs to be seamless and transparent to the users. The idea with DHCP is that anywhere they go they can pull a DHCP address and then NAT behind that address. The van visits mostly small schools in the Texas Rio Grande Valley, providing medical assistance and consulting to the local community. The router has an 8-port built-in switch and all ports are sitting in the default VLAN 1.
Basic stripped-down config, only relevant commands listed:
ip dhcp excluded-address 10.0.0.1 10.0.0.4
ip dhcp pool VANnet
 network 10.0.0.0 255.255.255.240
interface FastEthernet0
 ip address dhcp
 ip nat outside
interface Vlan1
 ip address 10.0.0.1 255.255.255.240
 ip nat inside
ip nat inside source list 1 interface FastEthernet0 overload
access-list 1 permit 10.0.0.0 0.0.0.255
Basically everything from 10.x.x.x is NAT'd to Fas0's DHCP address. Then I have several static NATs defined for port forwarding:
! 10.0.0.2 is the Tandberg unit
ip nat inside source static tcp 10.0.0.2 1719 interface FastEthernet0 1719
ip nat inside source static tcp 10.0.0.2 1720 interface FastEthernet0 1720
Now initially I can't even get the call to connect using just the ports above, which I should be able to. Also, knowing there are several issues with H.323 and NAT, I went ahead and added all the known ports Tandberg says they use:
80 HTTPd *TCP
443 HTTPs TCP
1719 H323/RAS UDP
1720 H323/Q931 *TCP
2326-2373 (2837)** H323/RTP UDP
5555-55xx (5587)** H323/H.245/Q.931 TCP
Basically I created static NAT entries for all the ports and ranges above. For the ranges I had to add a line for every port.
For example, for the ranges I had to do this:
ip nat inside source static udp 10.0.0.2 2326 interface FastEthernet0 2326
ip nat inside source static udp 10.0.0.2 2327 interface FastEthernet0 2327
ip nat inside source static udp 10.0.0.2 2328 interface FastEthernet0 2328
etc. (all the way through each port range)
This didn't work and hasn't worked yet, even with some additional tweaking. Finally, the question: am I going about this all wrong? Is there an arrangement of commands that will even work? How can I accomplish the kind of port forwarding setup you get on a Linksys/Netgear router on a real Cisco router?
I have a couple of things I need to clarify.
First thing, are the schools the van is visiting using private addresses (RFC 1918)? If so, have you made sure they don't use 10.x.x.x in some form or another?
Secondly, aren't the schools also performing NAT if they are using private addresses? And wouldn't this be a problem with H.323?
Having said that, you might want to make this NAT statement instead: "ip nat inside source static 10.0.0.2 interface FastEthernet0" as well as "ip nat inside source list 1 interface Fas0 overload". As far as I know this should work.
They are all using RFC1918 space :-) on different networks inside 10.x.x.x but none are using 10.0.x.x
You are also correct about them performing NAT on their public side... In most cases when the VAN pulls up, here is how the connectivity would work:
1. The VAN plugs in at the school and the VAN's router (1811) pulls an IP via DHCP (real example, 10.180.16.250).
2. That address is then NAT'd on the 1811 to an inside private net of 10.0.0.0/28. That DHCP address is overloaded, and static NATs are also defined from 10.0.0.2 (Tandberg unit) to Fas0 (the DHCP'd school address) to allow all known H.323 ports.
3. In summary, 10.0.0.2, the Tandberg unit inside the VAN, is NAT'd to 10.180.16.250 (my NAT), which is then NAT'd to a public address of 67.x.x.x (the school's NAT) assigned to the school through their firewall (PIX 525).
Crazy huh? :)
Interesting that you point out the "ip nat inside source static 10.0.0.2 interface FastEthernet0" option; not sure why it didn't cross my mind to simply try that. I was so caught up in all the H.323 port mess. Unfortunately I can't try any of this out because I'm back in town from the trip. I should be going back down in a few weeks to mess with this again. I just wanted to post this somewhere to wrap my mind around how to make this work.
Well, crazy or not, I'm sure there is a solution.
However, I'm pretty sure the PIX 525 will ruin everything, unless you were to open up and NAT the 67.x.x.x address to the outside address on the 1800 router (10.180.16.250), but that means you need that IP reserved on the school's DHCP server so the van always gets the same IP address. And in case you were to later change the router in the van, you would need to move the MAC address of FastEthernet0 to the new router.
All this is possible, but I guess you need all these things done on multiple schools, right?
Which makes it a bit of a nightmare when trying to document the whole thing.
Maybe there is a better solution... I hope so.
After doing some more research, as long as fixup H323 is used on the PIX, that part shouldn't be an issue. Also, I have very good cooperation from the schools, so setup on their end is not an issue. The NAT from the school's public address 67.x.x.x to the router's global address 10.180.x.x is already set up. And yes, the idea was that there would be a DHCP reservation set up at each school with the external NAT set up to that reservation. All of that is fine; the real issue is the second NAT on my end in the VAN.
The question still remains: are there any equivalent commands on the router that would accomplish "port forwarding/ranges" like on a Linksys/Netgear broadband router? Or should "ip nat inside source static 10.0.0.2 interface FastEthernet0" be enough?
I would go with "ip nat inside source static 10.0.0.2 interface FastEthernet0"; however, if you want to NAT only the specified port numbers, I think this is the way to go:
ip nat inside source static 10.0.0.2 10.180.16.250 route-map BLAH extendable
ip access-list extended ACL-FOR-THE-TANDBERG
 permit tcp host 10.0.0.2 any eq www
 permit tcp host 10.0.0.2 any eq 443
 permit udp host 10.0.0.2 any eq 1719
 permit tcp host 10.0.0.2 any eq 1720
 permit udp host 10.0.0.2 any range 2326 2373
 permit tcp host 10.0.0.2 any range 5555 5587
route-map BLAH permit 10
 match ip address ACL-FOR-THE-TANDBERG
Unfortunately it only works by stating the WAN address (10.180.16.250); you can't state the interface (FastEthernet0). This sort of ruins the idea that you want to be able to connect the router to any school network without having to reconfigure the router.
And I'm not sure this config allows NAT to work both inside->outside and outside->inside.
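Since the route-map form above has to carry the concrete per-school WAN address, and the per-port form from the first post needs one line per port, here is an added Python generator (example code, not from anyone in this thread) that emits either variant for a given school. It assumes the thread's values (Tandberg at 10.0.0.2, van inside net 10.0.0.0/28, the listed port ranges) and refuses a school address that overlaps the van's own inside network, the overlap concern raised earlier.

```python
import ipaddress

# Values taken from the thread: the van's inside /28 and the Tandberg unit's address.
# The per-school WAN address is whatever DHCP reservation the school gives FastEthernet0.
VAN_INSIDE_NET = ipaddress.ip_network("10.0.0.0/28")
TANDBERG_INSIDE = "10.0.0.2"

# (protocol, first port, last port) as listed in the thread for the Tandberg unit
TANDBERG_PORTS = [
    ("tcp", 80, 80), ("tcp", 443, 443), ("udp", 1719, 1719),
    ("tcp", 1720, 1720), ("udp", 2326, 2373), ("tcp", 5555, 5587),
]


def per_port_static_nat(inside=TANDBERG_INSIDE, ports=TANDBERG_PORTS, wan_if="FastEthernet0"):
    """One 'ip nat inside source static' line per port (the first post's approach).
    Binds to the interface, so it survives a new DHCP lease, but the line count explodes."""
    return [
        f"ip nat inside source static {proto} {inside} {p} interface {wan_if} {p}"
        for proto, lo, hi in ports for p in range(lo, hi + 1)
    ]


def route_map_static_nat(school_wan_ip, inside=TANDBERG_INSIDE, ports=TANDBERG_PORTS,
                         acl="ACL-FOR-THE-TANDBERG", rmap="BLAH"):
    """Port-restricted static NAT via route-map (the later suggestion in the thread).
    Needs the concrete WAN address, so it is generated once per school."""
    wan = ipaddress.ip_address(school_wan_ip)
    # A school handing out addresses from the van's own inside /28 would break routing.
    if wan in VAN_INSIDE_NET:
        raise ValueError(f"school address {wan} overlaps the van's inside net {VAN_INSIDE_NET}")
    lines = [f"ip access-list extended {acl}"]
    for proto, lo, hi in ports:
        match = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
        lines.append(f" permit {proto} host {inside} any {match}")
    lines += [
        f"route-map {rmap} permit 10",
        f" match ip address {acl}",
        f"ip nat inside source static {inside} {wan} route-map {rmap} extendable",
    ]
    return lines


if __name__ == "__main__":
    # Example school reservation from the thread
    print("\n".join(route_map_static_nat("10.180.16.250")))
    print(f"! the per-port approach would need {len(per_port_static_nat())} lines")
```

The generated text is meant to be pasted into configure terminal on the 1811 at each school; keep one generated file per school alongside its DHCP reservation.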
Interesting... I never would have thought of doing it that way. Using that example I could script it out for each school and then have the folks in the VAN execute it from a shortcut on the desktop. I think I have enough to go on here to make something work...
Thanks again for the help and suggestions.
Thanks for the tip, and as you mentioned... I wish it could work with the interface! I have a dynamic IP on my DSL and I needed that...
Oh well... anyway, thanks again for the info.