06-24-2014 01:59 PM - edited 03-04-2019 11:13 PM
Hey everyone,
I'm having an issue and I've looked for multiple guides but have not had any luck. Basically I need to forward a group of ports for my phone system, but whenever I apply these lines by creating my "ip nat inside source static" command it locks me out of my router and drops my connection. Does anyone have an idea why?
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 duplex full
 speed 100
!
interface FastEthernet4
 description Outside Interface
 ip address xxxxxxxxx 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description Internal Network
 ip address 10.67.1.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxx
no ip http server
no ip http secure-server
!
!
ip nat pool insidepool (WAN IP) (WAN IP) netmask 255.255.255.0
ip nat inside source list 10 pool insidepool overload
ip nat inside source static tcp 10.67.1.5 22 xxxxxxxxxxxx 22 extendable
ip nat inside source static udp 10.67.1.5 22 xxxxxxxxxxxx 22 extendable
ip nat inside source static tcp 10.67.1.5 80 xxxxxxxxxxxx 80 extendable
ip nat inside source static udp 10.67.1.5 80 xxxxxxxxxxxx 80 extendable
ip nat inside source static tcp 10.67.1.15 3060 xxxxxxxxxxxx 3060 extendable
ip nat inside source static udp 10.67.1.15 3060 xxxxxxxxxxxx 3060 extendable
ip nat inside source static tcp 10.67.1.15 3061 xxxxxxxxxxxx 3061 extendable
ip nat inside source static udp 10.67.1.15 3061 xxxxxxxxxxxx 3061 extendable
ip nat inside source static tcp 10.67.1.15 3062 xxxxxxxxxxxx 3062 extendable
ip nat inside source static udp 10.67.1.15 3062 xxxxxxxxxxxx 3062 extendable
ip nat inside source static tcp 10.67.1.15 3063 xxxxxxxxxxxx 3063 extendable
ip nat inside source static udp 10.67.1.15 3063 xxxxxxxxxxxx 3063 extendable
ip nat inside source static tcp 10.67.1.15 3064 xxxxxxxxxxxx 3064 extendable
ip nat inside source static udp 10.67.1.15 3064 xxxxxxxxxxxx 3064 extendable
ip nat inside source static tcp 10.67.1.15 3065 xxxxxxxxxxxx 3065 extendable
ip nat inside source static udp 10.67.1.15 3065 xxxxxxxxxxxx 3065 extendable
ip nat inside source static tcp 10.67.1.15 3066 xxxxxxxxxxxx 3066 extendable
ip nat inside source static udp 10.67.1.15 3066 xxxxxxxxxxxx 3066 extendable
ip nat inside source static tcp 10.67.1.3 3389 xxxxxxxxxxxx 3389 extendable
ip nat inside source static udp 10.67.1.5 5060 xxxxxxxxxxxx 5060 extendable
ip nat inside source static 10.67.1.9 xxxxxxxxxxxx extendable
!
access-list 10 permit 10.67.0.0 0.0.3.255
access-list 50 permit xxxxxxxxxxxx 0.0.0.255
access-list 60 permit xxxxxxxxxxxx 0.0.31.255
access-list 60 permit 10.67.0.0 0.0.3.255
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 60 in
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp server xxxxxxxxxxxx
end
And here is what I put in that eventually kills my WAN connection.
access-list 100 permit tcp host any range 5060 5080 any
access-list 100 permit udp host any range 5060 5080 any
access-list 100 permit tcp host any range 10000 20000 any
access-list 100 permit udp host any range 10000 20000 any
route-map Phone_Ports permit 10
 match ip add 100
ip nat inside source static 10.67.1.5 (WAN IP) route-map Phone_Ports
06-24-2014 02:54 PM
Try doing the following on each of your static NAT, rather than the line at the end.
ip nat inside source static tcp 10.67.1.5 <WAN IP> route-map Phone_Ports extendable
This is assuming the final line is the one causing your issues. Have you tried doing them one by one to isolate?
06-25-2014 11:39 AM
Unfortunately this gave me the same result. But it doesn't disconnect until I put in the static NAT line.
06-25-2014 11:43 AM
You mean the last line? You won't need that if you reference the nat pool on the individual lines
06-25-2014 11:46 AM
So what you're saying is that I don't even need this?
ip nat inside source static 10.67.1.5 (WAN IP) route-map Phone_Ports
06-25-2014 12:17 PM
Correct, if you're referencing the route maps on each line.
06-25-2014 02:10 PM
I greatly appreciate your help but I'm still kind of confused about what exactly it is that I have to do. Are you saying that if I have a "route-map" that it's already being applied? And I don't need an IP NAT statement?
06-26-2014 04:38 AM
Right.
Change your static NAT statements to the below and remove the last line from your config. Test and let me know:
ip nat inside source static tcp 10.67.1.5 22 xxxxxxxxxxxx 22 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.5 22 xxxxxxxxxxxx 22 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.5 80 xxxxxxxxxxxx 80 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.5 80 xxxxxxxxxxxx 80 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3060 xxxxxxxxxxxx 3060 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3060 xxxxxxxxxxxx 3060 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3061 xxxxxxxxxxxx 3061 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3061 xxxxxxxxxxxx 3061 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3062 xxxxxxxxxxxx 3062 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3062 xxxxxxxxxxxx 3062 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3063 xxxxxxxxxxxx 3063 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3063 xxxxxxxxxxxx 3063 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3064 xxxxxxxxxxxx 3064 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3064 xxxxxxxxxxxx 3064 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3065 xxxxxxxxxxxx 3065 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3065 xxxxxxxxxxxx 3065 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3066 xxxxxxxxxxxx 3066 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3066 xxxxxxxxxxxx 3066 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.3 3389 xxxxxxxxxxxx 3389 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.5 5060 xxxxxxxxxxxx 5060 route-map Phone_Ports extendable
ip nat inside source static 10.67.1.9 xxxxxxxxxxxx route-map Phone_Ports extendable
06-26-2014 07:56 AM
Hi,
We have the same issue.
You say:
ip nat inside source static tcp 10.67.1.5 22 xxxxxxxxxxxx 22 route-map Phone_Ports extendable
What does it mean? Normally it forwards port 22, but in the route-map we want to allow a range of ports.
You sure about it? When I check the NAT translations, will I see 10.67.1.5 mapped to udp 5060,5061, ... 5080 etc.?
06-26-2014 12:38 PM
Yes, or you could just add it to your INBOUND ACL and be done with it.
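Added example, not part of the thread and not Cisco tooling: a small Python audit of `ip nat inside source static` lines in the format posted above, reporting what each line exposes and flagging whole-host mappings, including one whose global address is the router's own outside IP. The 203.0.113.x addresses, the `SENSITIVE` port list and the function name are assumptions made for the illustration.

```python
# Constructed sample in the thread's format; 203.0.113.x (documentation range)
# stands in for the redacted WAN IPs.
SAMPLE_CONFIG = """\
ip nat inside source list 10 pool insidepool overload
ip nat inside source static tcp 10.67.1.5 22 203.0.113.10 22 extendable
ip nat inside source static udp 10.67.1.15 3060 203.0.113.10 3060 extendable
ip nat inside source static tcp 10.67.1.3 3389 203.0.113.10 3389 extendable
ip nat inside source static 10.67.1.9 203.0.113.11 extendable
ip nat inside source static 10.67.1.5 203.0.113.10 route-map Phone_Ports
"""

# Remote-access ports flagged when forwarded from outside (assumed review list).
SENSITIVE = {22: "SSH", 23: "Telnet", 3389: "RDP"}
PREFIX = ["ip", "nat", "inside", "source", "static"]


def audit_static_nat(config, router_outside_ip):
    """Return one finding per static NAT line: what it exposes and why."""
    findings = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:5] != PREFIX:
            continue  # dynamic/overload rules and other config are out of scope
        args, flags = tok[5:], []
        if len(args) >= 5 and args[0] in ("tcp", "udp") and args[4].isdigit():
            proto, local, _lport, glob, gport = args[:5]
            port, opts = int(gport), args[5:]
            if port in SENSITIVE:
                flags.append(f"{SENSITIVE[port]} reachable from outside")
        elif len(args) >= 2 and args[0] not in ("tcp", "udp"):
            # No protocol/port: every port of the global address is translated.
            proto, local, glob, port, opts = "any", args[0], args[1], None, args[2:]
            flags.append("whole-host mapping exposes all ports")
            if glob == router_outside_ip:
                # Traffic addressed to the router itself (vty sessions included)
                # is translated to the inside host instead.
                flags.append("global address is the router's own outside IP")
        else:
            findings.append({"line": line, "flags": ["unparsed static NAT line"]})
            continue
        if "route-map" in opts[:-1]:
            flags.append(f"uses route-map {opts[opts.index('route-map') + 1]}")
        findings.append({"line": line, "proto": proto, "local": local,
                         "global": glob, "port": port, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in audit_static_nat(SAMPLE_CONFIG, "203.0.113.10"):
        print(f["line"], "->", "; ".join(f["flags"]) or "no flags")
```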