
Port Range Forwarding Shuts Down WAN Connection

Benjamin Crites
Level 1

Hey everyone,

I'm having an issue, and I've looked for multiple guides but have not had any luck. Basically, I need to forward a group of ports for my phone system, but whenever I apply these lines by creating my "ip nat inside source static" command, it locks me out of my router and drops my connection. Does anyone have an idea why?

 


!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 duplex full
 speed 100
!
interface FastEthernet4
 description Outside Interface
 ip address xxxxxxxxx 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description Internal Network
 ip address 10.67.1.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxx
no ip http server
no ip http secure-server
!
!
ip nat pool insidepool (WAN IP) (WAN IP) netmask 255.255.255.0
ip nat inside source list 10 pool insidepool overload
ip nat inside source static tcp 10.67.1.5 22 xxxxxxxxxxxx 22 extendable
ip nat inside source static udp 10.67.1.5 22 xxxxxxxxxxxx 22 extendable
ip nat inside source static tcp 10.67.1.5 80 xxxxxxxxxxxx 80 extendable
ip nat inside source static udp 10.67.1.5 80 xxxxxxxxxxxx 80 extendable
ip nat inside source static tcp 10.67.1.15 3060 xxxxxxxxxxxx 3060 extendable
ip nat inside source static udp 10.67.1.15 3060 xxxxxxxxxxxx 3060 extendable
ip nat inside source static tcp 10.67.1.15 3061 xxxxxxxxxxxx 3061 extendable
ip nat inside source static udp 10.67.1.15 3061 xxxxxxxxxxxx 3061 extendable
ip nat inside source static tcp 10.67.1.15 3062 xxxxxxxxxxxx 3062 extendable
ip nat inside source static udp 10.67.1.15 3062 xxxxxxxxxxxx 3062 extendable
ip nat inside source static tcp 10.67.1.15 3063 xxxxxxxxxxxx 3063 extendable
ip nat inside source static udp 10.67.1.15 3063 xxxxxxxxxxxx 3063 extendable
ip nat inside source static tcp 10.67.1.15 3064 xxxxxxxxxxxx 3064 extendable
ip nat inside source static udp 10.67.1.15 3064 xxxxxxxxxxxx 3064 extendable
ip nat inside source static tcp 10.67.1.15 3065 xxxxxxxxxxxx 3065 extendable
ip nat inside source static udp 10.67.1.15 3065 xxxxxxxxxxxx 3065 extendable
ip nat inside source static tcp 10.67.1.15 3066 xxxxxxxxxxxx 3066 extendable
ip nat inside source static udp 10.67.1.15 3066 xxxxxxxxxxxx 3066 extendable
ip nat inside source static tcp 10.67.1.3 3389 xxxxxxxxxxxx 3389 extendable
ip nat inside source static udp 10.67.1.5 5060 xxxxxxxxxxxx 5060 extendable
ip nat inside source static 10.67.1.9 xxxxxxxxxxxx extendable
!
access-list 10 permit 10.67.0.0 0.0.3.255
access-list 50 permit xxxxxxxxxxxx 0.0.0.255
access-list 60 permit xxxxxxxxxxxx 0.0.31.255
access-list 60 permit 10.67.0.0 0.0.3.255
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 60 in
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp server xxxxxxxxxxxx
end

 

 

 

And here is what I put in that eventually kills my WAN connection.

 

access-list 100 permit  tcp host any range 5060 5080 any
access-list 100 permit  udp host any range 5060 5080 any
access-list 100 permit  tcp host any range 10000 20000 any
access-list 100 permit  udp host any range 10000 20000 any

route-map Phone_Ports permit 10
match ip add 100

ip nat inside source static 10.67.1.5 (WAN IP)  route-map Phone_Ports

 

 

 

9 Replies

adamtodd16
Level 3

Try doing the following on each of your static NAT, rather than the line at the end.

ip nat inside source static tcp 10.67.1.5 <WAN IP> route-map Phone_Ports extendable

This is assuming the final line is the one causing your issues. Have you tried doing them one by one to isolate?

Unfortunately, this gave me the same result. But it doesn't disconnect till I put in the static NAT line.

You mean the last line? You won't need that if you reference the NAT pool on the individual lines.

 

So what you're saying is that I don't even need this?

 

ip nat inside source static 10.67.1.5 (WAN IP)  route-map Phone_Ports

Correct, if you're referencing the route maps on each line.

I greatly appreciate your help, but I'm still kind of confused on what exactly it is that I have to do. Are you saying that if I have a "route-map" that it's already being applied? And I don't need an IP NAT statement?

Right.

Change your static NAT statements to the below and remove the last line from your config. Test and let me know:

 

ip nat inside source static tcp 10.67.1.5 22 xxxxxxxxxxxx 22 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.5 22 xxxxxxxxxxxx 22 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.5 80 xxxxxxxxxxxx 80 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.5 80 xxxxxxxxxxxx 80 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3060 xxxxxxxxxxxx 3060 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3060 xxxxxxxxxxxx 3060 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3061 xxxxxxxxxxxx 3061 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3061 xxxxxxxxxxxx 3061 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3062 xxxxxxxxxxxx 3062 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3062 xxxxxxxxxxxx 3062 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3063 xxxxxxxxxxxx 3063 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3063 xxxxxxxxxxxx 3063 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3064 xxxxxxxxxxxx 3064 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3064 xxxxxxxxxxxx 3064 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3065 xxxxxxxxxxxx 3065 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3065 xxxxxxxxxxxx 3065 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3066 xxxxxxxxxxxx 3066 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3066 xxxxxxxxxxxx 3066 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.3 3389 xxxxxxxxxxxx 3389 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.5 5060 xxxxxxxxxxxx 5060 route-map Phone_Ports extendable
ip nat inside source static 10.67.1.9 xxxxxxxxxxxx route-map Phone_Ports extendable

Hi,

 

We have the same issue.

You say:
ip nat inside source static tcp 10.67.1.5 22 xxxxxxxxxxxx 22 route-map Phone_Ports extendable

What does it mean? Normally it forwards port 22, but in the route-map we want to allow a range of ports.

You sure about it? When I check NAT translation, will I see 10.67.1.5 mapped to UDP 5060, 5061, ... 5080 etc.?

 

Yes, or you could just add it to your INBOUND ACL and be done with it.
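
An added pre-change check, not part of the original thread or any poster's configuration: it flags a static NAT entry that has no protocol or port and whose global address is one the router itself uses (an "ip nat outside" interface address or a single-address overload pool), which is the shape of the line reported above to drop the connection. The assumption, not confirmed in the thread, is that such an entry translates the whole address, including sessions to the router itself; 203.0.113.x stands in for the redacted WAN addresses.

```python
import re

# Constructed sample: 203.0.113.x stands in for the redacted WAN addresses.
SAMPLE = """\
interface FastEthernet4
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
interface Vlan1
 ip address 10.67.1.1 255.255.252.0
 ip nat inside
ip nat pool insidepool 203.0.113.2 203.0.113.2 netmask 255.255.255.240
ip nat inside source list 10 pool insidepool overload
ip nat inside source static tcp 10.67.1.5 22 203.0.113.2 22 extendable
ip nat inside source static 10.67.1.9 203.0.113.5 extendable
ip nat inside source static 10.67.1.5 203.0.113.2 route-map Phone_Ports
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC = re.compile(
    rf"^ip nat inside source static (?:(tcp|udp) )?({IPV4}) (?:(\d+) )?({IPV4})")
POOL = re.compile(rf"^ip nat pool \S+ ({IPV4}) ({IPV4})")

def outside_addresses(config):
    """Addresses the router uses itself: outside interfaces, one-address pools."""
    owned, addr, outside = set(), None, False
    for line in config.splitlines() + ["!"]:
        if not line.startswith(" "):      # unindented line ends an interface block
            if addr and outside:
                owned.add(addr)
            addr, outside = None, False
        m = re.match(rf"^ ip address ({IPV4}) ", line)
        if m:
            addr = m.group(1)
        if line.strip() == "ip nat outside":
            outside = True
        m = POOL.match(line)
        if m and m.group(1) == m.group(2):
            owned.add(m.group(1))
    return owned

def lockout_risks(config):
    """Static NAT lines with no protocol/port whose global address is the router's."""
    owned = outside_addresses(config)
    risks = []
    for line in config.splitlines():
        m = STATIC.match(line)
        if m and m.group(1) is None and m.group(4) in owned:
            risks.append(line)
    return risks

if __name__ == "__main__":
    print("\n".join(lockout_risks(SAMPLE)) or "no whole-address static NAT on a router address")
```

Run it against the candidate configuration before pasting the change into a remote session; the per-port entries and the one-to-one mapping to a separate public address pass, and only the whole-address entry on the WAN address is reported.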
