Cisco Support Community
New Member

Port Range Forwarding Shuts Down WAN Connection

Hey everyone,

I'm having an issue and I've looked for multiple guides but have not had any luck. Basically I need to forward a group of ports for my phone system, but whenever I apply these lines by creating my "ip nat inside source static" command it locks me out of my router and drops my connection. Does anyone have an idea why?

 


!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 duplex full
 speed 100
!
interface FastEthernet4
 description Outside Interface
 ip address xxxxxxxxx 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description Internal Network
 ip address 10.67.1.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxx
no ip http server
no ip http secure-server
!
!
ip nat pool insidepool (WAN IP) (WAN IP) netmask 255.255.255.0
ip nat inside source list 10 pool insidepool overload
ip nat inside source static tcp 10.67.1.5 22 xxxxxxxxxxxx 22 extendable
ip nat inside source static udp 10.67.1.5 22 xxxxxxxxxxxx 22 extendable
ip nat inside source static tcp 10.67.1.5 80 xxxxxxxxxxxx 80 extendable
ip nat inside source static udp 10.67.1.5 80 xxxxxxxxxxxx 80 extendable
ip nat inside source static tcp 10.67.1.15 3060 xxxxxxxxxxxx 3060 extendable
ip nat inside source static udp 10.67.1.15 3060 xxxxxxxxxxxx 3060 extendable
ip nat inside source static tcp 10.67.1.15 3061 xxxxxxxxxxxx 3061 extendable
ip nat inside source static udp 10.67.1.15 3061 xxxxxxxxxxxx 3061 extendable
ip nat inside source static tcp 10.67.1.15 3062 xxxxxxxxxxxx 3062 extendable
ip nat inside source static udp 10.67.1.15 3062 xxxxxxxxxxxx 3062 extendable
ip nat inside source static tcp 10.67.1.15 3063 xxxxxxxxxxxx 3063 extendable
ip nat inside source static udp 10.67.1.15 3063 xxxxxxxxxxxx 3063 extendable
ip nat inside source static tcp 10.67.1.15 3064 xxxxxxxxxxxx 3064 extendable
ip nat inside source static udp 10.67.1.15 3064 xxxxxxxxxxxx 3064 extendable
ip nat inside source static tcp 10.67.1.15 3065 xxxxxxxxxxxx 3065 extendable
ip nat inside source static udp 10.67.1.15 3065 xxxxxxxxxxxx 3065 extendable
ip nat inside source static tcp 10.67.1.15 3066 xxxxxxxxxxxx 3066 extendable
ip nat inside source static udp 10.67.1.15 3066 xxxxxxxxxxxx 3066 extendable
ip nat inside source static tcp 10.67.1.3 3389 xxxxxxxxxxxx 3389 extendable
ip nat inside source static udp 10.67.1.5 5060 xxxxxxxxxxxx 5060 extendable
ip nat inside source static 10.67.1.9 xxxxxxxxxxxx extendable
!
access-list 10 permit 10.67.0.0 0.0.3.255
access-list 50 permit xxxxxxxxxxxx 0.0.0.255
access-list 60 permit xxxxxxxxxxxx 0.0.31.255
access-list 60 permit 10.67.0.0 0.0.3.255
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 60 in
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp server xxxxxxxxxxxx
end

 

 

 

And here is what I put in that eventually kills my WAN connection.

 

access-list 100 permit  tcp host any range 5060 5080 any
access-list 100 permit  udp host any range 5060 5080 any
access-list 100 permit  tcp host any range 10000 20000 any
access-list 100 permit  udp host any range 10000 20000 any

route-map Phone_Ports permit 10
match ip add 100

ip nat inside source static 10.67.1.5 (WAN IP)  route-map Phone_Ports
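
An added example, not part of the original post and not Cisco tooling: a short Python audit of the static NAT lines in a config like the one above, reporting published admin ports and one-to-one entries that carry no port. The address 203.0.113.10 is a placeholder for the redacted WAN IP, and the name `audit_static_nat` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's config; 203.0.113.10 is a
# documentation placeholder for the redacted WAN address.
SAMPLE = """\
ip nat inside source static tcp 10.67.1.5 22 203.0.113.10 22 extendable
ip nat inside source static udp 10.67.1.5 5060 203.0.113.10 5060 extendable
ip nat inside source static tcp 10.67.1.3 3389 203.0.113.10 3389 extendable
ip nat inside source static 10.67.1.9 203.0.113.10 extendable
ip nat inside source static 10.67.1.5 203.0.113.10 route-map Phone_Ports
"""

ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp"}
IP = r"(\d+\.\d+\.\d+\.\d+)"
# Port-specific form: protocol, inside ip and port, global ip and port.
PORT_RE = re.compile(rf"^ip nat inside source static (tcp|udp) {IP} (\d+) {IP} (\d+)\b")
# One-to-one form: inside ip and global ip, no ports in the statement.
FULL_RE = re.compile(rf"^ip nat inside source static {IP} {IP}\b")

def audit_static_nat(config):
    """Return (entries, findings) for the static NAT lines in an IOS config."""
    entries, findings = [], []
    port_globals, full_globals = defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        line = line.strip()
        if m := PORT_RE.match(line):
            proto, inside, _iport, glob, gport = m.groups()
            entries.append((inside, glob, proto, int(gport)))
            port_globals[glob].add(inside)
            if proto == "tcp" and int(gport) in ADMIN_PORTS:
                findings.append(f"{inside}: {ADMIN_PORTS[int(gport)]} published on {glob}:{gport}")
        elif m := FULL_RE.match(line):
            inside, glob = m.groups()
            entries.append((inside, glob, "any", None))
            full_globals[glob].add(inside)
            findings.append(f"{inside}: one-to-one entry on {glob}, no port in the NAT statement")
    # A global address used one-to-one and also by other static entries needs review.
    for glob, hosts in full_globals.items():
        if len(hosts) > 1 or port_globals.get(glob):
            findings.append(f"{glob}: one-to-one entry overlaps other static entries")
    return entries, findings

if __name__ == "__main__":
    for finding in audit_static_nat(SAMPLE)[1]:
        print(finding)
```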

 

 

 

9 REPLIES
New Member

Try doing the following on each of your static NAT, rather than the line at the end.

ip nat inside source static tcp 10.67.1.5 <WAN IP> route-map Phone_Ports extendable

This is assuming the final line is the one causing your issues. Have you tried doing them one by one to isolate?

New Member

Unfortunately this gave me the same result. But it doesn't disconnect till I put in the static NAT line.

New Member

You mean the last line? You won't need that if you reference the nat pool on the individual lines

 

New Member

So what you're saying is that I don't even need this?

 

ip nat inside source static 10.67.1.5 (WAN IP)  route-map Phone_Ports

New Member

Correct, if you're referencing the route maps on each line.

New Member

I greatly appreciate your help but I'm still kind of confused on what exactly it is that I have to do. Are you saying that if I have a "route-map" that it's already being applied? And I don't need an IP NAT statement?

New Member

Right.

Change your static NAT statements to the below and remove the last line from your config. Test and let me know:

 

ip nat inside source static tcp 10.67.1.5 22 xxxxxxxxxxxx 22 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.5 22 xxxxxxxxxxxx 22 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.5 80 xxxxxxxxxxxx 80 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.5 80 xxxxxxxxxxxx 80 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3060 xxxxxxxxxxxx 3060 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3060 xxxxxxxxxxxx 3060 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3061 xxxxxxxxxxxx 3061 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3061 xxxxxxxxxxxx 3061 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3062 xxxxxxxxxxxx 3062 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3062 xxxxxxxxxxxx 3062 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3063 xxxxxxxxxxxx 3063 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3063 xxxxxxxxxxxx 3063 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3064 xxxxxxxxxxxx 3064 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3064 xxxxxxxxxxxx 3064 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3065 xxxxxxxxxxxx 3065 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3065 xxxxxxxxxxxx 3065 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.15 3066 xxxxxxxxxxxx 3066 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.15 3066 xxxxxxxxxxxx 3066 route-map Phone_Ports extendable
ip nat inside source static tcp 10.67.1.3 3389 xxxxxxxxxxxx 3389 route-map Phone_Ports extendable
ip nat inside source static udp 10.67.1.5 5060 xxxxxxxxxxxx 5060 route-map Phone_Ports extendable
ip nat inside source static 10.67.1.9 xxxxxxxxxxxx route-map Phone_Ports extendable

New Member

Hi,

We have the same issue.

You say:
ip nat inside source static tcp 10.67.1.5 22 xxxxxxxxxxxx 22 route-map Phone_Ports extendable

What does it mean? Normally it forwards port 22, but in the route-map we want to allow a range of ports.

You sure about it? When I check NAT translation, will I see 10.67.1.5 mapped to udp 5060, 5061, ... 5080 etc.?

 

New Member

Yes, or you could just add it to your INBOUND ACL and be done with it..
