C891F UDP Port Range Forwarding

narcotics
Level 1

Hi Guys

I have gone through forums and multiple sites to find a solution for UDP port range forwarding, however I haven't been successful.

Has someone tried the latest released version of IOS for this router to confirm if they have added UDP port range forwarding as a feature?

We have 1 public IP and there is PAT in place. Also there are approx. 5-6 static NAT entries to allow traffic from outside to inside on different ports. I am trying to forward a range of UDP ports from outside to inside.

I know that if I had another public IP or a 2nd ISP, I could have done 1 to 1 static NAT to accomplish the UDP port range forwarding, however that is not the case here.

Also I am aware that type rotary works for TCP, which doesn't solve my problem.

So please let me know if someone has a solution for this issue.

Thanks.


7 Replies

Francesco Molino
VIP Alumni
Hi

Have you tried using route-map?

I replied to another post, take a look on what the config would look like:
https://supportforums.cisco.com/t5/wan-routing-and-switching/forward-range-ports-for-few-hosts-in-isr4331/td-p/3316899

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for your prompt response. I have looked at that post. Isn't this just a 1 to 1 Nat? Can you have multiple statements with different host (internal) ip and another route-map?

For example:

ip nat inside source static 192.168.1.2 82.82.82.82 route-map NAT-MAP-WEBSERVER-1.2 extendable
ip nat inside source static 192.168.10.2 82.82.82.82 route-map NAT-MAP-RDPAPPSERVER-1.2 extendable

For some reason I have a perception that you can only have one statement.
Thanks.

Yes you're right and I misread the post. Sorry about that.

You'll need 1 statement per port.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

You mean per IP. Thanks for your response.

So that means the only solution is to have one to one static NAT, which means I will have to get a 2nd public IP address.

Does anyone know if the latest Cisco IOS for the 891F model has a UDP port range NAT feature?

Thanks.

No, what I mean is that you'll need 1 line per service. As long as you don't have overlapping services, you can have everything on 1 public IP.

Even with the latest IOS, you won't be able to do UDP range NAT.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks a lot. Just want to clear any doubts.

So route-map won't work because it works for multiple inside global IP addresses and not multiple inside local IP addresses.

Which means creating a static NAT rule per port for all the ports, which is not practical.

For example: I will have to add a line for each UDP port as per below:

ip nat inside source static tcp 192.168.1.42 3389 x.x.x.x 3389 extendable
ip nat inside source static udp 192.168.20.33 5081 x.x.x.x 5081 extendable
ip nat inside source static udp 192.168.20.33 5082 x.x.x.x 5082 extendable

Adding 500 lines of UDP rules might cause unnecessary burden on the router as well. Is this a limitation of this Cisco router only?

I think it would be easier for us to get another public IP and just do a 1 to 1 NAT from 192.168.20.33 to the public IP and use a route-map/ACL to block the unused ports!

Yes, I agree that getting a new IP will be simpler.
The UDP range issue is the same across all platforms.
That's why I prefer using a firewall for such things.
I had never added 500 lines of NAT on a router, but I tested it now and there was no problem. The limit on the number of NAT entries depends on your platform, and you can find that information on the router datasheet.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
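As an added example (not part of the thread, and not Cisco's tooling): a small Python script that does what the posts above describe. It expands a UDP port range into one `ip nat inside source static udp ...` line per port, and checks the generated lines against the static entries already in the running config so that no new line reuses a (protocol, public IP, port) combination that another inside host already claims, which is the "no overlapping service" condition Francesco describes. The sample config is constructed: it contains the three lines quoted in the thread plus two invented entries (the 192.168.1.50 entry and the PAT overload line), and `x.x.x.x` stands for the public IP exactly as in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches the per-port static PAT form quoted in the thread, e.g.
#   ip nat inside source static udp 192.168.20.33 5081 x.x.x.x 5081 extendable
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)(?: extendable)?$"
)


@dataclass(frozen=True)
class StaticPat:
    proto: str          # "tcp" or "udp"
    inside_local: str   # private host address
    local_port: int
    inside_global: str  # public address
    global_port: int

    def to_ios(self) -> str:
        """Render the entry back into IOS configuration syntax."""
        return (f"ip nat inside source static {self.proto} {self.inside_local} "
                f"{self.local_port} {self.inside_global} {self.global_port} extendable")


def parse_static(line: str) -> Optional[StaticPat]:
    """Parse one config line; returns None for anything that is not a static PAT entry."""
    m = STATIC_RE.match(line.strip())
    if m is None:
        return None
    proto, inside_local, lport, inside_global, gport = m.groups()
    return StaticPat(proto, inside_local, int(lport), inside_global, int(gport))


def expand_range(proto: str, inside_local: str, inside_global: str,
                 first: int, last: int) -> List[StaticPat]:
    """One entry per port, since IOS has no range form for UDP static PAT."""
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be 'tcp' or 'udp'")
    if not 1 <= first <= last <= 65535:
        raise ValueError("need 1 <= first <= last <= 65535")
    return [StaticPat(proto, inside_local, p, inside_global, p)
            for p in range(first, last + 1)]


def plan(existing_lines: List[str], proto: str, inside_local: str,
         inside_global: str, first: int, last: int
         ) -> Tuple[List[StaticPat], List[StaticPat], List[Tuple[StaticPat, StaticPat]]]:
    """Split the wanted range into: lines to add, lines already present,
    and conflicts where the same (proto, public IP, port) is taken by another host."""
    existing = [e for e in map(parse_static, existing_lines) if e is not None]
    taken: Dict[Tuple[str, str, int], StaticPat] = {
        (e.proto, e.inside_global, e.global_port): e for e in existing
    }
    to_add, present, conflicts = [], [], []
    for entry in expand_range(proto, inside_local, inside_global, first, last):
        current = taken.get((entry.proto, entry.inside_global, entry.global_port))
        if current is None:
            to_add.append(entry)
        elif current == entry:
            present.append(entry)
        else:
            conflicts.append((entry, current))
    return to_add, present, conflicts


# Constructed running-config excerpt: the three lines quoted in the thread plus
# two invented ones (the 192.168.1.50 entry and the PAT overload line).
EXISTING_CONFIG = [
    "ip nat inside source static tcp 192.168.1.42 3389 x.x.x.x 3389 extendable",
    "ip nat inside source static udp 192.168.20.33 5081 x.x.x.x 5081 extendable",
    "ip nat inside source static udp 192.168.20.33 5082 x.x.x.x 5082 extendable",
    "ip nat inside source static udp 192.168.1.50 5090 x.x.x.x 5090 extendable",
    "ip nat inside source list 1 interface GigabitEthernet8 overload",
]


if __name__ == "__main__":
    to_add, present, conflicts = plan(EXISTING_CONFIG, "udp", "192.168.20.33",
                                      "x.x.x.x", 5081, 5100)
    for wanted, current in conflicts:
        print(f"! CONFLICT: udp/{wanted.global_port} already forwarded to "
              f"{current.inside_local}; not generated")
    for entry in to_add:
        print(entry.to_ios())
    print(f"! {len(to_add)} new lines, {len(present)} already present, "
          f"{len(conflicts)} conflicts")
```

Running it against the constructed config prints 17 new lines for 5081-5100, skips 5081 and 5082 (already present for the same host) and flags 5090 as a conflict because another inside host already owns that public port. Paste the generated lines with `show run | include ip nat inside source static` output as `existing_lines` to check a real range before committing it; the TCP 3389 entry is not treated as a conflict, since static PAT keys on protocol as well as port.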