Solved: Forward range ports for few hosts in ISR4331

Oleh_83 · ‎01-23-2018

Hello!

See more instructions for forwarding ports in the Cisco ISR4331, but I can`t do this. Please help me.

I have a NAT and three hosts in my task. Me need forward some ports and range ports. You can see this in my configuration.

My config:
interface GigabitEthernet0/0/0
description Ethernet for Internet network 82.82.82.81/29
ip address 82.82.82.82 255.255.255.248
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description Ethernet for Local network 192.168.1.0/24
ip address 192.168.1.10 255.255.255.0
ip nat inside
negotiation auto
!
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/0/0 overload
ip nat inside source static tcp 192.168.1.137 3389 82.82.82.82 3389 extendable
!

ip access-list extended NAT-TRAFFIC

permit ip 192.168.6.1 0.0.0.255 any

!

ip access-list extended PORT-FORWARD-ATC-1.11
permit tcp host 192.168.1.11 eq 5060 any
permit udp host 192.168.1.11 eq 5060 any
permit tcp host 192.168.1.11 eq 6000 any
permit udp host 192.168.1.11 eq 6000 any
permit udp host 192.168.1.11 range 1824 4999 any
permit udp host 192.168.1.11 eq 5999 any
permit tcp host 192.168.1.11 eq 5090 any
permit tcp host 192.168.1.11 eq 5003 any
permit udp host 192.168.1.11 eq 8000 any
ip access-list extended PORT-FORWARD-ATC-1.12
permit udp host 192.168.1.12 range 30000 30040 any
ip access-list extended PORT-FORWARD-WEBSERVER-1.2
permit tcp host 192.168.1.2 eq www any
permit tcp host 192.168.1.2 eq 443 any
permit tcp host 192.168.1.2 eq ftp any
permit tcp host 192.168.1.2 eq 3306 any
permit tcp host 192.168.1.2 eq 1500 any

!
!
route-map NAT-MAP-ATC-1.11 permit 20
match ip address PORT-FORWARD-ATC-1.11
!
route-map NAT-MAP-ATC-1.12 permit 30
match ip address PORT-FORWARD-ATC-1.11
!
route-map NAT-MAP-WEBSERVER-1.2 permit 10
match ip address PORT-FORWARD-WEBSERVER-1.2

How to forward this ports?
I try add this, but ca`nt add second host.
ip nat inside source static 192.168.1.2 82.82.82.82 route-map NAT-MAP-WEBSERVER-1.2 extendable

Francesco Molino · ‎01-26-2018

For udp range, you'll need to do the same way as you did for the other nat.

For your tcp you can use the following config:

ip nat pool TEST 192.168.1.12 192.168.1.12 netmask 255.255.255.0 type rotary

ip access-list extended tcp3000030040

permit tcp any any range 30000 30040

ip nat inside destination list tcp3000030040 pool TEST

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎01-23-2018

Hi

Your acl aren't correct.

Let's show you an example for port-forwarding.

Your IP public is 82.82.82.82 and your server IP for webservices is 192.168.1.2.

You can leave any but in my example I will set it with your public ip and private ip.

ip access-list extended PORT-FORWARD-WEBSERVER-1.2 --> You can replace host 82.82.82.82 by any if you want
permit tcp host 82.82.82.82 host 192.168.1.2 eq www
permit tcp host 82.82.82.82 host 192.168.1.2 eq 443
permit tcp host 82.82.82.82 host 192.168.1.2 eq ftp
permit tcp host 82.82.82.82 host 192.168.1.2 eq 3306
permit tcp host 82.82.82.82 host 192.168.1.2 eq 1500

!

route-map NAT-MAP-WEBSERVER-1.2 permit 10
match ip address PORT-FORWARD-WEBSERVER-1.2

!

ip nat inside source static 192.168.1.2 82.82.82.82 route-map NAT-MAP-WEBSERVER-1.2 extendable

Can you try with that config please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Oleh_83 · ‎01-24-2018

Hello Francesco.

Thank for you. I change my Acl lists as you write.

My main problem, I can`t add second host for forwarding.

router-r1(config)#ip nat inside source static 192.168.1.2 82.82.82.82 route-map NAT-MAP-WEBSERVER-1.2 extendable
router-r1(config)#ip nat inside source static 192.168.1.11 82.82.82.82 route-map NAT-MAP-ATC-1.11 extendable
%NAT:similar static entry (192.168.1.2 -> 82.82.82.82) already exists

Francesco Molino · ‎01-24-2018

Hi

First of all I apology because I red your last nat and there was only one and I assumed it was what you were asking.

Normally you should have 1 line per each port forwarding in your case
We use route-map for policy-based nat and you won't be able to do achieve that using that method.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Oleh_83 · ‎01-24-2018

Hi.

How can I achieve port forwarding for these three hosts with a list of ports for them that are described above?

Francesco Molino · ‎01-24-2018

I won't do for all but let's take 1 acl :-)

ip access-list extended PORT-FORWARD-WEBSERVER-1.2
permit tcp host 82.82.82.82 host 192.168.1.2 eq www
permit tcp host 82.82.82.82 host 192.168.1.2 eq 443
permit tcp host 82.82.82.82 host 192.168.1.2 eq ftp
permit tcp host 82.82.82.82 host 192.168.1.2 eq 3306
permit tcp host 82.82.82.82 host 192.168.1.2 eq 1500

The nat config would be:

ip nat inside source static tcp 192.168.1.2 80 82.82.82.82 80

ip nat inside source static tcp 192.168.1.2 443 82.82.82.82 443

ip nat inside source static tcp 192.168.1.2 21 82.82.82.82 21

ip nat inside source static tcp 192.168.1.2 3306 82.82.82.82 3306

ip nat inside source static tcp 192.168.1.2 1500 82.82.82.82 1500

Is that clear? Let me know if you need more explanation or help

[EDIT]

Just to clarify because I reread my answer and it might confuse things. The solution I proposed is line by line because you have udp ports to be natted.

However for TCP ports , you can use another solution using nat rotary .

And the config will looks like:

ip nat pool TEST 192.168.1.11 192.168.1.11 netmask 255.255.255.0 type rotary

ip access-list extended PORT-FORWARD-ATC-1.11

permit tcp any any range 5060 5090 --> All ports from 5060 to 5090

ip nat inside destination list PORT-FORWARD-ATC-1.11 pool TEST

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Oleh_83 · ‎01-25-2018

Hi Francesco.

I understand this.

You do not understand from my words what my problem is.

I will give you another example.

For example, I have this:

Host 1: 192.168.11 (tcp 1000-2000)

Host 2: 192.168.12 (udp 3000-3200, tcp 500-505)

Host 2: 192.168.13 (udp 10000-20000)

How can I record the range of port forwarding for these three hosts?

*By my first post, I was able to add one host, the second host did not allow this system to be written.

Do you understand what my problem is?

Francesco Molino · ‎01-25-2018

Yes I understand your issue since the beginning and what I told you is that you can use rotary feature with a pool and ACL to do nat inbound for a range of TCP ports but can't work for UDP. UDP needs to be setup 1 by 1.

The solution with route-map won't work because it basically do 1:1 nat and filter ports. You can use that solution if you have multiple public ip.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Oleh_83 · ‎01-26-2018

Hi.

I come back to my old version:
ip nat inside source static tcp 192.168.1.2 21 82.82.82.82 21 extendable
ip nat inside source static tcp 192.168.1.2 80 82.82.82.82 80 extendable
ip nat inside source static tcp 192.168.1.2 443 82.82.82.82 443 extendable
ip nat inside source static tcp 192.168.1.2 1500 82.82.82.82 1500 extendable
ip nat inside source static tcp 192.168.1.2 3306 82.82.82.82 3306 extendable
ip nat inside source static tcp 192.168.1.11 5003 82.82.82.82 5003 extendable
ip nat inside source static tcp 192.168.1.11 5060 82.82.82.82 5060 extendable
ip nat inside source static udp 192.168.1.11 5060 82.82.82.82 5060 extendable
ip nat inside source static tcp 192.168.1.11 5090 82.82.82.82 5090 extendable
ip nat inside source static udp 192.168.1.11 5999 82.82.82.82 5999 extendable
ip nat inside source static tcp 192.168.1.11 6000 82.82.82.82 6000 extendable
ip nat inside source static udp 192.168.1.11 6000 82.82.82.82 6000 extendable
ip nat inside source static udp 192.168.1.11 8000 82.82.82.82 8000 extendable

But I don`t known, what doing with this:

192.168.1.11 range udp 1824-4999

192.168.1.12 range tcp 30000-30040

How to add this in my config.

Francesco Molino · ‎01-26-2018

For udp range, you'll need to do the same way as you did for the other nat.

For your tcp you can use the following config:

ip nat pool TEST 192.168.1.12 192.168.1.12 netmask 255.255.255.0 type rotary

ip access-list extended tcp3000030040

permit tcp any any range 30000 30040

ip nat inside destination list tcp3000030040 pool TEST

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Oleh_83 · ‎01-31-2018

Thanks Francesco !

Francesco Molino · ‎01-31-2018

You're welcome

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

MriduD · ‎04-19-2023

Hi Francesco,

Won't allowing range of ports by using route-map work? Like you showed earlier?