07-12-2007 12:33 AM - edited 03-03-2019 05:50 PM
I've been looking for a solution to forward a port range for months, and I haven't found any solution yet.
I am CCNA Certified and CCNP cursed. I've asked my teachers, at conferences and my ISP support. Nobody knows how to do it.
A common task like this, which is so trivial on every other router, why is it so difficult on Cisco? Is it possible?
Thanks in advance to everybody.
Olaf
07-12-2007 12:03 PM
Doing overload with one recommendation has the same effect as mine.
I'll try to give a graphic explanation.
Net-(PublicIP)_Router_(X.X.99.1)--(99.4)VoipServer
I need to port forward range 10001-20000 from outside to VoipServer.
Of course, network 192.168.99.0 must be able to browse everywhere.
And the router is the DNS server, so it needs internet access.
If it isn't clear, please tell me.
07-12-2007 12:06 PM
I think I follow what you need now - I will look at the config again and try to help - verify one thing. Prior to the change I had you make with the nat statement, was DNS working correctly?
I think this is somewhere in the ACLs; I just have to look again.
07-12-2007 12:19 PM
Prior to
ip nat inside source static 192.168.99.4 interface Dialer1
DNS was working correctly, but ports weren't being forwarded.
07-12-2007 12:23 PM
If I ping from router without extended commands:
Pro Inside global Inside local Outside local Outside global
icmp 89.7.245.85:6 192.168.99.4:6 212.145.4.97:6 212.145.4.97:6
07-12-2007 12:29 PM
I am looking at this and I still can't definitely find the problem. When you reverted to ACL 100, did you still have your ACL ip access-list extended inet_in implemented?
If so, try removing that ACL while using ACL 100 for the nat overload.
In regards to the post prior to this one are you insinuating that you can ping the DNS server and just can't do DNS lookups?
07-12-2007 12:41 PM
I don't think that NATted ACL is the trick because
access-list 110 permit ip 192.168.99.0 0.0.0.7 any
is more general than the next one,
access-list 110 permit udp host 192.168.99.4 range 10001 20000 any
so the latter is contained in the former and never matched.
If I remove the ACL inet_in, all ports are opened.
All hosts can browse, do DNS requests, etc... but not the router.
When I set the router as DNS server on host 192.168.99.5, for example, the router does the DNS queries, but they are mapped to 192.168.99.4, so the replies aren't routed properly. Same with ping from the router; they are mapped to 192.168.99.4 like in the previous show command.
Do you understand the problem?
If I can force the router to go outside with source ip 192.168.99.1 (or from interface Vlan1) when it is doing DNS requests or so, I think the problem is solved.
Pro Inside global Inside local Outside local Outside global
udp 89.7.245.85:53 192.168.99.4:53 212.145.4.97:53 212.145.4.97:53
I want to permit all inside to outside traffic, and forward range to server.
07-12-2007 12:50 PM
ok - go ahead and give me a copy of your configuration as it sits right now. I am going to implement this in my test network.
Thanks,
David
07-12-2007 12:58 PM
You could modify that ACL to
access-list 110 permit udp host 192.168.99.4 range 10001 20000 any
access-list 110 deny udp host 192.168.99.4 any
access-list 110 permit ip 192.168.99.0 0.0.0.7 any
then remove the one you created after the changes.
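To make the first-match behaviour behind both of the ACL orderings above concrete, here is an added Python model of IOS ACL evaluation (my own example, not code from this thread); the wildcard-mask matcher, the packet tuples and the two ACL versions are constructed for illustration, the entries themselves being the ones Olaf and David posted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Ace:
    """One access-list entry (source side only, which is all these ACLs use)."""
    action: str                                   # "permit" or "deny"
    proto: str                                    # "ip", "udp" or "tcp"
    src: str                                      # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    src_ports: Optional[Tuple[int, int]] = None   # "range LO HI" on the source, udp/tcp only

def src_matches(spec: str, addr: str) -> bool:
    """Apply an IOS source specifier; wildcard bits set to 1 mean 'don't care'."""
    if spec == "any":
        return True
    kind, *rest = spec.split()
    if kind == "host":
        return addr == rest[0]
    net = int(ipaddress.IPv4Address(kind))
    wildcard = int(ipaddress.IPv4Address(rest[0]))
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (net | wildcard)

def first_match(acl, proto, src_ip, src_port):
    """IOS evaluates top-down and stops at the first hit; no hit is the implicit deny."""
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not src_matches(ace.src, src_ip):
            continue
        if ace.src_ports and not (ace.src_ports[0] <= src_port <= ace.src_ports[1]):
            continue
        return idx, ace.action
    return None, "deny"

# Constructed from the thread: the order Olaf describes (general 'permit ip' first) ...
SHADOWED = [
    Ace("permit", "ip", "192.168.99.0 0.0.0.7"),
    Ace("permit", "udp", "host 192.168.99.4", (10001, 20000)),
]
# ... and David's reorder with an explicit deny between the two entries
REORDERED = [
    Ace("permit", "udp", "host 192.168.99.4", (10001, 20000)),
    Ace("deny", "udp", "host 192.168.99.4"),
    Ace("permit", "ip", "192.168.99.0 0.0.0.7"),
]

if __name__ == "__main__":
    for name, acl in (("shadowed", SHADOWED), ("reordered", REORDERED)):
        for pkt in (("udp", "192.168.99.4", 15000), ("udp", "192.168.99.4", 5060),
                    ("udp", "192.168.99.5", 53), ("udp", "192.168.99.9", 53)):
            print(name, pkt, "->", first_match(acl, *pkt))
```

In the shadowed order every packet from 192.168.99.4 hits entry 0, so the range entry is dead; in the reordered version other UDP from .4 is dropped by entry 1. Note that ACL 110 here only selects which inside traffic gets overloaded onto Dialer1, so neither ordering by itself steers an inbound port range to one host, which is what the thread concludes.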
07-12-2007 01:14 PM
I thought the same, and tried it, but I'll recheck and post results.
The result is that the router can't do DNS requests and all ports are mapped.
Regards,
Olaf
07-12-2007 01:03 PM
ip subnet-zero
no ip source-route
ip cef
ip name-server 212.x.x.97
ip name-server 212.x.x.98
interface Vlan1
ip address 192.168.99.1 255.255.255.248
no ip redirects
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
load-interval 30
!
interface Dialer1
ip address negotiated
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname
ppp chap password 7
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip dns server
!
ip nat inside source list 110 interface Dialer1 overload
ip nat inside source static 192.168.99.4 interface Dialer1
access-list 110 permit udp host 192.168.99.4 range 10001 20000 any
access-list 110 permit ip 192.168.99.0 0.0.0.7 any
I removed the ip access-group in on Dialer1 to test.
Very thankful,
Olaf
07-12-2007 01:34 PM
If someone else has an idea - hopefully they can help you. I am getting ready to leave for this afternoon. I will continue working on this tomorrow if no one has found a solution.
07-12-2007 01:38 PM
Ok. Thanks for your help.
Good night.
07-12-2007 08:08 PM
olafmarcos,
You are not going to like this answer. I tried many things in my test network to no avail. I finally opened a TAC case with Cisco because this was driving me insane. Bottom line: what you want to do is not possible, at least not the way you want to do it.
You have one of two options.
Create a static nat entry for every single port you want forwarded, so like 10,000 entries or something insane like that. The other option is to use the same configuration as what we have provided, with the same ACLs you are using, but request an additional IP address from your ISP. Typically an ISP can provide something like a /29 so that you can have the primary IP address on the outside interface for Internet connectivity, DNS lookups, router remote management etc... Then you would have them give you the next available IP in the range to use for your voip server. This way you will create the static translation, then create the ACL to restrict to the ports you actually want to permit. I have spoken to both a TAC tech and my SE and they have both confirmed this. Let me know if you figure something else out. I have tried everything I can think of - I also found the old configuration that I thought I accomplished this in - I was wrong; I finally got a second static IP from my ISP.
07-12-2007 10:21 PM
Hi David,
I requested one more IP address 2 days ago. I know that with at least 2 IP addresses it is possible.
But the second IP address is NATted totally. If tomorrow I want to map another range to another internal IP address, I will need one more IP address. This is an unnecessary waste of public IP addresses.
With all cheap routers, you can map one range to one internal IP address, another range to a different internal IP address, and so on. And all of this with ONE public IP.
I don't believe that this simple (trivial) and very common issue is not possible with Cisco IOS. Yes, possible, but by buying public IPs and wasting them.
I am losing my trust in Cisco.
Many many thanks, David. I don't know how to transmit this important impediment to Cisco so that they try to resolve it or give me some good explanation of why they are doing things like this.
My best regards,
Olaf
07-13-2007 05:55 AM
Hi Olaf,
Please cool down.
If I have understood clearly, you want to use 1 public IP address and NAT (static NAT) to private IPs inside the network so that you may use it for different purposes?
Just wondering why you are not considering a PIX FW for this; I have done NATting on many PIX boxes and didn't have any issues (though not the exact way you are trying to do it).
Please correct me if I'm wrong.
Looking forward to hearing from your side,
Kind Regards,
Wilson Samuel