08-31-2012 02:33 PM - edited 03-04-2019 05:26 PM
Hi there,
I have been banging my head on my keyboard for hours researching this issue and trying to find a solution.
I need to forward a range of UDP ports (about 100 of them) for a Minecraft server I am setting up and for other services on my network, and I would like to find the easy way of doing this. I only get 1 dynamic IP assigned by my ISP, so static NAT won't work for my situation.
The method I have been using to open UDP ports is
"ip nat inside source static udp 192.168.1.101 7101 interface FastEthernet0/1 7101"
and that's good and works and all, but it isn't very efficient, as 100 entries like that will clutter up my config.
I have been using the following method to forward TCP ports, which works great; I just can't get UDP to forward this way.
ip nat pool stream 192.168.1.100 192.168.1.100 netmask 255.255.255.0 type rotary
ip nat inside destination list 105 pool stream
ip access-list extended 105
permit udp any any range 5000 5011
permit tcp any any range 5000 5011
Is there any easy way that anyone knows of to forward UDP port ranges?
Thanks.
Setup:
Cisco 1841
IOS version: 12.4(24)t2
1 external interface with 1 ISP dynamic IP
config :
Current configuration : 2792 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPS700
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
no ip source-route
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat pool stream 192.168.1.100 192.168.1.100 netmask 255.255.255.0 type rotary
ip nat pool websvr 192.168.1.101 192.168.1.101 netmask 255.255.255.0 type rotary
ip nat inside source static tcp 192.168.1.101 7103 interface FastEthernet0/1 7103
ip nat inside source static udp 192.168.1.100 7100 interface FastEthernet0/1 7100
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside destination list stream pool stream
ip nat inside destination list webevr pool websvr
!
ip access-list extended Stream
permit udp any any range 5000 5011
permit tcp any any range 5000 5011
ip access-list extended websvr
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any range 25500 25600
permit udp any any range 25500 25600
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
!
!
scheduler allocate 20000 1000
end
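Added example, not part of the original post: a short Python check that cross-references the ACL and pool names used by `ip nat inside ...` rules against the names actually defined in a configuration. The sample is constructed from the NAT lines posted above; the function name is hypothetical, and names are compared case-sensitively, so `stream` and `Stream` count as different names.

```python
import re

# Constructed sample: NAT-related lines taken from the configuration posted above.
CONFIG = """\
ip nat pool stream 192.168.1.100 192.168.1.100 netmask 255.255.255.0 type rotary
ip nat pool websvr 192.168.1.101 192.168.1.101 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside destination list stream pool stream
ip nat inside destination list webevr pool websvr
ip access-list extended Stream
 permit udp any any range 5000 5011
ip access-list extended websvr
 permit tcp any any eq www
access-list 1 permit 192.168.1.0 0.0.0.255
"""

def dangling_nat_refs(config):
    """Return (kind, name, line) for NAT rules naming an undefined ACL or pool."""
    acls, pools, refs = set(), set(), []
    for raw in config.splitlines():
        line = raw.strip()
        # Collect definitions: named ACLs, numbered ACLs, NAT pools.
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
        if m:
            acls.add(m.group(1))
        m = re.match(r"access-list (\d+) ", line)
        if m:
            acls.add(m.group(1))
        m = re.match(r"ip nat pool (\S+) ", line)
        if m:
            pools.add(m.group(1))
        # Collect references made by NAT rules ("list NAME", "pool NAME").
        if line.startswith("ip nat inside "):
            for kind, name in re.findall(r"\b(list|pool) (\S+)", line):
                refs.append((kind, name, line))
    # Resolve only after the whole file is read; definitions may follow their use.
    return [(kind, name, line) for kind, name, line in refs
            if name not in (acls if kind == "list" else pools)]

if __name__ == "__main__":
    for kind, name, line in dangling_nat_refs(CONFIG):
        print(f"undefined {kind} '{name}' in: {line}")
```
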
02-04-2013 09:37 AM
Would this work?
ip nat inside source static 192.168.1.101 interface FastEthernet0/1 route-map MINECRAFT extendable
ip nat inside source list 101 interface FastEthernet0/1 overload
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit udp host 192.168.1.101 any range 25500 25600
!
route-map MINECRAFT permit 10
match ip address 100
02-04-2013 10:44 AM
For some reason my router does not allow the command
ip nat inside source static 192.168.1.101 interface FastEthernet0/1 route-map MINECRAFT extendable
I can enter "ip nat inside source static 192.168.1.101 interface FastEthernet0/1" but it won't accept route-map after that.
Weird...
02-04-2013 12:28 PM
Well, the "interface 0/1" should be your public static IP address
Then test it with:
sh ip nat translations | i udp
04-11-2017 01:52 AM
All NAT configurations with ACL and UDP port ranges do not work;
The solution is quite simple: "ip nat portgrange";
I.e., we have the setup:
[SX-20]--------{LAN}[Router 881]{WAN}-------{internet}
SX-20 has IP 192.168.100.10;
R881's LAN interface 192.168.100.1;
R881's WAN interface 100.20.11.200;
IOS version is 15.4(3)M7;
Our configuration must meet the requirements:
1) SX-20 must be able to accept inbound calls from internet;
2) SX-20 must be able to call any video terminal in internet;
3) Network administrator must be able to connect to R881's console via SSH from internet;
!------Configuration------!
interface Vlan2
description ***LAN***
ip address 192.168.100.1 255.255.255.0
no ip redirects
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet4
description ***WAN***
ip address 100.200.11.200 255.255.255.0
no ip redirects
ip nat outside
ip virtual-reassembly in
!
ip route 0.0.0.0 0.0.0.0 172.20.11.1
!
! The ACL below should contain only the IP address of SX-20;
ip access-list extended VKS-TERMINAL
permit ip host 192.168.100.10 any
!
ip nat portmap RTP-RANGE-PORTMAP
appl udp-rtp startport 16384 size 16384
!
! SSH connection to router;
ip nat inside source static tcp 192.168.100.1 22 interface FastEthernet4 22
! HTTP connection to SX-20's web interface
ip nat inside source static tcp 192.168.100.10 80 interface FastEthernet4 80
! Inbound SIP signaling;
ip nat inside source static udp 192.168.100.10 5060 interface FastEthernet4 5060
ip nat inside source static udp 192.168.100.10 5061 interface FastEthernet4 5061
ip nat inside source static tcp 192.168.100.10 5060 interface FastEthernet4 5060
ip nat inside source static tcp 192.168.100.10 5061 interface FastEthernet4 5061
ip nat inside source static udp 192.168.100.10 5062 interface FastEthernet4 5062
! Inbound H.323 signaling;
ip nat inside source static tcp 192.168.100.10 1718 interface FastEthernet4 1718
ip nat inside source static tcp 192.168.100.10 1719 interface FastEthernet4 1719
ip nat inside source static tcp 192.168.100.10 1720 interface FastEthernet4 1720
! The entry below allows SX-20 to connect to internet and allows inbound RTP connections;
ip nat inside source list VKS-TERMINAL interface FastEthernet4 overload portmap RTP-RANGE-PORTMAP
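Added example, not part of the original post: a Python review helper that lists which inside hosts and ports the static NAT entries publish on the outside interface, and marks entries that forward to a management service or to one of the router's own interface addresses. The sample is a constructed subset of the lines above; the function name and the set of ports treated as management services are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the configuration lines posted above.
CONFIG = """\
interface Vlan2
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
interface FastEthernet4
 ip address 100.200.11.200 255.255.255.0
 ip nat outside
ip nat inside source static tcp 192.168.100.1 22 interface FastEthernet4 22
ip nat inside source static tcp 192.168.100.10 80 interface FastEthernet4 80
ip nat inside source static udp 192.168.100.10 5060 interface FastEthernet4 5060
ip nat inside source static tcp 192.168.100.10 1720 interface FastEthernet4 1720
"""

# Assumption for this example: TCP ports treated as management services.
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}

STATIC_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")

def audit_static_nat(config):
    """Return {inside_ip: [(proto, outside_port, note), ...]} for static port forwards."""
    # Addresses configured on the router's own interfaces.
    router_ips = set(re.findall(r"^\s*ip address (\d+\.\d+\.\d+\.\d+) ", config, re.M))
    exposed = defaultdict(list)
    for proto, ip, in_port, _iface, out_port in STATIC_RE.findall(config):
        notes = []
        if proto == "tcp" and int(in_port) in MGMT_PORTS:
            notes.append("management:" + MGMT_PORTS[int(in_port)])
        if ip in router_ips:
            notes.append("router-itself")
        exposed[ip].append((proto, int(out_port), ",".join(notes)))
    return dict(exposed)

if __name__ == "__main__":
    for ip, entries in audit_static_nat(CONFIG).items():
        for proto, port, note in entries:
            print(f"{ip:<16} {proto}/{port:<6} {note}")
```
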