NAT UDP port range forwarding howto?

jasonkd7tqn
Level 1

Hi there,

I have been banging my head on my keyboard for hours researching this issue and trying to find a solution.

I need to forward a range of UDP ports (about 100 of them) for a Minecraft server I am setting up and for other services on my network, and I would like to find the easy way of doing this. I only get 1 dynamic IP assigned by my ISP, so static NAT won't work for my situation.

The method I have been using to open UDP ports is

"ip nat inside source static udp 192.168.1.101 7101 interface FastEthernet0/1 7101"

and that's good and works and all, but it isn't very efficient, as 100 entries like that will clutter up my config.

I have been using the following method to forward TCP ports, which works great; I just can't get UDP to forward this way.

ip nat pool stream 192.168.1.100 192.168.1.100 netmask 255.255.255.0 type rotary
ip nat inside destination list 105 pool stream
ip access-list extended 105
 permit udp any any range 5000 5011
 permit tcp any any range 5000 5011

Is there any easy way that anyone knows of to forward UDP port ranges?

Thanks.

Setup:

Cisco 1841

IOS version: 12.4(24)t2

1 external interface with 1 ISP dynamic IP

Config:

Current configuration : 2792 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPS700
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
no ip source-route
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat pool stream 192.168.1.100 192.168.1.100 netmask 255.255.255.0 type rotary
ip nat pool websvr 192.168.1.101 192.168.1.101 netmask 255.255.255.0 type rotary
ip nat inside source static tcp 192.168.1.101 7103 interface FastEthernet0/1 7103
ip nat inside source static udp 192.168.1.100 7100 interface FastEthernet0/1 7100
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside destination list stream pool stream
ip nat inside destination list webevr pool websvr
!
ip access-list extended Stream
 permit udp any any range 5000 5011
 permit tcp any any range 5000 5011
ip access-list extended websvr
 permit udp any any eq domain
 permit tcp any any eq www
 permit tcp any any range 25500 25600
 permit udp any any range 25500 25600
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
!
!
scheduler allocate 20000 1000
end
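
Added example, not part of the original post: a small Python audit that inventories the static port forwards in an IOS configuration and reports NAT rules whose access list name has no definition under that exact spelling. The function name audit_nat, the regular expressions and the exact-match comparison are this example's own assumptions; the sample input is an excerpt of the configuration posted above.

```python
import re

# Excerpt of the configuration posted above, embedded as sample input.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.1.101 7103 interface FastEthernet0/1 7103
ip nat inside source static udp 192.168.1.100 7100 interface FastEthernet0/1 7100
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside destination list stream pool stream
ip nat inside destination list webevr pool websvr
ip access-list extended Stream
 permit udp any any range 5000 5011
 permit tcp any any range 5000 5011
ip access-list extended websvr
 permit udp any any eq domain
 permit tcp any any range 25500 25600
access-list 1 permit 192.168.1.0 0.0.0.255
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")
LIST_RE = re.compile(r"^ip nat inside (?:source|destination) list (\S+)")
NAMED_ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
NUMBERED_ACL_RE = re.compile(r"^access-list (\d+) ")

def audit_nat(config):
    """Return (static_forwards, undefined_acl_refs) for IOS config text."""
    forwards, referenced, defined = [], [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            proto, host, in_port, iface, out_port = m.groups()
            forwards.append((proto, host, int(in_port), iface, int(out_port)))
        elif m := LIST_RE.match(line):
            referenced.append(m.group(1))
        elif m := NAMED_ACL_RE.match(line) or NUMBERED_ACL_RE.match(line):
            defined.add(m.group(1))
    # Assumption of this example: names are compared exactly as written.
    undefined = [name for name in referenced if name not in defined]
    return forwards, undefined

if __name__ == "__main__":
    fwd, missing = audit_nat(SAMPLE_CONFIG)
    print("static forwards:", fwd)
    print("NAT rules referencing undefined access lists:", missing)
```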


chad patterson
Level 1
Would this work?

ip nat inside source static 192.168.1.101 interface FastEthernet0/1 route-map MINECRAFT extendable
ip nat inside source list 101 interface FastEthernet0/1 overload
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit udp host 192.168.1.101 any range 25500 25600
!
route-map MINECRAFT permit 10
 match ip address 100

For some reason my router does not allow the command

ip nat inside source static 192.168.1.101 interface FastEthernet0/1 route-map MINECRAFT extendable

I can enter "ip nat inside source static 192.168.1.101 interface FastEthernet0/1" but it won't accept route-map after that.

Weird...


Well, the "interface 0/1" should be your public static IP address.

Then test it with:

sh ip nat translations | i udp

All NAT configurations with ACL and UDP port ranges do not work;

The solution is quite simple: "ip nat portgrange";

I.e., we have the setup:

[SX-20]--------{LAN}[Router 881]{WAN}-------{internet}

SX-20 has IP 192.168.100.10;

R881's LAN interface 192.168.100.1;

R881's WAN interface 100.20.11.200;

IOS version is 15.4(3)M7;

Our configuration must meet the requirements:

1) SX-20 must be able to accept inbound calls from the internet;

2) SX-20 must be able to call any video terminal on the internet;

3) Network administrator must be able to connect to R881's console via SSH from the internet;

!------Configuration------!

interface Vlan2
 description ***LAN***
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet4
 description ***WAN***
 ip address 100.200.11.200 255.255.255.0
 no ip redirects
 ip nat outside
 ip virtual-reassembly in
!
ip route 0.0.0.0 0.0.0.0 172.20.11.1
!
! The ACL below should contain only the IP address of SX-20;
ip access-list extended VKS-TERMINAL
 permit ip host 192.168.100.10 any
!
ip nat portmap RTP-RANGE-PORTMAP
 appl udp-rtp startport 16384 size 16384
!
! SSH connection to router;
ip nat inside source static tcp 192.168.100.1 22 interface FastEthernet4 22
! HTTP connection to SX-20's web interface
ip nat inside source static tcp 192.168.100.10 80 interface FastEthernet4 80
! Inbound SIP signaling;
ip nat inside source static udp 192.168.100.10 5060 interface FastEthernet4 5060
ip nat inside source static udp 192.168.100.10 5061 interface FastEthernet4 5061
ip nat inside source static tcp 192.168.100.10 5060 interface FastEthernet4 5060
ip nat inside source static tcp 192.168.100.10 5061 interface FastEthernet4 5061
ip nat inside source static udp 192.168.100.10 5062 interface FastEthernet4 5062
! Inbound H.323 signaling;
ip nat inside source static tcp 192.168.100.10 1718 interface FastEthernet4 1718
ip nat inside source static tcp 192.168.100.10 1719 interface FastEthernet4 1719
ip nat inside source static tcp 192.168.100.10 1720 interface FastEthernet4 1720
! The entry below allows SX-20 to connect to the internet and allows inbound RTP connections;
ip nat inside source list VKS-TERMINAL interface FastEthernet4 overload portmap RTP-RANGE-PORTMAP
