06-11-2015 10:04 PM - edited 03-05-2019 01:39 AM
Hi, I have spent many hours trying to find a way to get this working. I have also tried to find a Cisco certified tech that actually knows what they are doing.
But at this current moment I have not been able to find either.
I am trying to open and NAT a range of UDP ports to an internal IP address. This is to use Avaya One-x SIP.
xxx.xxx.208.129 : UDP 49152 - 49408 <--> 192.168.1.10 : UDP 49152 - 49408
I have a Cisco 887VA Router (PID: CISCO887VA-SEC-K9) that connects my internal networks to the internet via DSL.
I have one Public IP address that is auto negotiated via the Dialer1 interface (DSL) - xxx.xxx.138.70
I have a new public IP range that is also coming in via DSL - xxx.xxx.208.128/29
I am currently using xxx.xxx.138.70 as the NAT overloaded IP for our internal PCs. The internal PCs are on the 192.168.1.0 network (VLAN1).
The Network 192.168.2.0 (VLAN2) and 192.168.3.0 (VLAN3) are currently unused. They will be connected later IF I ever get this running.
Currently we have TCP ports 5222, 5269 and 8444 NAT'ed to our OneX Server and TCP port 5061 NAT'ed to our SIP server.
This configuration works fine inside the office but I lose the voice channel when outside the office.
The voice channel is via encrypted and authenticated RTP/RTCP (UDP 49152 - 49408).
When I configure the static NAT for the whole IP address, I get a whole bunch of hack attempts on other ports from the internet.
ip nat inside source static 192.168.1.10 218.214.208.129
Any help would be greatly appreciated!
Below is my configuration:
Current configuration : 7909 bytes
!
! Last configuration change at 14:43:36 PCTime Fri Jun 12 2015
version 15.2
no parser cache
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname BP
!
boot-start-marker
boot-end-marker
!
!
enable secret xxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime 10 0
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3103805736
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3103805736
 revocation-check none
 rsakeypair TP-self-signed-3103805736
!
!
crypto pki certificate chain TP-self-signed-3103805736
 certificate self-signed 01
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  quit
!
!
!
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.50
ip dhcp excluded-address 192.168.3.1 192.168.3.50
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool vlan1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.1
 lease 7
!
ip dhcp pool vlan2
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 192.168.1.1
 lease 7
!
ip dhcp pool vlan3
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 dns-server 192.168.1.1
 lease 7
!
!
!
no ip bootp server
ip domain name xxxxxxxxxxxxxxxxxx
ip host onex.xxxxxxxxxxxxxxx.com.au 192.168.1.52
ip host ipo.xxxxxxxxxxxx.com.au 192.168.1.10
ip name-server 203.134.24.70
ip name-server 203.134.26.70
ip cef
no ipv6 cef
ipv6 spd queue min-threshold 30
ipv6 spd queue max-threshold 31
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9
!
!
archive
 log config
  hidekeys
username nathan privilege 15 secret xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
!
!
controller VDSL 0
!
ip tcp synwait-time 10
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxxxxxxxx address xxx.xxx.xxx.xxx
crypto isakmp invalid-spi-recovery
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile TS
!
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
!
!
interface Ethernet0
 description $ETH-WAN$
 ip address dhcp client-id Ethernet0
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 shutdown
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 hold-queue 224 in
 pvc 0/16 ilmi
 !
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 switchport trunk allowed vlan 1-3,1002-1005
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 3
 no ip address
 spanning-tree portfast
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly in
 hold-queue 32 in
 hold-queue 100 out
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly in
 hold-queue 32 in
 hold-queue 100 out
!
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip virtual-reassembly in
 hold-queue 32 in
 hold-queue 100 out
!
interface Dialer0
 no ip address
 no cdp enable
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxx@xxxxxxxxx
 ppp chap password xxxxxxxxxxxxxxxxx
 ppp pap sent-username xxxxxxxxx@xxxxxxxxxx password xxxxxxxxxxxxxxxxxxx
 crypto map CMAP
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip dns server
ip nat portmap UDP_RTP
 cisco-rtp-sip-high
 appl sip-rtp startport 49152 size 256
ip nat translation timeout 3600
no ip nat service sip udp port 5060
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.20 3389 interface Dialer1 22000
ip nat inside source static tcp 192.168.1.21 16992 interface Dialer1 22001
ip nat inside source static tcp 192.168.1.31 16992 interface Dialer1 22002
ip nat inside source static tcp 192.168.1.3 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.10 5061 xxx.xxx.208.129 5061 extendable
ip nat inside source static tcp 192.168.1.52 5222 xxx.xxx.208.129 5222 extendable
ip nat inside source static tcp 192.168.1.52 5269 xxx.xxx.208.129 5269 extendable
ip nat inside source static tcp 192.168.1.52 8444 xxx.xxx.208.129 8444 extendable
ip nat inside source static tcp 192.168.1.53 8080 xxx.xxx.208.130 8080 extendable
ip nat inside source static tcp 192.168.1.53 31272 xxx.xxx.208.130 31272 extendable
ip nat inside source static udp 192.168.1.53 31272 xxx.xxx.208.130 31272 extendable
ip nat inside source static tcp 192.168.1.54 80 xxx.xxx.208.131 80 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended SSH_LOGIN
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip any any
ip access-list extended VPN-TRAFFIC
 permit ip host 192.168.1.10 host 192.168.0.9
!
logging trap debugging
access-list 100 deny ip host 192.168.1.10 host 192.168.0.9
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
!
!
line con 0
 no modem enable
 length 0
 stopbits 1
line aux 0
line vty 0 4
 access-class SSH_LOGIN in
 exec-timeout 40 0
 privilege level 15
 login local
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
sntp server 192.189.54.17
!
end
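The post's core problem is that IOS static NAT has no port-range form, and a whole-address static mapping exposes every port of 192.168.1.10. An added example (not from the post or from Cisco) of the usual way to resolve that on this router: keep the whole-address mapping and narrow what can reach it with an inbound ACL on Dialer1, which IOS evaluates before NAT for outside-to-inside packets and which therefore matches the public addresses, plus CBAC inspection so that sessions opened from the LAN still get their return traffic. It assumes the SEC-K9 image has `ip inspect` (CBAC), that the existing per-port entries for 192.168.1.52 on the same global address can coexist with the whole-address mapping (verify on the box), and it reuses the post's masked addresses as placeholders.

```cisco
! Stateful inspection (CBAC) for sessions opened from the LAN, so their
! return traffic is let back in through the ACL below without opening ports
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
! Inbound filter for Dialer1. Outside-to-inside packets hit this ACL before
! NAT, so destinations are the public addresses (masked as in the post)
ip access-list extended DIALER1-IN
 remark IPsec peer of crypto map CMAP (placeholder address as in the post)
 permit udp host xxx.xxx.xxx.xxx any eq isakmp
 permit udp host xxx.xxx.xxx.xxx any eq non500-isakmp
 permit esp host xxx.xxx.xxx.xxx any
 remark decrypted VPN traffic, in case this IOS re-checks it against the ACL
 permit ip host 192.168.0.9 host 192.168.1.10
 remark replies to the router's own DNS forwarding and SNTP queries
 permit udp host 203.134.24.70 eq domain any
 permit udp host 203.134.26.70 eq domain any
 permit udp host 192.189.54.17 eq ntp any
 remark ICMP needed for path-MTU discovery and basic troubleshooting
 permit icmp any any packet-too-big
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 remark services on xxx.xxx.208.129: signalling ports plus the RTP/RTCP range
 permit tcp any host xxx.xxx.208.129 eq 5061
 permit tcp any host xxx.xxx.208.129 eq 5222
 permit tcp any host xxx.xxx.208.129 eq 5269
 permit tcp any host xxx.xxx.208.129 eq 8444
 permit udp any host xxx.xxx.208.129 range 49152 49408
 remark the other port-forwards already in the config, unchanged
 permit tcp any host xxx.xxx.208.130 eq 8080
 permit tcp any host xxx.xxx.208.130 eq 31272
 permit udp any host xxx.xxx.208.130 eq 31272
 permit tcp any any eq www
 permit tcp any any range 22000 22002
 remark anything else aimed at the public addresses is dropped and logged
 deny ip any any log
!
interface Dialer1
 ip access-group DIALER1-IN in
 ip inspect OUTBOUND out
!
! Whole-address static NAT for the SIP host; the ACL above, not NAT, is what
! keeps the unlisted ports closed (the per-port 5061 entry for 192.168.1.10
! becomes redundant once this is in)
ip nat inside source static 192.168.1.10 xxx.xxx.208.129
```

After applying it, `show access-lists DIALER1-IN` shows per-line hit counts (the final deny is where the scan noise from the post lands) and `show ip inspect sessions` lists the LAN-initiated sessions CBAC is tracking.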