32992 Views, 7 Helpful, 7 Replies

PORT FORWARDING RANGE

rotem.shein
Level 1

Dear Techs,

I am trying to forward a port range of 10,000 to 20,000 for a customer PBX. Normally I would use 1:1 NAT, but he is requesting specific traffic ports.

example:

public int: 192.168.1.3

internal IP: 10.0.1.49

My running config for NAT:

ip nat inside source list 101 interface FastEthernet0/0 overload

access-list 101 permit ip 10.0.1.0 0.0.0.255 any

7 Replies

fb_webuser
Level 6

Try using a pool with the rotary command like this:

ip nat pool portforward 10.0.1.49 10.0.1.49 netmask 255.255.255.0 type rotary

ip nat inside source list 110 interface FastEthernet0/0.6 overload

ip nat inside destination list 100 pool portforward

!

access-list 100 permit udp any any range 10000 20000

access-list 110 permit ip 10.0.1.0 0.0.0.255 any

You have the normal overload, and the range in a pool to connect to the PBX.

Hope it helps

---

Posted by WebUser Pedro Seabra Ávila from Cisco Support Community App

Thanks very much for the prompt response. I have tried the commands; I am still blocked on the NAT TRANS.

When switching back to 1:1 NAT I am in again fine.

ip nat inside source list 101 interface FastEthernet0/0 overload

ip nat pool portforward 10.0.1.49 10.0.1.49 netmask 255.255.255.0 type rotary

ip nat inside destination list 100 pool portforward

!

!

!

access-list 100 permit udp any any range 10000 20000

access-list 110 permit ip 10.0.1.0 0.0.0.255 any

Hope you can assist

Thanks

fb_webuser
Level 6

There is another solution, using route-maps as well:

ip access-list extended UDP_RTP

permit udp host <SIP HOST> any range 16384 37248

!

route-map SIP_NAT permit 10

match ip address UDP_RTP

!

ip nat inside source static 10.1.1.1 20.20.20.20 route-map SIP_NAT

http://www.voip-blog.co.uk/index.php/2009/11/21/nat-sip-range-on-uc500-cme

---

Posted by WebUser Pedro Seabra Ávila from Cisco Support Community App

ip access-list extended UDP_RTP

permit udp host <SIP HOST> any range 16384 37248

 

In this access list, do we allow the private host IP address or the public IP address (from where the inbound traffic comes over to the LAN)?

Neeraj Arora
Level 3

There is no clean solution for what you are trying to achieve except for using a one-to-one Static NAT mapping, which you've already mentioned works.

There is no "range" command in NAT, so you would not be able to use Static NAT port translation, as you'd have to configure 10,000 NAT statements.

So either use 1:1 NAT mapping, or you can consider Pedro's suggestion of using a route-map and matching ACL to only allow NAT to happen when these 10,000 ports are being accessed.

For a similar query, check this thread:

https://supportforums.cisco.com/thread/2141607

Hope it helps

Neeraj

Hi Neeraj,

 

Referring to Pedro's solution,

ip access-list extended UDP_RTP

permit udp host <SIP HOST> any range 16384 37248

 

In this access list, do we allow the private host IP address or the public IP address (from where the inbound traffic comes over to the LAN)?

 

Wizard4777
Level 1

Your local PBX IP
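
Added example (not part of any post in this thread): a small Python evaluator for the extended-ACL entries quoted above, showing that IOS reads a port operator placed after the destination as a destination-port match. It handles only the syntax used here (any / host / wildcard addresses, eq / range); the substitution of 10.0.1.49 for `<SIP HOST>`, the source-side variant and the sample packets are constructed for illustration.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))

def _ports(tok):
    """Consume an optional 'eq N' or 'range LO HI'; no operator means every port."""
    if tok and tok[0] in ("eq", "range"):
        op = tok.pop(0)
        lo = int(tok.pop(0))
        return lo, (int(tok.pop(0)) if op == "range" else lo)
    return 0, 65535

def parse_ace(line):
    """Parse one extended ACL entry: action proto SRC [src-ports] DST [dst-ports]."""
    tok = line.split()
    if tok[0] == "access-list":      # numbered form: drop "access-list <number>"
        tok = tok[2:]
    ace = {"action": tok.pop(0), "proto": tok.pop(0)}
    ace["src"], ace["sport"] = _addr(tok), _ports(tok)
    ace["dst"], ace["dport"] = _addr(tok), _ports(tok)
    return ace

def matches(ace, proto, src, sport, dst, dport):
    """True when the packet's 5-tuple satisfies the entry."""
    def ip_ok(spec, ip):
        base, wild = spec
        return (_ip(ip) | wild) == (base | wild)
    return (ace["proto"] in ("ip", proto)
            and ip_ok(ace["src"], src) and ace["sport"][0] <= sport <= ace["sport"][1]
            and ip_ok(ace["dst"], dst) and ace["dport"][0] <= dport <= ace["dport"][1])

# Entries from the thread; <SIP HOST> replaced with the PBX address 10.0.1.49 (assumption).
ACL_100 = parse_ace("access-list 100 permit udp any any range 10000 20000")
UDP_RTP = parse_ace("permit udp host 10.0.1.49 any range 16384 37248")
# Constructed variant: the same range moved to the source side of the entry.
UDP_RTP_SRC = parse_ace("permit udp host 10.0.1.49 range 16384 37248 any")
# Constructed packets; 203.0.113.10 is a documentation address standing in for a remote peer.
INBOUND = ("udp", "203.0.113.10", 5004, "192.168.1.3", 15000)
OUTBOUND = ("udp", "10.0.1.49", 16500, "203.0.113.10", 40000)
```

`matches(UDP_RTP, *OUTBOUND)` is false because the remote port 40000 falls outside the destination range, while `matches(UDP_RTP_SRC, *OUTBOUND)` is true because the PBX's own source port 16500 is what the range is compared against.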
