10-08-2018 05:52 AM
Hello Techs,
For our customer's PBX I have to forward ports 9,000 to 10,999. I tried to do it with the route-map command and an ACL, but in this case all site-to-site VPN connections are disconnected.
Public IP address: 96.76.166.76
PBX IP address: 172.16.164.1
Here is an excerpt from the configuration:
interface GigabitEthernet8
 ip address 96.76.166.76 255.255.255.252
 ip nat outside
!
interface GigabitEthernet6
 switchport access vlan 75
 no ip address
!
interface Vlan75
 ip address 172.16.164.254 255.255.255.0
 ip nat inside
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet8 overload
ip nat inside source static udp 172.16.164.1 5060 96.76.166.76 5060 extendable
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
access-list 104 deny ip 172.16.166.0 0.0.0.255 172.16.174.0 0.0.0.255
access-list 104 deny ip 10.7.0.0 0.0.0.255 172.16.176.0 0.0.0.255
access-list 104 deny ip 172.16.166.0 0.0.0.255 172.16.176.0 0.0.0.255
access-list 104 deny ip 10.7.0.0 0.0.0.255 172.16.168.0 0.0.0.255
access-list 104 deny ip 172.16.166.0 0.0.0.255 172.16.168.0 0.0.0.255
access-list 104 deny ip 10.7.0.0 0.0.0.255 172.16.169.0 0.0.0.255
access-list 104 deny ip 172.16.166.0 0.0.0.255 172.16.169.0 0.0.0.255
access-list 104 deny ip 10.7.0.0 0.0.0.255 172.16.170.0 0.0.0.255
access-list 104 deny ip 172.16.166.0 0.0.0.255 172.16.170.0 0.0.0.255
access-list 104 deny ip 10.7.0.0 0.0.0.255 172.16.171.0 0.0.0.255
access-list 104 deny ip 172.16.166.0 0.0.0.255 172.16.171.0 0.0.0.255
access-list 104 deny ip 10.7.0.0 0.0.0.255 172.16.172.0 0.0.0.255
access-list 104 deny ip 172.16.166.0 0.0.0.255 172.16.172.0 0.0.0.255
access-list 104 deny ip 10.7.0.0 0.0.0.255 172.16.173.0 0.0.0.255
access-list 104 deny ip 172.16.166.0 0.0.0.255 172.16.173.0 0.0.0.255
access-list 104 deny ip 10.7.0.0 0.0.0.255 172.16.175.0 0.0.0.255
access-list 104 deny ip 172.16.166.0 0.0.0.255 172.16.175.0 0.0.0.255
access-list 104 deny ip 10.7.0.0 0.0.0.255 172.16.177.0 0.0.0.255
access-list 104 deny ip 172.16.166.0 0.0.0.255 172.16.177.0 0.0.0.255
access-list 104 deny ip 10.7.0.0 0.0.0.255 172.16.178.0 0.0.0.255
access-list 104 deny ip 172.16.166.0 0.0.0.255 172.16.178.0 0.0.0.255
access-list 104 deny ip 10.7.0.0 0.0.0.255 172.16.179.0 0.0.0.255
access-list 104 deny ip 172.16.166.0 0.0.0.255 172.16.179.0 0.0.0.255
access-list 104 deny ip 172.16.166.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 deny ip 172.16.166.0 0.0.0.255 172.16.180.0 0.0.0.255
access-list 104 deny ip 10.7.0.0 0.0.0.255 172.16.180.0 0.0.0.255
access-list 104 deny ip 172.16.166.0 0.0.0.255 172.16.181.0 0.0.0.255
access-list 104 deny ip 10.7.0.0 0.0.0.255 172.16.181.0 0.0.0.255
access-list 104 permit ip 172.16.165.0 0.0.0.255 any
access-list 104 permit ip 172.16.10.0 0.0.0.255 any
access-list 104 permit ip 172.16.166.0 0.0.0.255 any
access-list 104 permit ip 172.16.164.0 0.0.0.255 any
Here is the attempt to implement it:
ip nat inside source static 172.16.164.1 96.76.166.76 route-map SDM_RMAP_2
!
route-map SDM_RMAP_2 permit 10
 match ip address 106
!
access-list 106 permit udp 172.16.164.1 any range 9000 10999
Many thanks in advance for your contributions.
10-08-2018 02:05 PM
Can you post the full configuration to review?
10-08-2018 11:29 PM