port range forwarding on Cisco 1811? (H.323/NAT issue)

kevinsoliz
Level 1

Can anyone help me understand how this might work? I’m having serious issues getting Tandberg H.323 working behind this router with NAT.

My setup is Cisco 1811 configured with Fas0 to pull DHCP (public address). This router is being used in a mobile medical clinic VAN so the setup needs to be seamless and transparent to the users. The idea with the DHCP is anywhere they go they could pull a DHCP address and then NAT behind that address. The van visits mostly small schools in the Texas Rio Grande Valley providing medical assistance and consulting to the local community. The router has an 8 port built in switch and all ports are sitting in default VLAN 1.

Basic stripped down config, only relevant commands listed…

ip dhcp excluded-address 10.0.0.1 10.0.0.4
ip dhcp pool VANnet
 network 10.0.0.0 255.255.255.240
 default-router 10.0.0.1
 dns-server 10.0.0.1
!
interface FastEthernet0
 ip address dhcp
 ip nat outside
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.240
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255

Basically everything from the 10.x.x.x is NAT’d to the Fas0 DHCP’s address. Then I have several static NATs defined for port forwarding…

! 10.0.0.2 is the Tandberg unit
ip nat inside source static tcp 10.0.0.2 1719 interface FastEthernet0 1719
ip nat inside source static tcp 10.0.0.2 1720 interface FastEthernet0 1720

Now initially I can’t even get the call to connect with just using the ports above, which I should. Also, knowing there are several issues with H.323 and NAT, I went ahead and added all known ports Tandberg says they use…

80 HTTPd *TCP
443 HTTPs TCP
1719 H323/RAS UDP
1720 H323/Q931 *TCP
2326-2373 (2837)** H323/RTP UDP
5555-55xx (5587)** H323/H.245/Q.931 TCP

Basically I created static NAT entries for all the ports and the ranges above. For the ranges I had to add a line for every port.

For example on the ranges I had to do this…

ip nat inside source static udp 10.0.0.2 2326 interface FastEthernet0 2326
ip nat inside source static udp 10.0.0.2 2327 interface FastEthernet0 2327
ip nat inside source static udp 10.0.0.2 2328 interface FastEthernet0 2328
etc… (all the way down through each port range)

This didn’t and hasn’t worked yet, even with some additional tweaking… Finally, the question… am I going about this all wrong? Is there an arrangement of commands that will even work? How can I accomplish the port forwarding setup of a Linksys/Netgear router on a real Cisco router?

9 Replies

tekha
Level 3

I have a couple of things I need to clarify.

First thing, are the schools the van is visiting using private addresses (RFC1918)? If so, have you made sure they don't use 10.x.x.x in some form or another?

Secondly, aren't the schools also performing NAT, if they are using private addresses? And wouldn't this be a problem with H.323?

Having said that, you might want to use this NAT statement instead: "ip nat inside source static 10.0.0.2 interface FastEthernet0" as well as "ip nat inside source list 1 interface Fas0 overload". As far as I know this should work.

They are all using RFC1918 space :-) on different networks inside 10.x.x.x but none are using 10.0.x.x

You are also correct about them performing NAT on their public side... In most cases when the VAN would pull up here is how the connectivity would work...

1. The VAN plugs in at the school and the VAN’s router (1811) pulls an IP via DHCP (real example, 10.180.16.250)

2. That address is then NAT'd on the 1811 to an inside private net of 10.0.0.0/28. That DHCP address is overloaded and also static NATs are defined from 10.0.0.2 (Tandberg unit) to Fas0 (the DHCP’d schools address) to allow all known H.323 ports.

3. In summary, 10.0.0.2, the Tandberg unit inside the VAN is NAT'd to 10.180.16.250 (My NAT) which is then NAT'd to a public address of 67.x.x.x (Schools NAT) assigned to the school through their firewall (PIX 525)

Crazy huh? :)

Interesting you pointing out the "ip nat inside source static 10.0.0.2 interface FastEthernet0" option, not sure why it didn’t cross my mind to simply try that. I was so caught up in all the H323 port mess. Unfortunately I can’t try any of this out because I'm back in town from the trip. I should be going back down in a few weeks to mess with this again. I just wanted to post this somewhere to wrap my mind around how to make this work

Well, crazy or not, I'm sure there is a solution.

However I'm pretty sure the PIX 525 will ruin everything, unless you were to open up and NAT the 67.x.x.x address to the outside address on the 1800 router (10.180.16.250), but that means that you need that IP reserved on the school's DHCP server, so the van always gets the same IP address. And in case you were to later change the router in the van, you are to move the MAC address of FastEthernet0 to the new router.

All this is possible, but I guess you need all these things done on multiple schools, right?

Which makes a bit of a nightmare, when trying to document the whole thing.

Maybe there is a better solution......I hope so.

After doing some more research, as long as fixup H323 is used on the PIX, that part shouldn’t be an issue. Also I have very good cooperation from the schools, so setup on their end is not an issue. The NAT from the school's public address 67.x.x.x to the router's global address 10.180.x.x is already set up. And yes, the idea was there would be a DHCP reservation set up at each school with external NAT set up to that reservation. All of that is fine; the real issue is the second NAT on my end in the VAN.

The question still remains, are there any equivalent commands on the router that would accomplish "port forwarding/ranges" like on a Linksys/Netgear broadband router? Or should "ip nat inside source static 10.0.0.2 interface FastEthernet0" be enough?

I would go with "ip nat inside source static 10.0.0.2 interface FastEthernet0", however if you want to NAT only the specified port numbers, I think this is the way to go:

ip nat inside source static 10.0.0.2 10.180.16.250 route-map BLAH extendable
!
ip access-list extended ACL-FOR-THE-TANDBERG
 permit tcp host 10.0.0.2 any eq www
 permit tcp host 10.0.0.2 any eq 443
 permit udp host 10.0.0.2 any eq 1719
 permit tcp host 10.0.0.2 any eq 1720
 permit udp host 10.0.0.2 any range 2326 2373
 permit tcp host 10.0.0.2 any range 5555 5587
!
route-map BLAH permit 10
 match ip address ACL-FOR-THE-TANDBERG

UnfortuNATly it only works by stating the WAN address (10.180.16.250), you can't state the interface (FastEthernet0). This sort of ruins the idea that you want to be able to connect the router to any school network, without having to reconfig the router.

And I'm not sure this config allows NAT to work from both inside->outside as well as outside->inside.
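As an added illustration (not code from the thread or from Cisco), the script below renders the two arrangements discussed above for the Tandberg port table from the original post: the per-port "ip nat inside source static ... interface FastEthernet0" lines the poster typed by hand, and the route-map restricted static NAT suggested in the reply, which needs the literal WAN address and so has to be rendered once per school. The addresses 10.0.0.2 and 10.180.16.250, the ACL name and the route-map name are taken from the thread; the function names are this example's own. From a defensive standpoint the route-map form is the interesting one: a plain one-to-one static NAT exposes every listening port on the unit, while the ACL limits translation to the vendor's published ports.

```python
"""Render the two NAT arrangements discussed in this thread for the Tandberg unit."""
from ipaddress import ip_address

# Port table from the original post (Tandberg's published H.323 ports).
# 1719 (H.323/RAS) is UDP in that table, although the original static entry used tcp.
# Each tuple: (protocol, first port, last port).
TANDBERG_PORTS = [
    ("tcp", 80, 80),        # HTTPd
    ("tcp", 443, 443),      # HTTPs
    ("udp", 1719, 1719),    # H.323/RAS
    ("tcp", 1720, 1720),    # H.323/Q.931
    ("udp", 2326, 2373),    # H.323/RTP
    ("tcp", 5555, 5587),    # H.245/Q.931
]


def per_port_static_nat(inside_ip, ports=TANDBERG_PORTS, outside_iface="FastEthernet0"):
    """One 'ip nat inside source static' line per port, which is what the original
    post did by hand. It binds to the interface (so it survives a new DHCP lease)
    but expands into one entry for every port of every range."""
    ip_address(inside_ip)  # raises ValueError on a malformed address
    lines = []
    for proto, lo, hi in ports:
        for port in range(lo, hi + 1):
            lines.append(
                f"ip nat inside source static {proto} {inside_ip} {port} "
                f"interface {outside_iface} {port}"
            )
    return lines


def route_map_static_nat(inside_ip, wan_ip, ports=TANDBERG_PORTS,
                         acl_name="ACL-FOR-THE-TANDBERG", route_map="BLAH"):
    """The route-map restricted static NAT suggested in the thread: a single
    static entry whose matched ACL limits which ports get translated. It needs
    the literal WAN address, so it must be rendered once per school."""
    ip_address(inside_ip)
    ip_address(wan_ip)
    lines = [f"ip access-list extended {acl_name}"]
    for proto, lo, hi in ports:
        match = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
        lines.append(f" permit {proto} host {inside_ip} any {match}")
    lines += [
        "!",
        f"route-map {route_map} permit 10",
        f" match ip address {acl_name}",
        "!",
        f"ip nat inside source static {inside_ip} {wan_ip} route-map {route_map} extendable",
    ]
    return lines


def exposed_port_count(ports=TANDBERG_PORTS):
    """Number of ports the ACL-restricted form exposes; a plain one-to-one static
    NAT would expose these plus anything else listening on the unit."""
    return sum(hi - lo + 1 for _, lo, hi in ports)


if __name__ == "__main__":
    # Addresses from the thread's example: 10.0.0.2 is the Tandberg unit,
    # 10.180.16.250 the DHCP lease the router received at one school.
    print("\n".join(route_map_static_nat("10.0.0.2", "10.180.16.250")))
    print(f"! the per-port approach would need {len(per_port_static_nat('10.0.0.2'))} lines")
```

Running it prints the route-map configuration for one school and reports that the per-port approach needs 85 separate static entries for the same port table, which is why the route-map form is the one worth scripting per site.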

Interesting... never would have thought of doing it that way. Using that example I could script it out for each school, then have the folks in the VAN execute it from a shortcut on the desktop. I think I have enough to go on here to make something work...

Thanks again for the help and suggestions.

You are welcome.

And please make sure to post back here, when you have found a working solution.

Thanks for the tip, and as you mentioned.. I wish it could work with the interface! I have a dynamic IP on my DSL and I needed that...

Oh well.. anyway, thanks again for the info

darin.marais
Level 4

Just an observation: in your post, is port 1719 TCP or UDP?
