01-03-2009 06:59 PM - edited 03-04-2019 03:19 AM
I have a 2611 router connected with a dynamic IP assigned by the ISP. My configuration works fine for now, but when I get a new IP assigned from my ISP I know my port forwarding will break. For some reason I cannot route-map to the interface fa0/0 instead of the outside IP address. Does anyone know how to forward a range of ports to different internal IPs from the outside interface instead of the outside IP address? Here is my config:
Thanks,
~Roman
interface fa0/0
ip nat outside
interface fa0/1
ip nat inside
interface s1/0
ip nat inside
ip nat inside source list 1 interface fa0/0 overload
ip nat inside source static tcp 10.0.0.2 22 72.xxx.xxx.85 22 extendable
ip nat inside source static 192.168.1.3 72.xxx.xxx.85 route-map DESKTOP extendable
access-list 1 remark NAT OVERLOAD List
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 100 remark Desktop computer port-forwarding
access-list 100 permit tcp host 192.168.1.3 eq 3389 any
access-list 100 permit tcp host 192.168.1.3 eq 28960 any
access-list 100 permit udp host 192.168.1.3 range 28960 32000 any
route-map DESKTOP permit 10
match ip address 100
ip route 0.0.0.0 0.0.0.0 fa0/0 dhcp
01-05-2009 05:52 AM
Use the interface name:
ip nat inside source static tcp 192.168.0.1 2067 interface fa0/0 2067
ip nat inside source static tcp 192.168.0.2 2068 interface fa0/0 2068
ip nat inside source static tcp 192.168.0.3 2080 interface fa0/0 2080
ip nat inside source static tcp 192.168.0.4 2070 interface fa0/0 2070
ip nat inside source static tcp 192.168.0.5 2075 interface fa0/0 2075
Hope that helps.
01-06-2009 02:49 AM
For single port forwarding that would work, but what about the range of ports 28960 through 32000? Will I have to make a statement for each port, or is there an easier way to accomplish this without flooding my config with NAT statements?
Thanks,
~Roman
Also, it would be nice if Cisco could include the interface option in the route-map command in the next IOS release :)
Example:
ip nat inside source static 192.168.1.3 interface fa0/0 route-map DESKTOP
There is no option for this in my router even with a 12.4 IOS. If there is no solution for this, I'm hoping the next release of IOS will have this option so dynamic IPs would not cause this conflict. I know any Linksys router has the option to forward a range of ports and is designed for dynamic IP service, so I'm hoping a professional router like the 2611 could do the same.
Another thought: maybe the router automatically updates the IP by using an alias to the interface? Any thoughts?
01-06-2009 06:40 AM
In your first post you stated that you translate to a couple of different machines. Since you're doing that, you're stuck creating a ton of port translations. If you were going to one PC, you could just NAT all ports with the following command.
ip nat inside source static 192.168.13.5 interface Dialer0
With the NAT examples (using the interface instead of the IP), it will automatically update.
01-07-2009 02:15 AM
So you're telling me I need to make my config look like this for it to work?
interface fa0/0
ip nat outside
interface fa0/1
ip nat inside
interface s1/0
ip nat inside
ip nat inside source list 1 interface fa0/0 overload
ip nat inside source static tcp 10.0.0.2 22 interface fa0/0 22
ip nat inside source static tcp 192.168.1.4 20 interface fa0/0 20
ip nat inside source static tcp 192.168.1.4 21 interface fa0/0 21
ip nat inside source static tcp 192.168.1.2 80 interface fa0/0 80
ip nat inside source static tcp 192.168.1.3 3389 interface fa0/0 3389
ip nat inside source static tcp 192.168.1.3 28960 interface fa0/0 28960
ip nat inside source static udp 192.168.1.3 28960 interface fa0/0 28960
...
(3040 total statements required)
...
ip nat inside source static udp 192.168.1.3 32000 interface fa0/0 32000
access-list 1 remark NAT OVERLOAD List
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
ip route 0.0.0.0 0.0.0.0 fa0/0 dhcp
This means that my router config will be completely flooded, will probably reduce the performance of the router dramatically, and will make it extremely difficult to manage! NOTE: the 3040 statements required.
Does Cisco not have a better solution when any home-based Linksys router can do the job with a few clicks of a mouse? Doesn't Linksys use the same CLI command structure to manage the router's GUI in the background? Note: telnet and SSH are turned off in Linksys routers and there is no way to turn them on unless you have an old one with never-upgraded firmware lying around.
Can anyone else confirm that Cisco enterprise routers have no easy way of accomplishing this? And if so, how do I notify Cisco of the issue so that they can make the proper changes in the next IOS release?
This is one example of what I think Cisco should make available for this issue in their next release of the IOS, if there is no known current solution for this...
interface fa0/0
ip nat outside
interface fa0/1
ip nat inside
interface s1/0
ip nat inside
ip nat inside source list 1 interface fa0/0 overload
ip nat inside source static tcp 10.0.0.2 22 interface fa0/0 22 extendable
ip nat inside source static tcp 192.168.1.2 80 interface fa0/0 80 extendable
ip nat inside source static 192.168.1.3 interface fa0/0 route-map DESKTOP extendable
ip nat inside source static 192.168.1.4 interface fa0/0 route-map FTP extendable
access-list 1 remark NAT OVERLOAD List
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 100 remark Desktop computer port-forwarding
access-list 100 permit tcp host 192.168.1.3 eq 3389 any
access-list 100 permit tcp host 192.168.1.3 eq 28960 any
access-list 100 permit udp host 192.168.1.3 range 28960 32000 any
access-list 101 remark FTP Server computer port-forwarding
access-list 101 permit tcp host 192.168.1.4 range 20 21 any
route-map DESKTOP permit 10
match ip address 100
route-map FTP permit 10
match ip address 101
ip route 0.0.0.0 0.0.0.0 fa0/0 dhcp
Any help is appreciated!
Sincerely,
~Roman
01-07-2009 06:28 AM
Linksys and Cisco do not use the same CLI. AFAIK Cisco IOS cannot do this; however, the Cisco ASA (their firewall product) can use port ranges.
01-07-2009 03:55 PM
Understood.
Mr. Clark, is there a way for me to forward my request of implementing this option into the next IOS? Who would I have to forward this request to, or how would I go about doing this? I think it would help Cisco in supporting more customer needs in the future.
Thanks,
~Roman
01-08-2009 06:15 AM
Roman-
The best I know of is to talk with your local Cisco sales rep. You could also call your local Cisco office directly. Best of luck.
Collin
01-08-2009 04:50 PM
Collin,
Thanks for all your help regarding this matter. I think I have figured out a solution from your advice on using a Linksys router connecting to my router. I think if you have 2 Cisco 2611 routers you can accomplish port forwarding, because the second router in line only needs to know the IP from the first router, which will always be static. The first router would only have to forward all port numbers to a single IP with this command:
ip nat inside source static 10.0.0.5 interface fa0/0
10.0.0.5 would be the outside interface for router 2.
Then I would set up NAT overload on the second router with port forwarding using the route-map command! Or my other options would be to get an ASA firewall that has these capabilities or a Linksys router as you suggested. Do you think this would work in a dynamic IP environment?
Another interesting command I stumbled upon was port-map, which I think is for UPnP support to the firewall and cannot be used for port forwarding. I might be wrong though.
Sincerely,
Roman K.
01-10-2009 08:15 AM
Hi,
If you only have one internal IP requiring a lot of ports to be forwarded, you could use the NAT Default Inside Server functionality as follows:
ip nat inside source list 1 interface fa0/0 overload
ip nat inside source static tcp 10.0.0.2 22 interface fa0/0 22
ip nat inside source static tcp 192.168.1.2 80 interface fa0/0 80
ip nat inside source static 192.168.1.3 interface fa0/0
ip nat inside source static tcp 192.168.1.4 20 interface fa0/0 20
ip nat inside source static tcp 192.168.1.4 21 interface fa0/0 21
But this would completely expose 192.168.1.3 to the outside (with the exception of the ports forwarded to the other IPs). To safeguard against this, you can add an inbound ACL to Fa0/0, and use ip inspect to dynamically open it for (inside-originated session) reply packets, as follows:
access-list 150 permit tcp any any eq 20
access-list 150 permit tcp any any eq 21
access-list 150 permit tcp any any eq 22
access-list 150 permit tcp any any eq 80
access-list 150 permit tcp any any eq 3389
access-list 150 permit udp any any range 28960 32000
ip inspect name in-to-out tcp
ip inspect name in-to-out udp
ip inspect name in-to-out icmp
interface fa0/0
ip access-group 150 in
ip inspect in-to-out out
no ip unreachables
Cheers,
(Also) Roman.
01-10-2009 12:39 PM
Forgot you were running DHCP; the 1st ACL entry should be:
access-list 150 permit udp any any eq 68
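The audit below is an added example, not code from this thread or from Cisco. It models the "default inside server" rule the post above relies on (a full static NAT to the outside interface catches every port that no specific port forward claims) and checks the combination of static NAT entries and the inbound ACL on fa0/0 against the list of services the thread wants reachable: the SSH, web and FTP hosts, and the desktop's tcp/3389, tcp/28960 and udp/28960-32000. The config text is a constructed sample assembled from the two posts above (including the udp/68 entry); hostnames, ports and the ACL number are the thread's, the parser handles only the syntax forms that appear in the thread, and it does not model how IOS treats traffic addressed to the router's own services (such as its DHCP client).

```python
"""Audit IOS-style static NAT port forwards against the inbound ACL on the outside interface.
Added example (not from the thread or Cisco): a full static NAT catches every port that
no specific port forward claims; report full exposures, port collisions, intended services
the ACL drops, and permitted ports that land on a host nobody meant to expose."""
import re

# 'ip nat inside source static [tcp|udp] <inside> [<port>] interface <if> [<port>] [extendable]'
NAT_STATIC = re.compile(
    r"^ip nat inside source static"
    r"(?: (?P<proto>tcp|udp))? (?P<inside>\d+\.\d+\.\d+\.\d+)(?: (?P<iport>\d+))?"
    r" interface \S+(?: (?P<gport>\d+))?(?: extendable)?$"
)
# 'access-list <n> permit <tcp|udp|ip> any any [eq <port> | range <lo> <hi>]'
ACL_PERMIT = re.compile(
    r"^access-list (?P<num>\d+) permit (?P<proto>tcp|udp|ip) any any"
    r"(?: eq (?P<eq>\d+)| range (?P<lo>\d+) (?P<hi>\d+))?$"
)

# Constructed sample: the default-inside-server config plus ACL 150 from the thread.
SAMPLE_CONFIG = """
ip nat inside source list 1 interface fa0/0 overload
ip nat inside source static tcp 10.0.0.2 22 interface fa0/0 22
ip nat inside source static tcp 192.168.1.2 80 interface fa0/0 80
ip nat inside source static 192.168.1.3 interface fa0/0
ip nat inside source static tcp 192.168.1.4 20 interface fa0/0 20
ip nat inside source static tcp 192.168.1.4 21 interface fa0/0 21
access-list 150 permit udp any any eq 68
access-list 150 permit tcp any any eq 20
access-list 150 permit tcp any any eq 21
access-list 150 permit tcp any any eq 22
access-list 150 permit tcp any any eq 80
access-list 150 permit tcp any any eq 3389
access-list 150 permit udp any any range 28960 32000
interface fa0/0
 ip access-group 150 in
"""

# Services the thread wants reachable from outside: (inside host, proto, first port, last port)
INTENDED = [
    ("10.0.0.2", "tcp", 22, 22), ("192.168.1.2", "tcp", 80, 80), ("192.168.1.4", "tcp", 20, 21),
    ("192.168.1.3", "tcp", 3389, 3389), ("192.168.1.3", "tcp", 28960, 28960),
    ("192.168.1.3", "udp", 28960, 32000),
]


def parse_forwards(config):
    """Static NAT entries; gport None means every port (default inside server)."""
    fwds = []
    for line in config.splitlines():
        m = NAT_STATIC.match(line.strip())
        if m:
            fwds.append({"inside": m["inside"], "proto": m["proto"] or "any",
                         "gport": int(m["gport"]) if m["gport"] else None})
    return fwds


def parse_acl(config, number):
    """Permit rules of one numbered ACL as (proto, low, high); no port clause = all ports."""
    rules = []
    for line in config.splitlines():
        m = ACL_PERMIT.match(line.strip())
        if m and int(m["num"]) == number:
            if m["eq"]:
                lo = hi = int(m["eq"])
            elif m["lo"]:
                lo, hi = int(m["lo"]), int(m["hi"])
            else:
                lo, hi = 1, 65535
            rules.append((m["proto"], lo, hi))
    return rules


def forwarded_to(fwds, proto, port):
    """Inside host an outside packet to (proto, global port) reaches, or None.
    A specific port forward wins; otherwise the full static NAT catches it.
    Traffic for the router's own services (e.g. its DHCP client) is not modelled."""
    for f in fwds:
        if f["gport"] == port and f["proto"] in (proto, "any"):
            return f["inside"]
    for f in fwds:
        if f["gport"] is None and f["proto"] in (proto, "any"):
            return f["inside"]
    return None


def acl_permits(rules, proto, port):
    return any(p in (proto, "ip") and lo <= port <= hi for p, lo, hi in rules)


def audit(config, acl_number, intended):
    fwds, rules = parse_forwards(config), parse_acl(config, acl_number)
    want = {(h, pr, p) for h, pr, lo, hi in intended for p in range(lo, hi + 1)}
    report = {"default_servers": sorted({f["inside"] for f in fwds if f["gport"] is None}),
              "collisions": [], "unreachable": [], "unintended_exposure": []}
    owner = {}  # two specific forwards on one (proto, global port) cannot both win
    for f in fwds:
        if f["gport"] is None:
            continue
        for p in (("tcp", "udp") if f["proto"] == "any" else (f["proto"],)):
            key = (p, f["gport"])
            if key in owner and owner[key] != f["inside"]:
                report["collisions"].append((key, owner[key], f["inside"]))
            owner.setdefault(key, f["inside"])
    for host, proto, lo, hi in intended:  # wanted services nothing delivers or the ACL drops
        for port in range(lo, hi + 1):
            if forwarded_to(fwds, proto, port) != host:
                report["unreachable"].append((host, proto, port, "not forwarded"))
            elif not acl_permits(rules, proto, port):
                report["unreachable"].append((host, proto, port, "blocked by acl"))
    for proto, lo, hi in rules:  # ACL holes that land on a host nobody meant to expose
        for p in (("tcp", "udp") if proto == "ip" else (proto,)):
            for port in range(lo, hi + 1):
                host = forwarded_to(fwds, p, port)
                if host is not None and (host, p, port) not in want:
                    report["unintended_exposure"].append((p, port, host))
    return report


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CONFIG, 150, INTENDED).items():
        print(f"{finding}: {items}")
```

On the sample, the audit reports 192.168.1.3 as a default inside server, finds that tcp/28960 for the desktop is caught by the full static NAT but dropped because ACL 150 has no tcp permit for it, and flags the udp/68 permit as reaching the desktop under the model's rule (a separate question from whether IOS delivers that port to its own DHCP client, which the model does not decide). The collision check is what the route-map and two-router designs discussed earlier also need: two forwards of the same global port to different hosts cannot both work.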
01-10-2009 05:01 PM
I will give it a shot and let you know how it turns out. Might be a few days though.
Thanks,
~Roman