
Cisco router 881 range port forwarding

vodca_valdez
Level 1

Hi,

I have a Cisco 881 router in my office and I would like to port forward port 5060 and ports 10000 - 20000 to my PABX (192.168.1.61).

After doing some research on the internet, I understand that we need to NAT using the following command to port forward port 5060.

ip nat inside source static udp 192.168.1.61 5060 XXX.XXX.XXX.XXX(WAN IP) 5060 extendable

However, now I'm facing an issue with port forwarding a huge range of ports like 10000 to 20000.

Is it really necessary to add them one by one?

Can anyone help me? Big thanks~


Neeraj Arora
Level 3

Unfortunately there is no command syntax in NAT to configure a translation for a range of ports in one go, so if you only have one public IP address which is assigned to the outside interface of the edge router, and that same IP address has to be used for hosting UDP ports 10000 to 20000, then you really do not have a good solution.

But if you have ANOTHER public IP which can be used for NATing, then you can simply configure the command:

ip nat inside source static 192.168.1.61 70.1.1.1

With the above command, you are mapping the public IP to a private IP including all UDP & TCP ports. And if you want more security then you can even have an ACL (which of course has a "range" keyword) applied (using a route-map) on this NAT statement so that only the ports which you want will be NATed.

Hope it helps

Neeraj

Thanks for your reply Neeraj.

I would like to check: if I NAT my private IP to the public IP using the command you mentioned, will it open all the ports?

I tried it before, and after that I used an online port checker to check the ports, and it seems like only port 80 is open; the rest are still closed. Furthermore, my device is still not able to communicate with my PABX from the external network.

Yes, using the command I mentioned will map all the ports of the public IP to your private IP, but an online port checker tool will only look for a response on these ports, and that response will only come if you have some service hosted on that port. That too will be done for TCP ports, as UDP will not create a session using a 3-way handshake.

So I am assuming that you are only using an HTTP service on the inside when it comes to TCP, and that's why the online port checker sees that, but if you host other services on that server then they will also become accessible/visible from the internet.

For security purposes, if you want to block unused ports from the internet then you'd have to make use of an ACL on the outside interface allowing only port 80 or 443 or whichever service you want to host.

Now regarding communication with the PABX, you'd have to check the NAT table on the router using the "sh ip nat translation" command to see if the translations are happening for the traffic coming from the internet towards the PABX box.
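
The approach discussed in this thread, sketched as an IOS configuration for the original poster's ports. This is an added example, not configuration posted by anyone in the thread; it assumes 70.1.1.1 is the spare public address from the reply above, FastEthernet4 is the WAN port and Vlan1 the LAN interface, and PABX-IN is a made-up ACL name.

```cisco
! Added example. Assumed: 70.1.1.1 = spare public IP, FastEthernet4 = WAN,
! Vlan1 = LAN, PABX-IN = hypothetical ACL name.
!
! One-to-one static NAT: every TCP and UDP port on 70.1.1.1 maps to the PABX.
ip nat inside source static 192.168.1.61 70.1.1.1
!
! Inbound ACL on the outside interface. It is evaluated before NAT, so the
! destination to match is the public address, not 192.168.1.61.
ip access-list extended PABX-IN
 remark SIP signalling
 permit udp any host 70.1.1.1 eq 5060
 remark media ports, a single entry thanks to the range keyword
 permit udp any host 70.1.1.1 range 10000 20000
 remark anything else aimed at the PABX address is dropped and logged
 deny   ip any host 70.1.1.1 log
 remark traffic to other addresses is left as it was
 permit ip any any
!
interface FastEthernet4
 ip nat outside
 ip access-group PABX-IN in
!
interface Vlan1
 ip nat inside
!
! Checks after placing a test call from outside:
!   show ip nat translations    (entries for 192.168.1.61 should appear)
!   show access-lists PABX-IN   (hit counters show which entries matched)
```

The ACL is stateless, so replies to sessions the PABX itself opens from ports outside 5060 and 10000-20000 (DNS or NTP lookups, for example) also hit the deny entry unless they are permitted explicitly or handled by stateful inspection.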
