04-03-2012 11:56 PM - edited 03-07-2019 05:57 AM
Hi,
I have a Cisco 881 router in my office and I would like to port forward port 5060 and ports 10000-20000 to my PABX (192.168.1.61).
After doing some research on the Internet, I understand that we need to use NAT with the following command to port forward port 5060:
ip nat inside source static udp 192.168.1.61 5060 XXX.XXX.XXX.XXX(WAN IP) 5060 extendable
However, I'm now facing an issue performing port forwarding for a huge range of ports, like 10000 to 20000.
It is impossible to add them one by one, isn't it?
Can anyone help me? Big thanks!
04-04-2012 07:26 AM
Unfortunately there is no NAT command syntax to configure a translation for a range of ports in one go, so if you only have one public IP address, which is assigned to the outside interface of the edge router, and that same IP address has to be used for hosting UDP ports 10000 to 20000, then you really do not have a good solution.
But if you have ANOTHER public IP which can be used for NATing, then you can simply configure the command:
ip nat inside source static 192.168.1.61 70.1.1.1
With the above command, you are mapping the public IP to a private IP including all UDP and TCP ports. And if you want more security, you can even have an ACL (which of course has a "range" keyword) applied (using a route-map) to this NAT statement so that only the ports you want are NATed.
Hope it helps
Neeraj
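As an added example, not posted by Neeraj or taken from the thread, this is what the 1:1 static NAT with a route-map-applied ACL described above looks like on an IOS router. It assumes 70.1.1.1 is the spare public address, FastEthernet4 is the 881's WAN interface and Vlan1 its LAN interface, and the ACL and route-map names are arbitrary:

```cisco
! Added example: 1:1 static NAT for the PABX, limited to the SIP/RTP ports
! by a route-map instead of one "ip nat inside source static udp" line per port.
! Assumptions: 70.1.1.1 is the spare public address, FastEthernet4 is the
! WAN (outside) and Vlan1 the LAN (inside) interface of the 881; the names
! PABX-PORTS and PABX-NAT are arbitrary.
!
! The ACL is written in the inside-to-outside direction: the PABX is the
! source, so SIP signalling and the RTP media range appear as source ports.
ip access-list extended PABX-PORTS
 remark SIP signalling
 permit udp host 192.168.1.61 eq 5060 any
 remark RTP media; the "range" keyword covers 10000-20000 in a single line
 permit udp host 192.168.1.61 range 10000 20000 any
 remark anything else from the PABX does not use the 70.1.1.1 mapping
 deny   ip any any
!
route-map PABX-NAT permit 10
 match ip address PABX-PORTS
!
! Static 1:1 translation, applied only when the route-map matches
ip nat inside source static 192.168.1.61 70.1.1.1 route-map PABX-NAT
!
interface FastEthernet4
 ip nat outside
!
interface Vlan1
 ip nat inside
```

Traffic from the PABX that the ACL denies simply does not match this static entry; if the LAN also has the usual "ip nat inside source list ... interface FastEthernet4 overload" statement, that traffic falls through to the overload translation instead. Which ports are actually reachable from the Internet should be enforced with an inbound ACL on the outside interface rather than relied on from the route-map alone.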
04-04-2012 09:20 PM
Thanks for your reply Neeraj.
I would like to check: if I NAT my private IP to a public IP using the command you mentioned, will it open all the ports?
I tried it before, and afterwards I used an online port checker to check the ports, and it seems that only port 80 is open; the rest are still closed. Furthermore, my device is still not able to communicate with my PABX from the external network.
04-05-2012 06:03 AM
Yes, using the command I mentioned will map all the ports of the public IP to your private IP, but an online port checker tool will only look for a response on these ports, and that response will only come if you have some service hosted on that port. That too will only work for TCP ports, as UDP does not create a session using a 3-way handshake.
So I am assuming that you are only using an HTTP service on the inside when it comes to TCP, and that's why the online port checker sees that, but if you host other services on that server then they will also become accessible/visible from the Internet.
For security purposes, if you want to block unused ports from the Internet then you'd have to make use of an ACL on the outside interface allowing only port 80 or 443 or whichever service you want to host.
Now regarding communication with the PABX, you'd have to check the NAT table on the router using the "sh ip nat translation" command to see if the translations are happening for the traffic coming from the Internet towards the PABX box.
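As an added example, not from the thread, this is the outside-interface ACL recommended above, exposing only the PABX services, followed by the commands to check the NAT table. It assumes FastEthernet4 is the 881's outside interface, 70.1.1.1 is the public address statically mapped to the PABX (192.168.1.61), and the ACL name OUTSIDE-IN is arbitrary:

```cisco
! Added example: stateless ACL on the WAN interface that exposes only the
! PABX ports, plus the checks for the NAT table.
! Assumptions: FastEthernet4 is the outside interface, 70.1.1.1 is the
! public address statically mapped to 192.168.1.61, OUTSIDE-IN is arbitrary.
!
! An inbound ACL on the outside interface is evaluated before NAT, so it
! must match the public (inside global) address, not 192.168.1.61.
ip access-list extended OUTSIDE-IN
 remark SIP signalling to the PABX
 permit udp any host 70.1.1.1 eq 5060
 remark RTP media range to the PABX
 permit udp any host 70.1.1.1 range 10000 20000
 remark replies to TCP sessions opened from the LAN
 permit tcp any any established
 remark the ACL is stateless: replies to outbound UDP (here DNS) need their
 remark own lines, or use stateful inspection ("ip inspect") instead
 permit udp any eq 53 any
 remark everything else, including the other 70.1.1.1 ports, is dropped;
 remark "log" records what the Internet probed and was refused
 deny   ip any any log
!
interface FastEthernet4
 ip access-group OUTSIDE-IN in
!
! Verification from enable mode:
! show ip nat translations      - the static 70.1.1.1 <-> 192.168.1.61 entry,
!                                 plus per-port extended entries once SIP/RTP
!                                 packets actually flow through the mapping
! show ip nat statistics        - overall translation hit/miss counters
! show access-lists OUTSIDE-IN  - per-line match counters; a rising count on
!                                 the 5060 line with no extended NAT entries
!                                 means the packets arrive but are not
!                                 being translated
! debug ip nat                  - per-packet translation events; run briefly
```

The port-checker result described earlier (only port 80 reported open) is exactly what this ACL would also produce for TCP probes, since every TCP port other than return traffic is denied; the UDP services are only visible to a peer that actually speaks SIP to 5060.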