01-03-2013 06:19 PM - edited 03-07-2019 10:53 AM
I feel like this has probably been asked a thousand times over, but it doesn't seem to work for me. TCP works fine. I can't find any definitive answers, I'm still a novice with the IOS.
The purpose behind opening the ranges of UDP ports to the interface and forwarding is because the people in question want to run a VOIP phone from their home, but they have a home grade Internet connection, so therefore no static IP. Also, they're not going to pay for a router to create a S2S VPN.
Also, from one of the remote sites for which there is a VPN (the 192.168.6.X/24 site), the audio is only one way. The phone guy says "I need to open ports both ways through the VPN", but I feel like that's already been done??
For my other site (192.168.15.0/24) I have an IPSEC over GRE tunnel going, I don't know about the status of the voice phone there..or if it's even made it there
Here's my config...I'm redacting things like public IPs, VPN keys, and the like
#show run
Building configuration...
Current configuration : 6525 bytes
!
! Last configuration change at 14:51:00 EST Wed Jan 2 2013 by ctouch
! NVRAM config last updated at 14:57:46 EST Wed Jan 2 2013 by ctouch
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
clock timezone EST -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2607594268
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2607594268
revocation-check none
rsakeypair TP-self-signed-2607594268
!
!
crypto pki certificate chain TP-self-signed-2607594268
certificate self-signed 02
3082024B 308201B4 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32363037 35393432 3638301E 170D3131 30373032 30333531
30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36303735
39343236 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A3B6 2C48D6E3 3778EEA9 704EB4A3 CDC45D92 A52DADD0 6E4D3576 0B2DBB92
1BEBE89D 74514A05 E367D13E CCD2685B 11AB6886 0C43202D 99880116 F2940746
153F6B89 340E0859 9DF52145 3A46F5A6 DEB6DD8D 88A5E425 928DE986 04079AF0
10FDDE65 57C20BE9 E4DEB432 C6CF88DE 02A3D314 0C0C43BA 2F50BC5E 4361CCCF
611F0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13435449 6E64792E 4354696E 64792E6C 6F63616C 301F0603
551D2304 18301680 143B64AC 65D3F8E6 F7904C90 F4911F8D 65B2793D D6301D06
03551D0E 04160414 3B64AC65 D3F8E6F7 904C90F4 911F8D65 B2793DD6 300D0609
2A864886 F70D0101 04050003 81810029 FAF2A093 69D3730B 40265212 38338B6C
966CBB6F A7ED4BF5 964B8725 0C973812 B23DAAA9 2404EFAB 2089775C 4459FCF1
ED56C682 3604EA56 EE34F087 161C55C4 FB612A2A 088DE03F B7C9000B BCF78B49
BB459CE7 A9CDFE4E E6DE90BB 0B73B8EF C1E96680 B14609CC D75E657E EA7C1279
A34FD9F8 D5D88B5A A4A034FA 340B50
quit
dot11 syslog
ip cef
!
!
ip dhcp excluded-address 192.168.2.101 192.168.2.254
ip dhcp excluded-address 192.168.2.1 192.168.2.49
!
!
ip domain name
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
authentication pre-share
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXXXXXXXx
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set CTLVPNSET esp-3des esp-sha-hmac
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TSET
!
!
crypto map CTMAP 1 ipsec-isakmp
set peer XXXXXXXXXXXXXX
set transform-set CTLVPNSET
match address VPNACL
!
!
archive
log config
hidekeys
!
!
!
!
!
interface Tunnel0
ip address 10.254.0.9 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source XXXXXXXXXXXXXXXXXX
tunnel destination XXXXXXXXXXXXXXXXXX
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$
ip address XXXXXXXXXXXXXXXXXXXX
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CTMAP
!
interface Vlan1
description internal LAN
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XXXXXXXXXXXXXXXXXXXX
ip route 192.168.15.0 255.255.255.0 Tunnel0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool SERVER 192.168.0.2 192.168.0.2 netmask 255.255.255.0 type rotary
ip nat pool PHONE1 192.168.0.201 192.168.0.201 netmask 255.255.255.0 type rotary
ip nat pool PHONE2 192.168.0.202 192.168.0.202 netmask 255.255.255.0 type rotary
ip nat pool PHONE3 192.168.0.203 192.168.0.203 netmask 255.255.255.0 type rotary
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet4 443
ip nat inside destination list PHONE1 pool PHONE1
ip nat inside destination list PHONE2 pool PHONE2
ip nat inside destination list PHONE3 pool PHONE3
ip nat inside destination list SERVER pool SERVER
!
ip access-list extended NAT
deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended NAT2
deny ip 192.168.0.0 0.0.0.255 192.168.15.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended PHONE1
permit tcp any any range 6000 6001
permit udp any any range 6000 6001
permit tcp any any eq 9000
permit tcp any any eq 5090
permit udp any any eq 5090
permit tcp any any eq 5003
permit udp any any eq 5003
permit udp any any eq 9000
ip access-list extended PHONE2
permit udp any any range 30000 30031
permit udp any any range 40000 40159
ip access-list extended PHONE3
permit tcp any any eq telnet
ip access-list extended SERVER
permit tcp any any eq 443
permit tcp any any eq 987
permit tcp XXXXXXXXXXXXXX 0.0.0.31 host XXXXXXXXXXXXXXXX eq smtp
01-06-2013 07:47 AM
bump..49 views and no replies?
01-08-2013 03:21 PM
Hey, Paul - can you clarify the problem you're having? I'm trying to grok what's broken. I gather that you've got a VoIP phone that isn't behaving as intended, but it's hard to tell from your description what all the circumstances are.
I re-ordered your config, removing some lines that I don't think have a significant bearing on the issue, and regrouping other lines to make it easier to see what the config is actually doing. I put some comments inline, more for my sanity as the config was a lot to take in. I think I got the point of the NAT statements correct based on my interpretation of how Cisco documents the commands. Apologies if I overlooked something.
! Traffic destined for 192.168.15.0/24 is routed through this tunnel interface. The tunnel mode is IPSEC, and the traffic will be encapsulated in accordance with the VTI profile. There is no "ip nat" on this interface, so traffic routed through here will not be impacted by the NAT configuration.
interface Tunnel0
ip address 10.254.0.9 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source XXXXXXXXXXXXXXXXXX
tunnel destination XXXXXXXXXXXXXXXXXX
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
crypto ipsec profile VTI
set transform-set TSET
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
ip route 192.168.15.0 255.255.255.0 Tunnel0
!
!
! This is the public, Internet-facing interface. Interesting traffic for another IPSEC tunnel is defined by the VPNACL access-list (which does not appear in the configuration you pasted, so was presumably redacted).
interface FastEthernet4
description $ES_WAN$
ip address XXXXXXXXXXXXXXXXXXXX
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CTMAP
!
crypto map CTMAP 1 ipsec-isakmp
set peer XXXXXXXXXXXXXX
set transform-set CTLVPNSET
match address VPNACL
!
crypto ipsec transform-set CTLVPNSET esp-3des esp-sha-hmac
!
!
! This is the SVI used to route traffic from the LAN. Traffic that enters here and exits via Fa4 will be subject to the NAT policy.
interface Vlan1
description internal LAN
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
!
! Inside traffic that matches access-list 100 (does not appear in configuration) will have the source address translated to the interface IP of Fa4 using PAT overload.
ip nat inside source list 100 interface FastEthernet4 overload
! Inside traffic of 192.168.0.2:443 will have the source address translated to the interface IP of Fa4 statically.
ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet4 443
!
!
! Traffic going from outside to inside destined for the ports listed in the ACL will translate the destination address (presumably the public IP of Fa4) to the inside address specified in the pool. The next 4 NATs all behave in the same way - depending on the port, the traffic will get forwarded to a different inside host.
ip access-list extended PHONE1
permit tcp any any range 6000 6001
permit udp any any range 6000 6001
permit tcp any any eq 9000
permit tcp any any eq 5090
permit udp any any eq 5090
permit tcp any any eq 5003
permit udp any any eq 5003
permit udp any any eq 9000
ip nat inside destination list PHONE1 pool PHONE1
ip nat pool PHONE1 192.168.0.201 192.168.0.201 netmask 255.255.255.0 type rotary
!
!
ip access-list extended PHONE2
permit udp any any range 30000 30031
permit udp any any range 40000 40159
ip nat inside destination list PHONE2 pool PHONE2
ip nat pool PHONE2 192.168.0.202 192.168.0.202 netmask 255.255.255.0 type rotary
!
ip access-list extended PHONE3
permit tcp any any eq telnet
ip nat inside destination list PHONE3 pool PHONE3
ip nat pool PHONE3 192.168.0.203 192.168.0.203 netmask 255.255.255.0 type rotary
!
ip access-list extended SERVER
permit tcp any any eq 443
permit tcp any any eq 987
permit tcp XXXXXXXXXXXXXX 0.0.0.31 host XXXXXXXXXXXXXXXX eq smtp
ip nat inside destination list SERVER pool SERVER
ip nat pool SERVER 192.168.0.2 192.168.0.2 netmask 255.255.255.0 type rotary
!
!
! These ACLs do not appear to be in use.
ip access-list extended NAT
deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended NAT2
deny ip 192.168.0.0 0.0.0.255 192.168.15.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
01-08-2013 06:28 PM
First off, thank you so much for the reply. I'm positive you're an extremely busy person, and would not have been offended should you not have replied, especially since this is more or less free advice. I'm just not getting much luck in the various forums (this forum, Petri IT, and Experts Exchange). I apologize for not being exactly clear to begin with...my explanation is long-winded, and I apologize ahead of time...
I thoroughly enjoy PacketPushers, some of it can be "above my pay grade", but I still enjoy it nonetheless.
My problem is twofold, but both relate to this "VOIP" system of sorts. It's some off-brand phone system that the customer inherited when they purchased another company in their industry; one day they called and said "come make it work". They also inherited these Cisco routers that they want to use....I know enough to be dangerous... So here I am...
I just realized I did not originally post the entire config, so I'll do so in a separate post, perhaps I hit a character limit..
1. I have a S2S VPN between two sites... the site where 192.168.0.0/24 is the LAN, and where 192.168.6.0/24 is the LAN. The tunnel is up, and I can ping through the VPN both ways.
The phone system sits in the 192.168.0.0/24 network
Though the tunnel is up, the phone in the 192.168.6.0/24 network has one-way audio only. The 0.0/24 network can hear the person in .6.0/24, but not the other way around. My hunch is because the router at the .6.0/24 network is double-NATted behind the DSL modem, and that's something I inherited unfortunately as well. The site is quite a drive, but I'll go there as a last resort to fix that, but I digress.
The "phone guy" who installed the system for them says it's because "I'm not allowing UDP through the VPN". My understanding is that the ACL below covers all ports TCP/IP/UDP
ip access-list extended VPNACL
permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
My second problem is the customer wants to try to run one of these VOIP phones from their home, but they don't have business-class Internet at home, so therefore no static IP, and definitely won't flip for a Cisco at their house.
So...the phone guy says "Forward these TCP and UDP ports to these private IPs that the phone system uses" (the phone system has 3 private IPs BTW) and all should be well....some of which are ranges of ports
Well...I was able to get the TCP ports forwarded fine it appears, but the UDP, not so much...and since I can't use telnet to test UDP connectivity...I'm stuck
I tried this method here http://evilrouters.net/2010/05/25/port-forwarding-a-range-of-ports-on-cisco-ios/ ...
Then I read online that Cisco IOS doesn't do well with forwarding ranges of UDP ports..at least on the routers..and try a route-map method....
well..the route-map method won't work for me because again the phone system has 3 private IPs that I would have to statically NAT to 3 individual public IPs..and the phone can only be configured to talk to one public IP...
sorry this is very convoluted
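Two questions in this thread come down to how an IOS extended ACL is evaluated: which inside host an inbound packet is sent to by the rotary destination-NAT lines (the reply's commentary on PHONE1/PHONE2/PHONE3), and whether "permit ip" in VPNACL covers UDP as well as TCP. The script below is an added example, not code from the original posts or from Cisco: it copies the ACL lines from the posted config into a small matcher with IOS wildcard-mask and implicit-deny semantics, then runs constructed sample packets through it. The outside source address and the public address standing in for the redacted Fa4 IP are RFC 5737 documentation addresses chosen for the example. It models only the ACL/port-selection logic, so it can confirm which ports the config forwards and to which host, but says nothing about platform behaviour the OP is asking about.

```python
"""Model the ACL decisions behind the posted NAT and crypto-map config.

ACL text below is copied from the thread; the matcher, the pool mapping
and the sample packets are constructed for this example (not Cisco code).
Only the forms that appear on the page are handled:
  permit <proto> any any [eq N | range A B]
  permit ip <net> <wildcard> <net> <wildcard>
"""
import ipaddress

PORT_NAMES = {"telnet": 23, "smtp": 25}   # IOS keywords used in the posted ACLs

# Destination-NAT ACL -> inside host of the rotary pool it feeds,
# in the order of the 'ip nat inside destination list' lines.
PHONE_ACLS = {
    "PHONE1": ("""
permit tcp any any range 6000 6001
permit udp any any range 6000 6001
permit tcp any any eq 9000
permit tcp any any eq 5090
permit udp any any eq 5090
permit tcp any any eq 5003
permit udp any any eq 5003
permit udp any any eq 9000
""", "192.168.0.201"),
    "PHONE2": ("""
permit udp any any range 30000 30031
permit udp any any range 40000 40159
""", "192.168.0.202"),
    "PHONE3": ("permit tcp any any eq telnet", "192.168.0.203"),
}

# Crypto-map "interesting traffic" ACL from the posted config.
VPNACL = "permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255"

OUTSIDE_SRC = "203.0.113.5"   # constructed remote address (RFC 5737)
PUBLIC_IP = "192.0.2.1"       # stands in for the redacted Fa4 address


def _addr(tok):
    return int(ipaddress.IPv4Address(tok))


def _parse_addr(t, i):
    """Consume one address spec (any | host A | A WILDCARD) at t[i]."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _addr(t[i + 1]), 0, i + 2
    return _addr(t[i]), _addr(t[i + 1]), i + 2


def parse_acl(text):
    """Return a list of (action, proto, src, swild, dst, dwild, lo, hi)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] not in ("permit", "deny"):
            continue
        action, proto = t[0], t[1]
        src, swild, i = _parse_addr(t, 2)
        dst, dwild, i = _parse_addr(t, i)
        lo, hi = 0, 65535                      # no port clause: any port
        if i < len(t) and t[i] == "eq":
            lo = hi = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        elif i < len(t) and t[i] == "range":
            lo, hi = int(t[i + 1]), int(t[i + 2])
        entries.append((action, proto, src, swild, dst, dwild, lo, hi))
    return entries


def acl_permits(entries, proto, src, dst, dport):
    """First-match evaluation; wildcard bits set to 1 are 'don't care'."""
    s, d = _addr(src), _addr(dst)
    for action, p, sn, sw, dn, dw, lo, hi in entries:
        if p != "ip" and p != proto:           # 'ip' matches every protocol
            continue
        if (s | sw) != (sn | sw) or (d | dw) != (dn | dw):
            continue
        if p != "ip" and not lo <= dport <= hi:
            continue
        return action == "permit"
    return False                               # implicit deny at end of ACL


def forward_target(proto, dport):
    """Inside host an inbound packet to PUBLIC_IP:dport is translated to, or None."""
    for _name, (text, inside) in PHONE_ACLS.items():
        if acl_permits(parse_acl(text), proto, OUTSIDE_SRC, PUBLIC_IP, dport):
            return inside
    return None


def vpn_interesting(proto, src, dst, dport=0):
    """True if the packet would be selected for the CTMAP IPsec tunnel."""
    return acl_permits(parse_acl(VPNACL), proto, src, dst, dport)


if __name__ == "__main__":
    for proto, port in [("udp", 5090), ("udp", 30010), ("tcp", 23),
                        ("udp", 23), ("udp", 40160)]:
        print(f"inbound {proto}/{port:<5} -> {forward_target(proto, port)}")
    print("udp 192.168.0.50 -> 192.168.6.10 via VPN:",
          vpn_interesting("udp", "192.168.0.50", "192.168.6.10", 10000))
    print("udp 192.168.0.50 -> 192.168.15.10 via VPN:",
          vpn_interesting("udp", "192.168.0.50", "192.168.15.10", 10000))
```

Running it shows UDP 5090 landing on 192.168.0.201, UDP 30010 on .202 and TCP 23 on .203, while UDP 23 and UDP 40160 match nothing (PHONE3 permits TCP only, and PHONE2's second range stops at 40159). It also shows that the VPNACL "permit ip" line matches UDP between the two LANs, which is the OP's reading of it; anything to 192.168.15.0/24 is not selected by that ACL because it is routed over Tunnel0 instead.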
01-08-2013 06:37 PM
Building configuration...
Current configuration : 6525 bytes
!
! Last configuration change at 14:51:00 EST Wed Jan 2 2013 by ctouch
! NVRAM config last updated at 14:57:46 EST Wed Jan 2 2013 by ctouch
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
clock timezone EST -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2607594268
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2607594268
revocation-check none
rsakeypair TP-self-signed-2607594268
!
!
crypto pki certificate chain TP-self-signed-2607594268
certificate self-signed 02
3082024B 308201B4 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32363037 35393432 3638301E 170D3131 30373032 30333531
30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36303735
39343236 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A3B6 2C48D6E3 3778EEA9 704EB4A3 CDC45D92 A52DADD0 6E4D3576 0B2DBB92
1BEBE89D 74514A05 E367D13E CCD2685B 11AB6886 0C43202D 99880116 F2940746
153F6B89 340E0859 9DF52145 3A46F5A6 DEB6DD8D 88A5E425 928DE986 04079AF0
10FDDE65 57C20BE9 E4DEB432 C6CF88DE 02A3D314 0C0C43BA 2F50BC5E 4361CCCF
611F0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13435449 6E64792E 4354696E 64792E6C 6F63616C 301F0603
551D2304 18301680 143B64AC 65D3F8E6 F7904C90 F4911F8D 65B2793D D6301D06
03551D0E 04160414 3B64AC65 D3F8E6F7 904C90F4 911F8D65 B2793DD6 300D0609
2A864886 F70D0101 04050003 81810029 FAF2A093 69D3730B 40265212 38338B6C
966CBB6F A7ED4BF5 964B8725 0C973812 B23DAAA9 2404EFAB 2089775C 4459FCF1
ED56C682 3604EA56 EE34F087 161C55C4 FB612A2A 088DE03F B7C9000B BCF78B49
BB459CE7 A9CDFE4E E6DE90BB 0B73B8EF C1E96680 B14609CC D75E657E EA7C1279
A34FD9F8 D5D88B5A A4A034FA 340B50
quit
dot11 syslog
ip cef
!
!
!
!
ip domain name
!
multilink bundle-name authenticated
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
authentication pre-share
crypto isakmp key XXXXX address XXXXX
crypto isakmp key XXXXX address XXXXX
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set CTLVPNSET esp-3des esp-sha-hmac
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TSET
!
!
crypto map CTMAP 1 ipsec-isakmp
set peer XXXXX
set transform-set CTLVPNSET
match address VPNACL
!
!
archive
log config
hidekeys
!
!
!
!
!
interface Tunnel0
ip address 10.254.0.9 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source XXXXXX
tunnel destination XXXXXX
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$
ip address XXXXXXXXX
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CTMAP
!
interface Vlan1
description internal LAN
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 66.158.172.193
ip route 192.168.15.0 255.255.255.0 Tunnel0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool SERVER 192.168.0.2 192.168.0.2 netmask 255.255.255.0 type rotary
ip nat pool PHONE1 192.168.0.201 192.168.0.201 netmask 255.255.255.0 type rotary
ip nat pool PHONE2 192.168.0.202 192.168.0.202 netmask 255.255.255.0 type rotary
ip nat pool PHONE3 192.168.0.203 192.168.0.203 netmask 255.255.255.0 type rotary
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet4 443
ip nat inside destination list PHONE1 pool PHONE1
ip nat inside destination list PHONE2 pool PHONE2
ip nat inside destination list PHONE3 pool PHONE3
ip nat inside destination list SERVER pool SERVER
!
ip access-list extended NAT
deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended NAT2
deny ip 192.168.0.0 0.0.0.255 192.168.15.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended PHONE1
permit tcp any any range 6000 6001
permit udp any any range 6000 6001
permit tcp any any eq 9000
permit tcp any any eq 5090
permit udp any any eq 5090
permit tcp any any eq 5003
permit udp any any eq 5003
permit udp any any eq 9000
ip access-list extended PHONE2
permit udp any any range 30000 30031
permit udp any any range 40000 40159
ip access-list extended PHONE3
permit tcp any any eq telnet
ip access-list extended SERVER
permit tcp any any eq 443
permit tcp any any eq 987
permit tcp 205.237.99.160 0.0.0.31 host 66.158.172.194 eq smtp
permit tcp 69.84.129.224 0.0.0.31 host 66.158.172.194 eq smtp
permit tcp 74.94.129.208 0.0.0.15 host 66.158.172.194 eq smtp
permit tcp 69.84.129.224 0.0.0.31 host 66.158.172.194 eq 389
permit tcp 74.94.129.208 0.0.0.15 host 66.158.172.194 eq 389
permit tcp 72.1.146.64 0.0.0.31 host 66.158.172.194 eq 389
permit tcp 72.1.146.64 0.0.0.31 host 66.158.172.194 eq smtp
permit tcp 205.237.99.160 0.0.0.31 host 66.158.172.194 eq 389
ip access-list extended VPNACL
permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
ip access-list extended VPNACL2
permit ip 192.168.0.0 0.0.0.255 192.168.15.0 0.0.0.255
!
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
!
!
route-map nonnat permit 10
match ip address NAT
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
password cisco
login local
transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17174982
ntp server 216.171.120.36
end