'Route-map' ports open, static NAT ports closed?

426385Dan
Level 1

Hi,

I have been struggling to understand why this is happening for some time now and have had no luck. I have used a 'route-map' to open ranges of ports for our IP phone system on the network, and have used static NAT commands for all other ports that require opening.

After doing several tests using online tools, I have gathered that the only ports which are open are 50, and 1720 (I am assuming that there is another reason why the online tools cannot see all the phone system ports to be open other than them not actually being open).

I have tried both using the external IP address and the external interface for the static NAT translations, however this hasn't seemed to make any difference.

Here is the NAT information from the running config; please let me know if there is any other information which would be useful.

  • 11.111.1.1 has been used in this config as the hypothetical static WAN IP address
  • 10.9.8.1 is the gateway for the management VLAN (the IP address I use to SSH in to the router)
  • 10.9.8.2 is the VLAN1 interface for the only switch in the LAN
  • 172.16.128.194 is the management address for the wireless access point in the LAN
  • 172.16.128.192 is the address of the server
  • 192.168.255.129 is the IP address of the IP phone system
  • All interfaces on the router are configured with 'ip access-group 1 in' and 'ip access-group 1 out'

ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.9.8.1 51 11.111.1.11 51 extendable
ip nat inside source static tcp 10.9.8.2 52 11.111.1.1 52 extendable
ip nat inside source static tcp 172.16.128.194 54 11.111.1.1 54 extendable
ip nat inside source static tcp 172.16.128.192 80 11.111.1.1 80 extendable
ip nat inside source static tcp 172.16.128.192 443 11.111.1.1 443 extendable
ip nat inside source static 192.168.255.129 11.111.1.1 route-map IPECS_Port_Forwarding_NAT
!
ip access-list extended IPECS_Port_Forwarding
 permit tcp host 192.168.255.129 any range 1717 1720
 permit tcp host 192.168.255.129 any eq 50
 permit udp host 192.168.255.129 any range 6000 6047
 permit tcp host 192.168.255.129 any range 6000 6588
 permit udp host 192.168.255.129 any range 8000 8047
 permit udp host 192.168.255.129 any range 9000 9047
 permit udp host 192.168.255.129 any range 5060 5060
 permit udp host 192.168.255.129 any range 5588 5588
 permit udp host 192.168.255.129 any range 7000 7015
 permit udp host 192.168.255.129 any range 7100 7115
 permit udp host 192.168.255.129 any range 7300 7315
!
access-list 1 permit any
route-map IPECS_Port_Forwarding_NAT permit 10
 match ip address IPECS_Port_Forwarding

Thanks in advance for any help that can be given on this issue,

Dan
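
An added example, not part of the original post: a small Python inventory of the NAT and ACL lines posted above. It reports any static entry whose global address differs from the stated WAN address and, for each ACL entry, whether the port match sits on the source or the destination side. The function names and the trimmed CONFIG sample are constructed for this example, and it reports only where values sit in the syntax, not why the router behaves as it does.

```python
# Added example. CONFIG is a constructed subset of the posted lines, copied as written.
CONFIG = """\
ip nat inside source static tcp 10.9.8.1 51 11.111.1.11 51 extendable
ip nat inside source static tcp 10.9.8.2 52 11.111.1.1 52 extendable
ip nat inside source static 192.168.255.129 11.111.1.1 route-map IPECS_Port_Forwarding_NAT
ip access-list extended IPECS_Port_Forwarding
 permit tcp host 192.168.255.129 any range 1717 1720
 permit tcp host 192.168.255.129 any eq 50
 permit udp host 192.168.255.129 any range 5060 5060
"""

def _addr(tok):  # consume 'any' or 'host A.B.C.D'; return (address, remaining tokens)
    return ("any", tok[1:]) if tok[0] == "any" else (tok[1], tok[2:])

def _ports(tok):  # consume optional 'eq N' or 'range A B'; return ((lo, hi) or None, rest)
    if tok[:1] == ["eq"]:
        return (int(tok[1]), int(tok[1])), tok[2:]
    if tok[:1] == ["range"]:
        return (int(tok[1]), int(tok[2])), tok[3:]
    return None, tok

def parse_ace(line):
    """Extended ACE layout: permit <proto> <source> [ports] <destination> [ports]."""
    tok = line.split()
    src, rest = _addr(tok[2:])
    sport, rest = _ports(rest)
    dst, rest = _addr(rest)
    dport, _ = _ports(rest)
    return {"proto": tok[1], "src": src, "sport": sport, "dst": dst, "dport": dport}

def parse_static(line):
    tok = line.split()[5:]  # drop "ip nat inside source static"
    if tok[0] in ("tcp", "udp"):  # per-port form: proto local lport global gport
        return {"local": tok[1], "global": tok[3], "gport": int(tok[4]), "route_map": None}
    rm = tok[tok.index("route-map") + 1] if "route-map" in tok else None
    return {"local": tok[0], "global": tok[1], "gport": None, "route_map": rm}

def audit(config, wan_ip):
    lines = config.splitlines()
    statics = [parse_static(l) for l in lines if l.startswith("ip nat inside source static ")]
    aces = [parse_ace(l) for l in lines if l.startswith(" permit ")]
    findings = [f"{s['local']}: global address {s['global']} differs from {wan_ip}"
                for s in statics if s["global"] != wan_ip]
    findings += [f"{a['proto']} {a['dport']}: ports match the destination, source {a['src']} port is unrestricted"
                 for a in aces if a["sport"] is None and a["dport"]]
    return statics, aces, findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIG, "11.111.1.1")[2]))
```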
