How can I forward multiple ports to an internal IP with NAT?
agustinchernitsky
Member Posts: 299
in CCNA & CCENT
Hi everyone!
I need to do a very simple task, that in Linux would take 5 secs, but with a Cisco router I have no clue on how to do it.
I need to send all traffic from ports UDP 10000 to 20000 to an internal private IP.
Up to now I use these commands to do the port forwarding:
ip nat inside source static tcp 192.168.1.100 22 201.xxx.xxx.xxx 22
Now, how on earth do I specify something like this:
ip nat inside source static udp 192.168.1.100 10000-20000 201.xxx.xxx.xxx 10000-20000
Any ideas?
Thanks amigos!
PS: I have NAT working, ATM0 is the outside int and E0 is the inside interface. Using overloading.
Comments
mikej412 Member Posts: 10,086
hectorjhrdz wrote: ip nat outside
isn't it?
Couple of links to the Cisco Docs and an example in this thread
I'll leave the access-list port range issue as an exercise for the home viewer.
:mike: Cisco Certifications -- Collect the Entire Set!
agustinchernitsky Member Posts: 299
Hey guys!
Well, after reading a bit, I think that I can do this with an acl... something like:
ip nat inside source list 101
and then:
access-list 101 permit udp host 192.168.1.xxx range 10000 20000 host 200.xxx.xxx.xxx range 10000 20000
What do you think??
PS: I don't know if the commands are ok... I can remember that they were something like this
EdTheLad Member Posts: 2,111
agustinchernitsky wrote: Hi everyone!
I need to do a very simple task, that in Linux would take 5 secs, but with a Cisco router I have no clue on how to do it.
I need to send all traffic from ports UDP 10000 to 20000 to an internal private IP.
Up to now I use these commands to do the port forwarding:
ip nat inside source static tcp 192.168.1.100 22 201.xxx.xxx.xxx 22
Now, how on earth do I specify something like this:
ip nat inside source static udp 192.168.1.100 10000-20000 201.xxx.xxx.xxx 10000-20000
Any ideas?
Thanks amigos!
PS: I have NAT working, ATM0 is the outside int and E0 is the inside interface. Using overloading.
Ok, my understanding is that you want public traffic arriving with ports 10000 to 20000 to be sent to 192.168.1.100.
So you should already have NAT set up to translate your inside local to an outside global, something like:
access-list 1 permit host 192.168.1.100
ip nat inside source list 1 interface atm0 overload
"where atm0 will have a global ip address 201.x.x.x"
access-list 101 permit udp any range 10000 20000 host 201.x.x.x
int atm0
 ip access-group 101 in
If you require something different you will have to be more clear with your description. What I have above should allow all traffic coming from the outside with source ports 10000 to 20000 to access 192.168.1.100; any other traffic outside the port range destined for 192.168.1.100 will be discarded. I'm assuming you have a default route to the outside.
Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
agustinchernitsky Member Posts: 299
Hi ed_the_lad, thanks for your reply...
I think that your configuration will work. Now, as you say, I am going to add something:
200.0.0.1 is the only available IP and should be used for overload and to forward all packets coming from the outside range udp 10000-20000 to IP 192.168.1.100.
Can I do something like this:
ip nat inside source list 101 interface atm0
ip nat inside source list 1 interface atm0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit udp host 192.168.1.100 range 10000 20000 host 201.x.x.x range 10000 20000
Would this trigger 101 acl for port fwd first and for the rest of the traffic trigger nat overload?
EdTheLad Member Posts: 2,111
I think you need something like this:
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit udp any any range 10000 20000
ip nat inside source list 1 int atm0 overload
ip nat inside destination list 101 pool test
ip nat pool test 192.168.1.100 192.168.1.100 netmask 255.255.255.0
This should allow normal overload, except if any traffic arrives with a port range between 10000 and 20000 it will get mapped with a destination address 192.168.1.100.
Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
agustinchernitsky Member Posts: 299
Well, I think I'll post the correct solution to this problem: route-maps
Objective:
1.- Allow internal users to access the Internet with one IP
2.- Allow external users to access an internal server by doing port forwarding.
Solution:
1.- Create pool for external IP and do some overloading
ip nat pool nldo 201.xxx.xxx.185 201.xxx.xxx.185 netmask 255.255.255.248
ip nat inside source list 110 pool nldo overload
2.- Specify a static nat with route-map for the other external IP that we will forward some ports to the internal server 192.168.1.110:
ip nat inside source static 192.168.1.110 201.xxx.xxx.186 route-map Asterix
3.- Create the access list for the portFWD and normal NAT:
ip access-list extended AsterixPortFwd
 permit tcp host 192.168.1.110 eq 22 any
 permit udp host 192.168.1.110 eq 4569 any
 permit udp host 192.168.1.110 eq 5004 any
 permit udp host 192.168.1.110 range 5060 5069 any
 permit udp host 192.168.1.110 range 10000 20000 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
4.- Create the route-map
route-map Asterix permit 10
 match ip address AsterixPortFwd
The static map with route-map creates the translation entry so that any packet from the outside to IP .186 gets forwarded to internal IP .110... But the route-map only will allow the ports that we are forwarding.
Hope it helps as reference to anyone!
mikej412 Member Posts: 10,086
agustinchernitsky wrote: Well, I think I'll post the correct solution to this problem: route-maps
Objective:
1.- Allow internal users to access the Internet with one IP
2.- Allow external users to access an internal server by doing port forwarding.
I don't see an ip nat outside in your solution that would tell NAT to translate any external traffic to that internal server. Where is that external traffic coming from -- the outside interface being used to access the internet? Or another interface?
:mike: Cisco Certifications -- Collect the Entire Set!
agustinchernitsky Member Posts: 299
The int with the public IP has the ip nat outside...
the internal int has the ip nat inside....
You should make it work...
agustinchernitsky Member Posts: 299
Let me clarify my post regarding port forwarding a range of ports with Cisco routers. The thing is: it can't be done.
My error was on the use of route-maps. The route-maps are used only (when applied to ip nat inside commands) for traffic from the inside to the outside. It appeared to be working, but what was really happening was that all traffic for the public IP was forwarded to the private IP (no comments please).
So, the solution is:
1.- Use a different public IP for the internal server
2.- Do use route maps (see below)
3.- Apply ACL IN for the public interface to restrict access to the public IP being forwarded.
Regarding route-maps: If you have more than one public IP and you use one to do overloading, you might find yourself (at least I did) with this problem: Traffic coming from the outside to the inside will use the correct IP, but traffic from the internal server to the outside will use the overloaded IP. This might cause problems on your setup.
To resolve this, you must specify on the ip nat ... overload ACL that traffic originating from the internal server IP must be denied. Doing this skips the ip nat inside ... overload and uses the next one (hopefully the static one) that will yield the correct IP.
My configuration now is as follows (I won't include the ACL on the internet interface):
! does IP 200.xxx.xxx.185
ip nat inside source list SkipNAT pool mypool overload
ip nat inside source static 192.168.1.110 200.xxx.xxx.186 route-map Server
ip access-list extended SkipNAT
 ! Does not allow traffic from the other IP
 deny ip host 192.168.1.110 any
 ! The rest is fine!
 permit ip 192.168.1.0 0.0.0.255 any
route-map Server permit 10
 match ip address InternalServer
ip access-list extended InternalServer
 permit ip host 192.168.1.110 any
Hope this helps... and sorry for the correction...
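The behaviour described in the last post (the overload ACL's deny making the server's outbound traffic fall through to the static mapping, and an inbound ACL on the public interface being what actually limits the forwarded ports) can be checked with a small model. This is an added example, not the poster's configuration or Cisco's NAT implementation; it assumes the two ip nat inside source statements are evaluated in the order the thread lists them, as the poster observed. The public addresses 203.0.113.185/.186 and the remote host 198.51.100.7 are constructed stand-ins from the documentation ranges for the thread's 200.xxx.xxx.185/.186.

```python
"""Model of the NAT rule selection the thread describes (added example, not the
poster's config or Cisco's implementation). Public IPs are constructed stand-ins
from 203.0.113.0/24 for the thread's 200.xxx.xxx.185 (overload) and .186 (server)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol, else "tcp"/"udp"
    src: str                         # CIDR; "0.0.0.0/0" is IOS "any"
    dst: str
    dports: Optional[range] = None   # None matches every destination port


def acl_lookup(acl: List[AclEntry], pkt: Packet) -> str:
    """First-match evaluation with the implicit deny at the end, like an IOS ACL."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(e.src):
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(e.dst):
            continue
        if e.dports is not None and pkt.dport not in e.dports:
            continue
        return e.action
    return "deny"


@dataclass
class Overload:           # ip nat inside source list <acl> pool <pool> overload
    acl: List[AclEntry]
    pool_ip: str


@dataclass
class StaticRouteMap:     # ip nat inside source static <inside> <outside> route-map <rm>
    inside_ip: str
    outside_ip: str
    route_map_acl: List[AclEntry]


OVERLOAD_IP = "203.0.113.185"      # constructed stand-in for 200.xxx.xxx.185
SERVER_PUBLIC_IP = "203.0.113.186" # constructed stand-in for 200.xxx.xxx.186
SERVER = "192.168.1.110"
ANY = "0.0.0.0/0"


def build_rules(deny_server_in_overload_acl: bool):
    """The two 'ip nat inside source' statements, in the order the thread lists them.
    With the flag set, the SkipNAT ACL carries the 'deny ip host <server> any' line."""
    skip_nat = []
    if deny_server_in_overload_acl:
        skip_nat.append(AclEntry("deny", "ip", SERVER + "/32", ANY))
    skip_nat.append(AclEntry("permit", "ip", "192.168.1.0/24", ANY))
    internal_server = [AclEntry("permit", "ip", SERVER + "/32", ANY)]
    return [Overload(skip_nat, OVERLOAD_IP),
            StaticRouteMap(SERVER, SERVER_PUBLIC_IP, internal_server)]


def outbound_source(rules, pkt: Packet) -> Optional[str]:
    """Inside-to-outside: the first statement whose ACL or route-map permits the
    packet supplies the translated source address (assumed ordering, see lead-in)."""
    for r in rules:
        if isinstance(r, Overload) and acl_lookup(r.acl, pkt) == "permit":
            return r.pool_ip
        if (isinstance(r, StaticRouteMap) and pkt.src == r.inside_ip
                and acl_lookup(r.route_map_acl, pkt) == "permit"):
            return r.outside_ip
    return None   # no translation applies


# ACL applied 'in' on the public interface; this is where the port list is enforced,
# because the route-map on the static statement does not filter outside-to-inside traffic.
OUTSIDE_IN_ACL = [
    AclEntry("permit", "tcp", ANY, SERVER_PUBLIC_IP + "/32", range(22, 23)),
    AclEntry("permit", "udp", ANY, SERVER_PUBLIC_IP + "/32", range(5060, 5070)),
    AclEntry("permit", "udp", ANY, SERVER_PUBLIC_IP + "/32", range(10000, 20001)),
]


def inbound_destination(rules, pkt: Packet) -> Optional[str]:
    """Outside-to-inside: the interface ACL sees the pre-NAT public address; what it
    permits is then translated by the static mapping regardless of port."""
    if acl_lookup(OUTSIDE_IN_ACL, pkt) != "permit":
        return None   # dropped at the interface
    for r in rules:
        if isinstance(r, StaticRouteMap) and pkt.dst == r.outside_ip:
            return r.inside_ip
    return None


if __name__ == "__main__":
    srv = Packet(SERVER, "198.51.100.7", "udp", 5060)
    print("without deny:", outbound_source(build_rules(False), srv))   # overload IP
    print("with deny:   ", outbound_source(build_rules(True), srv))    # server's own IP
```

Running the block shows the symptom from the post (the server's outbound traffic leaves with the overload address until the deny line is added) and that an inbound UDP packet to the server's public IP on a port outside the forwarded ranges is stopped only by the interface ACL, not by the route-map.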