As you might recall, I had previously taken umbrage with Cisco's inability to forward a range of ports to a particular host. Many readers have offered suggestions and links to other documents around the Internet offering various solutions, but none of them really sat quite right with me.
In hindsight, the reason none of these suggestions sat right with me is because all the examples assumed you only had one host behind the NAT configuration. Finally, reader Serge worked with me to come up with a workable solution that resolves the port range problem but still works fine with multiple hosts.
Here's what Serge sent me by way of example:
ip nat pool POOL1 192.168.1.1 192.168.1.1 netmask 255.255.255.0 type rotary
ip nat pool POOL2 192.168.1.2 192.168.1.2 netmask 255.255.255.0 type rotary
ip nat inside destination list 101 pool POOL1
ip nat inside destination list 102 pool POOL2
access-list 101 permit tcp any any range 100 300
access-list 102 permit tcp any any range 500 1000
As you can see, TCP ports 100 through 300 are forwarded on to 192.168.1.1 and TCP ports 500 through 1000 go to 192.168.1.2. This solution seems workable to me. Once I got beyond the idea that there can only be one ip nat pool, I realized that this is what I should have been doing all along.
And so, here's our re-worked configuration to allow the World of Warcraft updater to successfully pass through our Cisco IOS-based firewall.
interface FastEthernet0/0
ip address 192.168.9.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
!
ip nat pool POOL1 192.168.9.10 192.168.9.10 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside destination list WOW pool POOL1
!
ip access-list extended WOW
permit tcp any any eq 3724
permit tcp any any range 6881 6999
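As an added example (not code from the post or from Serge), here is a small Python generator for the rotary-pool technique above: one single-address pool and one destination list per inside host, one "eq" or "range" ACL line per TCP port set, and a refusal to emit two destination lists that claim the same inbound port. Because inside-destination translation applies to TCP only, UDP ports are expanded into one static entry each; the NAT-ACL, POOL_… and FWD_… names are my own.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Forward:
    """One inbound rule: proto ports first..last arriving on the WAN go to host."""
    host: str
    proto: str
    first: int
    last: int

    def validate(self):
        if self.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {self.proto!r}")
        if not 1 <= self.first <= self.last <= 65535:
            raise ValueError(f"bad port range {self.first}-{self.last}")


def _tag(host):
    # Pool/ACL names derived from the host address (assumed naming scheme).
    return host.replace(".", "_")


def acl_line(fwd):
    """Extended-ACL entry for one forward, using 'eq' or 'range' as in the post."""
    if fwd.first == fwd.last:
        return f" permit {fwd.proto} any any eq {fwd.first}"
    return f" permit {fwd.proto} any any range {fwd.first} {fwd.last}"


def find_conflicts(forwards):
    """Pairs of forwards for different hosts whose protocol and ports overlap.

    Two destination lists that match the same inbound port cannot both win,
    so such input is rejected rather than turned into an ambiguous config.
    """
    return [
        (a, b) for a, b in combinations(forwards, 2)
        if a.host != b.host and a.proto == b.proto
        and a.first <= b.last and b.first <= a.last
    ]


def build_config(wan_if, lan_net, lan_wild, lan_mask, forwards):
    """Return IOS configuration text implementing the given forwards."""
    for f in forwards:
        f.validate()
    conflicts = find_conflicts(forwards)
    if conflicts:
        raise ValueError(f"conflicting forwards: {conflicts}")
    lines = [
        "ip access-list standard NAT-ACL",
        f" permit {lan_net} {lan_wild}",
        "!",
        f"ip nat inside source list NAT-ACL interface {wan_if} overload",
        "!",
    ]
    for host in sorted({f.host for f in forwards}):
        mine = sorted((f for f in forwards if f.host == host), key=lambda f: f.first)
        tcp = [f for f in mine if f.proto == "tcp"]
        udp = [f for f in mine if f.proto == "udp"]
        if tcp:
            # TCP: one single-address rotary pool plus one destination list per
            # host, so each additional TCP range costs a single ACL line.
            pool, acl = f"POOL_{_tag(host)}", f"FWD_{_tag(host)}"
            lines.append(f"ip nat pool {pool} {host} {host} netmask {lan_mask} type rotary")
            lines.append(f"ip nat inside destination list {acl} pool {pool}")
            lines.append(f"ip access-list extended {acl}")
            lines.extend(acl_line(f) for f in tcp)
            lines.append("!")
        for f in udp:
            # UDP: inside-destination leaves non-TCP traffic untranslated, so
            # every UDP port still needs its own static entry.
            for port in range(f.first, f.last + 1):
                lines.append(f"ip nat inside source static udp {host} {port} "
                             f"interface {wan_if} {port}")
        if udp:
            lines.append("!")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The post's World of Warcraft forwards, plus a small constructed UDP range.
    print(build_config("FastEthernet0/1", "192.168.9.0", "0.0.0.255", "255.255.255.0",
                       [Forward("192.168.9.10", "tcp", 3724, 3724),
                        Forward("192.168.9.10", "tcp", 6881, 6999),
                        Forward("192.168.9.10", "udp", 6073, 6075)]))
```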
I am having a similar problem as you described, and have implemented the inbound/outbound NAT & port-forwarding like your solution. I am using NAT port-forwarding to allow traffic from the Internet to reach 18 servers. The problem is that this is working for a few of the servers and not for the rest, even though the configuration is identical for all of them. I have searched high & low trying to find a solution and/or suggestions on how to troubleshoot this problem. I have read the Cisco docs but have not found a usable answer in them either. Any assistance/suggestions would be greatly appreciated. I have included a copy of the NAT stats for you to look at. Thanks, Greg
xxx_distribution_1#sh ip nat stat
Total active translations: 1504 (0 static, 1504 dynamic; 1504 extended)
Outside interfaces:
FastEthernet0/0
Inside interfaces:
FastEthernet0/1, FastEthernet0/1.5, FastEthernet0/1.10, FastEthernet0/1.15
FastEthernet0/1.20, FastEthernet0/1.25, FastEthernet0/1.30
FastEthernet0/1.35, FastEthernet0/1.40
Hits: 4130866 Misses: 93029
CEF Translated packets: 4158864, CEF Punted packets: 110268
Expired translations: 109237
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 interface FastEthernet0/0 refcount 1469
-- Inside Destination
[Id: 2] access-list 101 pool xxx_webserver refcount 22
pool xxx_webserver: netmask 255.255.255.252
start 192.168.5.130 end 192.168.5.130
type rotary, total addresses 1, allocated 22 (2200%), misses 0
[Id: 3] access-list 102 pool xxx_SAP refcount 13
pool xxx_SAP: netmask 255.255.255.252
start 192.168.5.2 end 192.168.5.2
type rotary, total addresses 1, allocated 13 (1300%), misses 0
[Id: 4] access-list 103 pool xxx_sapbw refcount 0
pool xxx_sapbw: netmask 255.255.255.252
start 192.168.5.172 end 192.168.5.172
type rotary, total addresses 1, allocated 0 (0%), misses 3
[Id: 5] access-list 104 pool xxx_BI refcount 0
pool xxx_BI: netmask 255.255.255.252
start 192.168.5.82 end 192.168.5.82
type rotary, total addresses 1, allocated 0 (0%), misses 0
[Id: 6] access-list 106 pool xxx_Surveillance refcount 0
pool xxx_Surveillance: netmask 255.255.255.252
start 192.168.5.45 end 192.168.5.45
type rotary, total addresses 1, allocated 0 (0%), misses 0
[Id: 7] access-list 107 pool xxx_Prometric refcount 0
pool xxx_Prometric: netmask 255.255.255.252
start 192.168.5.3 end 192.168.5.3
type rotary, total addresses 1, allocated 0 (0%), misses 0
[Id: 8] access-list 108 pool xxx_CM/VUE refcount 0
pool xxx_CM/VUE: netmask 255.255.255.252
start 192.168.0.7 end 192.168.0.7
type rotary, total addresses 1, allocated 0 (0%), misses 6
[Id: 9] access-list 109 pool xxx_BI7_1 refcount 0
pool xxx_BI7_1: netmask 255.255.255.252
start 192.168.5.8 end 192.168.5.8
type rotary, total addresses 1, allocated 0 (0%), misses 0
[Id: 10] access-list 110 pool xxx_edu4u refcount 0
pool xxx_edu4u: netmask 255.255.255.252
start 192.168.5.16 end 192.168.5.16
type rotary, total addresses 1, allocated 0 (0%), misses 4524
[Id: 11] access-list 111 pool xxx_QC refcount 0
pool xxx_QC: netmask 255.255.255.252
start 192.168.5.18 end 192.168.5.18
type rotary, total addresses 1, allocated 0 (0%), misses 0
[Id: 12] access-list 112 pool xxx_EMULE refcount 0
pool xxx_EMULE: netmask 255.255.255.252
start 192.168.5.20 end 192.168.5.20
type rotary, total addresses 1, allocated 0 (0%), misses 0
[Id: 13] access-list 114 pool xxx_BI7_2 refcount 0
pool xxx_BI7_2: netmask 255.255.255.252
start 192.168.5.80 end 192.168.5.80
type rotary, total addresses 1, allocated 0 (0%), misses 0
[Id: 14] access-list 115 pool xxx_RDP refcount 0
pool xxx_RDP: netmask 255.255.255.252
start 192.168.5.11 end 192.168.5.11
type rotary, total addresses 1, allocated 0 (0%), misses 30
[Id: 15] access-list 116 pool xxx_CONTACT/CVS refcount 0
pool xxx_CONTACT/CVS: netmask 255.255.255.252
start 192.168.5.111 end 192.168.5.111
type rotary, total addresses 1, allocated 0 (0%), misses 177
[Id: 16] access-list 117 pool xxx_swtest refcount 0
pool xxx_swtest: netmask 255.255.255.252
start 192.168.5.125 end 192.168.5.125
type rotary, total addresses 1, allocated 0 (0%), misses 0
[Id: 17] access-list 118 pool xxx_cvs refcount 0
pool xxx_cvs: netmask 255.255.255.252
start 192.168.5.156 end 192.168.5.156
type rotary, total addresses 1, allocated 0 (0%), misses 0
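A triage script, added here and not part of Greg's post, that parses the Inside Destination section of output like the above and sorts each mapping into working (refcount > 0), failing (nothing allocated but misses recorded, reading a pool's misses as failed allocations), idle (never matched) or not-rotary (inside-destination pools must be type rotary). The embedded excerpt is constructed in the same format with made-up names and counters.

```python
import re

# Constructed excerpt in the format of 'show ip nat statistics' output as
# posted above; the pool names and counters are made up for this example.
SAMPLE = """\
Total active translations: 40 (0 static, 40 dynamic; 40 extended)
Outside interfaces:
  FastEthernet0/0
Inside interfaces:
  FastEthernet0/1
Hits: 1000  Misses: 20
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 interface FastEthernet0/0 refcount 30
-- Inside Destination
[Id: 2] access-list 101 pool web refcount 10
 pool web: netmask 255.255.255.252
        start 192.168.5.130 end 192.168.5.130
        type rotary, total addresses 1, allocated 10 (1000%), misses 0
[Id: 3] access-list 110 pool edu refcount 0
 pool edu: netmask 255.255.255.252
        start 192.168.5.16 end 192.168.5.16
        type rotary, total addresses 1, allocated 0 (0%), misses 4524
[Id: 4] access-list 111 pool qc refcount 0
 pool qc: netmask 255.255.255.252
        start 192.168.5.18 end 192.168.5.18
        type rotary, total addresses 1, allocated 0 (0%), misses 0
"""

MAPPING_RE = re.compile(r"\[Id: (\d+)\] access-list (\S+) pool (\S+) refcount (\d+)")
RANGE_RE = re.compile(r"start (\S+) end (\S+)")
POOL_RE = re.compile(
    r"type (\S+), total addresses (\d+), allocated (\d+) \(\d+%\), misses (\d+)")


def parse_inside_destination(text):
    """Return one dict per mapping listed under '-- Inside Destination'."""
    mappings, current, in_section = [], None, False
    for line in text.splitlines():
        if line.startswith("-- "):
            in_section = line.strip() == "-- Inside Destination"
            current = None
            continue
        if not in_section:
            continue
        m = MAPPING_RE.search(line)
        if m:
            current = {"id": int(m.group(1)), "acl": m.group(2),
                       "pool": m.group(3), "refcount": int(m.group(4))}
            mappings.append(current)
        elif current is not None:
            r = RANGE_RE.search(line)
            if r:
                current["start"], current["end"] = r.groups()
            p = POOL_RE.search(line)
            if p:
                current["type"] = p.group(1)
                current["addresses"] = int(p.group(2))
                current["allocated"] = int(p.group(3))
                current["misses"] = int(p.group(4))
    return mappings


def triage(mappings):
    """Map each pool name to the verdict a troubleshooter would act on first.

    working    - translations exist (refcount > 0)
    failing    - nothing allocated but the pool recorded misses: matching
                 traffic arrived and no translation could be created
    idle       - never matched; check the ACL, or whether the traffic is not TCP
    not-rotary - inside-destination pools have to be 'type rotary'
    """
    verdicts = {}
    for m in mappings:
        if m.get("type") != "rotary":
            verdicts[m["pool"]] = "not-rotary"
        elif m["refcount"] > 0:
            verdicts[m["pool"]] = "working"
        elif m.get("misses", 0) > 0:
            verdicts[m["pool"]] = "failing"
        else:
            verdicts[m["pool"]] = "idle"
    return verdicts


if __name__ == "__main__":
    for pool, verdict in triage(parse_inside_destination(SAMPLE)).items():
        print(f"{pool:12s} {verdict}")
```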
This simply is not forwarding the ports for me. The only thing I can get to work is a route-map. Anyone else?
Hello, and thanks for the suggestion ... it works wonders.
In addition to your configuration I put "deny ip any any" at the end of the
access-list; some IOS versions put the permit any any by default, which
blocked the rest of the traffic for the LAN.
Best Regards
Christian
That config does not work in all scenarios; I found this will be much more universal and probably appears a little simpler:
ip nat inside source static (inside address) (outside address) extendable
!
access-list 102 permit ip any any
access-list 105 permit udp host (inside address) range (start port) (end port) any
access-list 105 permit udp host (inside address) range (start port) (end port) any
access-list 105 permit tcp host (inside address) range (start port) (end port) any
dialer-list 1 protocol ip permit
route-map MAP permit 10
match ip address 105
Just add as many access list lines as you like.
Thanks. This is exactly what I needed.
Worked first time.
I had to replace a netgear adsl box with a Cisco 877, with no additional routable ip addresses.
I needed to allow IPSEC access from the internet to a PIX on the inside (my company insists on a double-skinned setup).
NAT is now working, ipsec tunnel established, and me a happy-chappy.
Thanks again for the solution. Kudos to you.
BTG,
Where is access list 102 referred from? Was it supposed to be 105? Is there anything else I'm missing? Was there something that needs to refer to dialer list 1? Where is the list? It doesn't seem to work for me, and neither did the rotary method. Here's my entire config:
(dynamic VPN and static port translations like RDP and torrent are good.)
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname JohnHome
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 Giberish
!
no aaa new-model
clock timezone PCTime -7
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.27.19.1 172.27.19.100
ip dhcp excluded-address 172.27.19.151 172.27.19.254
!
ip dhcp pool 1
network 172.27.19.0 255.255.255.0
default-router 172.27.19.1
dns-server 172.27.4.29 172.27.4.21 208.67.222.222
!
!
ip cef
ip host members.dyndns.org 63.208.196.96
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip ddns update method DynDNS
!
ip ddns update method dyndns
interval maximum 28 0 0 0
interval minimum 28 0 0 0
!
!
!
!
partition flash 2 10 2
!
username admin privilege 15 secret 5 Giberish
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key tsa47 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile vpnprof
set transform-set trans2
!
!
!
!
interface Tunnel0
bandwidth 10000
ip address 10.0.0.2 255.255.255.0
no ip redirects
ip mtu 1700
ip nhrp authentication test
ip nhrp map multicast h.u.b.r.o.u.t.e.r
ip nhrp map 10.0.0.1 h.u.b.r.o.u.t.e.r
ip nhrp network-id WouldntYouLikeToKnow
ip nhrp holdtime 300
ip nhrp nhs 10.0.0.1
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source Ethernet1
tunnel mode gre multipoint
tunnel key wouldntYouLikeToKnow
tunnel protection ipsec profile vpnprof
!
interface Ethernet0
ip address 172.27.19.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Ethernet1
description Outside WAN Interface
ip address o.u.t.s.i.d.e 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
!
interface Ethernet2
no ip address
shutdown
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 10.0.0.0 0.0.0.255 area 0
network 172.27.19.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 d.e.f.a.u.l.t.g.w
ip route 172.0.0.0 255.0.0.0 10.0.0.1
!
ip http server
no ip http secure-server
!
ip nat inside source list 10 interface Ethernet1 overload
! My Torrent port
ip nat inside source static tcp 172.27.19.90 9632 interface Ethernet1 9632
! My Remote Desktop port:
ip nat inside source static tcp 172.27.19.90 3389 interface Ethernet1 3389
! The new config to route to phone:
ip nat inside source static 172.27.19.15 o.u.t.s.i.d.e extendable
access-list 10 permit 172.27.19.0 0.0.0.255
access-list 102 permit ip any any
access-list 105 permit udp host 172.27.19.15 range 5060 5070 any
access-list 105 permit udp host 172.27.19.15 range 10000 20000 any
dialer-list 1 protocol ip permit
!
route-map MAP permit 10
match ip address 105
!
!
!
control-plane
!
!
line con 0
no modem enable
transport output all
line aux 0
transport output all
line vty 0 4
exec-timeout 120 0
password 7 wouldntYouLikeToKnow
login
length 0
transport input all
transport output all
!
scheduler max-task-time 5000
ntp clock-period 17180325
ntp server 66.27.60.10 source Ethernet1
end
Here is the code necessary for using policy based routing (PBR) with a Cisco route-map command to achieve the same objective as a destination list. This example assumes a static IP address on your WAN interface.
# WAN IP: 209.112.160.1
# LAN HOST: 192.168.9.10 (WoW)
interface FastEthernet0/0
description LAN Interface
ip address 192.168.9.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
description WAN Interface
ip address 209.112.160.1 255.255.255.0
ip nat outside
!
ip nat inside source list NAT-ACL interface FastEthernet0/1 overload
ip nat inside source static 192.168.9.10 209.112.160.1 route-map WOW-PBR extendable
!
ip access-list standard NAT-ACL
permit 192.168.9.0 0.0.0.255
!
ip access-list extended WOW-ACL
permit tcp any any eq 3724
permit tcp any any range 6881 6999
!
route-map WOW-PBR permit 10
match ip address WOW-ACL
Note: If you have an inbound access control list on your WAN interface, you have to open the same ports used by your PBR ACL. In this example, those are the ports opened by the World of Warcraft ACL that I've named WOW-ACL.
proforg says:
September 20, 2009 at 2:10 pm
Downside of destination list is that this technique is suitable only for TCP port forwarding: http://www.cisco.com/en/US/docs/ios/11_3/dial/configuration/guide/dcnat.html#wp3881
Non-TCP traffic is passed untranslated (unless other translations are in effect).
Jason, in my setup your PBR example always gives a simple ip-to-ip mapping, regardless of the access-list :( Even in sh ip nat tra
ip nat inside source static 192.168.0.236 212.41.41.112 route-map antares extendable
route-map antares permit 10
match ip address antares
ip access-list extended antares
permit tcp any any eq www
permit tcp any any eq 2222
permit tcp any any range 6881 6889
permit tcp any any eq 51413
permit udp any any eq 5060
altair#sh ip nat tra | inc 236
--- 212.41.41.112 192.168.0.236 --- ---
This is a very useful post Scott...
Before I found your page I was frustrated too by the fact that you needed 100+ lines to open a range of 100 ports!
Anyway, I did try it but it didn't work for me.
I'm using a freeware tool called pfportchecker to check the status of the ports (it uses their own Internet server), and it showed the ports I wanted (6073, 6100-6200) as closed.
So, I then added a static entry within that range (port 6150) just for testing purposes and it did work just fine....
Any ideas what I could be missing?
Here's part of my config:
ip nat pool NAT-POOL 10.0.0.11 10.0.0.11 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 10.0.0.11 6150 interface Dialer0 6150
ip nat inside destination list DEMIGOD pool NAT-POOL
!
ip access-list extended DEMIGOD
permit udp any any eq 6073
permit udp any any range 6100 6200
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 permit 10.0.0.0 0.0.0.255
dialer-list 1 protocol ip permit
thanks
Hi !
This technique is suitable only for TCP port forwarding: http://www.cisco.com/en/US/docs/ios/11_3/dial/configuration/guide/dcnat.html#wp3881
Non-TCP traffic is passed untranslated (unless other translations are in effect).
You are absolutely right!
I did try it with tcp and it does work indeed. So there's no easy way to forward 100+ ports with udp then?
At least I didn't find any :(
Jason's example with PBR doesn't work for me.
We had 12.4.6 on an 1811 and ip nat pool did not work for udp. However once we upgraded to 12.4.15 udp ports now work with the ip nat pool command.
Guys,
In your ACLs you need to use the "range" keyword instead of the "eq" keyword.
Example:
permit tcp any any range 6004 7004
Hope that helps! Using the "eq" command just lets you list ports, so if you wrote 6004 7004 for your ports it would just forward those two... not the range!
I also wish I could go back and edit my paragraph. My typing is horrible!
@NETWORKGOD
the command "ip nat inside source static udp" doesn't support a range of ports so still not a working solution...
For tcp yes the destination nat pool list works as described in the blog post.
I was not referring to the "ip nat inside source static udp" statements when talking about using the range command. I was talking about the building of your ACL for your ip NAT statement route-list. Here is an example of what I have set up at a customer site right now for their VoIP system. It is in system and fully functional:
This is my "ip nat" statement:
ip nat inside source static 192.168.200.201 24.XXX.XXX.XXX route-map VOIPFORWARD extendable
Here is my route-map:
route-map VOIPFORWARD permit 10
match ip address VOIPFORWARD
Here is my ACL:
ip access-list extended VOIPFORWARD
permit tcp any any range 6004 7039
permit udp any any range 6004 7039
permit tcp any any eq 5566
permit udp any any eq 5567
permit tcp any any eq 5570
permit tcp any any eq 22
permit tcp any any eq 4444
permit udp any any eq 61
permit udp any any eq bootpc
permit udp any any eq tftp
permit udp any any eq 20001
permit tcp any any range 3998 3999
permit udp any any range 5004 5007
permit tcp any any eq www
I apologize if I was not clear in my previous statement and I hope this helps.
can you please show
sh ip nat tra
command output ?
in all my tests this config worked exactly as simple ip-to-ip mapping :(
Very interesting. We are running some tests right now and I will post what we figure out. Stay Tuned!
Hi guys,
I've been playing with this route-map config and I confirm that it is working as a one-to-one translation whenever an ACL is defined in the route-map match statement. I've tried to include some rubbish lines in the ACL, with no "useful" lines with UDP/TCP port ranges. Still, everything is working.
I am extensively using route-maps in PAT translation and they work just fine.
But in static translation it looks like they do not make any effect.
I am confused... Every low-end dlink\linksys SOHO router has port range translation, but world leader does not.
Maybe someone has a TAC contract to escalate and investigate why this route-map is not working in the way expected?
Thanks.
will the same work with rotary command if not using route map but simple
config like this:
ip nat pool IP 192.168.1.70 192.168.1.70 netmask 255.255.255.0 type rotary
ip nat inside destination list 106 pool IP
access-list 106 permit udp any any range 1170 1173
try this config.
This is insane: the world's largest provider of enterprise-class network gear can't/won't allow you to do something as simple as forwarding a port range.
The ip nat pool only works with TCP traffic, which is not much use to me since I have a video conferencing unit that needs 5000 UDP ports.
I've tried route maps and that doesn't seem to work: the connection gets in fine, and a "show ip nat trans" shows the translations working correctly, but the units never connect, and we think it's because traffic heading back out isn't correct.
Unreal.... I ran into this years ago with another client who fortunately had a range of IP addresses, so we did a 1:1 NAT; this new client, however, doesn't have that luxury. Disappointed to say the least at this huge handicap Cisco equipment has.
Thank you for posting- this has solved some of my cisco networking problems... though I imagine there will be more to come!
I'm trying to open some ports for an FTP Server. Following the instructions above I entered:
ip nat pool FTP 192.168.1.212 192.168.1.212 netmask 255.255.255.0 type rotary
ip nat inside destination list 101 pool FTP
and then entered:
access-list 101 permit tcp any XXX.XXX.XXX.XXX range 2998 3080
Since I didn't want to open these ports on all of my external IP addresses.
But when I enter the last command at the Cisco(config)# prompt I get an Invalid input detected at '^' marker error, at range.
Do I need to enter the access-list in a different place? Or can I only open these ports for all my IP addresses? Or am I misunderstanding the command?
Thanks for the help.
Hi Harry,
access-list 101 permit tcp any XXX.XXX.XXX.XXX range 2998 3080
One problem I see with the above command is that you need both an IP address and netmask where you have XXX.XXX.XXX.XXX. Did you have both in your original command and just copy and paste wrong in the comment?
--
Scott
Hi Scott:
That's probably it; I did not include a subnet mask. I will try that tomorrow when I get back to the office.
Thanks for the heads up.
Let us know how it goes!
--
Scott
Hi,
I have been trying to make my routers do UDP port forwarding to the LAN based on source IP address (WAN) for a while and can't seem to find any solution for it.
After reading through what everyone has contributed above, none of the examples work for me...
However, TCP will always work with the "ip nat source destination" NAT, but UDP will never work.
Also, after implementing the "ip nat source destination" configuration on the router, the "show ip nat translation" command displays nothing.
Would be grateful if anyone can provide solution for the problem I am experiencing...
Lastly I am using IOS 12.4(22)T on Cisco 2801 router.
Cheers,
Dan
Hi,
Found this on a website and should be helpful:
INSIDE-DESTINATION
It's basically used for TCP load balancing from clients on the outside
to a virtual server on the inside. Non-tcp traffic doesn't get
translated! The important thing to remember is that it applies to
traffic initiated from the OUTSIDE to the INSIDE, and not the other way
around. Of course, the source of the return traffic from the inside to
the outside will get translated, but the initiation from outside to
inside is required to happen first, so that the dynamic NAT table entry
is created. The other key thing is that there's no "static" version of
this command, but only "list" version, hence it happens dynamically.
There actually used to be a "ip nat inside destination static" version
of this command, but it's not in newer IOSes. So here's an example.
You have ten servers on the inside with IP addresses 10.0.0.1 through
10.0.0.10. All servers have the same content, and share the same
service, for example HTTP (port 80).
Clients on the outside want to reach them as one virtual server
65.0.0.1:80.
int e0 (servers are here)
ip nat inside
int ser0 (clients are here)
ip nat outside
!
ip nat pool VIRTUAL 10.0.0.1 10.0.0.10 prefix-length 24 type rotary
<---- The pool must be rotary!
ip nat inside destination list 1 pool VIRTUAL
!
access-list 1 permit 65.0.0.1
Multiple clients from the outside go to 65.0.0.1:80, and this traffic ip
destination will translate to 10.0.0.1:80, 10.0.0.2:80, etc...
Individual TCP port-based entries will appear in "show ip nat trans"
once traffic comes in. And obviously return traffic IP source will get
translated too. It has to match the nat table entry.
Nothing will happen if traffic is initiated from inside first. So, one
more time, traffic has to initiate from the outside. IP destination is
translated. And It doesn't work with UDP traffic.
By the way, if you want to achieve the same results for UDP traffic, you
would have to set up a bunch of "ip nat INSIDE SOURCE static UDP"
entries. You can't do it with "ip nat inside destination".
Maybe this is why it never works for me (UDP).
Cheers,
Dan
Are you able to assign multiple ip nat pools to a single ethernet interface? for example
int eth 0
ip nat pool pool1 192.168.2.80 192.168.2.80 netmask 255.255.255.0 type rotary
ip nat pool pool2 192.168.2.254 192.168.2.254 netmask 255.255.255.0 type rotary
ip nat pool pool3 192.168.2.5 192.168.2.5 netmask 255.255.255.0 type rotary
ip nat pool pool4 192.168.2.8 192.168.2.8 netmask 255.255.255.0 type rotary
I ask, because I have three webservers (one for my Home Server, one for a Bitnami Tracks server, and one for my MythTV box) along with port forwarding to allow MSN and Skype to work on my desktop. So, right now, I have about 15 ip nat inside source static commands, and would like to cut that down as much as possible.
Here is my list of commands (current)
ip nat inside source static tcp 192.168.2.5 3306 interface Dialer1 3306
ip nat inside source static udp 192.168.2.5 3306 interface Dialer1 3306
ip nat inside source static tcp 192.168.2.5 6543 interface Dialer1 6543
ip nat inside source static tcp 192.168.2.5 6544 interface Dialer1 6544
ip nat inside source static udp 192.168.2.5 6544 interface Dialer1 6544
ip nat inside source static udp 192.168.2.5 6543 interface Dialer1 6543
ip nat inside source static udp 192.168.2.8 6900 interface Dialer1 6900
ip nat inside source static udp 192.168.2.8 6899 interface Dialer1 6899
ip nat inside source static udp 192.168.2.8 6898 interface Dialer1 6898
ip nat inside source static udp 192.168.2.8 6897 interface Dialer1 6897
ip nat inside source static udp 192.168.2.8 6896 interface Dialer1 6896
ip nat inside source static udp 192.168.2.8 6895 interface Dialer1 6895
ip nat inside source static udp 192.168.2.8 6894 interface Dialer1 6894
ip nat inside source static udp 192.168.2.8 6893 interface Dialer1 6893
ip nat inside source static udp 192.168.2.8 6892 interface Dialer1 6892
ip nat inside source static udp 192.168.2.8 6891 interface Dialer1 6891
ip nat inside source static udp 192.168.2.8 6890 interface Dialer1 6890
ip nat inside source static tcp 192.168.2.8 6899 interface Dialer1 6899
ip nat inside source static tcp 192.168.2.8 6898 interface Dialer1 6898
ip nat inside source static tcp 192.168.2.8 6897 interface Dialer1 6897
ip nat inside source static tcp 192.168.2.8 6896 interface Dialer1 6896
ip nat inside source static tcp 192.168.2.8 6895 interface Dialer1 6895
ip nat inside source static tcp 192.168.2.8 6894 interface Dialer1 6894
ip nat inside source static tcp 192.168.2.8 6893 interface Dialer1 6893
ip nat inside source static tcp 192.168.2.8 6892 interface Dialer1 6892
ip nat inside source static tcp 192.168.2.8 6891 interface Dialer1 6891
ip nat inside source static tcp 192.168.2.8 6890 interface Dialer1 6890
ip nat inside source static tcp 192.168.2.8 6900 interface Dialer1 6900
ip nat inside source static tcp 192.168.2.8 44002 interface Dialer1 44002
ip nat inside source static tcp 192.168.2.254 80 interface Dialer1 80
ip nat inside source static tcp 192.168.2.254 443 interface Dialer1 443
ip nat inside source static tcp 192.168.2.254 4125 interface Dialer1 4125
ip nat inside source static tcp 192.168.2.254 8333 interface Dialer1 8333
ip nat inside source static tcp 192.168.2.254 8222 interface Dialer1 8222
ip nat inside source static udp 192.168.2.254 8222 interface Dialer1 8222
ip nat inside source static udp 192.168.2.254 8333 interface Dialer1 8333
ip nat inside source static tcp 192.168.2.80 80 interface Dialer1 8080
ip nat inside source static udp 192.168.2.80 80 interface Dialer1 8080
ip nat inside source static udp 192.168.2.80 10000 interface Dialer1 10000
ip nat inside source static tcp 192.168.2.80 10000 interface Dialer1 10000
and I will have one or two more for the MythTV box (when I finish configuring it). I would love to cut that down to as few as possible (probably will be three ranges for the web servers and two ranges for the MSN/Skype ones).
Any help with this is greatly appreciated also. I'm running IOS 12.3(25) so I'm limited in that (on a Cisco 2514 router).
Have a great day:)
Patrick.
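An added example (not Patrick's code) that parses a list of static entries like the one above, coalesces consecutive ports into ranges and says which runs the rotary-pool/destination-list technique can absorb: TCP runs with an unchanged port become one ACL line, UDP runs stay static because inside-destination does not translate non-TCP traffic, and entries such as 80 -> 8080 stay static because the destination-list technique forwards a port to the same port. The sample list is constructed from a subset of the entries above.

```python
import re
from collections import defaultdict

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")

# Constructed sample built from a subset of the entries in the comment above.
SAMPLE = "\n".join(
    [f"ip nat inside source static {proto} 192.168.2.8 {p} interface Dialer1 {p}"
     for proto in ("udp", "tcp") for p in range(6890, 6901)]
    + ["ip nat inside source static tcp 192.168.2.8 44002 interface Dialer1 44002",
       "ip nat inside source static tcp 192.168.2.254 80 interface Dialer1 80",
       "ip nat inside source static tcp 192.168.2.254 443 interface Dialer1 443",
       "ip nat inside source static tcp 192.168.2.80 80 interface Dialer1 8080"])


def parse_static_entries(text):
    """(proto, host, inside_port, interface, outside_port) for each static line."""
    entries = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, host, inside, iface, outside = m.groups()
            entries.append((proto, host, int(inside), iface, int(outside)))
    return entries


def coalesce(ports):
    """Sorted (first, last) runs of consecutive ports: {1,2,3,7} -> [(1,3),(7,7)]."""
    runs = []
    for p in sorted(set(ports)):
        if runs and runs[-1][1] == p - 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return [tuple(r) for r in runs]


def plan(entries):
    """Group by (host, proto) and label each port run with how it can be expressed.

    rotary - TCP with the port unchanged: one 'eq'/'range' line in the host's
             destination-list ACL replaces the whole run
    static - UDP: inside-destination leaves non-TCP untranslated, so the run
             must remain one static entry per port
    remap  - inside port differs from outside port (80 -> 8080): the
             destination-list technique forwards a port to the same port,
             so these entries also stay static
    """
    same, remapped = defaultdict(list), defaultdict(list)
    for proto, host, inside, _iface, outside in entries:
        (same if inside == outside else remapped)[(host, proto)].append(outside)
    result = {}
    for key, ports in same.items():
        verdict = "rotary" if key[1] == "tcp" else "static"
        result[key] = [(a, b, verdict) for a, b in coalesce(ports)]
    for key, ports in remapped.items():
        result.setdefault(key, []).extend((p, p, "remap") for p in sorted(ports))
    return result


def line_counts(entries):
    """(static lines now, config lines after the plan). A host that gains a
    rotary pool pays three fixed lines: pool, destination list, ACL header."""
    after = 0
    for _key, runs in plan(entries).items():
        if any(v == "rotary" for _, _, v in runs):
            after += 3
        for first, last, verdict in runs:
            after += last - first + 1 if verdict == "static" else 1
    return len(entries), after


if __name__ == "__main__":
    for key, runs in sorted(plan(parse_static_entries(SAMPLE)).items()):
        print(key, runs)
    print("lines before/after:", line_counts(parse_static_entries(SAMPLE)))
```

On this sample the UDP half of the list is what keeps the line count high, which is the same limitation the earlier comments ran into.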
A little dated but this worked for me.
https://supportforums.cisco.com/docs/DOC-16848
I was trying this out and I am wondering what version you are using?
This might be a stupid question as I am new to this. Would the 8.3 version on this support forum be the one I follow, or yours? I am planning to buy a Cisco ASA 5505. Anyone care to help?
https://supportforums.cisco.com/docs/DOC-16848
I would be using overload or ?
http://cognitiveanomalies.com/cisco-nat-how-nat-works/
Works like a treat my friend.
Thank you very much. This was driving me crazy.
Cheers.
Hamun
was this issue ever resolved?
I am having the same problem... I have multiple external IP's and would like to open range of ports for only one of them