Anyone who has ever done anything remotely “interesting” with a run-of-the-mill broadband router is undoubtedly familiar with the concept of port forwarding. In the case of some applications (P2P comes immediately to mind, but the RTP part of VoIP is another), it is necessary to forward an entire range of ports. For some inane reason Cisco IOS is unable to forward a range of ports to a specific IP address behind a NAT installation.
Network Address Translation (NAT) translates addresses on one side of a router to one or more addresses on another side. This is the technology that allows multiple computers on RFC 1918 addresses to use a broadband connection that only allows one IP address. In general use, the router keeps a map of what ports are in use by which internal host and ensures that packets reach their proper internal destination. Unfortunately, this only works automatically if there is never a need for an external host to initiate a connection with an internal host.
In order for an external host to initiate contact with an internal host, the router must know ahead of time which port to forward to the internal host. Thus… port forwarding. If there is a web server behind the NAT router, the router must know to send all incoming TCP port 80 requests to the web server. On most low-end broadband routers, you can specify a range of ports to forward to an internal host.
Unfortunately, this isn’t possible in Cisco IOS. Port forwarding is configured with the ip nat commands (see example below), and those commands do not have an option to specify a range. If you only need to forward one or two ports to a specific host, this is only a minor hassle. Imagine needing to forward 1000 ports!
Unfortunately, I don’t have an easy solution for this problem, just a forum to gripe on. If you’ve got some ideas, leave a comment or send me an email.
I’ve included the configuration necessary to allow Blizzard’s BitTorrent-based updater for World of Warcraft to work through a Cisco IOS based router. Beyond being useful on its own, it is an excellent illustration of this IOS annoyance. Unfortunately, the full configuration is so long (130+ lines!) that I have included only an abbreviated version here. Naturally, you can find the full-length WoW Updater example on this site.
interface FastEthernet0/0
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.9.10 3724 interface FastEthernet0/1 3724
ip nat inside source static tcp 192.168.9.10 6881 interface FastEthernet0/1 6881
ip nat inside source static tcp 192.168.9.10 6882 interface FastEthernet0/1 6882
ip nat inside source static tcp 192.168.9.10 6883 interface FastEthernet0/1 6883
! snipped over 100 lines of configuration here for brevity.
ip nat inside source static tcp 192.168.9.10 6997 interface FastEthernet0/1 6997
ip nat inside source static tcp 192.168.9.10 6998 interface FastEthernet0/1 6998
ip nat inside source static tcp 192.168.9.10 6999 interface FastEthernet0/1 6999
!
access-list 1 permit 192.168.9.0 0.0.0.255
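Since each static NAT statement carries exactly one port, the practical workaround is to generate the lines rather than type them. The following script is an added example (not part of the original post): it emits one `ip nat inside source static` line per port for a range, plus the matching `no` lines for removing the mappings later. The inside host, outside interface and port ranges default to the values from the configuration above.

```python
"""Generate per-port Cisco IOS static NAT entries for a port range.

Added example, not code from the original post. IOS static NAT takes one
port per statement, so forwarding a range means emitting one line per
port. Defaults below are the host, interface and ports from the WoW config.
"""


def static_nat_lines(inside_ip, outside_if, ports, proto="tcp", remove=False):
    """Return one static NAT command per port.

    ports:  iterable of ints (1-65535), e.g. range(6881, 7000)
    remove: if True, prefix each line with 'no ' to undo the mapping
    """
    prefix = "no " if remove else ""
    lines = []
    for port in ports:
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        lines.append(
            f"{prefix}ip nat inside source static {proto} "
            f"{inside_ip} {port} interface {outside_if} {port}"
        )
    return lines


def port_range(spec):
    """Parse '6881-6999' or '3724' into an inclusive list of ints."""
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if lo > hi:
        raise ValueError(f"bad range: {spec}")
    return list(range(lo, hi + 1))


def wow_config(inside_ip="192.168.9.10", outside_if="FastEthernet0/1"):
    """The post's WoW updater mappings: TCP 3724 plus TCP 6881-6999."""
    ports = port_range("3724") + port_range("6881-6999")
    return static_nat_lines(inside_ip, outside_if, ports)


if __name__ == "__main__":
    cfg = wow_config()
    print("\n".join(cfg))
    print(f"! {len(cfg)} static NAT lines generated")
```

Paste the output into configuration mode; run the same function with `remove=True` to produce the lines that take the mappings out again.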
Related Reading:
- Cisco IOS Cookbook by Kevin Dooley, Ian Brown
- Routing TCP/IP, Volume II by Jeff Doyle, Jennifer DeHaven Carroll
Might help if you were using the right tool for the right job: get either a Cisco PIX or ASA firewall.
Thanks for the response, Chris!
You’re right that a PIX or ASA doesn’t suffer from this particular annoyance. Unfortunately, not everyone has an ASA handy or available.
This information is for those folks.
You can do this. I found a way at… http://www.dslreports.com/faq/13794
That’s an interesting find. I’ll give it a try and report back with my results.
Here’s another link to a possible solution. It seems a bit cumbersome to me, but is better than nothing.
http://www.petri.co.il/forums/showthread.php?p=84196
What do you guys mean the PIX/ASA doesn’t have this problem? They sure do… I haven’t found an easy way to forward a range of ports to one machine inside while allowing another range to be forwarded to a second.
Will the PIX allow static statement that allows for a range of outside ports (on the outside interface) to be forwarded to the same range on an inside address?
I don’t have thousands of lines, but a few dozen, and it does clutter up the config.
Thanks,
Brandon
Hey there, my easy way was just to write a file of the commands I wanted, then copy and paste it into the terminal. Then when I need to take the lines out, I just edit the file and copy and paste the commands to remove the rules. Just borrowed what someone had and used sed to change my IP and Ethernet device.
Seems to be quite a few ways to do this depending on what you like to use the most and what is available.
http://slaptijack.com/ios-nat-for-world-of-warcraft-updater/
[...] you might recall, I had previously taken umbrage with Cisco’s inability to forward a range of ports to a particular host. Many readers have offered suggestions and links to other documents around the [...]
So if your IP is 10.10.10.100, do it like this:
–
ip nat pool wow 10.10.10.100 10.10.10.100 netmask 255.255.255.0 type rotary
ip nat inside destination list 105 pool wow
access-list 105 permit tcp any any range 6881 6999
access-list 105 permit tcp any any eq 3724
–
If your computer needs other ports forwarded, just add them to access-list 105.
Might try to assign the range to a name/object and use that.
You can use a route-map for a port range including UDP services. Instructions at this link
http://www.voip-blog.co.uk/index.php/2009/11/21/nat-sip-range-on-uc500-cme