Cisco, NAT, and Port Range Stupidity

Posted on in Networking

Anyone who has ever done anything remotely "interesting" with a run-of-the-mill broadband router is undoubtedly familiar with the concept of port forwarding. Some applications need an entire range of ports forwarded: peer-to-peer (P2P) traffic comes immediately to mind, but the Real-time Transport Protocol (RTP) side of Voice over IP (VoIP) is another. For some inane reason, Cisco IOS is unable to forward a range of ports to a specific IP address behind a Network Address Translation (NAT) installation.

Network Address Translation (NAT) translates addresses on one side of a router to one or more addresses on another side. This is the technology that allows multiple computers on RFC 1918 addresses to use a broadband connection that only allows one IP address. In general use, the router keeps a map of what ports are in use by which internal host and ensures that packets reach their proper internal destination. Unfortunately, this only works automatically if there is never a need for an external host to initiate a connection with an internal host.

In order for an external host to initiate contact with an internal host, the router must know ahead of time which port to forward to the internal host. Thus... port forwarding. If there is a web server behind the NAT router, the router must know to send all incoming TCP port 80 requests to the web server. On most low-end broadband routers, you can specify a range of ports to forward to an internal host.

Unfortunately, this isn't possible in Cisco IOS. Port forwarding is configured with the ip nat commands (see example below), and those commands do not have an option to specify a range. If you only need to forward one or two ports to a specific host, this is only a minor hassle. Imagine needing to forward 1000 ports!

Unfortunately, I don't have an easy solution for this problem, just a forum to gripe on. If you've got some ideas, leave a comment or send me an email.

I've included the configuration necessary to allow Blizzard's BitTorrent-based updater for World of Warcraft to work through a Cisco IOS-based router. Not only is this example relevant, it also illustrates this IOS annoyance perfectly. Unfortunately, the configuration is so long (130+ lines!) that I had to include an abbreviated version here. Naturally, you can find the full-length WoW Updater example on this site.

interface FastEthernet0/0
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.9.10 3724 interface FastEthernet0/1 3724
ip nat inside source static tcp 192.168.9.10 6881 interface FastEthernet0/1 6881
ip nat inside source static tcp 192.168.9.10 6882 interface FastEthernet0/1 6882
ip nat inside source static tcp 192.168.9.10 6883 interface FastEthernet0/1 6883
! snipped over 100 lines of configuration here for brevity.
ip nat inside source static tcp 192.168.9.10 6997 interface FastEthernet0/1 6997
ip nat inside source static tcp 192.168.9.10 6998 interface FastEthernet0/1 6998
ip nat inside source static tcp 192.168.9.10 6999 interface FastEthernet0/1 6999
!
access-list 1 permit 192.168.9.0 0.0.0.255
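To make the one-line-per-port rule concrete, here is a small Python helper, added for this post and not Cisco tooling or the original author's code: it generates the static NAT lines for the 6881-6999 range shown above and then parses a config back into a per-host inventory of exposed ports, which is the check worth running on any hand-maintained block this long. The host and interface names are the ones from the example; the function names are my own.

```python
"""Generate and audit Cisco IOS static NAT port-forward entries (added example)."""
import re

# Matches the exact form used in the post's configuration.
NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$"
)


def nat_static_lines(inside_ip, outside_if, first, last, proto="tcp"):
    """Emit one 'ip nat inside source static' line per port.

    IOS offers no range syntax for static NAT, so a range of N ports is N lines.
    """
    if not (1 <= first <= last <= 65535):
        raise ValueError("port range must be ordered and within 1-65535")
    return [
        f"ip nat inside source static {proto} {inside_ip} {p} interface {outside_if} {p}"
        for p in range(first, last + 1)
    ]


def exposed_ports(config_text):
    """Audit a config: map each inside host to the (proto, outside port) pairs
    reachable through the outside interface. Lines that are not static NAT
    entries (interfaces, access-lists, '!' comments) are ignored."""
    exposed = {}
    for line in config_text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            proto, ip, _inside_port, _iface, outside_port = m.groups()
            exposed.setdefault(ip, set()).add((proto, int(outside_port)))
    return exposed


if __name__ == "__main__":
    # The single game port plus the BitTorrent range from the post: 120 lines.
    lines = ["ip nat inside source static tcp 192.168.9.10 3724 interface FastEthernet0/1 3724"]
    lines += nat_static_lines("192.168.9.10", "FastEthernet0/1", 6881, 6999)
    print(len(lines), "static NAT lines")
    inventory = exposed_ports("\n".join(lines))
    ports = sorted(p for _, p in inventory["192.168.9.10"])
    print(f"192.168.9.10 exposed on {len(ports)} TCP ports, {ports[0]}-{ports[-1]}")
```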

Photo by Jenny Erickson.