Port forwarding a range of ports on Cisco IOS


One question that routinely comes up in a particular forum that I frequent is “How do I port forward a range of ports?”  Usually, this question is met with one of two answers:  1) you don’t, or 2) manually enter 10000 “ip nat …” statements.

The correct answer is actually number three.  It turns out that it is, indeed, possible to forward a range of ports in IOS.  I tested this in my lab and everything works just as I would want it to.  Here’s the topology:

We have a single router.  The RFC1918 block 192.168.0.0/24 is used internally, and the router translates all internal addresses to its public address, 198.18.0.1, as it forwards traffic out FastEthernet 0/0, the outside interface.

The PC at 198.18.0.50 represents a host on the Internet attempting to reach services on the PC at 192.168.0.50.  Because 192.168.0.50 is an RFC1918 address, the router has to translate inbound traffic for it: a static NAT entry with port translation, commonly called Port Address Translation (PAT) or “port forwarding”.  This is nothing new, and most of us probably do it all the time.  The problem arises when we want to forward a large number of ports, typically UDP 10000-20000, the RTP media range used by many Voice over IP (VoIP) systems, because a static port translation covers only one port per line.

As I mentioned, there is a way to do this, and it’s easier than you think.

First, set up your basic NAT configuration (“ip nat inside”, “ip nat outside”, etc.).  Check out “Configuring Basic NAT with overloading”, if necessary.

Next, create an IP NAT pool containing a single address, the internal host 192.168.0.50.  The “type rotary” keyword is what lets the pool be used as the destination for inbound connections (IOS documents this feature as TCP load distribution); with only one address in the pool, every matching connection lands on that host:

R6(config)# ip nat pool PORTFWD 192.168.0.50 192.168.0.50 netmask 255.255.255.0 type rotary

Then, create an access list (ACL) matching the ports you want forwarded.  For 10000-20000/UDP for VoIP, the “range” keyword lets a single line cover the whole span.  The destination is “any” below for brevity; matching the router’s public address instead (“host 198.18.0.1”) keeps the list from also catching traffic for any other address the router owns:

R6(config)# access-list 100 permit udp any any range 10000 20000

Last, we’ll tie our access-list 100 to the PORTFWD NAT pool that we created:

R6(config)# ip nat inside destination list 100 pool PORTFWD

Now, any UDP traffic arriving on the router’s public interface (FastEthernet 0/0) for 198.18.0.1 with a destination port between 10000 and 20000 is translated to the same port on 192.168.0.50 (a one-address rotary pool changes the address, not the port).  Each connection appears in “show ip nat translations” as it is created, which is the quickest way to check the configuration.  Two things to keep in mind: every one of those ports on 192.168.0.50 is now reachable from the Internet, so an inbound ACL on the outside interface should limit the sources that can reach the range where the VoIP provider’s addresses are known; and Cisco documents rotary pools under TCP load distribution, so confirm UDP behaviour on your own platform and release.  I was able to verify this by generating UDP traffic on my MacBook and having the router forward it to another laptop with a tcpdump capture up and running — it worked wonderfully.  I was running 12.4(10a) on a 2621XM.  Try it out and let me know if it works for you as well!
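The three steps above, together with the basic overload NAT they sit on top of, as one complete configuration for the lab topology.  This is an added example, not the configuration from the original post: the addresses are the post’s, while FastEthernet0/1 (192.168.0.1) as the inside interface, the list name PORTFWD-RANGE and the single static entry for SIP signalling on UDP 5060 are assumptions made for illustration.

```cisco
! Added example (not the original post's configuration): the post's three
! steps plus basic overload NAT, in one place. Addresses are the post's;
! FastEthernet0/1 as the inside interface, the name PORTFWD-RANGE and the
! SIP signalling entry on UDP 5060 are assumptions for illustration.
!
interface FastEthernet0/0
 description Outside, toward the Internet
 ip address 198.18.0.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 description Inside LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
! Basic NAT with overloading: internal hosts share 198.18.0.1 outbound.
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Step 1: a rotary pool whose only member is the VoIP host, so every
! matching inbound connection is sent there (the port is left unchanged).
ip nat pool PORTFWD 192.168.0.50 192.168.0.50 netmask 255.255.255.0 type rotary
!
! Step 2: the range to forward. Matching only the router's own public
! address keeps the list from catching traffic for any other address.
ip access-list extended PORTFWD-RANGE
 permit udp any host 198.18.0.1 range 10000 20000
!
! Step 3: translate the destination of inbound packets that match the list.
ip nat inside destination list PORTFWD-RANGE pool PORTFWD
!
! For comparison, a single port (SIP signalling) still uses the classic
! one-line static entry; one such line per port is what the rotary pool avoids.
ip nat inside source static udp 192.168.0.50 5060 interface FastEthernet0/0 5060
!
! If an inbound ACL is applied to FastEthernet0/0, remember that it is
! evaluated before NAT: it must permit UDP 10000-20000 (and 5060) to
! 198.18.0.1, and "any" as the source should be narrowed to the VoIP
! provider's address block where it is known, because the whole range on
! 192.168.0.50 is otherwise reachable from the entire Internet.
```

After sending a test datagram from outside to, say, 198.18.0.1 port 15000, “show ip nat translations” should list a udp entry with inside global 198.18.0.1:15000 and inside local 192.168.0.50:15000; the port is preserved and only the address changes.  If the entry never appears, check any inbound ACL on the outside interface first, since it is consulted before the translation is attempted.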



Categories: Cisco, Labs, Networking, VoIP

NetworkNewb
June 10th, 2010 at 14:44 | #1

First off, I want to say thanks for a great write-up; I’ve been wondering how to do port ranges in IOS for a while.

Not sure what I’m doing wrong, however, as I’ve created a pool and access list but it only forwards TCP ports. We do have an ACL on the outside interface, in which I’ve allowed all TCP/UDP ports through. If I put in another “ip nat inside source static udp xxxxxx” entry I can get that UDP port working. I don’t want to type in 5000 lines :)

I need ports TCP/UDP 60000-64999 forwarded for a video conferencing system. TCP works fine, UDP not so much.

      Cisco 1811 router

ip nat pool videoconf 10.10.10.10 10.10.10.10 netmask 255.255.255.0 type rotary
ip nat inside destination list videoconferencepat pool videoconf

ip access-list extended videoconferencepat
 permit udp any any range 60000 64999
 permit tcp any any range 60000 64999
 permit tcp any any eq 5060
 permit udp any any eq 5060
 permit tcp any any eq 1720

ip access-list extended out2in   (acl on outside interface)
 permit udp any any range 60000 64999
 permit tcp any any range 60000 64999
 permit tcp any any eq 5060
 permit udp any any eq 5060
 permit tcp any any eq 1720
 deny ip any any log

I’ve tested everything and can see with the “show ip nat trans” command that all the TCP ports work… UDP not so much. Any ideas?
