One question that routinely comes up in a particular forum that I frequent is “How do I port forward a range of ports?” Usually, this question is met with one of two answers: 1) you don’t, or 2) manually enter 10000 “ip nat …” statements.
The correct answer is actually number three. It turns out that it is, indeed, possible to forward a range of ports in IOS. I tested this in my lab and everything works just as I would want it to. Here’s the topology:
We have a single router that we’re using. The RFC1918 address block 192.168.0/24 is being used internally, and the router will NAT all internal addresses to its public address, 198.18.0.1, as it forwards their traffic out FastEthernet 0/0.
The PC at 198.18.0.50 will represent a host on the Internet, attempting to access services on the PC at 192.168.0.50. Since 192.168.0.50 falls in the RFC1918 address space, we’ll need to use Port Address Translation (PAT), or “port forwarding”, on the router. This is nothing new and most of us probably do it all the time. The problem arises, however, when we want to forward a large number of ports — typically ports 10000-20000 for Voice over IP (VoIP).
As I mentioned, there is a way to do this, and it’s easier than you think.
First, set up your basic NAT configuration (“ip nat inside”, “ip nat outside”, etc.). Check out “Configuring Basic NAT with overloading”, if necessary.
Next, let’s create an IP NAT pool, for a single IP address (the IP address of the internal host, 192.168.0.50):
R6(config)# ip nat pool PORTFWD 192.168.0.50 192.168.0.50 netmask 255.255.255.0 type rotary
Then, create an access list (ACL) matching the ports you want forwarded. In the case of 10000-20000/UDP for VoIP, we can use the “range” keyword to simplify things for us tremendously:
R6(config)# access-list 100 permit udp any any range 10000 20000
Last, we’ll tie our access-list 100 to the PORTFWD NAT pool that we created:
R6(config)# ip nat inside destination list 100 pool PORTFWD
Now, any UDP traffic coming into our router’s public interface (FastEthernet 0/0) with a destination port between 10000 and 20000 will be forwarded to the host at 192.168.0.50. I was able to verify this by generating UDP traffic on my MacBook and having the router forward it to another laptop with a tcpdump capture up and running — it worked wonderfully. I was running 12.4(10a) on a 2621XM. Try it out and let me know if it works for you as well!
{ 7 comments… read them below or add one }
First off, I want to say thanks for a great write-up; I’ve been wondering how to do port ranges in IOS for a while.
Not sure what I’m doing wrong, however, as I’ve created a pool and access list but it only forwards TCP ports. We do have an ACL on the outside interface, which I’ve allowed all TCP/UDP ports through. If I put in another “ip nat inside source static udp xxxxxx” entry I can get that UDP port working. I don’t want to type in 5000 lines :)
I need TCP/UDP ports 60000-64999 forwarded for a video conferencing system. TCP works fine, UDP not so much.
Cisco 1811 router
ip nat pool videoconf 10.10.10.10 10.10.10.10 netmask 255.255.255.0 type rotary
ip nat inside destination list videoconferencepat pool videoconf
ip access-list extended videoconferencepat
permit udp any any range 60000 64999
permit tcp any any range 60000 64999
permit tcp any any eq 5060
permit udp any any eq 5060
permit tcp any any eq 1720
ip access-list extended out2in (acl on outside interface)
permit udp any any range 60000 64999
permit tcp any any range 60000 64999
permit tcp any any eq 5060
permit udp any any eq 5060
permit tcp any any eq 1720
deny ip any any log
I’ve tested everything and can see with the “show ip nat trans” command that all the TCP ports work… UDP not so much. Any ideas?
Can confirm that this only works for tcp on c870-advipservicesk9-mz.150-1.M3.bin too. UDP is broken.
You cannot forward a range of UDP ports with this method. You have to use port mapping, as per this:
http://www.voip-blog.co.uk/index.php/2009/11/21/nat-sip-range-on-uc500-cme
I have the same topology as shown above, but instead of forwarding a port, I want to forward the traffic destined to specific IPs. That is, when user 192.168.0.50 makes a request to 1.1.1.1, all the traffic should be diverted to 192.168……. Please tell me how to do this.
@StackForAll I think this is what you are looking for:
Create access list to match your ports.
ip access-list extended PORTS
deny tcp any any eq 22
permit ip any any
Create a NAT Pool to match the destination ip (IP Address of “local” device)
ip nat pool FORWARD 192.168.0.50 192.168.0.50 netmask 255.255.255.0 type rotary
and of course, tie them together:
ip nat inside destination list PORTS pool FORWARD
*remember to place your ACL rules in order!
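The three commands in the post (a rotary pool for one inside address, an ACL matching the destination ports, and “ip nat inside destination list … pool …”) and the PORTS/FORWARD variant in the comment above both rely on the same logic: the ACL is evaluated first-match, and the first permit entry that matches an inbound packet’s protocol and destination port selects the pool. The model below is an added example written for this page; it is not IOS code and not from the post’s author. It parses the config lines as they appear on the page (numbered and named ACLs with “any any”, “eq” or “range”, rotary pools, destination bindings; anything else is ignored), decides where a packet to the public address would be forwarded, and counts how many ports a configuration exposes to the inside host. It goes slightly beyond the post by handling deny entries, so the ordering caveat in the comment can be checked: the same two PORTS entries in the wrong order forward TCP/22 after all. The sample configurations are constructed from the page.

```python
"""Model of IOS 'ip nat inside destination list <acl> pool <pool>' with a rotary
pool and a destination-port ACL. This is a simulation written for this page, not
IOS code; only the ACE shapes used on the page are parsed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ACE_RE = re.compile(r"^(permit|deny)\s+(tcp|udp|ip)\s+any\s+any"
                    r"(?:\s+(eq|range)\s+(\d+)(?:\s+(\d+))?)?\s*$")


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "ip" ("ip" matches either)
    lo: int       # lowest destination port matched (inclusive)
    hi: int       # highest destination port matched (inclusive)

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto in ("ip", proto) and self.lo <= dport <= self.hi


def parse_ace(text: str) -> Ace:
    """Parse one entry such as 'permit udp any any range 10000 20000'."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported ACE in this model: {text!r}")
    action, proto, kw, p1, p2 = m.groups()
    if kw is None:                 # no port qualifier: every destination port
        lo, hi = 0, 65535
    elif kw == "eq":
        lo = hi = int(p1)
    else:                          # "range": two ports, inclusive
        if p2 is None:
            raise ValueError(f"'range' needs two ports: {text!r}")
        lo, hi = int(p1), int(p2)
    return Ace(action, proto, lo, hi)


class NatConfig:
    """ACLs, rotary pools and destination-NAT bindings parsed from config lines."""

    def __init__(self, lines: List[str]):
        self.acls: Dict[str, List[Ace]] = {}
        self.pools: Dict[str, List[str]] = {}
        self.bindings: List[Tuple[str, str]] = []   # (acl, pool) in config order
        self._next: Dict[str, int] = {}             # rotary round-robin position
        current_acl: Optional[str] = None
        for raw in lines:
            line = raw.strip()
            if not line or line.startswith("!"):
                continue
            if m := re.match(r"^ip access-list extended (\S+)$", line):
                current_acl = m.group(1)
                self.acls.setdefault(current_acl, [])
            elif m := re.match(r"^access-list (\S+) (.+)$", line):
                self.acls.setdefault(m.group(1), []).append(parse_ace(m.group(2)))
            elif m := re.match(r"^ip nat pool (\S+) (\S+) (\S+) netmask \S+ type rotary$", line):
                first, last = int(ipaddress.IPv4Address(m.group(2))), int(ipaddress.IPv4Address(m.group(3)))
                self.pools[m.group(1)] = [str(ipaddress.IPv4Address(a)) for a in range(first, last + 1)]
            elif m := re.match(r"^ip nat inside destination list (\S+) pool (\S+)$", line):
                self.bindings.append((m.group(1), m.group(2)))
            elif current_acl and re.match(r"^(permit|deny)\s", line):
                self.acls[current_acl].append(parse_ace(line))
            # interface lines, 'ip nat inside/outside' etc. do not affect this model

    def pool_for(self, proto: str, dport: int) -> Optional[str]:
        """First-match evaluation: the first ACE that matches decides. A deny, or
        falling off the end (the implicit deny), means this binding is skipped."""
        for acl_name, pool_name in self.bindings:
            for ace in self.acls.get(acl_name, []):
                if ace.matches(proto, dport):
                    if ace.action == "permit":
                        return pool_name
                    break
        return None

    def translate(self, proto: str, dport: int) -> Optional[str]:
        """Inside address a packet to <public address>:dport is forwarded to, or None."""
        pool_name = self.pool_for(proto, dport)
        if pool_name is None:
            return None
        addrs = self.pools[pool_name]
        i = self._next.get(pool_name, 0)
        self._next[pool_name] = (i + 1) % len(addrs)   # rotary: walk the pool in turn
        return addrs[i]

    def forwarded_ports(self, proto: str) -> Set[int]:
        """Every destination port the router would hand to an inside host, i.e. the
        exposure the configuration creates; handy when reviewing a wide range."""
        return {p for p in range(65536) if self.pool_for(proto, p) is not None}


# Constructed sample configurations, copied from the post and from the comment above.
POST_CONFIG = [
    "ip nat pool PORTFWD 192.168.0.50 192.168.0.50 netmask 255.255.255.0 type rotary",
    "access-list 100 permit udp any any range 10000 20000",
    "ip nat inside destination list 100 pool PORTFWD",
]
COMMENT_CONFIG = [
    "ip access-list extended PORTS",
    " deny tcp any any eq 22",
    " permit ip any any",
    "ip nat pool FORWARD 192.168.0.50 192.168.0.50 netmask 255.255.255.0 type rotary",
    "ip nat inside destination list PORTS pool FORWARD",
]
# Same entries in the wrong order: 'permit ip any any' matches first, so the deny never fires.
MISORDERED_CONFIG = [COMMENT_CONFIG[0], COMMENT_CONFIG[2], COMMENT_CONFIG[1]] + COMMENT_CONFIG[3:]

if __name__ == "__main__":
    post = NatConfig(POST_CONFIG)
    print("udp/15000 ->", post.translate("udp", 15000))                 # 192.168.0.50
    print("tcp/15000 ->", post.translate("tcp", 15000))                 # None: ACL 100 is UDP only
    print("udp ports forwarded:", len(post.forwarded_ports("udp")))    # 10001
    print("tcp/22, ordered ->", NatConfig(COMMENT_CONFIG).translate("tcp", 22))      # None
    print("tcp/22, misordered ->", NatConfig(MISORDERED_CONFIG).translate("tcp", 22)) # 192.168.0.50
```

Running the module prints the five checks at the bottom. The `forwarded_ports` count is the figure worth keeping an eye on: a “range 10000 20000” entry hands 10001 UDP ports on the public address straight to the inside host, so whatever listens there on those ports is reachable from outside, and the interface ACL the commenter mentions is the place to narrow that if the VoIP endpoint needs fewer.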
any help would be appreciated
Fantastic, short and perfect. Thanks