Port forwarding a range of ports on Cisco IOS

by Jeremy L. Gaddis on May 25, 2010 · 10 comments

in Networking

One question that routinely comes up in a particular forum that I frequent is “How do I port forward a range of ports?”  Usually, this question is met with one of two answers:  1) you don’t, or 2) manually enter 10000 “ip nat …” statements.

The correct answer is actually number three.  It turns out that it is, indeed, possible to forward a range of ports in IOS.  I tested this in my lab and everything works just as I would want it to.  Here’s the topology:

We have a single router that we’re using.  The RFC1918 address block 192.168.0/24 is being used internally, and the router will NAT all internal addresses to its public address, 198.18.0.1, as it forwards traffic out FastEthernet 0/0.

The PC at 198.18.0.50 will represent a host on the Internet, attempting to access services on the PC at 192.168.0.50.  Since 192.168.0.50 falls in the RFC1918 address space, we’ll need to use Port Address Translation (PAT), or “port forwarding”, on the router.  This is nothing new and most of us probably do it all the time.  The problem arises, however, when we want to forward a large number of ports — typically ports 10000-20000 for Voice over IP (VoIP).

As I mentioned, there is a way to do this, and it’s easier than you think.

First, set up your basic NAT configuration (“ip nat inside”, “ip nat outside”, etc.).  Check out “Configuring Basic NAT with overloading”, if necessary.

Next, let’s create an IP NAT pool, for a single IP address (the IP address of the internal host, 192.168.0.50):

R6(config)# ip nat pool PORTFWD 192.168.0.50 192.168.0.50 netmask 255.255.255.0 type rotary

Then, create an access list (ACL) matching the ports you want forwarded.  In the case of 10000-20000/UDP for VoIP, we can use the “range” keyword to simplify things for us tremendously:

R6(config)# access-list 100 permit udp any any range 10000 20000

Last, we’ll tie our access-list 100 to the PORTFWD NAT pool that we created:

R6(config)# ip nat inside destination list 100 pool PORTFWD

Now, any UDP traffic coming into our router’s public interface (FastEthernet 0/0) with a destination port between 10000 and 20000 will be forwarded to the host at 192.168.0.50.  I was able to verify this by generating UDP traffic on my MacBook and having the router forward it to another laptop with a tcpdump capture up and running — it worked wonderfully.  I was running 12.4(10a) on a 2621XM.  Try it out and let me know if it works for you as well!
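The three steps above only make sense on top of a working NAT base, so here is the whole thing in one place: a complete single-router configuration for the topology described in the post. This is an added example, not the configuration from the original post or from Cisco. The addresses 198.18.0.1 and 192.168.0.50, the pool name PORTFWD and ACL 100 come from the post; the inside interface FastEthernet0/1, the router's LAN address 192.168.0.1 and standard ACL 1 are assumptions. One deliberate tightening over the post's `permit udp any any range 10000 20000`: the forwarding ACL below matches only traffic addressed to the router's own public address, so the rotary rule cannot catch transit traffic bound elsewhere. Note that Cisco documents rotary pools under TCP load distribution, and several comments below report that UDP ranges were not translated on their platforms, so verify the translation table on your own IOS release before relying on it for VoIP.

```cisco
! Added example (not the post's own config). Interface Fa0/1, the LAN
! address 192.168.0.1 and ACL 1 are assumptions; everything else is
! taken from the post.
hostname R6
!
interface FastEthernet0/0
 description Public side (host 198.18.0.50 lives out here)
 ip address 198.18.0.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 description Internal LAN, 192.168.0.0/24
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
! Basic NAT with overloading: every internal host leaves the router
! using the address of FastEthernet0/0.
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Step 1: a rotary pool containing just the one internal host that
! should receive the forwarded range.
ip nat pool PORTFWD 192.168.0.50 192.168.0.50 netmask 255.255.255.0 type rotary
!
! Step 2: match only the range you intend to expose, and only when it
! is addressed to the router's public address (tighter than "any any").
access-list 100 permit udp any host 198.18.0.1 range 10000 20000
!
! Step 3: tie the ACL to the pool. Matching traffic arriving on the
! outside interface is translated to 192.168.0.50, destination port
! unchanged.
ip nat inside destination list 100 pool PORTFWD
!
! Verification after sending test traffic from the outside host:
!   show ip nat translations     (expect entries with inside local 192.168.0.50)
!   show ip nat statistics       (hit counters for pool PORTFWD)
```

The overload rule and the rotary rule are independent: the first handles outbound sessions from the LAN, the second only creates translations for inbound packets that match ACL 100, so nothing outside 10000-20000/UDP is reachable on 192.168.0.50 from the public side.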

NetworkNewb June 10, 2010 at 2:44 pm

First off want to say thanks for a great write up, been wondering how to do port ranges for a while in IOS.

Not sure what I’m doing wrong however as I’ve created a pool and access list but it only forwards tcp ports. We do have an acl on the outside interface which I’ve allowed all tcp/udp ports through. If I put in another “ip nat inside source static udp xxxxxx” entry I can get that udp port working. I don’t want to type in 5000 lines :)

I need ports tcp/udp 60000-64999 forwarded, for a video conferencing system. tcp works fine, udp not so much.

Cisco 1811 router

ip nat pool videoconf 10.10.10.10 10.10.10.10 netmask 255.255.255.0 type rotary
ip nat inside destination list videoconferencepat pool videoconf

ip access-list extended videoconferencepat
permit udp any any range 60000 64999
permit tcp any any range 60000 64999
permit tcp any any eq 5060
permit udp any any eq 5060
permit tcp any any eq 1720

ip access-list extended out2in (acl on outside interface)
permit udp any any range 60000 64999
permit tcp any any range 60000 64999
permit tcp any any eq 5060
permit udp any any eq 5060
permit tcp any any eq 1720
deny ip any any log

I’ve tested everything and can see with the “show ip nat trans” command that all the tcp ports work…udp not so much. Any ideas?

marks April 12, 2011 at 3:38 am

Can confirm that this only works for tcp on c870-advipservicesk9-mz.150-1.M3.bin too. UDP is broken.

john joseph sip udp ios June 23, 2011 at 1:58 am

You cannot forward a range of UDP ports with this method. You have to use port mapping, as per this:
http://www.voip-blog.co.uk/index.php/2009/11/21/nat-sip-range-on-uc500-cme

Garrett Skjelstad January 26, 2014 at 10:07 pm

This website no longer exists.
Check out a blog post I wrote on how to do this as well.

http://ping8888.com/2014/01/21/cisco-ios-port-forwarding-pat/

StackForAll February 19, 2012 at 11:20 pm

I have the same topology as shown above, but instead of forwarding a port, I want to forward the traffic destined for specific IPs. Meaning: user 192.168.0.50 makes some request to 1.1.1.1, then all the traffic should be diverted to 192.168…….Please tell me how to do this

Robert Jooste February 27, 2013 at 3:19 am

@StackForAll I think this is what you are looking for:

Create access list to match your ports.

ip access-list extended PORTS
deny tcp any any eq 22
permit ip any any

Create a NAT Pool to match the destination ip (IP Address of “local” device)

ip nat pool FORWARD 192.168.0.50 192.168.0.50 netmask 255.255.255.0 type rotary

and of course, tie them together:

ip nat inside destination list PORTS pool FORWARD

*remember to place your ACL rules in order!

StackForAlii February 19, 2012 at 11:20 pm

any help would be appreciated

John Gentle October 8, 2012 at 3:47 pm

Fantastic, short and perfect. Thanks

KC October 29, 2013 at 4:14 am

Great writeup! Just what I was looking for. Worked like a charm when having to forward an awkward range of ports in for PASV ftp.
