One question that routinely comes up in a particular forum that I frequent is “How do I port forward a range of ports?” Usually, this question is met with one of two answers: 1) you don’t, or 2) manually enter 10000 “ip nat …” statements.
The correct answer is actually number three. It turns out that it is, indeed, possible to forward a range of ports in IOS. I tested this in my lab and everything works just as I would want it to. Here’s the topology:
We’re using a single router. The RFC 1918 address block 192.168.0.0/24 is used internally, and the router will NAT all internal addresses to its public address, 198.18.0.1, as it forwards traffic out FastEthernet 0/0.
The PC at 198.18.0.50 will represent a host on the Internet, attempting to access services on the PC at 192.168.0.50. Since 192.168.0.50 falls in the RFC1918 address space, we’ll need to use Port Address Translation (PAT), or “port forwarding”, on the router. This is nothing new and most of us probably do it all the time. The problem arises, however, when we want to forward a large number of ports — typically ports 10000-20000 for Voice over IP (VoIP).
As I mentioned, there is a way to do this, and it’s easier than you think.
First, set up your basic NAT configuration (“ip nat inside”, “ip nat outside”, etc.). Check out “Configuring Basic NAT with overloading”, if necessary.
Next, create a rotary NAT pool containing a single address, that of the internal host, 192.168.0.50:
R6(config)# ip nat pool PORTFWD 192.168.0.50 192.168.0.50 netmask 255.255.255.0 type rotary
Then, create an access list (ACL) matching the ports you want forwarded. For UDP 10000-20000 for VoIP, the “range” keyword simplifies this tremendously:
R6(config)# access-list 100 permit udp any any range 10000 20000
Last, we’ll tie our access-list 100 to the PORTFWD NAT pool that we created:
R6(config)# ip nat inside destination list 100 pool PORTFWD
Now, any UDP traffic coming into our router’s public interface (FastEthernet 0/0) with a destination port between 10000 and 20000 will be forwarded to the host at 192.168.0.50. I was able to verify this by generating UDP traffic on my MacBook and having the router forward it to another laptop with a tcpdump capture up and running — it worked wonderfully. I was running 12.4(10a) on a 2621XM. Try it out and let me know if it works for you as well!
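Added example, not from the post or from Cisco: a small Python model of the three statements above, so you can check which inbound packets the rotary pool will redirect (and which it will not) before exposing a 10,000-port range. It parses the ACL and pool lines in the forms used here (only `any` and `host` addresses are modelled) and returns the translated inside address and port for a packet arriving on the outside interface; the `ip nat inside destination list 100 pool PORTFWD` binding is implied by pairing the two lines.

```python
import ipaddress
from itertools import cycle

def _addr(tokens, i):
    # ACL address: "any" or "host A.B.C.D"; returns (network, next token index)
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    raise ValueError("only 'any' and 'host' are modelled: " + tokens[i])

def parse_acl(line):
    # e.g. "access-list 100 permit udp any any range 10000 20000"
    t = line.split()
    assert t[0] == "access-list" and t[2] == "permit", line
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    assert t[i] == "range", line
    return {"proto": t[3], "src": src, "dst": dst,
            "lo": int(t[i + 1]), "hi": int(t[i + 2])}

def parse_pool(line):
    # e.g. "ip nat pool PORTFWD 192.168.0.50 192.168.0.50 netmask 255.255.255.0 type rotary"
    t = line.split()
    assert t[:3] == ["ip", "nat", "pool"] and t[-2:] == ["type", "rotary"], line
    first, last = ipaddress.ip_address(t[4]), ipaddress.ip_address(t[5])
    return [str(ipaddress.ip_address(x)) for x in range(int(first), int(last) + 1)]

class InsideDestinationNat:
    """Models 'ip nat inside destination list <acl> pool <pool>' on the outside interface."""
    def __init__(self, acl_line, pool_line):
        self.acl = parse_acl(acl_line)
        self.next_host = cycle(parse_pool(pool_line))  # rotary pool = round-robin

    def translate(self, proto, src_ip, dst_ip, dst_port):
        # Rewritten (inside address, port), or None when the packet misses the ACL
        a = self.acl
        if (proto != a["proto"]
                or ipaddress.ip_address(src_ip) not in a["src"]
                or ipaddress.ip_address(dst_ip) not in a["dst"]
                or not a["lo"] <= dst_port <= a["hi"]):
            return None
        return next(self.next_host), dst_port

# The post's configuration: source "any", so every Internet host can reach
# UDP 10000-20000 on 192.168.0.50 through the router's public address.
POST_NAT = InsideDestinationNat(
    "access-list 100 permit udp any any range 10000 20000",
    "ip nat pool PORTFWD 192.168.0.50 192.168.0.50 netmask 255.255.255.0 type rotary")
```

Because the ACL's source is `any`, every Internet host reaches the whole range; swapping in `host 198.18.0.50` (the one peer in this lab) makes `translate` return None for any other source, which is the narrower form to prefer when the far end is known.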