To have the RTP media range (10000-20000) flow to the server behind NAT I needed to add the following route-map:
ip nat inside source static <pri> <pub> route-map voip-rtp extendable
route-map voip-rtp permit 1
match ip address 130
exit
access-list 130 permit udp <pub> <pri> any range 10000 65535
This got the media packets flowing correctly; however, once in a while the green box starts sending port-forwarding requests for other services (i.e. 25, 80, 587...) to the wrong servers. After erasing and reconfiguring everything from scratch it works fine again....
Here are my other port forwarding rules:
do clear ip nat trans *
!
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.2.0 0.0.0.255
!
no ip nat service sip udp port 5060
no ip nat service sip udp port 5080
!
ip nat inside source static tcp 192.168.2.5 53 interface Dialer0 53
ip nat inside source static udp 192.168.2.5 53 interface Dialer0 53
ip nat inside source static tcp 192.168.2.15 80 interface Dialer0 80
ip nat inside source static tcp 192.168.2.15 443 interface Dialer0 443
ip nat inside source static tcp 192.168.2.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.2.10 587 interface Dialer0 465
ip nat inside source static tcp 192.168.2.10 993 interface Dialer0 993
ip nat inside source static tcp 192.168.2.10 995 interface Dialer0 995
ip nat inside source static udp 192.168.2.5 5060 interface Dialer0 5060
Without the route map, I never have any issues with the other static port forwarding rules. When I need to restart the router or network for maintenance, the router starts sending SMTP and HTTP requests to the wrong server.
My question: is there a better way to do this? Is there anything wrong with my script? Finally, will adding the static port forwarding rules to the same access-list 130 fix my issue? If so, how do I do that?
Update
I am using Cisco IOS 15.2 adventerprise, hence the working port-range route map, as unstable as it is. I am hoping something can be added to or removed from the configuration.
write erase
reload
!
enable
!
conf t
!
ntp server 192.168.2.15
!
hostname voiper
ip domain-name test.com
service password-encryption
enable secret 0 <password>
line vty 0 4
transport input ssh
exit
line con 0
password <password>
exit
line aux 0
password <password>
exit
!
access-list 10 permit 192.168.2.100 log
line vty 0 4
access-class 10 in
exit
!
interface Dialer0
ip address negotiated
ip nat outside
ip mtu 1492
ip tcp adjust-mss 1452
ip flow ingress
ip route-cache policy
encapsulation ppp
ppp authentication pap callin
ppp pap sent-username <username> password 0 <password>
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
dialer pool 1
no cdp enable
no shut
exit
!
interface GigabitEthernet0/0
no ip address
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
no shut
no ip redirects
exit
!
interface GigabitEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
no cdp enable
no ip redirects
no shut
exit
!
do clear ip nat trans *
!
!ip route 0.0.0.0 0.0.0.0 Dialer0
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.2.0 0.0.0.255
!
no ip nat service sip udp port 5060
!
ip nat inside source static tcp 192.168.2.5 53 interface Dialer0 53
ip nat inside source static udp 192.168.2.5 53 interface Dialer0 53
ip nat inside source static tcp 192.168.2.15 80 interface Dialer0 80
ip nat inside source static tcp 192.168.2.15 443 interface Dialer0 443
ip nat inside source static tcp 192.168.2.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.2.10 465 interface Dialer0 465
ip nat inside source static tcp 192.168.2.10 993 interface Dialer0 993
ip nat inside source static tcp 192.168.2.10 995 interface Dialer0 995
ip nat inside source static udp 192.168.2.5 5060 interface Dialer0 5060
!
! access-list 130 permit udp any any range 8000 65535
! route-map voip-rtp permit 1
! match ip address 130
! exit
! ip nat inside source static 192.168.2.5 77.77.77.77 route-map voip-rtp
ip nat inside source static 192.168.2.5 77.77.77.77 route-map voip-rtp extendable
route-map voip-rtp permit 1
match ip address 130
exit
!access-list 130 permit udp any any range 8000 65535
! access-list 130 permit udp 77.77.77.77 192.168.2.5 any range 8000 65535
access-list 130 permit udp 77.77.77.77 192.168.2.5 any range 8000 65535
!
!
! QOS
class-map voice
match protocol rtp audio
exit
!
policy-map wan-qos
class voice
bandwidth percent 60
exit
exit
!
policy-map parent
class class-default
shape average 10000000
service-policy wan-qos
exit
exit
!
interface GigabitEthernet0/0
bandwidth 10000
service-policy output wan-qos
exit
!
!
! Securing Cisco
no service dhcp
no ip bootp server
no service finger
no ip http server
no ip http secure-server
no snmp-server
no service config
no ip gratuitous-arps
no ip source-route
ip options drop
!
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime
!
! Block WAN ICMP Pings
access-list 101 deny icmp any any echo log
access-list 101 deny icmp any any redirect log
access-list 101 deny icmp any any timestamp-request log
access-list 101 deny icmp any any information-request log
access-list 101 deny icmp any any mask-request log
access-list 101 permit ip any any
int Dialer0
ip access-group 101 in
exit
!DoS
access-list 101 deny icmp any any echo log
access-list 101 deny icmp any any redirect log
access-list 101 deny icmp any any timestamp-request log
access-list 101 deny icmp any any information-request log
access-list 101 deny icmp any any mask-request log
access-list 101 permit ip any any
do write mem
As mentioned, the config works! But if I have to restart the router or server, the router starts sending SMTP and HTTP requests to 192.168.2.5, which, if you look above, are supposed to go to 192.168.2.10 (SMTP 25) and 192.168.2.15 (HTTP 80) respectively.
Is there anything I can do to stabilize the configuration? Anything in there that I don't need?
Critical Update
Since I am defining static port forwarding, and as was mentioned there is a need to remove ip nat inside source list 1 interface Dialer0 overload, is it possible to define static default routes for traffic originating from inside the network to outside?
I tried removing
ip route 0.0.0.0 0.0.0.0 Dialer0
and replacing it with static default routes
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 permit 192.168.2.0 0.0.0.255
The router can ping the outside world; however, there is no internet access from within the network.
Thanks in Advance,
Nick.
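An added illustration, not part of the post above, of how an IOS extended numbered ACL parses the source field of access-list 130: after the protocol, the next two tokens are source address and source wildcard, so "77.77.77.77 192.168.2.5" is read as base 77.77.77.77 with wildcard 192.168.2.5, not as a source/destination pair. The script parses the posted line and a "host 192.168.2.5" form (an assumed alternative for selecting inside-sourced RTP) and evaluates constructed packets against both.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inputs: the ACE as posted, and an assumed host-form ACE that
# names the inside host explicitly (not from the original configuration).
ACE_POSTED = "access-list 130 permit udp 77.77.77.77 192.168.2.5 any range 8000 65535"
ACE_HOSTFORM = "access-list 130 permit udp host 192.168.2.5 any range 8000 65535"

@dataclass
class Ace:
    action: str
    proto: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: tuple  # (low, high) destination port range, or None

def _addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_ace(line):
    """Parse a numbered extended ACE of the shape used on this page."""
    tok = line.split()
    assert tok[0] == "access-list" and 100 <= int(tok[1]) <= 199, "extended numbered ACL only"
    rest = tok[4:]
    src, src_wild = _addr(rest)      # IOS reads address + wildcard here
    dst, dst_wild = _addr(rest)
    dport = (int(rest[1]), int(rest[2])) if rest and rest[0] == "range" else None
    return Ace(tok[2], tok[3], src, src_wild, dst, dst_wild, dport)

def _match_addr(addr, base, wild):
    # Wildcard semantics: bits set in the mask are "don't care".
    return (addr ^ base) & (~wild & 0xFFFFFFFF) == 0

def ace_matches(ace, proto, src_ip, dst_ip, dst_port):
    """True when the packet is permitted by this single ACE."""
    if proto != ace.proto:
        return False
    if not _match_addr(int(ipaddress.IPv4Address(src_ip)), ace.src, ace.src_wild):
        return False
    if not _match_addr(int(ipaddress.IPv4Address(dst_ip)), ace.dst, ace.dst_wild):
        return False
    if ace.dport and not (ace.dport[0] <= dst_port <= ace.dport[1]):
        return False
    return ace.action == "permit"

def inside_hosts_matched(ace, inside_net="192.168.2.0/24"):
    """Count inside hosts whose outbound RTP packets this ACE would select."""
    return sum(ace_matches(ace, "udp", str(h), "203.0.113.9", 12000)
               for h in ipaddress.ip_network(inside_net).hosts())
```

Run against the posted ACE, no host in 192.168.2.0/24 is selected as a source, while the host form selects exactly 192.168.2.5.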