Cisco 857 - Port forwarding for a range?

#Chri5# · 25 Apr 2008 at 12:57

I've got a 857 up and running. I have some port forwards in place eg:

ip nat inside source static tcp x.x.x.x 5060 interface dialer0 5060

I now need to add port forwards for 1024 to 65535 UDP. Is it possible to add them as a block? Can you specifiy a port range in the ip nat command?

Also, can you restrict what IPs are able to access the port forward? For instance, I might want to say open the above port group but only allow traffic originating from 1.1.1.1 through.

Thanks!

quackers · 25 Apr 2008 at 13:00

how come you need to open up all those ports?

#Chri5# · 25 Apr 2008 at 13:36

RTP / SIP.

I think that having 5060 open for the SIP siginalling is enough but I want to do some testing to make sure.

Curiosityx · 25 Apr 2008 at 16:47

Unfortunately the range command isnt supported with NAT in Cisco IOS, the one ive come across before is below along with associated ports and protocols .

Ps: You dont need to forward the entire well know and above port ranges just the range for RTCP

An IP NAT pool. Using a NAT pool means you can specify an ACL (in this case with the port range) but you use a "pool" of a single address and specify the rotary method.

In the example below the IP address 192.168.1.10 is the internal address that you wish to forward the range of TCP ports to:

1. ip nat pool p2p 192.168.1.10 192.168.1.10 netmask 255.255.255.0 type rotary
2. ip nat inside destination list 100 pool p2p
3. access-list 100 permit tcp any any range 6881 6999

H.323 / H.225 TCP/1720
H.323 / H.245 TCP/11xxx
Media Gateway Control Protocol (MGCP) UDP/2427 and TCP/2428
Skinny Client Control Protocol (SCCP) TCP/2000-2002
Simple Gateway Control Protocol (SGCP) TCP/2000-2002
H.323 / H.225 RAS TCP/1719
Session Initiation Protocol UDP/5060
Real-Time Transport Protocol (RTP) UDP/16384-32767, even ports only
Real-Time Control Protocol (RTCP) UDP/16384-32767, odd ports only

Regards

Tui · 25 Apr 2008 at 18:32

Forwarding what is effectively the whole range of UDP ports will not leave anything for other addresses. You should be able to use CBAC and inspect SIP which will allow the required RTP ports.
It's not clear what you are actually doing. Do you just have SIP clients inside or also have a registration proxy listening on 5060?

growse · 25 Apr 2008 at 18:37

Equally, you should be able to set your proxy / sip clients to use a specified range of ports for RTP. I use 15 between 15000 and 15014.