
Cisco 2651XM SIP multiple port range Forward to single LAN IP.


nispatt

Programmer
Joined
Oct 16, 2004
Messages
3
Location
IN
Hi Dear,
I am new to Cisco. By looking at a couple of documents I was able to make my 2651XM router work for ADSL dialling and have done a couple of static routes. It has been working for the last one year. Now I need port-range forwarding to an IP address for SIP RTP, ports 10000 to 20000. Please help me to configure this.

Nis.

Below is the router configuration.
cisco#sh run
Building configuration...

Current configuration : 4216 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$ xxxxxxxxx
enable password xxxxxxxxx
!
username cisco privilege 15 password 0 xxxxxxxxx
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip domain name yourdomain.com
ip name-server 218.248.255.145
ip name-server 61.1.96.69
ip audit notify log
ip audit po max-events 100
ip ssh break-string
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
no crypto isakmp enable
!
!
!
!
!
!
!
interface FastEthernet0/0
description My Lan Interface
ip address 192.168.1.30 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description Physical ADSL Interface (Facing the ISP)
no ip address
no ip mroute-cache
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Serial0/2
no ip address
shutdown
no cdp enable
!
interface Serial0/3
no ip address
shutdown
no cdp enable
!
interface Async1
no ip address
!
interface Async2
no ip address
!
interface Dialer1
description Logical ADSL Interface
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxxx
ppp chap password 0 xxxxxxxxx
ppp pap sent-username syscomes password 0 xxxxxxxxx
!
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.1 5222 interface Dialer1 5222
ip nat inside source static tcp 192.168.1.1 3128 interface Dialer1 80
ip nat inside source static udp 192.168.1.16 4569 interface Dialer1 4569
ip nat inside source static tcp 192.168.1.16 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.16 143 interface Dialer1 143
ip nat inside source static tcp 192.168.1.16 22 interface Dialer1 22
ip nat inside source static tcp 192.168.1.14 110 interface Dialer1 110
ip nat inside source static tcp 192.168.1.14 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.10 5900 interface Dialer1 5900
ip nat inside source static tcp 192.168.1.10 5800 interface Dialer1 5800
ip nat inside source static tcp 192.168.1.10 21 interface Dialer1 21
ip nat inside source static udp 192.168.1.16 5060 interface Dialer1 5060
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
ip http authentication local
ip http secure-server
!
!
access-list 10 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
 
With Cisco you can't do port forwarding by ranges, and since you only have one external IP a static NAT is out of the question.

I needed to do similar port forwarding for various machines internally and ended up putting a firewall in the middle that could do port ranges.

To my knowledge Cisco still doesn't support port ranges with NATting, i.e. you have to enter a NAT statement for each port.
 
Hi dear???
Anyway, Cisco does support this... don't know which IOS...
access-list 103 permit udp any host x.x.x.x range 10000 20000
The "host x.x.x.x" is the IP address you said you want to specify. If it is from this IP address, then substitute "any" with that IP address. If it is to the outgoing interface, substitute "host x.x.x.x" with "int di1".
Keep in mind that this is usually not necessary, as NAT overload (PAT) usually works for this sort of thing.

Burt
 
So you need external people to be able to access an internal host on a range of 10000-20000?

Burt, internally that would be fine for an access-list, but if he needs this to be NATted, the way I'm reading it, then he's going to need:

ip nat inside source static tcp x.x.x.x 10000 interface Dialer1 10000 extendable
ip nat inside source static tcp x.x.x.x 10001 interface Dialer1 10001 extendable
ip nat inside source static tcp x.x.x.x 10002 interface Dialer1 10002 extendable
ip nat inside source static tcp x.x.x.x 10003 interface Dialer1 10003 extendable
etc.......
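The per-port statements above have to be generated, and checked against what the router already forwards, before they are pasted in. The following is an added example, not code from any poster in this thread: a Python script that parses the `ip nat inside source static` lines from the configuration posted at the top of the thread (a subset of them is embedded below as a constructed sample), reports which outside ports in a required range are not yet forwarded to a given inside host, flags ports in that range already mapped to a different host, and emits one static NAT statement per missing port in the form used in the reply above. The function and variable names are the example's own, not IOS terms.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: static NAT lines taken from the configuration posted
# at the top of this thread (one public address on Dialer1, IOS 12.3).
SAMPLE_CONFIG = """\
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.1 5222 interface Dialer1 5222
ip nat inside source static tcp 192.168.1.1 3128 interface Dialer1 80
ip nat inside source static udp 192.168.1.16 4569 interface Dialer1 4569
ip nat inside source static tcp 192.168.1.16 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.16 22 interface Dialer1 22
ip nat inside source static udp 192.168.1.16 5060 interface Dialer1 5060
"""

# proto, inside ip, inside port, outside interface, outside port
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)"
)

Entry = Tuple[str, int, str, int]  # (proto, outside_port, inside_ip, inside_port)


def parse_static_nat(config: str) -> List[Entry]:
    """Extract every static PAT statement; the 'overload' line is ignored."""
    entries: List[Entry] = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, inside_ip, inside_port, _iface, outside_port = m.groups()
            entries.append((proto, int(outside_port), inside_ip, int(inside_port)))
    return entries


def forwarded_ports(entries: List[Entry], proto: str) -> Dict[int, str]:
    """outside port -> inside host, for one protocol."""
    return {op: ip for p, op, ip, _ in entries if p == proto}


def missing_ports(entries: List[Entry], proto: str, first: int, last: int,
                  inside_ip: str) -> List[int]:
    """Outside ports in [first, last] not yet forwarded to inside_ip."""
    have = forwarded_ports(entries, proto)
    return [p for p in range(first, last + 1) if have.get(p) != inside_ip]


def conflicts(entries: List[Entry], proto: str, first: int, last: int,
              inside_ip: str) -> Dict[int, str]:
    """Ports in the range that already go to a different inside host;
    such an overlap has to be resolved before a new entry is added."""
    have = forwarded_ports(entries, proto)
    return {p: ip for p, ip in have.items()
            if first <= p <= last and ip != inside_ip}


def static_nat_lines(proto: str, ports: List[int], inside_ip: str,
                     outside_iface: str = "Dialer1") -> List[str]:
    """One statement per port, in the form used in the reply above
    (same port inside and outside, 'extendable' as in that reply)."""
    return [
        f"ip nat inside source static {proto} {inside_ip} {p} "
        f"interface {outside_iface} {p} extendable"
        for p in ports
    ]


if __name__ == "__main__":
    entries = parse_static_nat(SAMPLE_CONFIG)
    need = missing_ports(entries, "udp", 10000, 20000, "192.168.1.16")
    # 10001 statements for the full RTP range: check the count before pasting
    print(f"{len(need)} udp ports still to forward to 192.168.1.16")
    for line in static_nat_lines("udp", need[:3], "192.168.1.16"):
        print(line)
```

Run it as-is to see the count for the full 10000-20000 range (10001 statements), or call `missing_ports` with a narrower range to generate a trial batch first. Note that the reply above uses `tcp` in its illustrative lines; RTP is carried over UDP, so the protocol argument matters when the statements are generated for the SIP server.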
 
I have this working outbound; however, I have Firewall IOS that does SIP protocol inspection. I keep meaning to get around to looking at getting this working inbound but just haven't had time recently. I think you should look into SIP inspection with an IOS that has Firewall support.
Currently I have the following lines in my config and SIP outbound works (obviously I have omitted quite a bit of config):
Code:
ip inspect name FW-OUT sip
!
interface Dialer1
 ip nat outside
 ip inspect FW-OUT out

I suspect I need to create some inbound inspection rules to allow SIP.

HTH

Andy
 
I read on a Verizon forum that PAT works for this sort of thing---the guy was asking about port ranges 1000-2000, and it turned out to be for VoIP.

Burt
 
A quick update on this as I had a bit of time today to see if I could get this working. I created another ip inspection rule on my router but only configured SIP. I then applied this inbound on my internet facing interface:
Code:
ip inspect name Inbound sip
interface Dialer1
 ip inspect Inbound in

I can now make calls to my SIP phone and my phone rings; however, if I leave it for a while I can no longer call the SIP phone, so there must be some timer that is expiring?

Andy
 
As suggested by burtsbees:
access-list 103 permit udp any host 192.168.1.16 range 10000 20000
(.16 is my VoIP server.) This line is not throwing any error, but it is still not working. Could you please tell me whether I need to do something more? I have seen this way in some other forum:

ip nat pool BT x.x.x.x y.y.y.y netmask 255.255.255.0 type rotary
ip nat inside destination list 102 pool BT
access-list 102 permit tcp any any range 6881 6999
access-list 102 permit udp any any range 6881 6999

but I am not able to make it work, as my Cisco experience is at ground level.

Andy, I have my SIP outbound going properly without any changes in the Cisco router. I can call other SIP phones but not inbound. I have forwarded 5060, but not the RTP. I will test what you suggested.

Nis.
 
Hi, I have configured it as mentioned by you. Below are the session details. Still not getting inbound.

cisco#show ip inspect session
Established Sessions
Session 83F78B80 (192.168.1.16:5060)=>(203.196.128.56:5060) sip SIS_OPEN
Session 83F78E70 (58.68.80.115:5060)=>(192.168.1.50:8741) sip SIS_OPEN
Session 83F78FE8 (58.68.65.40:5060)=>(192.168.1.16:5060) sip SIS_OPEN
Pre-generated Sessions
Pre-gen session 83F7E28C 202.144.137.8[1024:65535]=>192.168.1.50[8737:8737] sip
Pre-gen session 83F7E1C4 58.68.80.115[1024:65535]=>192.168.1.50[8741:8741] sip
Pre-gen session 83F7DEA4 192.168.1.50[1024:65535]=>192.168.1.50[8741:8741] sip
Pre-gen session 83F7DF6C 192.168.1.50[1024:65535]=>192.168.1.50[8741:8741] sip

Nis.
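As an added check, not code from Andy or Nis: a Python parser for the `show ip inspect session` output posted above (embedded here as a constructed sample). It separates the established sessions from the pre-generated pinholes, answers the question this post raises, namely whether the inspection engine has opened anything toward the VoIP server in the RTP range, and lists pre-generated entries whose source address is on the LAN side, which the posted output contains and which are worth a second look. The `Session` record and function names are the example's own.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: the 'show ip inspect session' output posted above.
SAMPLE_OUTPUT = """\
cisco#show ip inspect session
Established Sessions
Session 83F78B80 (192.168.1.16:5060)=>(203.196.128.56:5060) sip SIS_OPEN
Session 83F78E70 (58.68.80.115:5060)=>(192.168.1.50:8741) sip SIS_OPEN
Session 83F78FE8 (58.68.65.40:5060)=>(192.168.1.16:5060) sip SIS_OPEN
Pre-generated Sessions
Pre-gen session 83F7E28C 202.144.137.8[1024:65535]=>192.168.1.50[8737:8737] sip
Pre-gen session 83F7E1C4 58.68.80.115[1024:65535]=>192.168.1.50[8741:8741] sip
Pre-gen session 83F7DEA4 192.168.1.50[1024:65535]=>192.168.1.50[8741:8741] sip
Pre-gen session 83F7DF6C 192.168.1.50[1024:65535]=>192.168.1.50[8741:8741] sip
"""


class Session(NamedTuple):
    kind: str                   # "established" or "pregen"
    sid: str
    src_ip: str
    src_ports: Tuple[int, int]  # inclusive range; a single port is (p, p)
    dst_ip: str
    dst_ports: Tuple[int, int]
    proto: str
    state: Optional[str]        # e.g. SIS_OPEN; pre-gen entries have none


EST_RE = re.compile(
    r"^Session (\w+) \(([\d.]+):(\d+)\)=>\(([\d.]+):(\d+)\) (\w+) (\w+)$")
PRE_RE = re.compile(
    r"^Pre-gen session (\w+) ([\d.]+)\[(\d+):(\d+)\]=>([\d.]+)\[(\d+):(\d+)\] (\w+)$")


def parse_inspect_sessions(text: str) -> List[Session]:
    """Turn both tables of 'show ip inspect session' into Session records."""
    sessions: List[Session] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = EST_RE.match(line)
        if m:
            sid, sip, sp, dip, dp, proto, state = m.groups()
            sessions.append(Session("established", sid, sip, (int(sp), int(sp)),
                                    dip, (int(dp), int(dp)), proto, state))
            continue
        m = PRE_RE.match(line)
        if m:
            sid, sip, lo, hi, dip, dlo, dhi, proto = m.groups()
            sessions.append(Session("pregen", sid, sip, (int(lo), int(hi)),
                                    dip, (int(dlo), int(dhi)), proto, None))
    return sessions


def pinholes_to(sessions: List[Session], inside_ip: str) -> List[Session]:
    """Pre-generated pinholes the inspection engine has opened toward one inside host."""
    return [s for s in sessions if s.kind == "pregen" and s.dst_ip == inside_ip]


def pinholes_in_range(sessions: List[Session], inside_ip: str,
                      first: int, last: int) -> List[Session]:
    """Pinholes whose destination ports overlap [first, last], e.g. the RTP range."""
    return [s for s in pinholes_to(sessions, inside_ip)
            if s.dst_ports[0] <= last and s.dst_ports[1] >= first]


def inside_sourced_pinholes(sessions: List[Session], inside_net: str) -> List[Session]:
    """Pre-generated entries whose *source* is an inside address.  An inbound
    call pinhole should come from the remote peer, so these deserve a look."""
    net = ipaddress.ip_network(inside_net)
    return [s for s in sessions if s.kind == "pregen"
            and ipaddress.ip_address(s.src_ip) in net]


if __name__ == "__main__":
    sessions = parse_inspect_sessions(SAMPLE_OUTPUT)
    print(f"{len(sessions)} sessions parsed")
    rtp = pinholes_in_range(sessions, "192.168.1.16", 10000, 20000)
    print(f"pinholes toward the VoIP server in 10000-20000: {len(rtp)}")
    for s in inside_sourced_pinholes(sessions, "192.168.1.0/24"):
        print("inside-sourced pinhole:", s.sid, s.src_ip, "->", s.dst_ip, s.dst_ports)
```

Feed it the output of `show ip inspect session` taken right after a test call and again after the idle period Andy describes; comparing the two parsed lists shows which pinholes have aged out rather than guessing at the timer.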
 
Try
ip nat inside source list 102 pool BT
 