Cisco – UDP Port Forwarding Range

cisconat;sipudpvoip

We just purchased a cisco 3825 router running IOS 15.1. The slice of the
topology in question is as follows:

            RTP (8000-20000)            RTP (8000-20000)
192.168.2.1 <--------------> 192.168.2.5 <----------> 192.168.2.10
   (Router)                  (SIP Proxy)             (Media Server)

What we are trying to accomplish is to have the UDP range 8000-20000 forwarded
from the net to our SIP proxy 192.168.2.5. Also, our SIP proxy forwards
RTP traffic in the same range to our media server 192.168.2.10. The links
between the different servers, and the outside world are bi-directional.

Scouring the net there are some mixed reports on whether UDP port
forwarding using a range is possible. Can we please have a definitive answer if the following will work in getting RTP traffic to 192.168.2.5:

ip nat pool voip-rtp 192.168.2.5 192.168.2.5 netmask 255.255.255.0 type rotary
ip nat inside destination list 114 pool voip-rtp
ip route 0.0.0.0 0.0.0.0 Dialer0

Finally, will we need another rule for the internal routing of RTP traffic (ie, 192.168.2.5<—->192.168.2.10)?

Update – Working Route Map for SIP RTP UDP Range

access-list 130 permit udp any any range 8000 20000
route-map voip-rtp permit 1
match ip address 130
ip nat inside source static <private ip> <public ip> route-map voip-rtp

Best Answer

Try using a route map in the nat statement instead of the extended access list 114. The route map will match the extended access list 114.

Route-maps enable you to match traffic using source ip, destination ip, and tcp/udp ports, interfaces, etc ...

You define your criteria in the extended access-list 114 (I see it's already configured in your question).

Then you configure :

route-map RR permit 10
match ip address 114

ip nat inside destination route-map RR pool voip-rtp << replace your nat with this

More details and configuration examples for NAT with route-maps in : http://www.ciscopress.com/articles/article.asp?p=174107&seqNum=5

Related Solutions

Cisco 867 forward UDP port range

Try

ip nat inside source static <internal_IP> <external_IP> route-map MOO
!
route-map MOO permit 100
  match ip address 102
route-map MOO deny 200
!

I feel your own example probably should work, at least I couldn't immediately think of why not, so might be bug.

Review CCO Document for the command, namely:

Only IP hosts that are part of the route-map configuration will allow outside sessions.

Cisco ASA Routing Issue

Best practice wise - should I let the router or the ASA handle NAT (Overloading)?

In the most general of design best practices NAT is performed between an inside and outside network. NAT overloading is generally performed at the edge when there is limited public IP address space. You can learn more about NAT overloading, also known as Port Address Translation or PAT, in RFC 2663 (PAT is referred to as Network Address Port Translation (NAPT) in section 4.1.2).

In this particular scenario you can argue that you have two inside and outside networks and will need to perform some form of NAT on both the ASA (whether that is the NAT overloading you're using now, NAT exemption, static NAT, etc) and the Cisco Router.

I can ping the 172.16.2.2 interface but not 172.16.2.1 from a pc connected to one of the layer 2 switches (proves intervlan routing is working -- i have a 172.20.100.8 address on the PC). Why can't I ping 172.16.2.1 from a PC but I can from the Layer 3 Switch?

The ASA 172.16.2.2 is receiving the ICMP echo-request but does not have a route back to 172.20.100.0/27. The echo-reply is actually being forwarded to the Router 172.16.1.1 via the default route.

And most of all -- Why can't I get out to the Internet from the Layer 3 switch?

Currently your ASA and Cisco Router do not have routes to internal devices other than their connected routes.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10