Cisco
nicolnx, 2011-02-17 03:32:58

Cisco and forwarding a range of UDP ports from the world to the LAN?

Good afternoon, All
There is a Cisco box
IOS (tm) 3600 Software (C3620-IK9O3S6-M), Version 12.3(17a), RELEASE SOFTWARE (fc2)
with a construction like this on it:
access-list 100 permit tcp any any eq 80
access-list 100 permit udp any any range 5000 20000
ip nat pool SRV1 192.168.0.1 192.168.0.1 netmask 255.255.255.0 type rotary
ip nat inside destination list 100 pool SRV1
It works great for TCP traffic and doesn't work at all for UDP.
Judging by the debug output, such UDP traffic doesn't even hit access-list 100, since the counters only increase on the TCP-related rules.
Hence the question: why does it work only for TCP, and is it possible to get around this somehow without writing a bunch of translations, one per port?


3 answer(s)
digreen, 2011-02-17

Try UDP in a separate ACL and a second NAT pool for it. Or is that unacceptable?

serejik, 2011-02-17

Why is the port range for UDP 5000-20000? Maybe your packets don't fall into this range. Try permitting everything first, and then narrow it down from there.

nicolnx, 2011-02-17

Tried it in different ways. The only thing that worked normally is
ip nat inside source static udp 10.95.1.252 5060 xxxx 5060 extendable
and so on down the list.
At the same time, if you do
ip nat inside source static udp 10.95.1.252 5060 interface Dialer0 5060
then the translation inbound works, but the server's response to the client out in the world doesn't get through.
Everything is fine with TCP, it works flawlessly.
Either I'm misunderstanding something, or is it an IOS oddity?
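An added illustration, not part of the thread: Cisco's NAT documentation presents rotary pools (ip nat inside destination ... type rotary) as TCP load distribution, which matches the TCP-only behaviour the poster observed. The fallback the poster found working is one static UDP translation per port, so the script below generates those lines for a given range and validates the input. It reuses the inside host 10.95.1.252 from the thread; the outside address is a constructed placeholder (the poster wrote "xxxx"), and the function names are my own.

```python
import ipaddress

# Inside host taken from the thread; the outside address is a constructed
# placeholder from the RFC 5737 documentation range (the poster wrote "xxxx").
INSIDE_HOST = "10.95.1.252"
OUTSIDE_HOST = "203.0.113.10"


def static_udp_translations(inside_host, outside_host, first_port, last_port):
    """Return one 'ip nat inside source static udp ... extendable' line per port.

    This is the per-port form the poster reported as working. Both addresses
    are validated and the port range is checked before any line is produced,
    so a typo does not silently yield thousands of bad translations.
    """
    ipaddress.IPv4Address(inside_host)   # raises ValueError on a bad address
    ipaddress.IPv4Address(outside_host)
    if not (1 <= first_port <= last_port <= 65535):
        raise ValueError("port range must satisfy 1 <= first <= last <= 65535")
    return [
        f"ip nat inside source static udp {inside_host} {port} "
        f"{outside_host} {port} extendable"
        for port in range(first_port, last_port + 1)
    ]


def translation_count(first_port, last_port):
    """Number of static entries a closed port range would need on the router."""
    if not (1 <= first_port <= last_port <= 65535):
        raise ValueError("port range must satisfy 1 <= first <= last <= 65535")
    return last_port - first_port + 1


if __name__ == "__main__":
    # Constructed sample: the SIP signalling port plus a small media range.
    # The thread's full 5000-20000 range would need translation_count(5000, 20000)
    # entries, which is why the poster wanted to avoid the per-port approach.
    for line in static_udp_translations(INSIDE_HOST, OUTSIDE_HOST, 5060, 5060):
        print(line)
    for line in static_udp_translations(INSIDE_HOST, OUTSIDE_HOST, 10000, 10009):
        print(line)
    print(f"# full thread range would be {translation_count(5000, 20000)} entries")
```

When generating such a list, keep the range to the ports the inside service actually uses (for SIP/RTP that is the signalling port plus the media port range the server is configured with), since every static entry is an inbound path to the host that exists whether or not anything listens there.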
