# Port Forwarding Ranges on Cisco Router?



## Keith7WA (Aug 13, 2012)

Greetings All,

I'm just setting up a Cisco rv180w router to replace our aging Belkin. I need to allow a range of ports through the firewall to a particular PC on our internal network that runs our VOIP/SIP Trunk phone system.

The Cisco's Port Forwarding looks like it can only forward one port at a time, but for our phones I need to allow a full range of ports (in this case ports 49152-64512) to one machine at 192.168.x.xx.

On the Belkin I used something called 'Virtual Servers' which allows you to enter ranges of ports. Anybody know what the equivalent might be for the Cisco router? Much thanks in advance for any insight!


----------



## Wand3r3r (Sep 17, 2010)

Perhaps if you make a custom service you can do the port range. Otherwise use the DMZ [though less desirable].

http://www.cisco.com/en/US/docs/routers/csbr/rv180w/administration/guide/rv180w_admin.pdf


----------



## Troy_Jollimore (Dec 31, 2007)

If the Cisco Web Interface for that router is similar to the one for our PIX firewall, you're REALLY in for a shock versus your average D-Link/NetGear/Linksys device... 

This one doesn't seem as bad, but you're still creating an Access Control List (which they now call Port Forwarding as well) under the custom service Wanderer describes. You can enter your port range in there. I'm also not sure how automatic this router is (but it handles multiple aliased outward-facing IP addresses...Nice!) but on my PIX I also had to manually define the NAT rule to make each port visible outside of the Firewall. If you can't connect to that computer after setting up the service, that would probably be the reason why.


----------



## Keith7WA (Aug 13, 2012)

Thank you both -- that was helpful. This was not intuitive, but here's what I did:

1. Set up a Custom Service to allow the port range I needed.
2. Used Access Control to allow that custom service from any incoming IP and to direct it to the IP of our internal VOIP server.

Then, when I click on the 'Port Forwarding' tab, I see the Access Control rule automatically showing up in the list. Seems like it would be more straightforward to just allow ranges of ports in the Port Forwarding settings, but whatever…

Let me know if you see any obvious flaws with what I did.

Won't be able to fully test until I can find some off-hours time to swap in the new router.

This router does seem to have some fairly advanced features which I'm excited to learn more about!

Best Regards.


----------



## Troy_Jollimore (Dec 31, 2007)

It's Cisco. They do things their way. It's complicated, but it DOES work, and gives you TONS of granular control. Not for the faint-of-heart, though.

Let us know what happens when you test. (Yup, it WAS you from the other thread!)

Question back at you, though. With the SIP trunk, wouldn't that all be handled 'outside' by your ISP, so you'd only have to allow requests from their SIP gateway? (I don't know, as I've never worked on one before. Just curious.)


----------



## Keith7WA (Aug 13, 2012)

Hi Troy,

I'm OK with a little bit of complexity as long as all the options are there!

Our ISP is Comcast and they don't do SIP trunks (yet). We used to use their voice service but it essentially terminates as POTS analogue lines out of their modem.

Our SIP trunk provider is Broadvox and they can get us 3 "lines" for about a third the cost of what we were paying Comcast. However, since Comcast is passing all traffic over their pipe I have to open (on our firewall) the specific ports required by their service (and by our onsite LAN PC-based PBX) in order for everything to work.

I'm a relative newbie to this level of networking so hopefully that all made sense!


----------



## Troy_Jollimore (Dec 31, 2007)

This would be a question for Broadvox, but what I'm getting at is that if the SIP traffic is being sent from them, your Access Control List (ACL) wouldn't have to permit traffic from 0.0.0.0 (all IP addresses). You could specify the address that Broadvox gives you to minimize any security risk.

Hmm, this is from Feb. 2010, but you could check out the table in this link (check with Broadvox for accuracy) and see how it goes. I never tried configuring my firewall to allow same-port traffic from multiple specific IP addresses, but it shouldn't be too hard.
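The source-restriction point above, as an added example (not Cisco RV180W code or anything from the thread): a small first-match ACL model that compares a permit from any source with the same rules pinned to the provider's prefixes, and that also shows the "same port from multiple specific IP addresses" case as two rules for one port range. The PBX address and both provider prefixes are constructed placeholders from the RFC 5737 documentation ranges; the real prefixes have to come from the provider.

```python
"""Inbound ACL model for the SIP-trunk firewall rules discussed above.
Added example, not Cisco RV180W code: a first-match rule table that shows
what an 'any source' permit admits compared with rules pinned to the
provider's prefixes.  All addresses are constructed placeholders (RFC 5737
documentation ranges); the real prefixes must come from the provider."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PBX_HOST = "192.168.1.10"                 # constructed internal PBX address
SIP_SIGNALING = (5060, 5060)              # one-port range, assumed SIP port
RTP_MEDIA = (49152, 64512)                # range quoted in the original question
ANY = "0.0.0.0/0"
# Constructed stand-ins for the provider's published signaling and media
# sources; a trunk provider often sends media from a different range than
# signaling, so both must be listed.
PROVIDER_SIGNALING = "198.51.100.0/24"
PROVIDER_MEDIA = "203.0.113.0/24"


@dataclass(frozen=True)
class Rule:
    source: str          # CIDR the packet must come from
    ports: tuple         # inclusive (low, high) destination port range
    forward_to: str      # internal host the matching traffic is sent to
    action: str = "permit"


def matches(rule, src_ip, dst_port):
    lo, hi = rule.ports
    return ip_address(src_ip) in ip_network(rule.source) and lo <= dst_port <= hi


def evaluate(acl, src_ip, dst_port):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in acl:
        if matches(rule, src_ip, dst_port):
            return rule.action, rule.forward_to
    return "deny", None


# What the thread's first draft looks like: any source may reach the PBX.
WIDE_OPEN = [
    Rule(ANY, SIP_SIGNALING, PBX_HOST),
    Rule(ANY, RTP_MEDIA, PBX_HOST),
]

# Same services, sources pinned to the provider; two prefixes may share a port.
PINNED = [
    Rule(PROVIDER_SIGNALING, SIP_SIGNALING, PBX_HOST),
    Rule(PROVIDER_SIGNALING, RTP_MEDIA, PBX_HOST),
    Rule(PROVIDER_MEDIA, RTP_MEDIA, PBX_HOST),
]

# Constructed sample packets: (source, destination port).
SAMPLES = [
    ("198.51.100.7", 5060),    # provider signaling
    ("203.0.113.40", 50000),   # provider media
    ("192.0.2.99", 5060),      # unrelated host probing the SIP port
    ("192.0.2.99", 60000),     # unrelated host hitting the media range
    ("198.51.100.7", 5900),    # provider address, but a port not in the rules
]


def admitted(acl, samples=SAMPLES):
    """Return the sample packets an ACL lets through to the PBX."""
    return [s for s in samples if evaluate(acl, *s)[0] == "permit"]


if __name__ == "__main__":
    for name, acl in (("wide open", WIDE_OPEN), ("pinned", PINNED)):
        print(f"{name}: {len(admitted(acl))} of {len(SAMPLES)} samples admitted")
```

The pinned table still admits both provider packets and rejects the two unrelated hosts, which is the whole gain: the forwarded ports are reachable only from the prefixes the provider publishes. If the provider's media addresses differ from its signaling addresses, the media range needs its own rule, as the third rule in `PINNED` shows.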


----------



## Keith7WA (Aug 13, 2012)

Ah yes, I think that makes sense and would greatly reduce the risk of penetration by unauthorized parties. And thank you for the link -- that too is super helpful!


----------



## Keith7WA (Aug 13, 2012)

OK. Although I think I'm getting a handle on how to open ports through to only certain internal machines, there's one thing I'm stymied on. On our Belkin router, using "Virtual Servers" we could set up access to specific machines by assigning an "inbound port" (which could be any digits, let's say "999") and this, when added to the public IP after a colon, allowed mapping to a particular internal IP and a particular service from outside the office.

So...from an outside computer (OS X) I could select "connect to server", type in: "vnc://12.34.56.78:999" (where the 12.34 etc is the office's public fixed IP address). The router was set to see the incoming "999" and route me to a specific internal machine using port 5900.

Using :998 for instance would allow me to screen share a different computer on the internal network from outside the office.

Anybody know how to do the equivalent on a Cisco router? Specifically an RV180W?


----------



## Troy_Jollimore (Dec 31, 2007)

Troy Jollimore said:


> ...but on my PIX I also had to manually define the NAT rule to make each port visible outside of the Firewall. If you can't connect to that computer after setting up the service...


This is what I was referring to. This is a little different than our PIX was, but let me give it a whirl. Please click on Wanderer's link to the manual above, and turn to pages 92 & 93... We'll set up two computers for VNC access from the outside. Oh dear, this looks a bit messy without having screenshots to work from...

From the looks of it, you have to configure a 'Custom Service' for each system you want. So on PC1 we'll use VNC's default port (5900) and on PC2 we'll use (5901). So set up the two PCs as such, and configure two Custom Services (Dick VNC and Jane VNC?) for those ports. I'll assume you know how to set up Port Forwarding to each.

Now we'll set up the 1-to-1 NAT rules. Dick's first. From the look of it, your start private range will be PC1's IP address, say 192.168.1.100, your start public range will be 12.34.56.78 (external IP, as per your example), Length will be 1, and service will be 'Dick VNC'. Then we'll repeat the process for Jane, private will be PC2's address, 192.168.1.101, same public as above, Length will be 1, and service will be 'Jane VNC'.

Depending on the results of your test, the way this is set up it seems that you might want to revisit the Custom Service aspect of it. Do they connect from the outside using any other services, like RDP? It'd probably be easier to combine all of the custom ports used on a PC into a single Custom Service, like 'JANE PC' instead of 'JANE VNC'. Then you should only have to set up the NAT rule once, rather than for each service for each machine.

That still won't do the port mapping that you want, so that :999 will go to :5900 of the IP... But going back over the manual, Port Forwarding is very explicit in that it can do this. You'll probably have to play with it a bit. On my PIX, you configured the Access rule, then configured NAT to handle any port mapping. I kept it simple, and just mapped ports to the same as they were internally. (i.e. change MS RDP's port on the PC from 3389 to 10000, NAT'd 10000, and the IP for RDP would be 12.34.56.78:10000.)


----------



## Wand3r3r (Sep 17, 2010)

Sorry I didn't see this earlier. I could have saved you some work.

The usual method is not to vnc/rdp to each machine. The KISS principle has you only vnc/rdp to ONE machine. Once connected there you can rdp/vnc to any other machine on the lan.
No port forwarding required for any of the other machines.

"incoming "999" and route me to a specific internal machine using port 5900"

Why are you making this complicated? You don't need PAT [port address translation].
You should be using port 5900 all the way through.

Usually when changing the listening port for rdp we increment by 1, so 3389 becomes 3390 for 2 PCs or 3391 for 3...etc.


----------



## Keith7WA (Aug 13, 2012)

Hi Guys, sorry -- I had to shift technical gears for a couple of days to the world of video walls.

Thank you for all the advice. So, Wand3r3r -- it sounds like your method is similar to VPN where once you make a connection you can then access various machines as if you were on site? (Using AFP or SMB to each machine using its local LAN IP address for instance).

But, if I VNC to one machine then use that shared screen to vnc to a second local machine am I not then screen sharing through screen sharing which would behave and redraw painfully slow? Or, is there a connection or tunnel that can be made (Like VPN) that then lets me choose which machine to connect to?

BTW, our clients are mostly running OS X and I'm not sure you can change the listening ports for the various services.

Based on Troy's comments I think the key here may lie with the 1-to-1 NAT rules?


----------



## Wand3r3r (Sep 17, 2010)

Not slow at all. After all the "screen redraw" is from a pc on the same lan as you are connected remotely to.

Not like vpn at all. Just another way of remotely accessing pcs.

You can't forward to the same port on multiple machines. Keep this in mind.
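The Belkin-style mapping from Keith's earlier question (public :999 landing on an internal machine's port 5900, :998 on another) and the constraint just stated (one public port cannot be forwarded to more than one internal machine) are the same table seen from two sides. As an added example, not RV180W firmware or any code from the thread, here is a small model of that inbound port-forwarding table: it performs the destination-port translation and refuses a second forward that overlaps an existing public port for the same protocol. The internal addresses are constructed, the public address is the example one used in the thread, and the phone-system range is assumed to be UDP.

```python
"""Model of a router's inbound port-forwarding table (DNAT, with optional
port translation, i.e. PAT), as an added example; not RV180W firmware or
Cisco code.  It reproduces the Belkin-style mapping from the thread
(public :999 -> internal :5900) and enforces the constraint that one public
port can be forwarded to only one internal host.  Internal addresses are
constructed; the public address is the example one used in the thread."""
from dataclasses import dataclass

PUBLIC_IP = "12.34.56.78"


@dataclass(frozen=True)
class Forward:
    proto: str          # "tcp" or "udp"
    public_lo: int      # inclusive public (WAN-side) port range
    public_hi: int
    internal_ip: str    # LAN host that receives the traffic
    internal_lo: int    # internal port for public_lo; the offset is kept across the range


def overlaps(a, b):
    """Two forwards conflict when they share a protocol and any public port."""
    return a.proto == b.proto and a.public_lo <= b.public_hi and b.public_lo <= a.public_hi


class ForwardTable:
    def __init__(self):
        self.rules = []

    def can_add(self, fwd):
        return not any(overlaps(fwd, r) for r in self.rules)

    def add(self, fwd):
        if not self.can_add(fwd):
            clash = next(r for r in self.rules if overlaps(fwd, r))
            raise ValueError(
                f"{fwd.proto}/{fwd.public_lo}-{fwd.public_hi} already forwarded to "
                f"{clash.internal_ip}:{clash.internal_lo}")
        self.rules.append(fwd)
        return fwd

    def translate(self, dst_ip, dst_port, proto="tcp"):
        """Where a packet addressed to the public IP ends up; None means dropped."""
        if dst_ip != PUBLIC_IP:
            return None
        for r in self.rules:
            if r.proto == proto and r.public_lo <= dst_port <= r.public_hi:
                return r.internal_ip, r.internal_lo + (dst_port - r.public_lo)
        return None


def build_thread_table():
    """The forwards described in the thread, as a constructed configuration."""
    t = ForwardTable()
    # Belkin-style "inbound port" mapping: :999 and :998 each land on a
    # different machine's VNC listener (5900).
    t.add(Forward("tcp", 999, 999, "192.168.1.100", 5900))
    t.add(Forward("tcp", 998, 998, "192.168.1.101", 5900))
    # The phone-system range from the first post, forwarded unchanged to
    # the PBX host; assumed UDP (RTP media).
    t.add(Forward("udp", 49152, 64512, "192.168.1.10", 49152))
    return t


if __name__ == "__main__":
    table = build_thread_table()
    print(table.translate(PUBLIC_IP, 999))           # ('192.168.1.100', 5900)
    print(table.translate(PUBLIC_IP, 50000, "udp"))  # ('192.168.1.10', 50000)
    # A second host on the same public port is the case the post warns about.
    print(table.can_add(Forward("tcp", 999, 999, "192.168.1.102", 5900)))  # False
```

Wand3r3r's "5900 all the way through" advice is the degenerate case of this table where `internal_lo` equals `public_lo`, and Troy's 5900/5901 split is two such entries on different public ports; either way the overlap check is what stops a second machine from claiming a port that is already taken.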


----------



## Troy_Jollimore (Dec 31, 2007)

Wanderer's right on that again. I do it that way because that's the way the previous guy had it set up (and that's how I do my RDP ports as well, 10000 was just an example). It IS fairly simple, though, but not the most secure. Ideally, you want as few holes in your firewall as you can. The way I'm trying to set mine up now is that everyone will connect to a single Terminal Server, which will then allow them to relay to their own desktop PC. I haven't decided whether I'll 'server-ize' their desktop environments or not. It's a work in progress...

While this will work with RDP, since multiple users can simultaneously connect to a single system, I don't think VNC will allow this, since it's a screen catching app. You might be stuck going 1-to-1. Even though it's OS X, there should still be a way to change those ports. Indeed, since OS X is based on Linux, you should be able to take greater control of those settings. Granted, that control usually comes from going into the Command Line Interface. 'VNC-hopping' from one remote PC to another will slow things down, but not very much. Picky users might complain about the slight lag in the mouse pointer.

#Wanderer, I think keith meant that 'like' a VPN, you single connect to the network and then you connect to things 'from the inside'. Although in this case, the only data being sent back would still only be screen data. I'm a bit confused on the specifics of what you're proposing (see below) as well, although I see where you're going with this.

#keith7wa, when you said 'outside computer', your IP example had me thinking that you were referring to a machine outside of the NETWORK, i.e., working from home. To remote into a PC at a branch office from 'home base', you shouldn't need to define anything. All ports are handled over the site-to-site VPN as if they were local, if your site-to-site VPN is configured like mine, i.e., 192.168.1.0/24 <-> 192.168.2.0/24 allows all PCs to see each other across the VPN using their respective local addresses. Not the best setup security-wise, but it simplifies things. Ideally, you'll want to limit which computers can connect to remote resources.


----------

