Cisco and Port Forwarding
jstaley
02-22-07, 08:04 AM
I have a unique situation that I have never encountered, but I think I am heading in the right direction. So anyone with some Cisco background please check me on this.
I want to do some port forwarding on a Cisco 1800W (Wireless) router. But I need to forward the ports to all IPs inside my network. Let me explain.
We have a DVR system that handles our security cameras, and I need to allow multiple PCs access to those cameras within our corporate headquarters. So I need to be able to forward that port to all my PCs. But I am not 100% sure how this will work.
If it were just one port I could use something like
ip nat inside source static tcp 192.168.100.X 3389 interface BVI1 3389
But how do I get it to go to any address?
Would I use something like
ip nat inside source tcp any 3389 interface BVI1 3389
or
ip nat inside source dynamic tcp any 3389 interface BVI1 3389
or do I need to setup some access list to try and work from?
Thanks for any help.
jstaley
02-22-07, 03:02 PM
Right now, I can get out to the DVR systems, but it will not allow traffic to pass back through the router to the local PC.
Here are the relevant portions of my config file:
interface FastEthernet1
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address 208.180.138.254 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_HIGH out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
service-policy input sdmappfwp2p_SDM_HIGH
service-policy output sdmappfwp2p_SDM_HIGH
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.123.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip route 0.0.0.0 0.0.0.0 208.180.138.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat source list 150 interface FastEthernet1 overload
ip nat inside source list 1 interface FastEthernet1 overload
ip nat inside source static tcp 192.168.123.5 100 208.180.138.254 100 extendable
ip nat inside source static tcp 192.168.123.5 4503 208.180.138.254 4503 extendable
ip nat inside source static tcp 192.168.123.5 5800 208.180.138.254 5800 extendable
ip nat inside source static tcp 192.168.123.56 5801 208.180.138.254 5801 extendable
ip nat inside source static tcp 192.168.123.5 5900 208.180.138.254 5900 extendable
ip nat inside source static tcp 192.168.123.56 5901 208.180.138.254 5901 extendable
ip nat inside source static tcp 192.168.123.50 10051 208.180.138.254 10070 extendable
ip nat inside source static tcp 192.168.123.5 10884 208.180.138.254 10884 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.123.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 208.180.138.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit tcp any any eq 2000
access-list 100 permit udp any any eq 2000
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any any eq 2000
access-list 101 permit tcp any any eq 2000
access-list 101 permit tcp any host 208.180.138.254 eq 10884
access-list 101 permit tcp any host 208.180.138.254 eq 10070
access-list 101 permit tcp any host 208.180.138.254 eq 5900
access-list 101 permit tcp any host 208.180.138.254 eq 5800
access-list 101 permit tcp any host 208.180.138.254 eq 4503
access-list 101 permit tcp any host 208.180.138.254 eq 100
access-list 101 permit udp host 208.180.42.100 eq domain host 208.180.138.254
access-list 101 permit udp host 208.180.42.68 eq domain host 208.180.138.254
access-list 101 deny ip 192.168.123.0 0.0.0.255 any
access-list 101 permit icmp any host 208.180.138.254 echo-reply
access-list 101 permit icmp any host 208.180.138.254 time-exceeded
access-list 101 permit icmp any host 208.180.138.254 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 101 permit tcp any host 208.180.138.254 eq 2000
access-list 101 permit udp any host 208.180.138.254 eq 2000
access-list 150 permit tcp any host 208.180.138.254 eq 2000
access-list 150 permit udp any host 208.180.138.254 eq 2000
access-list 150 permit tcp any any eq 2000
access-list 150 permit udp any any eq 2000
no cdp run
shastasucks
02-23-07, 08:32 AM
It has been a while since I configured a Cisco ACL, but I think this may be a problem.
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 208.180.138.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit tcp any any eq 2000
access-list 100 permit udp any any eq 2000
It appears you have this applied to the interface that is connected to your internal network (192.168.123/24) and is filtering traffic as it comes from the said network into the router.
From what I remember Cisco ACLs are processed from the top to the bottom. Once it finds a match, it filters/sends the traffic accordingly. Since there is a sweeping statement of "permit ip any any" before the more granular "permit tcp any any eq 2000" and "permit udp any any eq 2000" I believe those last two statements will not be utilized.
The other thing that struck me as odd was "deny ip 208.180.138.0 0.0.0.255 any". It appears this is blocking traffic with a destination address in 208.180.138.0/24. This would be fine if this network is just a "link" type network, but if there are hosts within that network it may cause some issues.
Am I understanding your ACLs correctly?
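One way to check the top-to-bottom ordering concern mechanically, as an added example that is not part of the thread: a small Python first-match shadow check run over a constructed subset of the poster's access-list 101, where the two "eq 2000" permits follow "deny ip any any log" and can therefore never match.

```python
import ipaddress

# Constructed sample: a subset of the access-list 101 entries from the thread,
# kept in their original order; the remaining entries are omitted for brevity.
ACL_101 = """
access-list 101 permit tcp any host 208.180.138.254 eq 10884
access-list 101 permit udp host 208.180.42.100 eq domain host 208.180.138.254
access-list 101 deny ip 192.168.123.0 0.0.0.255 any
access-list 101 permit icmp any host 208.180.138.254 echo-reply
access-list 101 deny ip any any log
access-list 101 permit tcp any host 208.180.138.254 eq 2000
access-list 101 permit udp any host 208.180.138.254 eq 2000
""".strip().splitlines()

NAMED_PORTS = {"domain": 53}  # only the named port that appears in the thread

def _addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) plus an optional 'eq PORT'."""
    if tokens[0] == "any":
        net, rest = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    elif tokens[0] == "host":
        net, rest = ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    else:  # ipaddress accepts a contiguous wildcard (hostmask) directly;
        # a wildcard of 0.0.0.0 is ambiguous there, so use 'host' for /32 entries
        net, rest = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]
    port = None
    if rest and rest[0] == "eq":
        port, rest = NAMED_PORTS.get(rest[1]) or int(rest[1]), rest[2:]
    return net, port, rest

def parse_ace(line):
    """Parse 'access-list N action proto src [eq p] dst [eq p] ...'; remarks give None."""
    t = line.split()
    if t[2] == "remark":
        return None
    src, sport, rest = _addr(t[4:])
    dst, dport, _ = _addr(rest)  # trailing words (log, echo-reply) are ignored
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line}

def covers(a, b):
    """True if every packet matching ACE b also matches ACE a (a shadows b)."""
    return ((a["proto"] in ("ip", b["proto"]))
            and a["src"].supernet_of(b["src"]) and a["dst"].supernet_of(b["dst"])
            and a["sport"] in (None, b["sport"]) and a["dport"] in (None, b["dport"]))

def shadowed_entries(lines):
    """Return the ACEs that can never match because an earlier ACE covers them."""
    aces = [a for a in map(parse_ace, lines) if a]
    return [b["text"] for i, b in enumerate(aces) if any(covers(a, b) for a in aces[:i])]
```

Running shadowed_entries(ACL_101) reports the two "eq 2000" permits; the same check over access-list 100 flags its two trailing entries as covered by "permit ip any any", which, as noted above, is harmless because the actions agree.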
That shouldn't make a difference as they are both permit statements. If you had a deny that caught some traffic and then a permit you would be correct on the order. But the permits are ok.
If you want to forward something to all PCs (IPs) on a network it needs to be a broadcast or multicast. Then you can just setup a rule based on source address and port to allow that traffic.