Port Address Redirection

Unanswered Question
Oct 23rd, 2009

Hey all,

I am running into a scenario where I need to perform port address redirection for external users accessing an internal VoIP server. Configuring port address redirection is easy enough when you are dealing with one port mapping to one port. But what happens when you need to configure port redirection on a range of ports (say 10000-20000). I obviously cannot configure that many static NAT entries in the router. Anyone know of some creative ways to accomplish this?

Thanks in advance for any help!

Tim Kerr Sun, 10/25/2009 - 11:59

Any ideas here guys/gals? Just throwing it out here, but is there any way to accomplish this scenario with policy based routing? Or maybe some other technology? If a Linksys router can do it I have to believe that a Cisco router can too! It would be optimal if I had a firewall appliance, because I am sure I can do it with that.

Thanks in advance.

Edison Ortiz Sun, 10/25/2009 - 16:12

Are you referring to port address translation (PAT) or source-based routing (a.k.a PBR)?

You can perform PAT on a range of ports - simply match on an ACL which support port ranges.

access-list 101 permit tcp [source] range 1000 2000 [destination]

ip nat inside source list 101...

or, with PBR (using same ACL)

route-map PBR

match ip address 101

set ip next hop ....

interface fx/x

ip policy route-map PBR

Regards

Edison.

Tim Kerr Sun, 10/25/2009 - 17:41

Edison,

Thanks for answering! I am actually referring to port address redirection (that's the name given in the Ciscopress Cisco Router Firewall Security book). Essentially what it is is static NAT.

An example is below:

ip nat inside source static tcp interface

Like I mentioned, I can make this work if I were to type it in for all of the ports individually, but trying to make it work with a significant range of ports is proving to be difficult.

I have found a way to make it work, but it is not ideal, and sends ALL traffic to an inside default IP. The method is referred to as "nat inside default server". Like I said though, that sends ALL traffic destined for the external IP of the router on any port that is not specified in any other static or dynamic nat configuration, to the default IP specified. Anyway, ... that isn't optimal.

I will try what you suggested, but am not sure if it is going to work. Thanks for that! Any other ideas?

Tim Kerr Mon, 10/26/2009 - 19:31

Edison,

Thank you for your help here. While I could not make the static NAT with a route-map work with my setup, it did lead me down a different path of research, and I was eventually able to find a fix. Below are the commands.

ip nat pool MyPool 192.168.0.69 192.168.0.69 netmask 255.255.255.0 type rotary

ip nat inside destination list 102 pool MyPool

access-list 102 permit tcp any any range 3380 3390

In the above configuration the 192.168.0.69 IP is the IP of the inside server I wanted to send my TCP 3380-3390 traffic to.
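As an added example that is not part of this thread, the following Python script audits which external TCP ports a configuration like the one above actually redirects inward, covering both per-port static entries and a rotary pool selected via an ACL. The configuration text, the second ACL line, the interface name and the 192.168.0.70 host are constructed for the example.

```python
import re

# Constructed sample configuration (not copied from the thread verbatim): the
# rotary-pool redirection posted above plus hypothetical extra entries.
SAMPLE_CONFIG = """
ip nat pool MyPool 192.168.0.69 192.168.0.69 netmask 255.255.255.0 type rotary
ip nat inside destination list 102 pool MyPool
access-list 102 permit tcp any any range 3380 3390
access-list 102 permit tcp any any eq 5060
ip nat inside source static tcp 192.168.0.70 22 interface FastEthernet0/0 2222
"""

def exposed_tcp_ports(config):
    """Map each external TCP port the config redirects inward to the inside host.

    Handles the two forms seen in the thread: per-port static entries and a rotary
    pool chosen by an ACL on 'ip nat inside destination'. ACL lines are assumed
    to use 'any any' for source/destination (the audit is about ports, not hosts).
    """
    pools, dest_lists, acl_ports, exposed = {}, {}, {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ip nat pool (\S+) (\S+) \S+ .*\btype rotary", line):
            pools[m[1]] = m[2]            # first address of the rotary pool
        elif m := re.match(r"ip nat inside destination list (\d+) pool (\S+)", line):
            dest_lists[m[1]] = m[2]
        elif m := re.match(r"access-list (\d+) permit tcp any any range (\d+) (\d+)", line):
            acl_ports.setdefault(m[1], []).extend(range(int(m[2]), int(m[3]) + 1))
        elif m := re.match(r"access-list (\d+) permit tcp any any eq (\d+)", line):
            acl_ports.setdefault(m[1], []).append(int(m[2]))
        elif m := re.match(r"ip nat inside source static tcp (\S+) \d+ interface \S+ (\d+)", line):
            exposed[int(m[2])] = m[1]     # external port -> inside host
    for acl, pool in dest_lists.items():
        for port in acl_ports.get(acl, []):
            exposed.setdefault(port, pools.get(pool, "unknown-pool"))
    return exposed

def port_ranges(exposed):
    """Collapse {port: host} into sorted (first, last, host) triples for reporting."""
    ranges = []
    for port in sorted(exposed):
        host = exposed[port]
        if ranges and ranges[-1][1] == port - 1 and ranges[-1][2] == host:
            ranges[-1] = (ranges[-1][0], port, host)
        else:
            ranges.append((port, port, host))
    return ranges

if __name__ == "__main__":
    for first, last, host in port_ranges(exposed_tcp_ports(SAMPLE_CONFIG)):
        print(f"tcp {first}-{last} -> {host}")
```

Running it against a saved running-config gives a quick inventory of the inbound surface the NAT rules open, which is the check to repeat whenever an ACL range is widened.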
