Port Address Redirection

Tim K
Level 1

Hey all,

I am running into a scenario where I need to perform port address redirection for external users accessing an internal VoIP server. Configuring port address redirection is easy enough when you are dealing with one port mapping to one port. But what happens when you need to configure port redirection on a range of ports (say 10000-20000). I obviously cannot configure that many static NAT entries in the router. Anyone know of some creative ways to accomplish this?

Thanks in advance for any help!

5 Replies

Tim K
Level 1

Any ideas here guys/gals? Just throwing it out here, but is there any way to accomplish this scenario with policy based routing? Or maybe some other technology? If a Linksys router can do it I have to believe that a Cisco router can too! It would be optimal if I had a firewall appliance, because I am sure I can do it with that.

Thanks in advance.

Edison Ortiz
Hall of Fame

Are you referring to port address translation (PAT) or source-based routing (a.k.a PBR)?

You can perform PAT on a range of ports - simply match on an ACL, which supports port ranges.

access-list 101 permit tcp [source] range 1000 2000 [destination]
ip nat inside source list 101...

or, with PBR (using the same ACL):

route-map PBR
 match ip address 101
 set ip next-hop ....
interface fx/x
 ip policy route-map PBR

Regards

Edison.

Edison,

Thanks for answering! I am actually referring to port address redirection (that's the name given in the Cisco Press Cisco Router Firewall Security book). Essentially, what it is is static NAT.

An example is below:

ip nat inside source static tcp [inside-ip] [inside-port] interface [outside-interface] [outside-port]

Like I mentioned, I can make this work if I were to type it in for all of the ports individually, but making it work with a significant range of ports is proving to be difficult.

I have found a way to make it work, but it is not ideal, and sends ALL traffic to an inside default IP. The method is referred to as "nat inside default server". Like I said though, that sends ALL traffic destined for the external IP of the router on any port that is not specified in any other static or dynamic nat configuration, to the default IP specified. Anyway, ... that isn't optimal.

I will try what you suggested, but am not sure if it is going to work. Thanks for that! Any other ideas?

You can try your static NAT with a route-map, and the route-map will match on an ACL. The static NAT will occur only if there is a match on the ACL.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html

Would that work for you?

Regards

Edison.

Edison,

Thank you for your help here. While I could not make the static NAT with a route-map work with my setup, it did lead me down a different path of research, and I was eventually able to find a fix. Below are the commands.

ip nat pool MyPool 192.168.0.69 192.168.0.69 netmask 255.255.255.0 type rotary
ip nat inside destination list 102 pool MyPool
access-list 102 permit tcp any any range 3380 3390

In the above configuration the 192.168.0.69 IP is the IP of the inside server I wanted to send my TCP 3380-3390 traffic to.
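As an added example (not part of the thread), a small Python model of the final configuration: it parses the numbered ACL and answers which inbound packets "ip nat inside destination list 102 pool MyPool" hands to the rotary pool, and puts a constructed source-restricted ACL next to the thread's "any any" one so the difference in exposure is visible. The outside address 198.51.100.1 and the 203.0.113.0/24 prefix are assumed values, not from the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source address of the external user
    dst: str     # the router's outside address
    dport: int   # destination port

def _addr(tok):
    """Consume one ACL address spec ('any', 'host A.B.C.D', or 'A.B.C.D WILDCARD')
    and return (match function, remaining tokens)."""
    if tok[0] == "any":
        return (lambda ip: True), tok[1:]
    if tok[0] == "host":
        host = ipaddress.ip_address(tok[1])
        return (lambda ip: ip == host), tok[2:]
    base, wild = int(ipaddress.ip_address(tok[0])), int(ipaddress.ip_address(tok[1]))
    return (lambda ip: (int(ip) | wild) == (base | wild)), tok[2:]

def parse_acl(config_lines, number):
    """Parse entries 'access-list N permit|deny PROTO SRC DST [range LO HI | eq PORT]'
    (destination-port operator, as used in the thread)."""
    entries = []
    for line in config_lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[1] != str(number):
            continue
        src, rest = _addr(tok[4:])
        dst, rest = _addr(rest)
        lo, hi = 0, 65535                      # no port operator: every port matches
        if rest[:1] == ["range"]:
            lo, hi = int(rest[1]), int(rest[2])
        elif rest[:1] == ["eq"]:
            lo = hi = int(rest[1])
        entries.append((tok[2] == "permit", tok[3], src, dst, lo, hi))
    return entries

def redirect(pkt, acl, pool_ip):
    """Inside address an inbound packet is translated to by 'ip nat inside destination
    list N pool P' (first matching entry wins), or None if NAT leaves it alone."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for permit, proto, src_ok, dst_ok, lo, hi in acl:
        if proto in (pkt.proto, "ip") and src_ok(src) and dst_ok(dst) and lo <= pkt.dport <= hi:
            return pool_ip if permit else None
    return None

POOL_IP = "192.168.0.69"   # inside server from the thread's rotary pool
THREAD_ACL = ["access-list 102 permit tcp any any range 3380 3390"]
# Constructed alternative: same redirect, but only from one assumed external prefix.
RESTRICTED_ACL = ["access-list 103 permit tcp 203.0.113.0 0.0.0.255 any range 3380 3390"]
```

With the thread's ACL any source on the internet reaching TCP 3380-3390 is redirected to the server; the restricted ACL keeps the same mapping but drops the redirect for sources outside the listed prefix.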
