Translate a range of ports using NAT

Answered Question
Jun 16th, 2010

Hi,


I have a Cisco 857 router. I have an internal ip address to which I want to direct traffic from an external source.


The internal IP address is 192.168.2.50. Previously I have translated a single port to this address, I did this by adding a line to my access list:


access-list 101 permit tcp source_address destination_address eq 50000


and a NAT entry:


ip nat inside source static tcp 192.168.2.50 50000 interface Dialer0 50000



I now want to add a range of ports, so I added this line to my access list


access-list 101 permit tcp source_address destination_address range 50000 51000


Is there a way to add a range of ports to my NAT entry too?


Thanks


Nick

John Blakley Wed, 06/16/2010 - 10:28

Can you do a one to one translation?


ip nat inside source static 192.168.2.50 interface Dialer0


Then you can just use your range in the ACL that you apply to the outside interface.


HTH,

John

nickc1976 Thu, 06/17/2010 - 02:11

Hi John,


Thanks for the info. If I add the line:


ip nat inside source static 192.168.2.50 interface Dialer0


What effect will this have on traffic coming in to the external interface? Will it forward all traffic to 192.168.2.50, or just make the external interface aware that 192.168.2.50 is available for the port range that I open in the acl?


I should also mention that there are some other NAT rules, such as:


ip nat inside source static udp 192.168.2.30 45000 interface Dialer0 45000

ip nat inside source static tcp 192.168.2.115 25000 interface Dialer0 25000


These have an accompanying ACL entry, and I don't want any of this traffic to be affected by any new rules that I add.


Nick

John Blakley Thu, 06/17/2010 - 06:32

Ah, yeah, that would make a difference because you're forwarding different ports to different addresses. I don't know if this will work, but you might try something like:


access-list 110 permit tcp any host 192.168.2.50 range


route-map INCOMING permit 10

match ip address 110



ip nat inside source static route-map INCOMING interface Dialer0


I don't have a way of testing this, but this is the way that you'd do it in an ASA. (sort of.) I'd do this after hours to see if it'd work for you though.


HTH,

John

Correct Answer
John Blakley Thu, 06/17/2010 - 07:05

Okay, I was able to set this up but it doesn't work. Using a route-map or ACL with range listed doesn't add it to the translation table. You're probably stuck with doing individual lines for each port that you want to translate.


John

nickc1976 Fri, 06/18/2010 - 01:39

I ended up creating a separate line for each entry, it didn't take that long in the end.


Thanks for your help


Nick
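Since the accepted answer is that IOS static NAT needs one line per port, the following Python script (an added example, not part of the original thread and not Cisco tooling) generates those lines for a port range and, before emitting them, checks the new entries against the static translations that already exist on the router, including the one-to-one `ip nat inside source static <ip> interface Dialer0` form that John first suggested, which claims every port of the outside interface address. It goes slightly beyond the thread by treating a one-to-one static as owning all ports, which is why it would clash with the other port-specific entries Nick mentioned. The `StaticNat` class, the function names, and the `any any` ACL source/destination are assumptions; the page's own ACL used `source_address destination_address` placeholders, so pass whatever you actually use there.

```python
"""Expand a port range into per-port IOS static NAT lines and detect collisions
with static translations that already exist on the router.
Example code written for this thread; class and function names are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticNat:
    """One 'ip nat inside source static ...' entry.

    proto/inside_port/outside_port are None for a one-to-one translation
    ('ip nat inside source static 192.168.2.50 interface Dialer0'), which
    claims every port, for every protocol, on the outside interface address.
    """
    inside_ip: str
    outside_if: str
    proto: Optional[str] = None
    inside_port: Optional[int] = None
    outside_port: Optional[int] = None

    def to_ios(self) -> str:
        if self.proto is None:
            return f"ip nat inside source static {self.inside_ip} interface {self.outside_if}"
        return (f"ip nat inside source static {self.proto} {self.inside_ip} "
                f"{self.inside_port} interface {self.outside_if} {self.outside_port}")

    def claims(self, proto: str, outside_if: str, port: int) -> bool:
        """True if this entry owns the given (proto, outside interface, port)."""
        if self.outside_if != outside_if:
            return False
        if self.proto is None:  # one-to-one: every port, every protocol
            return True
        return self.proto == proto and self.outside_port == port

    def same_target(self, other: "StaticNat") -> bool:
        """True if both entries deliver the port to the same inside host/port."""
        if self.inside_ip != other.inside_ip:
            return False
        if self.proto is None:  # one-to-one to the same host already covers it
            return True
        return self.inside_port == other.inside_port


def expand_port_range(proto: str, inside_ip: str, outside_if: str,
                      first: int, last: int) -> List[StaticNat]:
    """Build one static entry per port, mapping outside port N to inside port N."""
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    if not (1 <= first <= last <= 65535):
        raise ValueError("need 1 <= first <= last <= 65535")
    return [StaticNat(inside_ip, outside_if, proto, p, p) for p in range(first, last + 1)]


def find_conflicts(existing: List[StaticNat],
                   new: List[StaticNat]) -> List[Tuple[StaticNat, StaticNat]]:
    """(new_entry, existing_entry) pairs where the outside port is already
    claimed by a translation to a different inside host or port."""
    conflicts = []
    for n in new:
        for e in existing:
            if e.claims(n.proto, n.outside_if, n.outside_port) and not e.same_target(n):
                conflicts.append((n, e))
    return conflicts


def render_config(acl_number: int, acl_src: str, acl_dst: str,
                  entries: List[StaticNat]) -> List[str]:
    """One ACL 'range' line plus one NAT line per port. Refuses a non-contiguous
    port set, because a single range line would then permit ports with no NAT entry."""
    protos = {e.proto for e in entries}
    if len(protos) != 1:
        raise ValueError("entries must share one protocol")
    ports = sorted(e.outside_port for e in entries)
    if ports != list(range(ports[0], ports[-1] + 1)):
        raise ValueError("ports are not contiguous; the ACL range would over-permit")
    lines = [f"access-list {acl_number} permit {protos.pop()} {acl_src} {acl_dst} "
             f"range {ports[0]} {ports[-1]}"]
    lines.extend(e.to_ios() for e in sorted(entries, key=lambda e: e.outside_port))
    return lines


if __name__ == "__main__":
    # Constructed from the thread: the two statics Nick already has, plus the range he wants.
    existing = [StaticNat("192.168.2.30", "Dialer0", "udp", 45000, 45000),
                StaticNat("192.168.2.115", "Dialer0", "tcp", 25000, 25000)]
    new = expand_port_range("tcp", "192.168.2.50", "Dialer0", 50000, 51000)
    print("conflicts with port-specific statics:", len(find_conflicts(existing, new)))
    # The one-to-one form John first proposed would collide with every new port.
    one_to_one = [StaticNat("192.168.2.115", "Dialer0")]
    print("conflicts with a one-to-one static:", len(find_conflicts(one_to_one, new)))
    for line in render_config(101, "any", "any", new)[:4]:
        print(line)
```

Paste the rendered lines into the router configuration only after `find_conflicts` returns an empty list; a non-empty list means an outside port would be steered to two different inside hosts, and IOS will keep whichever static it accepted first.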
