06-16-2010 08:59 AM - edited 03-04-2019 08:48 AM
Hi,
I have a Cisco 857 router. I have an internal IP address to which I want to direct traffic from an external source.
The internal IP address is 192.168.2.50. Previously I have translated a single port to this address; I did this by adding a line to my access list:
access-list 101 permit tcp source_address destination_address eq 50000
and a NAT entry:
ip nat inside source static tcp 192.168.2.50 50000 interface Dialer0 50000
I now want to add a range of ports, so I added this line to my access list:
access-list 101 permit tcp source_address destination_address range 50000 51000
Is there a way to add a range of ports to my NAT entry too?
Thanks
Nick
06-16-2010 10:28 AM
Can you do a one to one translation?
ip nat inside source static 192.168.2.50 interface Dialer0
Then you can just use your range in the ACL that you apply to the outside interface.
HTH,
John
06-17-2010 02:11 AM
Hi John,
Thanks for the info. If I add the line:
ip nat inside source static 192.168.2.50 interface Dialer0
What effect will this have on traffic coming in to the external interface? Will it forward all traffic to 192.168.2.50, or just make the external interface aware that 192.168.2.50 is available for the port range that I open in the ACL?
I should also mention that there are some other NAT rules, such as:
ip nat inside source static udp 192.168.2.30 45000 interface Dialer0 45000
ip nat inside source static tcp 192.168.2.115 25000 interface Dialer0 25000
These have an accompanying ACL entry, and I don't want any of this traffic to be affected by any new rules that I add.
Nick
06-17-2010 06:32 AM
Ah, yeah, that would make a difference because you're forwarding different ports to different addresses. I don't know if this will work, but you might try something like:
access-list 110 permit tcp any host 192.168.2.50 range
route-map INCOMING permit 10
match ip address 110
ip nat inside source static route-map INCOMING interface Dialer0
I don't have a way of testing this, but this is the way that you'd do it in an ASA. (sort of.) I'd do this after hours to see if it'd work for you though.
HTH,
John
06-17-2010 07:05 AM
Okay, I was able to set this up but it doesn't work. Using a route-map or ACL with range listed doesn't add it to the translation table. You're probably stuck with doing individual lines for each port that you want to translate.
John
06-18-2010 01:39 AM
I ended up creating a separate line for each entry; it didn't take that long in the end.
Thanks for your help
Nick
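The per-port approach the thread settled on, as an added example that is not part of the original posts: a Python sketch that expands a port range into one static NAT line per port and flags any port already forwarded to a different inside host. The function names are hypothetical, and the sample config is constructed from the three NAT lines quoted in the thread.

```python
import re

# Constructed sample: the three static NAT lines quoted in the thread.
EXISTING_CONFIG = """\
ip nat inside source static tcp 192.168.2.50 50000 interface Dialer0 50000
ip nat inside source static udp 192.168.2.30 45000 interface Dialer0 45000
ip nat inside source static tcp 192.168.2.115 25000 interface Dialer0 25000
"""

# ip nat inside source static <proto> <inside_ip> <port> interface <if> <port>
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")


def parse_static_nat(config_text):
    """Map (proto, interface, outside_port) -> inside IP for existing forwards."""
    table = {}
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, inside_ip, _, iface, outside_port = m.groups()
            table[(proto, iface, int(outside_port))] = inside_ip
    return table


def expand_range(proto, inside_ip, first, last, iface, existing):
    """Return (new_lines, conflicts) for one static NAT entry per port."""
    if not 1 <= first <= last <= 65535:
        raise ValueError("invalid port range")
    lines, conflicts = [], []
    for port in range(first, last + 1):
        owner = existing.get((proto, iface, port))
        if owner == inside_ip:
            continue  # this forward is already configured
        if owner is not None:
            conflicts.append((port, owner))  # port belongs to another host
            continue
        lines.append(f"ip nat inside source static {proto} {inside_ip} "
                     f"{port} interface {iface} {port}")
    return lines, conflicts


if __name__ == "__main__":
    current = parse_static_nat(EXISTING_CONFIG)
    new, clashes = expand_range("tcp", "192.168.2.50", 50000, 51000,
                                "Dialer0", current)
    for port, owner in clashes:
        print(f"! skipped {port}: already forwarded to {owner}")
    print("\n".join(new))
```

For the range in the thread this yields 1000 new lines, because port 50000 is already forwarded to 192.168.2.50 and is skipped.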