Translate a range of ports using NAT

nickc1976
Level 1

Hi,

I have a Cisco 857 router. I have an internal ip address to which I want to direct traffic from an external source.

The internal IP address is 192.168.2.50. Previously I have translated a single port to this address. I did this by adding a line to my access list:

access-list 101 permit tcp source_address destination_address eq 50000

and a NAT entry:

ip nat inside source static tcp 192.168.2.50 50000 interface Dialer0 50000

I now want to add a range of ports, so I added this line to my access list:

access-list 101 permit tcp source_address destination_address range 50000 51000

Is there a way to add a range of ports to my NAT entry too?

Thanks

Nick

5 Replies

John Blakley
VIP Alumni

Can you do a one to one translation?

ip nat inside source static 192.168.2.50 interface Dialer0

Then you can just use your range in the ACL that you apply to the outside interface.

HTH,

John

HTH, John *** Please rate all useful posts ***

Hi John,

Thanks for the info. If I add the line:

ip nat inside source static 192.168.2.50 interface Dialer0

What effect will this have on traffic coming into the external interface? Will it forward all traffic to 192.168.2.50, or just make the external interface aware that 192.168.2.50 is available for the port range that I open in the ACL?

I should also mention that there are some other NAT rules, such as:

ip nat inside source static udp 192.168.2.30 45000 interface Dialer0 45000

ip nat inside source static tcp 192.168.2.115 25000 interface Dialer0 25000

These have an accompanying ACL entry, and I don't want any of this traffic to be affected by any new rules that I add.

Nick

Ah, yeah, that would make a difference because you're forwarding different ports to different addresses. I don't know if this will work, but you might try something like:

access-list 110 permit tcp any host 192.168.2.50 range

route-map INCOMING permit 10

match ip address 110

ip nat inside source static route-map INCOMING interface Dialer0

I don't have a way of testing this, but this is the way that you'd do it in an ASA. (sort of.) I'd do this after hours to see if it'd work for you though.

HTH,

John

Okay, I was able to set this up but it doesn't work. Using a route-map or ACL with range listed doesn't add it to the translation table. You're probably stuck with doing individual lines for each port that you want to translate.

John

I ended up creating a separate line for each entry; it didn't take that long in the end.

Thanks for your help

Nick
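
The per-port approach the thread settles on can be generated rather than typed. The script below is an added example, not part of the original posts: the function name `static_pat_lines` and the `EXISTING` table are assumptions built from the NAT entries quoted in the thread, and it refuses to emit a line for an outside port that is already forwarded to a different inside host.

```python
import ipaddress

# Static PAT entries quoted in the thread: (protocol, inside IP, port).
EXISTING = [
    ("udp", "192.168.2.30", 45000),
    ("tcp", "192.168.2.115", 25000),
    ("tcp", "192.168.2.50", 50000),
]


def static_pat_lines(proto, inside_ip, first, last,
                     interface="Dialer0", existing=EXISTING):
    """Return one 'ip nat inside source static' line per port in [first, last].

    A port already forwarded to the same host is skipped. A port already
    forwarded to a different host raises ValueError, so the new range cannot
    silently shadow one of the existing rules.
    """
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {proto!r}")
    ipaddress.IPv4Address(inside_ip)  # raises ValueError on a malformed address
    if not 1 <= first <= last <= 65535:
        raise ValueError(f"bad port range: {first}-{last}")

    taken = {(p, port): ip for p, ip, port in existing}
    lines = []
    for port in range(first, last + 1):
        owner = taken.get((proto, port))
        if owner == inside_ip:
            continue  # entry already configured, nothing to add
        if owner is not None:
            raise ValueError(
                f"{proto}/{port} is already forwarded to {owner}")
        lines.append(
            f"ip nat inside source static {proto} {inside_ip} {port} "
            f"interface {interface} {port}")
    return lines


if __name__ == "__main__":
    # Range from the original question; 50000 is skipped as already present.
    print("\n".join(static_pat_lines("tcp", "192.168.2.50", 50000, 51000)))
```

Every generated line exposes one more port on the outside interface, so the range passed in should match the range permitted in the accompanying ACL and no more.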
