Cisco Support Community
New Member

NAT static translations with route-map (e.g. port range static NAT)

Hi guys,

IOS version: c1841-advsecurityk9-mz.124-3c.bin

I've been trying to publish my internal IP PBX to the Internet and want to make port translations only for specific ports and port ranges, for security reasons.

Since I have both TCP and UDP ports that need to be translated, I can't use the well-known solution using rotary IP pools, which works only for TCP.

I found a solution based on using route-maps to specifically indicate what should be taken into account while creating the static translation.

This document explains how to manipulate static NAT translations for outgoing connections, but says nothing about how incoming connections will be affected.

So, I created a config:

ip nat inside source static X.X.X.123 route-map RMAP_NAT_STATIC

route-map RMAP_NAT_STATIC permit 10
 match ip address ACL_NAT_STATIC

ip access-list extended ACL_NAT_STATIC
 permit tcp host eq 443 any
 permit udp host eq 5060 any
 permit udp host range 10000 20000 any

Well, this config is supposed to statically map ONLY ports TCP 443, UDP 5060 and UDP 10k-20k from the internal host to the public X.X.X.123 address. Due to the ACL configuration, incoming connections to all other ports should not be statically translated.

It looks correct, but the problem is that even with the route-map statement on the ip nat inside source line, it is translated as a simple one-to-one LocalIP-ExtIP translation: ALL(!) TCP/UDP ports 1-65535.

I'm confused. People from this link also noticed such behaviour:

Well, the interesting thing is that even if I delete all statements in ACL_NAT_STATIC, or have something like this in the ACL:

ip access-list extended ACL_NAT_STATIC
 permit ip host any

in order to create a "placeholder" and theoretically turn off any static translation, I still get a one-to-one unrestricted translation...

What am I doing wrong, or is it some malfunction in IOS?

Thanks in advance.
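Added example, not from the post or from Cisco: a small Python audit that reads config in the layout above and, for each static translation, lists the ports the route-map ACL intended to expose next to what the entry form actually exposes. It treats a one-to-one `ip nat inside source static LOCAL GLOBAL [route-map NAME]` entry as exposing all TCP/UDP ports (the behaviour reported above, whatever the route-map says) and the per-port form `ip nat inside source static tcp LOCAL PORT GLOBAL PORT` as exposing only that port. The addresses and the per-port entry in the sample are constructed assumptions.

```python
import re

ALL_PORTS = [("tcp", 1, 65535), ("udp", 1, 65535)]
ACE_RE = re.compile(r"permit (tcp|udp) host \S+ (?:eq (\d+)|range (\d+) (\d+)) any")
# Constructed sample in the layout of the post; addresses are hypothetical.
SAMPLE_CONFIG = """
ip nat inside source static 192.0.2.10 203.0.113.123 route-map RMAP_NAT_STATIC
ip nat inside source static tcp 192.0.2.11 443 203.0.113.124 443
route-map RMAP_NAT_STATIC permit 10
 match ip address ACL_NAT_STATIC
ip access-list extended ACL_NAT_STATIC
 permit tcp host 192.0.2.10 eq 443 any
 permit udp host 192.0.2.10 eq 5060 any
 permit udp host 192.0.2.10 range 10000 20000 any
"""

def parse_config(text):
    """Collect ACL port entries, route-map -> ACL links and static NAT lines."""
    acls, rmaps, statics, section = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # IOS indents subcommands by one space
            section = None
        if line.startswith("ip access-list extended "):
            section = ("acl", line.split()[-1]); acls.setdefault(section[1], [])
        elif line.startswith("route-map "):
            section = ("rmap", line.split()[1]); rmaps.setdefault(section[1], None)
        elif line.startswith("ip nat inside source static "):
            statics.append(line.split())
        elif section and section[0] == "rmap" and line.startswith("match ip address "):
            rmaps[section[1]] = line.split()[-1]
        elif section and section[0] == "acl" and ACE_RE.match(line):
            m = ACE_RE.match(line)
            lo, hi = m.group(2) or m.group(3), m.group(2) or m.group(4)
            acls[section[1]].append((m.group(1), int(lo), int(hi)))
    return acls, rmaps, statics

def audit(text):
    """Per static entry: (global addr, ports exposed, ports the ACL intended, gap?)."""
    acls, rmaps, statics = parse_config(text)
    findings = []
    for f in statics:
        if f[5] in ("tcp", "udp"):           # per-port form: proto LOCAL LPORT GLOBAL GPORT
            findings.append((f[8], [(f[5], int(f[9]), int(f[9]))], [], False))
        else:                                # one-to-one form: LOCAL GLOBAL [route-map NAME]
            intended = []
            if "route-map" in f:
                intended = acls.get(rmaps.get(f[f.index("route-map") + 1]) or "", [])
            findings.append((f[6], ALL_PORTS, intended, ALL_PORTS != intended))
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags the one-to-one entry for 203.0.113.123 as exposing every port although the ACL names only three ranges, while the per-port entry shows no gap.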


Re: NAT static translations with route-map (e.g. port range static NAT)


Can you test applying the route-map to the incoming interface as well? (not only applied to the STATIC NAT statement).


New Member

Re: NAT static translations with route-map (e.g. port range static NAT)


Just a route-map with only "match ip address" statement and no "set" statements?