https://community.cisco.com/t5/network-security/open-port-range-on-secondary-ips-on-router-interface/m-p/2154339#M356646 <HTML><HEAD></HEAD><BODY><P>You can either configure access-list and apply that on the WAN interface, and you would also need "ip inspect" on the outbound direction on the WAN interface. Plus of course the static NAT above.</P><P></P><P>Or, alternatively, you can configure static PAT for each of the ports:</P><P>ip nat inside source static tcp 192.168.10.50 80 50.200.2.3 80</P><P>ip nat inside source static tcp 192.168.10.50 81 50.200.2.3 81</P><P>ip nat inside source static tcp 192.168.10.50 82 50.200.2.3 82</P><P>...</P><P>...</P><P>ip nat inside source static tcp 192.168.10.50 90 50.200.2.3 90</P></BODY></HTML> Fri, 15 Feb 2013 00:31:39 GMT Jennifer Halim 2013-02-15T00:31:39Z https://community.cisco.com/t5/network-security/open-port-range-on-secondary-ips-on-router-interface/m-p/2154336#M356641 <P>Hi,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; I have 4 public IPs on Router 3845 interface FastEthernet 0/0/1. IP as below.</P><P></P><P>50.200.2.2</P><P>50.200.2.3 secondary</P><P>50.200.2.4 <SPAN style="font-size: 10pt;">secondary</SPAN></P><P>50.200.2.5 <SPAN style="font-size: 10pt;">secondary</SPAN></P><P></P><P>I wan to allow ports 80 to 90 on 50.200.2.3 for my webserver (192.168.10.50) please help in this regards.</P> Tue, 12 Mar 2019 01:00:33 GMT https://community.cisco.com/t5/network-security/open-port-range-on-secondary-ips-on-router-interface/m-p/2154336#M356641 qasimkhans 2019-03-12T01:00:33Z https://community.cisco.com/t5/network-security/open-port-range-on-secondary-ips-on-router-interface/m-p/2154337#M356643 <HTML><HEAD></HEAD><BODY><P>Instead of configuring the spare public ip address as a secondary IP on the interface, you should be using that as a spare IP for your NATing purposes.</P><P></P><P>In your case, please remove them as the secondary IP, and configure NAT as follows:</P><P></P><P>ip nat inside source static 192.168.10.50 50.200.2.3</P><P></P><P>You would then need to configure "ip nat inside" on your lan interface, and "ip nat outside" on fa0/0/1</P><P></P><P>Then you can use the other 2 spare public IP for NATing to other servers if required.</P></BODY></HTML> Thu, 14 Feb 2013 14:19:11 GMT https://community.cisco.com/t5/network-security/open-port-range-on-secondary-ips-on-router-interface/m-p/2154337#M356643 Jennifer Halim 2013-02-14T14:19:11Z https://community.cisco.com/t5/network-security/open-port-range-on-secondary-ips-on-router-interface/m-p/2154338#M356645 <HTML><HEAD></HEAD><BODY><P>I only want to open 80 to 90 ports for incoming traffic on <SPAN style="font-size: 10pt;">50.200.2.3. can you tell me how i can do this.</SPAN></P></BODY></HTML> Thu, 14 Feb 2013 14:36:05 GMT https://community.cisco.com/t5/network-security/open-port-range-on-secondary-ips-on-router-interface/m-p/2154338#M356645 qasimkhans 2013-02-14T14:36:05Z https://community.cisco.com/t5/network-security/open-port-range-on-secondary-ips-on-router-interface/m-p/2154339#M356646 <HTML><HEAD></HEAD><BODY><P>You can either configure access-list and apply that on the WAN interface, and you would also need "ip inspect" on the outbound direction on the WAN interface. Plus of course the static NAT above.</P><P></P><P>Or, alternatively, you can configure static PAT for each of the ports:</P><P>ip nat inside source static tcp 192.168.10.50 80 50.200.2.3 80</P><P>ip nat inside source static tcp 192.168.10.50 81 50.200.2.3 81</P><P>ip nat inside source static tcp 192.168.10.50 82 50.200.2.3 82</P><P>...</P><P>...</P><P>ip nat inside source static tcp 192.168.10.50 90 50.200.2.3 90</P></BODY></HTML> Fri, 15 Feb 2013 00:31:39 GMT https://community.cisco.com/t5/network-security/open-port-range-on-secondary-ips-on-router-interface/m-p/2154339#M356646 Jennifer Halim 2013-02-15T00:31:39Z https://community.cisco.com/t5/network-security/open-port-range-on-secondary-ips-on-router-interface/m-p/2154340#M356647 <HTML><HEAD></HEAD><BODY><P>Will following ACL work? if yes, then how i will use<SPAN style="font-size: 10pt;"> 50.200.2.3 for incoming traffic?</SPAN></P><P></P><P>(config)#<SPAN style="font-size: 10pt;">ip access-list extended acl_inbound</SPAN></P><P>(config)#<SPAN style="font-size: 10pt;"> permit tcp any host 192.168.10.50 range 80 90</SPAN></P><P>(config-if)#ip access-group acl_inbound in</P></BODY></HTML> Fri, 15 Feb 2013 01:27:01 GMT https://community.cisco.com/t5/network-security/open-port-range-on-secondary-ips-on-router-interface/m-p/2154340#M356647 qasimkhans 2013-02-15T01:27:01Z https://community.cisco.com/t5/network-security/open-port-range-on-secondary-ips-on-router-interface/m-p/2154341#M356648 <HTML><HEAD></HEAD><BODY><P>ACL should be as follows:</P><P>ip access-list extended acl_inbound</P><P> permit tcp any host 50.200.2.3 range 80 90</P><P>int fa0/0/1</P><P> ip access-group acl_inbound in</P><P></P><P>Then the static NAT as follows:</P><P>ip nat inside source static 192.168.10.50 50.200.2.3</P><P></P><P>Lastly, you would need "ip inspect":</P><P>ip inspect name fw-inspect tcp</P><P>ip inspect name fw-inspect udp</P><P>ip inspect name fw-inspect icmp</P><P>ip inspect name fw-inspect bootpc</P><P>ip inspect name fw-inspect bootps</P><P>ip inspect name fw-inspect ftp</P><P>ip inspect name fw-inspect dns</P><P>ip inspect name fw-inspect http</P><P>ip inspect name fw-inspect https</P><P></P><P>int fa0/0/1</P><P> ip inspect fw-inspect out</P></BODY></HTML> Fri, 15 Feb 2013 01:31:03 GMT https://community.cisco.com/t5/network-security/open-port-range-on-secondary-ips-on-router-interface/m-p/2154341#M356648 Jennifer Halim 2013-02-15T01:31:03Z