Open Port range on secondary IPs on Router interface

qasimkhans
Level 1

Hi,

I have 4 public IPs on a Router 3845 interface, FastEthernet 0/0/1. The IPs are as below.

50.200.2.2
50.200.2.3 secondary
50.200.2.4 secondary
50.200.2.5 secondary

I want to allow ports 80 to 90 on 50.200.2.3 for my web server (192.168.10.50). Please help in this regard.

5 Replies

Jennifer Halim
Cisco Employee

Instead of configuring the spare public ip address as a secondary IP on the interface, you should be using that as a spare IP for your NATing purposes.

In your case, please remove them as the secondary IP, and configure NAT as follows:

ip nat inside source static 192.168.10.50 50.200.2.3

You would then need to configure "ip nat inside" on your lan interface, and "ip nat outside" on fa0/0/1

Then you can use the other 2 spare public IP for NATing to other servers if required.

I only want to open ports 80 to 90 for incoming traffic on 50.200.2.3. Can you tell me how I can do this?

You can either configure an access-list and apply it on the WAN interface; you would also need "ip inspect" in the outbound direction on the WAN interface, plus of course the static NAT above.

Or, alternatively, you can configure static PAT for each of the ports:

ip nat inside source static tcp 192.168.10.50 80 50.200.2.3 80
ip nat inside source static tcp 192.168.10.50 81 50.200.2.3 81
ip nat inside source static tcp 192.168.10.50 82 50.200.2.3 82
...
ip nat inside source static tcp 192.168.10.50 90 50.200.2.3 90

Will the following ACL work? If yes, then how will I use 50.200.2.3 for incoming traffic?

(config)#ip access-list extended acl_inbound
(config)# permit tcp any host 192.168.10.50 range 80 90
(config-if)#ip access-group acl_inbound in

ACL should be as follows:

ip access-list extended acl_inbound
 permit tcp any host 50.200.2.3 range 80 90
int fa0/0/1
 ip access-group acl_inbound in

Then the static NAT as follows:

ip nat inside source static 192.168.10.50 50.200.2.3

Lastly, you would need "ip inspect":

ip inspect name fw-inspect tcp
ip inspect name fw-inspect udp
ip inspect name fw-inspect icmp
ip inspect name fw-inspect bootpc
ip inspect name fw-inspect bootps
ip inspect name fw-inspect ftp
ip inspect name fw-inspect dns
ip inspect name fw-inspect http
ip inspect name fw-inspect https
int fa0/0/1
 ip inspect fw-inspect out
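As an added illustration (this is not code from the thread, nor anything from Cisco), the following Python model shows the order in which an IOS router handles a packet arriving on the WAN interface: CBAC pinholes created by "ip inspect" are checked first, then the inbound ACL, and only then NAT for outside-to-inside traffic. That order is why the ACL must name the public address 50.200.2.3 rather than 192.168.10.50 (the original ACL matches nothing), why the implicit deny at the end of the ACL also blocks the replies to sessions the server opens itself unless "ip inspect" is configured, and how the per-port static PAT alternative from the earlier reply differs: with 1:1 static NAT every port of the server is reachable unless the ACL stops it, whereas with per-port PAT only the translated ports exist at all. The class and function names (Router, ExtendedAcl, run_demo, static_pat_range, ios_lines) and the client addresses 203.0.113.7 and 198.51.100.9 are this example's own assumptions; static_pat_range simply writes out the per-port entries the earlier reply abbreviates.

```python
from collections import namedtuple

# Names below (WEB, PUBLIC, Router, ...) are this example's own; the addresses come from the thread.
WEB = "192.168.10.50"     # inside web server
PUBLIC = "50.200.2.3"     # spare public address mapped to it

Packet = namedtuple("Packet", "proto src sport dst dport")
# One 'ip nat inside source static ...' line; proto=None means a 1:1 mapping for every port.
StaticNat = namedtuple("StaticNat", "inside outside proto inside_port outside_port",
                       defaults=(None, None, None))

def static_pat_range(inside, outside, lo, hi, proto="tcp"):
    """One static PAT entry per port, i.e. the per-port list the reply above abbreviates."""
    return [StaticNat(inside, outside, proto, p, p) for p in range(lo, hi + 1)]

def ios_lines(rules):
    """Render NAT rules in IOS syntax so a generated block can be pasted or diffed."""
    return [f"ip nat inside source static {r.inside} {r.outside}" if r.proto is None else
            f"ip nat inside source static {r.proto} {r.inside} {r.inside_port} {r.outside} {r.outside_port}"
            for r in rules]

class ExtendedAcl:
    """Entries like 'permit tcp any host DST range LO HI'; anything else hits the implicit deny."""
    def __init__(self, entries):
        self.entries = entries        # list of (proto, dst_host, lo, hi)
    def permits(self, pkt):
        return any(pkt.proto == proto and pkt.dst == dst and lo <= pkt.dport <= hi
                   for proto, dst, lo, hi in self.entries)

class Router:
    def __init__(self, acl, nat_rules, inspect_protocols):
        self.acl = acl                # None models 'no ip access-group' on the WAN interface
        self.nat = nat_rules
        self.inspect = set(inspect_protocols)   # protocols named in 'ip inspect name fw-inspect ...'
        self.sessions = set()         # CBAC pinholes, keyed on the post-NAT 5-tuple

    def send_out(self, pkt):
        """Inside -> outside: NAT the source, then 'ip inspect fw-inspect out' records the flow."""
        out = self._translate_outbound(pkt)
        if pkt.proto in self.inspect:
            self.sessions.add((out.proto, out.src, out.sport, out.dst, out.dport))
        return out

    def receive_in(self, pkt):
        """Outside -> inside: CBAC pinhole, then inbound ACL, then NAT; the ACL sees PUBLIC, never WEB."""
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return self._translate_inbound(pkt)   # return traffic bypasses the static ACL
        if self.acl is not None and not self.acl.permits(pkt):
            return None                           # implicit deny
        return self._translate_inbound(pkt)

    def _translate_inbound(self, pkt):
        for r in self.nat:
            if r.outside != pkt.dst:
                continue
            if r.proto is None:
                return Packet(pkt.proto, pkt.src, pkt.sport, r.inside, pkt.dport)
            if r.proto == pkt.proto and r.outside_port == pkt.dport:
                return Packet(pkt.proto, pkt.src, pkt.sport, r.inside, r.inside_port)
        return None                               # untranslated: nothing reaches the server

    def _translate_outbound(self, pkt):
        for r in self.nat:
            if r.inside == pkt.src and (r.proto is None or
                                        (r.proto == pkt.proto and r.inside_port == pkt.sport)):
                sport = pkt.sport if r.proto is None else r.outside_port
                return Packet(pkt.proto, r.outside, sport, pkt.dst, pkt.dport)
        return pkt    # no rule matches; the thread configures no dynamic NAT for other flows

def option_a(with_inspect=True):
    """1:1 static NAT, ACL on the public address, optionally ip inspect for tcp/udp/icmp."""
    acl = ExtendedAcl([("tcp", PUBLIC, 80, 90)])
    return Router(acl, [StaticNat(WEB, PUBLIC)], {"tcp", "udp", "icmp"} if with_inspect else set())

def option_b():
    """Per-port static PAT with no ACL: only the translated ports can ever reach the server."""
    return Router(None, static_pat_range(WEB, PUBLIC, 80, 90), set())

def askers_acl():
    """The original poster's ACL, keyed on the private address, with 1:1 static NAT."""
    return Router(ExtendedAcl([("tcp", WEB, 80, 90)]), [StaticNat(WEB, PUBLIC)], set())

def endpoint(pkt):
    return None if pkt is None else f"{pkt.dst}:{pkt.dport}"

def run_demo():
    """Constructed packets: an Internet client probing three ports, and the reply to a session the server opened."""
    cases = {"tcp/80": Packet("tcp", "203.0.113.7", 51000, PUBLIC, 80),
             "tcp/85": Packet("tcp", "203.0.113.7", 51001, PUBLIC, 85),
             "tcp/22": Packet("tcp", "203.0.113.7", 51002, PUBLIC, 22),
             "reply":  Packet("tcp", "198.51.100.9", 443, PUBLIC, 40000)}
    server_out = Packet("tcp", WEB, 40000, "198.51.100.9", 443)
    results = {}
    for name, router in {"A: NAT + ACL + inspect": option_a(True), "A without inspect": option_a(False),
                         "B: per-port static PAT": option_b(), "ACL on private address": askers_acl()}.items():
        router.send_out(server_out)   # the server first opens an outbound HTTPS session
        results[name] = {case: endpoint(router.receive_in(p)) for case, p in cases.items()}
    return results
```

Calling run_demo() returns, per scenario, where each constructed packet ends up (the inside address and port, or None when the router drops it): tcp/80 and tcp/85 reach 192.168.10.50 in both working options, tcp/22 never does, the reply to the server's own session only gets through when "ip inspect" is present, and the ACL keyed on the private address drops everything. ios_lines(static_pat_range(WEB, PUBLIC, 80, 90)) gives the eleven static PAT lines ready to paste. The model covers only what the thread configures; it says nothing about dynamic NAT for the rest of the LAN, which the per-port PAT option would still need before the server could originate connections of its own.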
