Re: cisco ISR4331/K9 NAT UDP/TCP port-range cleanup

Starkwittie · ‎09-13-2019

-Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.2, RELEASE SOFTWARE (fc4)-

Hi All,

I've tried several suggestions I found on the community but without success unfortunately, and probably it will already be somewhere here on the community but I cannot seem to find it.

I would like to cleanup the UDP NAT statements, so my config looks better.

This is what I would like to cleanup:

ip nat inside source static udp 10.10.90.201 16000 interface GigabitEthernet0/0/0 16000
ip nat inside source static udp 10.10.90.201 16001 interface GigabitEthernet0/0/0 16001
ip nat inside source static udp 10.10.90.201 16002 interface GigabitEthernet0/0/0 16002
ip nat inside source static udp 10.10.90.201 16003 interface GigabitEthernet0/0/0 16003
ip nat inside source static udp 10.10.90.201 16004 interface GigabitEthernet0/0/0 16004
ip nat inside source static udp 10.10.90.201 16005 interface GigabitEthernet0/0/0 16005
ip nat inside source static udp 10.10.90.201 16006 interface GigabitEthernet0/0/0 16006
ip nat inside source static udp 10.10.90.201 16007 interface GigabitEthernet0/0/0 16007
ip nat inside source static udp 10.10.90.201 16008 interface GigabitEthernet0/0/0 16008
ip nat inside source static udp 10.10.90.201 16009 interface GigabitEthernet0/0/0 16009
ip nat inside source static udp 10.10.90.201 16010 interface GigabitEthernet0/0/0 16010
ip nat inside source static udp 10.10.90.201 16011 interface GigabitEthernet0/0/0 16011
ip nat inside source static udp 10.10.90.201 16012 interface GigabitEthernet0/0/0 16012
ip nat inside source static udp 10.10.90.201 16013 interface GigabitEthernet0/0/0 16013
ip nat inside source static udp 10.10.90.201 16014 interface GigabitEthernet0/0/0 16014
ip nat inside source static udp 10.10.90.201 16015 interface GigabitEthernet0/0/0 16015

I've read things about route map but this command my router does not accept.

Any ideas?

Thanks a lot in advance

paul driver · ‎09-13-2019

Hello

Below is a possible solution however you mention your ios doesn't support route-maps correct?

access-list 100 permit udp host 10.10.90.201 range 1600 16015 any range 1600 16015
route-map UDP
match ip address 100

ip nat inside source static 10.10.90.201 10.10.90.201 route-map UDP extendable

EDITED

Looks like @pieterh as mentioned it already , i did also find a possible alternative to a nat route-map using NAT portmap which seems positive how ever ive never used it before and at present cannot test it.

access-list 1 permit 10.10.90.201
ip nat portmap UDP
appl udp-rtp startport 16000 size 16064

ip nat inside source list 1 interface x/x overload portmap UDP

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Starkwittie · ‎09-13-2019

Hi Paul,

it is supposed to be supported from IOS 12.x and I have 16.x:

And this is working ip nat inside source static 10.10.90.201 10.10.90.201 route-map UDP extendable

But it seems it has a problem with the WAN interface, so this is not working as it needs to come in from WAN to LAN or am I seeying this wrong?

ip nat inside source static 10.10.90.201 interface GigabitEthernet0/0/0 route-map UDP extendable

gives:

TMROUTER01(config)#ip nat inside source static 10.10.90.201 interface GigabitEthernet0/0/0 route-map UDP extendable
^
% Invalid input detected at '^' marker.

Best regards

Glenn Verhoeven

pieterh · ‎09-13-2019

look at this post

no route map, but ip nat portmap

check if your IOS version supports this command.

and this post that says:

If you notice on the last command that you are not allowed to use a route-map on an interface so I had to type in the WAN ip address.