01-24-2007 08:10 AM - edited 03-03-2019 03:28 PM
I want to map a range of tcp ports to an internal host from the internet. I could use the ip nat inside static tcp command for mapping a specific port, but what if I want to map the tcp port range from 8000 to 8050? Is there a way to do that with a single command?
01-30-2007 11:04 AM
Try this:
1. Create static translation:
ip nat inside source static 192.168.60.10 172.16.181.195 route-map MAP extendable
ip nat inside source static tcp 192.168.1.2 80 172.17.181.195 80 extendable
2. Define the port range
access-list 101 permit tcp host 192.168.60.10 range 8000 8050 any
route-map MAP permit 10
match ip address 101
Refer to the following link on Mapping an Application with a Port Range:
02-02-2007 03:55 PM
Thanks
03-17-2007 01:54 PM
Sorry for the Double post
03-17-2007 02:07 PM
I'm not quite following the address scheme here. I am attempting the same, 10000 ports to one nat command. I have 192.168.1.0/24 as my inside addresses and the internet via DHCP as outside address. eth0/0 is internet (DHCP), eth0/1 is private NAT (192.168.1.0/24). I want to forward two ranges, 5004-5082 udp and 10000-20000 udp, to inside host 192.168.1.103. Can you give me a few pointers?
Thanks.
03-19-2007 07:10 PM
In your case, it would be like this:
ip nat inside source static 192.168.1.103 interface ethernet0/0 route-map MAP
access-list 101 permit udp host 192.168.1.103 range 5004 5082 any
access-list 101 permit udp host 192.168.1.103 range 10000 20000 any
route-map MAP permit 10
match ip address 101
03-19-2007 07:20 PM
My Cisco 2611 is not accepting the command. It won't allow anything after "ethernet0/0". It is expecting the end of the line after ethernet0/0.
Any suggestions?
03-19-2007 08:37 PM
Hi,
Your command would go like
ip nat inside source
Cheers !
03-19-2007 08:49 PM
I tried
ip nat inside source route-map MAP interface ethernet0/0
with no results (I also finished by adding the other configs). I'm still lost and it is not working.
01-15-2021 04:39 AM
After testing, the solution is inaccurate, as it opens all ports. The route-map has no effect in restricting the port range; it is actually a 1:1 IP mapping.
There are huge security concerns.
Test example as below:
access-list 119 permit tcp host 172.31.33.16 range 16384 32768 any
!
route-map RTP_Port_Range permit 10
match ip address 119
route-map RTP_Port_Range deny 20
!
ip nat inside source static 172.31.33.16 110.168.66.119 route-map RTP_Port_Range extendable
! send udp packet from internet host, in MacOS shell.
nc -vv -u -c -p 16383 110.168.66.119 16383
Connection to 110.168.66.119 port 16383 [udp/*] succeeded!
! tcpdump on 172.31.33.16
tcpdump -vv -i ens192 udp port 16383
20:36:25.580435 IP (tos 0x20, ttl 55, id 59277, offset 0, flags [none], proto UDP (17), length 29)
101.229.191.121.16383 > opensipsdev.iptcloud.local.16383: [udp sum ok] UDP, length 1
20:36:25.580524 IP (tos 0x20, ttl 55, id 51359, offset 0, flags [none], proto UDP (17), length 29)
101.229.191.121.16383 > opensipsdev.iptcloud.local.16383: [udp sum ok] UDP, length 1
20:36:25.580546 IP (tos 0x20, ttl 55, id 50055, offset 0, flags [none], proto UDP (17), length 29)
101.229.191.121.16383 > opensipsdev.iptcloud.local.16383: [udp sum ok] UDP, length 1
20:36:25.580564 IP (tos 0x20, ttl 55, id 54183, offset 0, flags [none], proto UDP (17), length 29)
101.229.191.121.16383 > opensipsdev.iptcloud.local.16383: [udp sum ok] UDP, length 1
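An added example, not part of any post in this thread: a small Python check that scans an IOS configuration for the pattern tested in the 01-15-2021 post, a whole-address `ip nat inside source static` entry whose port range lives only in a route-map ACL. The function name `audit_static_nat` is hypothetical, the sample config is constructed from lines posted above, and the finding relies on the behaviour reported in that post.

```python
# Constructed sample: the lines from the 01-15-2021 post plus the port-specific
# entry from the accepted answer.
SAMPLE = """\
access-list 119 permit tcp host 172.31.33.16 range 16384 32768 any
!
route-map RTP_Port_Range permit 10
match ip address 119
route-map RTP_Port_Range deny 20
!
ip nat inside source static 172.31.33.16 110.168.66.119 route-map RTP_Port_Range extendable
ip nat inside source static tcp 192.168.1.2 80 172.17.181.195 80 extendable
"""

def audit_static_nat(config):
    """Return one finding per whole-address static NAT entry (hypothetical helper)."""
    acl_ranges = {}   # ACL id -> [(protocol, low, high)] from 'permit ... range' entries
    rmap_acls = {}    # route-map name -> ACL ids it matches
    current_map = None
    entries = []
    for raw in config.splitlines():
        t = raw.split()
        if t[:1] == ["access-list"] and len(t) > 3 and t[2] == "permit" and "range" in t:
            i = t.index("range")
            acl_ranges.setdefault(t[1], []).append((t[3], int(t[i + 1]), int(t[i + 2])))
        elif t[:1] == ["route-map"] and len(t) > 1:
            current_map = t[1]
            rmap_acls.setdefault(current_map, [])
        elif t[:3] == ["match", "ip", "address"] and current_map:
            rmap_acls[current_map].extend(t[3:])
        elif t[:5] == ["ip", "nat", "inside", "source", "static"]:
            entries.append(t[5:])
    findings = []
    for args in entries:
        if len(args) < 2 or args[0] in ("tcp", "udp"):
            continue  # port-specific entry: only that one port is translated
        outside = " ".join(args[1:3]) if args[1] == "interface" else args[1]
        name = args[args.index("route-map") + 1] if "route-map" in args[:-1] else None
        intended = [r for acl in rmap_acls.get(name, []) for r in acl_ranges.get(acl, [])]
        findings.append({"inside": args[0], "outside": outside,
                         "route_map": name, "intended_ranges": intended})
    return findings

if __name__ == "__main__":
    for f in audit_static_nat(SAMPLE):
        print(f"{f['inside']} <-> {f['outside']}: whole-address static NAT; "
              f"route-map {f['route_map']} lists {f['intended_ranges']} "
              "but inbound ports need a separate filter")
```

Each finding pairs the exposed inside host with the port ranges the route-map was meant to allow, which is the list an inbound filter on the outside interface would need to enforce.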
09-02-2022 12:45 AM
I have the same issue.
Did you find a solution to fix this?
Thanks.
09-04-2018 05:48 PM
Hi, if you use an ASA, this is the solution (you need 8.4 or upper)
object network Obj-Internal-Server
 host 10.2.2.10
!
object service Obj-Ports-Range
 service tcp destination range 1000 2000
!
nat (outside,inside) source static any any destination static interface Obj-Internal-Server service Obj-Ports-Range Obj-Ports-Range
!
Credits and more info in the following link:
https://www.petenetlive.com/KB/Article/0001111