
Static NAT to a range of TCP ports

jose_gomez
Level 1

I want to map a range of TCP ports to an internal host from the internet. I could use the ip nat inside static tcp command for mapping a specific port, but what if I want to map the TCP port range from 8000 to 8050? Is there a way to do that with a single command?

Accepted Solution

wong34539
Level 6

Try this:

1. Create the static translation:

ip nat inside source static 192.168.60.10 172.16.181.195 route-map MAP extendable

ip nat inside source static tcp 192.168.1.2 80 172.17.181.195 80 extendable

2. Define the port range:

access-list 101 permit tcp host 192.168.60.10 range 8000 8050 any

route-map MAP permit 10

match ip address 101

Refer to the following link, Mapping an Application with a Port Range:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d981c.html#xtocid2671616


11 Replies


Thanks

Sorry for the Double post

I'm not quite following the address scheme here. I am attempting the same 10000 ports to one NAT command. I have 192.168.1.0/24 as my inside addresses and the internet via DHCP as the outside address. eth0/0 is internet (DHCP), eth0/1 is private NAT (192.168.1.0/24). I want to forward two ranges, 5004-5082 UDP and 10000-20000 UDP, to inside host 192.168.1.103. Can you give me a few pointers?

Thanks.

in your case, it would be like this:

ip nat inside source static 192.168.1.103 interface ethernet0/0 route map MAP

access-list 101 permit udp host 192.168.1.103 range 5004 5082 any

access-list 101 permit udp host 192.168.1.103 range 10000 20000 any

route-map MAP permit 10

match ip address 101

My Cisco 2611 is not accepting the command. It won't allow anything after "ethernet0/0". it is expecting the end of the line after ethernet0/0.

Any suggestions?

Hi,

Your command would go like

ip nat inside source

Cheers!

I tried

ip nat inside source route-map MAP interface ethernet0/0

with no results (I also finished by adding the other configs). I'm still lost and it's not working.

After testing, the solution is inaccurate, as it opens all ports: the route-map has no effect in restricting the port range; it is actually a 1:1 IP mapping.

There are huge security concerns.

Test example below:

access-list 119 permit tcp host 172.31.33.16 range 16384 32768 any

!

route-map RTP_Port_Range permit 10
 match ip address 119
route-map RTP_Port_Range deny 20

!

ip nat inside source static 172.31.33.16 110.168.66.119 route-map RTP_Port_Range extendable

! send a UDP packet from an internet host, in a macOS shell.

nc -vv -u -c -p 16383 110.168.66.119 16383
Connection to 110.168.66.119 port 16383 [udp/*] succeeded!


! tcpdump on 172.31.33.16

tcpdump -vv -i ens192 udp port 16383

20:36:25.580435 IP (tos 0x20, ttl 55, id 59277, offset 0, flags [none], proto UDP (17), length 29)
101.229.191.121.16383 > opensipsdev.iptcloud.local.16383: [udp sum ok] UDP, length 1
20:36:25.580524 IP (tos 0x20, ttl 55, id 51359, offset 0, flags [none], proto UDP (17), length 29)
101.229.191.121.16383 > opensipsdev.iptcloud.local.16383: [udp sum ok] UDP, length 1
20:36:25.580546 IP (tos 0x20, ttl 55, id 50055, offset 0, flags [none], proto UDP (17), length 29)
101.229.191.121.16383 > opensipsdev.iptcloud.local.16383: [udp sum ok] UDP, length 1
20:36:25.580564 IP (tos 0x20, ttl 55, id 54183, offset 0, flags [none], proto UDP (17), length 29)
101.229.191.121.16383 > opensipsdev.iptcloud.local.16383: [udp sum ok] UDP, length 1
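The test above was done by hand with nc and tcpdump. As an added example (not code from the thread or from Cisco), the Python script below automates that check for TCP: it probes the ports that are supposed to be forwarded, then probes control ports just outside the range, where a translation that is really 1:1 shows up first. A control port that answers with a RST is treated as exposed: the SYN reached a host, so the port is translated even though nothing listens on it. The local_demo() function is a constructed stand-in (a listener and a closed port on 127.0.0.1) so the script runs offline; host names, ports and function names are mine, not the thread's.

```python
"""Confirm that only the intended port range is reachable through a static NAT.

Added example, not from the thread. Reproduces the check the test post made
with nc and tcpdump, for TCP, and adds control probes on ports just outside
the intended range, which is where a 1:1 translation leaks first.
"""
import socket
import sys
import threading
from contextlib import closing

OPEN, REFUSED, FILTERED = "open", "refused", "filtered"


def tcp_probe(host, port, timeout=1.0):
    """Classify one TCP connect attempt to host:port.

    open     - handshake completed: a listener on the inside host answered
    refused  - RST came back: the SYN reached a host with nothing listening,
               so the port is translated and exposed even though it is closed
    filtered - no answer within timeout: dropped, i.e. not translated or
               filtered upstream
    Caveat: when the public address is the router's own interface, a RST may
    come from the router rather than the inside host; confirm with a capture
    on the inside host, as the test post did.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return OPEN
        except ConnectionRefusedError:
            return REFUSED
        except (socket.timeout, OSError):
            return FILTERED


def controls_around(lo, hi, margin=3):
    """Control ports just outside [lo, hi]; a wider-than-intended NAT shows here."""
    below = [p for p in range(lo - margin, lo) if p >= 1]
    above = [p for p in range(hi + 1, hi + 1 + margin) if p <= 65535]
    return below + above


def audit_exposure(host, intended, controls, timeout=1.0):
    """Probe the ports that should be forwarded and the control ports that
    should not be. Any control port that comes back open or refused means the
    translation is wider than the intended range (the 1:1 behaviour observed
    in the thread)."""
    report = {"in_range": {}, "leaked": {}, "dropped_controls": []}
    for port in intended:
        report["in_range"][port] = tcp_probe(host, port, timeout)
    for port in controls:
        state = tcp_probe(host, port, timeout)
        if state == FILTERED:
            report["dropped_controls"].append(port)
        else:
            report["leaked"][port] = state
    return report


def local_demo():
    """Constructed stand-in for a public address, so the check runs offline:
    a listener on 127.0.0.1 plays a forwarded port and a closed local port
    plays a port the NAT should not expose (it answers with RST: 'refused')."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    forwarded_port = srv.getsockname()[1]
    # Reserve a second ephemeral port and release it so nothing listens there.
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as tmp:
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        conn.close()

    threading.Thread(target=serve_once, daemon=True).start()
    try:
        return audit_exposure("127.0.0.1", [forwarded_port], [closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    # usage: python nat_audit.py <public-ip> <low-port> <high-port>
    if len(sys.argv) != 4:
        print(local_demo())
        sys.exit(0)
    ip, lo, hi = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    result = audit_exposure(ip, range(lo, hi + 1), controls_around(lo, hi))
    print(result)
    if result["leaked"]:
        print("WARNING: ports outside %d-%d answered: %s" % (lo, hi, result["leaked"]))
        sys.exit(1)
```

Run it from a host on the outside of the NAT against the public address; a non-empty "leaked" entry means the router is forwarding more than the intended range. For the UDP ranges discussed in this thread the same idea applies, but UDP gives no handshake, so the inside-host capture remains the authoritative check.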

I have the same issue.

Did you find a solution to fix this?

Thanks.
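For IOS the thread never arrives at a working per-port-range answer: the route-map variant tested above yields a plain 1:1 translation, and the form IOS does accept is the one-port `ip nat inside source static tcp ... extendable` line from the accepted answer, repeated once per port. The added example below (my code, not from the thread or from Cisco) generates those lines for a range, and then checks a `show ip nat translations` table for two things a practitioner wants to know after applying them: ports in the range that have no static entry, and any bare 1:1 entry (no protocol, no ports), which is the all-ports exposure the test post found. Assumptions: the `interface <name> <port>` form for a DHCP-assigned outside address is the IOS syntax as I know it, not something the thread shows; SAMPLE_SHOW_OUTPUT is constructed, not captured from any router in the thread; a range such as 10000-20000 produces one line per port, which is the cost of doing this on IOS.

```python
"""Per-port static NAT lines for IOS, plus a check of 'show ip nat translations'.

Added example, not from the thread. IOS static NAT takes one port per
'ip nat inside source static tcp|udp' statement, so a range is expressed by
repeating the line the accepted answer used, once per port. check_range()
then verifies the resulting translation table and flags any bare 1:1 entry
(no protocol, no port), which is the all-ports exposure the test post found.
"""
import re


def static_nat_lines(proto, inside_local, lo, hi, inside_global=None, interface=None):
    """Return one static NAT line per port in [lo, hi].

    inside_global: a fixed public address (the 'extendable' form from the thread)
    interface:     outside interface name, when the public address is DHCP-assigned
                   (assumed IOS syntax; not shown in the thread)
    Exactly one of the two must be given.
    """
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("port range must satisfy 1 <= lo <= hi <= 65535")
    if (inside_global is None) == (interface is None):
        raise ValueError("give exactly one of inside_global or interface")
    lines = []
    for port in range(lo, hi + 1):
        if interface is not None:
            lines.append(f"ip nat inside source static {proto} {inside_local} {port} "
                         f"interface {interface} {port}")
        else:
            lines.append(f"ip nat inside source static {proto} {inside_local} {port} "
                         f"{inside_global} {port} extendable")
    return lines


# Constructed sample of 'show ip nat translations' output; not captured from any
# router in the thread. The first entry is a bare 1:1 mapping (no protocol, no
# ports), which forwards every port; the rest are per-port static entries.
SAMPLE_SHOW_OUTPUT = """\
Pro Inside global         Inside local          Outside local      Outside global
--- 172.16.181.195        192.168.60.10         ---                ---
tcp 172.16.181.195:8000   192.168.60.10:8000    ---                ---
tcp 172.16.181.195:8001   192.168.60.10:8001    ---                ---
"""

# Five whitespace-separated columns; IOS versions with extra columns need a wider pattern.
_ENTRY = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_translations(text):
    """Parse the five-column table into dicts; skips the header and blank lines."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m or line.startswith("Pro"):
            continue
        proto, inside_global, inside_local, _outside_local, _outside_global = m.groups()
        entries.append({"proto": proto, "inside_global": inside_global,
                        "inside_local": inside_local})
    return entries


def _split(addr):
    """'10.0.0.1:80' -> ('10.0.0.1', 80); '10.0.0.1' -> ('10.0.0.1', None). IPv4 only."""
    host, sep, port = addr.rpartition(":")
    return (host, int(port)) if sep else (addr, None)


def check_range(entries, proto, inside_local, inside_global, lo, hi):
    """Return (missing_ports, one_to_one_globals).

    missing_ports:      ports in [lo, hi] with no matching per-port static entry
    one_to_one_globals: public addresses mapped 1:1 to inside_local, i.e. every
                        port exposed regardless of any route-map
    """
    present = set()
    one_to_one = []
    for e in entries:
        g_host, g_port = _split(e["inside_global"])
        l_host, l_port = _split(e["inside_local"])
        if l_host != inside_local:
            continue
        if e["proto"] == "---" and g_port is None and l_port is None:
            one_to_one.append(g_host)
        elif e["proto"] == proto and g_host == inside_global and g_port == l_port:
            present.add(g_port)
    missing = [p for p in range(lo, hi + 1) if p not in present]
    return missing, one_to_one


if __name__ == "__main__":
    for line in static_nat_lines("tcp", "192.168.60.10", 8000, 8050,
                                 inside_global="172.16.181.195")[:3]:
        print(line)
    print("...")
    missing, one_to_one = check_range(parse_translations(SAMPLE_SHOW_OUTPUT),
                                      "tcp", "192.168.60.10", "172.16.181.195", 8000, 8002)
    print("missing ports:", missing)
    print("1:1 mappings (all ports exposed):", one_to_one)
```

Paste the generated lines into configuration mode, then run `show ip nat translations` and feed the output to check_range(); a non-empty one_to_one list means a bare `ip nat inside source static <local> <global>` entry is still present and must be removed before the per-port lines provide any restriction.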

hansrodlo
Level 1

Hi, if you use an ASA, this is the solution (you need 8.4 or higher):

object network Obj-Internal-Server
 host 10.2.2.10
!
object service Obj-Ports-Range
 service tcp destination range 1000 2000

!
nat (outside,inside) source static any any destination static interface Obj-Internal-Server service Obj-Ports-Range Obj-Ports-Range
!

Credits and more info at the following link:

https://www.petenetlive.com/KB/Article/0001111
