Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

263
Views
10
Helpful
7
Replies
Gromophon
Gromophon Beginner
Beginner
‎09-16-2019 09:48 PM
‎09-16-2019 09:48 PM

Translation for range tcp ports

good day. ISR 4351/K9 IOS 16.09.04 i need  to make "ip nat inside source static" for range 5100-5200 tcp ports. i have find code, like next:

 

ip access-list extended 190
permit tcp host 192.168.0.10 range 5100 5200 any
!
route-map MAP_RST permit 10
match ip address 190

 

ip nat inside source static 192.168.0.10 92.50.234.196 route-map MAP_RST extendable

 

It works, but it doesn't limit translation to another ports.That is, like this code:

ip nat inside source static 192.168.0.10 92.50.234.196 extendable

How to make limitations? 

Labels:
Everyone's tags (2)
0 Helpful
Reply
2 ACCEPTED SOLUTIONS

Accepted Solutions
Georg Pauwen
VIP Mentor Georg Pauwen VIP Mentor
VIP Mentor
‎09-17-2019 12:55 AM
‎09-17-2019 12:55 AM

Re: Translation for range tcp ports

Hello,

 

try the below (I made some assumptions for your inside and outside interfaces, so the IP addresses, masks, and interfaces you actually use might be different):

 

interface GigabitEthernet0/1
desccription LAN
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0
description WAN
ip address 92.50.234.196 255.255.255.248
ip nat outside
!
ip nat pool POOL 192.168.0.10 192.168.0.10 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside destination list TCP_RANGE pool POOL
!
access-list 1 permit 192.168.0.0
!
ip access-list extended TCP_RANGE
permit tcp any any range 5100 5200

View solution in original post

Reply
paul driver
VIP Advisor paul driver VIP Advisor
VIP Advisor
‎09-17-2019 01:48 AM
‎09-17-2019 01:48 AM

Re: Translation for range tcp ports

Hello

Try adding an additional route-map statement to deny all other traffic .

route-map MAP_RST permit 10
match ip address 190

 

route-map MAP_RST deny 99

 



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

View solution in original post

Reply
7 REPLIES 7
Highlighted
Georg Pauwen
VIP Mentor Georg Pauwen VIP Mentor
VIP Mentor
‎09-17-2019 12:14 AM
‎09-17-2019 12:14 AM

Re: Translation for range tcp ports

Hello,

 

is 92.50.234.196 the IP address of the NAT outside interface (e.g. GigabitEthernet0/0)? If so, try the below:

 

ip nat inside source list 190 interface GigabitEthernet0/0 overload

0 Helpful
Reply
Gromophon
Gromophon Beginner
Beginner
‎09-17-2019 12:41 AM
‎09-17-2019 12:41 AM

Re: Translation for range tcp ports

thanks, added this code:

ip nat pool RST1-pool 92.50.234.196 92.50.234.196 netmask 255.255.255.248

ip nat inside source list 190 pool RST1-pool overload

 

but ports are still available, for example 80,443 from outside

0 Helpful
Reply
Georg Pauwen
VIP Mentor Georg Pauwen VIP Mentor
VIP Mentor
‎09-17-2019 12:55 AM
‎09-17-2019 12:55 AM

Re: Translation for range tcp ports

Hello,

 

try the below (I made some assumptions for your inside and outside interfaces, so the IP addresses, masks, and interfaces you actually use might be different):

 

interface GigabitEthernet0/1
desccription LAN
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0
description WAN
ip address 92.50.234.196 255.255.255.248
ip nat outside
!
ip nat pool POOL 192.168.0.10 192.168.0.10 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside destination list TCP_RANGE pool POOL
!
access-list 1 permit 192.168.0.0
!
ip access-list extended TCP_RANGE
permit tcp any any range 5100 5200

View solution in original post

Reply
Gromophon
Gromophon Beginner
Beginner
‎09-17-2019 01:03 AM
‎09-17-2019 01:03 AM

Re: Translation for range tcp ports

I can not assign x.x.x.196 a primary address. Primary is other address.

0 Helpful
Reply
Georg Pauwen
VIP Mentor Georg Pauwen VIP Mentor
VIP Mentor
‎09-17-2019 01:35 AM
‎09-17-2019 01:35 AM

Re: Translation for range tcp ports

Hello,

 

do you need to translate to the x.x.x.196 address, or can you use the address assigned to your outside interface ?

0 Helpful
Reply
Gromophon
Gromophon Beginner
Beginner
‎09-17-2019 06:28 PM
‎09-17-2019 06:28 PM

Re: Translation for range tcp ports

Many thanks to Paul and Georg for the right advices. I solved the problem in a slightly different way: I found a way on the software to reduce the port range from 100 to 10, and registered the usual static translations. Not very beautiful, but very simple and effective.

0 Helpful
Reply
paul driver
VIP Advisor paul driver VIP Advisor
VIP Advisor
‎09-17-2019 01:48 AM
‎09-17-2019 01:48 AM

Re: Translation for range tcp ports

Hello

Try adding an additional route-map statement to deny all other traffic .

route-map MAP_RST permit 10
match ip address 190

 

route-map MAP_RST deny 99

 



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

View solution in original post

Reply
Latest Contents
Community Live video- Getting to know Cisco SD-WAN
Created by hiarteag on 12-13-2019 11:11 AM
0
0
0
0
Community Live video- Getting to know Cisco SD-WAN (Live event - formerly known as Webcast-  Wednesday December 11, 2019 at 10 am Pacific/ 1 pm Eastern / 7 pm Paris) This event had place on Wednesday 11th, December 2019 at 10hrs PDT  This sessio... view more
CDP/LLDP neighbors via SNMP - command line tools
Created by Oleg Volkov on 12-12-2019 09:07 AM
2
0
2
0
Hi!Need to find network devices but not want to open SSH and do show cdp nei, show lldp nei and then need to sh cdp nei gig0/1 det and more.... ?Now You can do from PowerShell.\cdplldp.exe -v v3 -u <SNMPv3 user> -a SHA -w <SNMPv3 authkey> -pp ... view more
Community Live slides - Getting to know Cisco SD-WAN
Created by ciscomoderator on 12-10-2019 06:56 PM
0
0
0
0
Community Live slides- Getting to know Cisco SD-WAN (Live event - formerly known as Webcast-  Wednesday December 11, 2019 at 10 am Pacific/ 1 pm Eastern / 7 pm Paris) This event had place on Wednesday 11th, December 2019 at 10hrs PDT  This sessi... view more
Ask Me Anything event - Getting to know Cisco SD-WAN
Created by ciscomoderator on 12-10-2019 06:48 PM
0
0
0
0
To   participate   in this event, please use the   button   to ask your questions This topic is a chance to clarify your questions about the Cisco Software-Defined WAN (SD-WAN) solution, its historical roo... view more
Ask Me Anything event - Configuration, Verification, and Tro...
Created by ciscomoderator on 12-09-2019 03:03 PM
0
0
0
0
To   participate   in this event, please use the   button   to ask your questions This topic is a chance to clarify your questions about the configuration, verification, troubleshooting and gener... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
FusionCharts will render here