Translation for range tcp ports

Gromophon
Level 1

Good day. ISR 4351/K9, IOS 16.09.04. I need to make "ip nat inside source static" for a range of TCP ports, 5100-5200. I have found code like the following:

 

ip access-list extended 190
permit tcp host 192.168.0.10 range 5100 5200 any
!
route-map MAP_RST permit 10
match ip address 190

 

ip nat inside source static 192.168.0.10 92.50.234.196 route-map MAP_RST extendable

 

It works, but it doesn't limit translation to other ports. That is, it is like this code:

ip nat inside source static 192.168.0.10 92.50.234.196 extendable

How do I make that limitation?


7 Replies

Hello,

 

is 92.50.234.196 the IP address of the NAT outside interface (e.g. GigabitEthernet0/0)? If so, try the below:

 

ip nat inside source list 190 interface GigabitEthernet0/0 overload

Thanks, I added this code:

ip nat pool RST1-pool 92.50.234.196 92.50.234.196 netmask 255.255.255.248

ip nat inside source list 190 pool RST1-pool overload

 

but ports are still available from outside, for example 80 and 443.

Hello,

 

try the below (I made some assumptions for your inside and outside interfaces, so the IP addresses, masks, and interfaces you actually use might be different):

 

interface GigabitEthernet0/1
description LAN
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0
description WAN
ip address 92.50.234.196 255.255.255.248
ip nat outside
!
ip nat pool POOL 192.168.0.10 192.168.0.10 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside destination list TCP_RANGE pool POOL
!
! wildcard mask needed: without it the entry matches only the single address 192.168.0.0
access-list 1 permit 192.168.0.0 0.0.0.255
!
ip access-list extended TCP_RANGE
permit tcp any any range 5100 5200
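
An added example (my own script, not code from the thread or from Cisco) that parses the ACL lines used in this thread and evaluates them against constructed sample packets. It shows that "range 5100 5200" in ACL 190 applies to the inside host's source port, that "permit tcp any any range 5100 5200" applies to the destination port, that under the latter only 5100-5200 are matched for inbound connections, and that a standard ACL entry without a wildcard mask matches exactly one address. The outside host 203.0.113.5, the probe port list, the Packet type and the function names are assumptions of the example.

```python
"""Added example: evaluate Cisco-style ACL entries against constructed packets
to see which ports each ACL matches, and so which inbound ports a NAT policy exposes."""
import ipaddress
import re
from dataclasses import dataclass

PORT_OPS = {"eq", "neq", "gt", "lt", "range"}
DOTTED_QUAD = re.compile(r"\d+\.\d+\.\d+\.\d+")


@dataclass(frozen=True)
class Packet:  # assumed 5-tuple type for this example
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _addr_matcher(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' | 'A' (no wildcard = 0.0.0.0, i.e. that one host)."""
    t = tokens[i]
    if t == "any":
        return (lambda ip: True), i + 1
    if t == "host":
        host = ipaddress.ip_address(tokens[i + 1])
        return (lambda ip, h=host: ipaddress.ip_address(ip) == h), i + 2
    net = int(ipaddress.ip_address(t))
    if i + 1 < len(tokens) and DOTTED_QUAD.fullmatch(tokens[i + 1]):
        wild, i = int(ipaddress.ip_address(tokens[i + 1])), i + 2
    else:
        wild, i = 0, i + 1
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (lambda ip, n=net, c=care: int(ipaddress.ip_address(ip)) & c == n & c), i


def _port_matcher(tokens, i):
    """Parse an optional port operator; no operator means any port."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        op = tokens[i]
        if op == "range":
            lo, hi = int(tokens[i + 1]), int(tokens[i + 2])
            return (lambda p: lo <= p <= hi), i + 3
        n = int(tokens[i + 1])
        ops = {"eq": lambda p: p == n, "neq": lambda p: p != n,
               "gt": lambda p: p > n, "lt": lambda p: p < n}
        return ops[op], i + 2
    return (lambda p: True), i


class AccessList:
    """Numbered or named ACL: first matching entry wins, implicit deny at the end."""

    def __init__(self, lines):
        self.entries = [self._parse(ln) for ln in lines if ln.strip() and not ln.startswith("!")]

    @staticmethod
    def _parse(line):
        tokens = line.split()
        if tokens[0] == "access-list":  # numbered form: access-list N permit ...
            tokens = tokens[2:]
        action = tokens[0]
        if tokens[1] in ("ip", "tcp", "udp", "icmp"):  # extended entry
            proto = tokens[1]
            smatch, i = _addr_matcher(tokens, 2)
            sport, i = _port_matcher(tokens, i)
            dmatch, i = _addr_matcher(tokens, i)
            dport, _ = _port_matcher(tokens, i)
        else:  # standard entry: source address only
            proto = "ip"
            smatch, _ = _addr_matcher(tokens, 1)
            sport = dmatch = dport = lambda _x: True
        return action, proto, smatch, sport, dmatch, dport

    def evaluate(self, pkt):
        for action, proto, smatch, sport, dmatch, dport in self.entries:
            if proto in ("ip", pkt.proto) and smatch(pkt.src) and sport(pkt.sport) \
                    and dmatch(pkt.dst) and dport(pkt.dport):
                return action
        return "deny"


# Addresses from the thread; the outside host and probe ports are constructed for this example.
PUBLIC_IP, INSIDE_HOST, OUTSIDE_HOST = "92.50.234.196", "192.168.0.10", "203.0.113.5"
ALLOWED_PORTS = range(5100, 5201)
PROBE_PORTS = [22, 80, 443, 5099, 5100, 5150, 5200, 5201]

ACL_190 = AccessList(["permit tcp host 192.168.0.10 range 5100 5200 any"])  # range = SOURCE port
TCP_RANGE = AccessList(["permit tcp any any range 5100 5200"])              # range = DESTINATION port
ACL_1_AS_POSTED = AccessList(["access-list 1 permit 192.168.0.0"])          # no wildcard: one host
ACL_1_FIXED = AccessList(["access-list 1 permit 192.168.0.0 0.0.0.255"])    # the whole /24


def inbound_permitted_ports(acl, ports=PROBE_PORTS):
    """Destination ports on the public address on which an outside host's SYN is permitted."""
    return {p for p in ports
            if acl.evaluate(Packet("tcp", OUTSIDE_HOST, 40000, PUBLIC_IP, p)) == "permit"}


def unexpected_exposure(acl, allowed=ALLOWED_PORTS):
    """Permitted inbound ports outside the intended range (should be empty)."""
    return {p for p in inbound_permitted_ports(acl) if p not in allowed}


if __name__ == "__main__":
    print("TCP_RANGE inbound ports:", sorted(inbound_permitted_ports(TCP_RANGE)))
    print("ACL 190 inbound ports  :", sorted(inbound_permitted_ports(ACL_190)))
    print("unexpected exposure    :", unexpected_exposure(TCP_RANGE))
    lan_pkt = Packet("tcp", INSIDE_HOST, 51000, "198.51.100.7", 443)
    print("ACL 1 as posted / fixed:", ACL_1_AS_POSTED.evaluate(lan_pkt), ACL_1_FIXED.evaluate(lan_pkt))
```

The point for an audit: whichever NAT construct is chosen, the ACL it references must match the inbound destination port for the policy to limit what outside hosts can reach, and the standard ACL that selects the overloaded LAN needs its wildcard mask or the translation quietly covers one address instead of the subnet.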

I cannot assign x.x.x.196 as the primary address. The primary is another address.

Hello,

 

do you need to translate to the x.x.x.196 address, or can you use the address assigned to your outside interface?

Many thanks to Paul and Georg for the right advice. I solved the problem in a slightly different way: I found a way in the software to reduce the port range from 100 to 10, and registered the usual static translations. Not very beautiful, but very simple and effective.

Hello

Try adding an additional route-map statement to deny all other traffic.

route-map MAP_RST permit 10
match ip address 190

 

route-map MAP_RST deny 99

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul