09-16-2019 09:48 PM
Good day. ISR 4351/K9, IOS 16.09.04. I need to make "ip nat inside source static" for the TCP port range 5100-5200. I have found code like the following:
ip access-list extended 190
permit tcp host 192.168.0.10 range 5100 5200 any
!
route-map MAP_RST permit 10
match ip address 190
ip nat inside source static 192.168.0.10 92.50.234.196 route-map MAP_RST extendable
It works, but it doesn't limit translation to other ports. That is, it behaves like this code:
ip nat inside source static 192.168.0.10 92.50.234.196 extendable
How do I make the limitations?
09-17-2019 12:55 AM
Hello,
try the below (I made some assumptions for your inside and outside interfaces, so the IP addresses, masks, and interfaces you actually use might be different):
interface GigabitEthernet0/1
description LAN
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0
description WAN
ip address 92.50.234.196 255.255.255.248
ip nat outside
!
ip nat pool POOL 192.168.0.10 192.168.0.10 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside destination list TCP_RANGE pool POOL
!
access-list 1 permit 192.168.0.0 0.0.0.255
!
ip access-list extended TCP_RANGE
permit tcp any any range 5100 5200
09-17-2019 01:48 AM
Hello
Try adding an additional route-map statement to deny all other traffic.
route-map MAP_RST permit 10
match ip address 190
route-map MAP_RST deny 99
09-17-2019 12:14 AM
Hello,
is 92.50.234.196 the IP address of the NAT outside interface (e.g. GigabitEthernet0/0)? If so, try the below:
ip nat inside source list 190 interface GigabitEthernet0/0 overload
09-17-2019 12:41 AM
Thanks, I added this code:
ip nat pool RST1-pool 92.50.234.196 92.50.234.196 netmask 255.255.255.248
ip nat inside source list 190 pool RST1-pool overload
but the ports are still available from outside, for example 80 and 443.
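One check a practitioner would want at this point, added here as an example and not part of any post in the thread: a small Python script that parses the output of `show ip nat translations` and reports every translation of the inside host that falls outside the intended TCP 5100-5200 window, and whether a host-wide (portless) static entry is present at all. The sample output below is constructed, modelled on the addresses used in the thread; the column layout follows IOS, but the rows are not from the poster's router.

```python
import re

# Constructed sample of `show ip nat translations` output (not captured from
# the poster's router). Addresses follow the thread's example configuration;
# 203.0.113.x / 198.51.100.x are documentation ranges standing in for peers.
SAMPLE_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 92.50.234.196:5100    192.168.0.10:5100     203.0.113.5:40001     203.0.113.5:40001
tcp 92.50.234.196:5150    192.168.0.10:5150     203.0.113.5:40002     203.0.113.5:40002
tcp 92.50.234.196:443     192.168.0.10:443      203.0.113.9:51000     203.0.113.9:51000
tcp 92.50.234.196:80      192.168.0.10:80       198.51.100.7:33000    198.51.100.7:33000
udp 92.50.234.196:5100    192.168.0.10:5100     203.0.113.5:40003     203.0.113.5:40003
--- 92.50.234.196         192.168.0.10          ---                   ---
"""

# One translation row: protocol (or '---' for a portless static mapping)
# followed by four endpoint columns.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp|---)\s+"
    r"(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)


def split_endpoint(token):
    """'a.b.c.d:port' -> (ip, port); a bare IP -> (ip, None); '---' -> (None, None)."""
    if token == "---":
        return None, None
    if ":" in token:
        host, port = token.rsplit(":", 1)
        return host, int(port)
    return token, None


def parse_translations(text):
    """Turn the raw command output into a list of dicts; header/blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ig_ip, ig_port = split_endpoint(m["ig"])
        il_ip, il_port = split_endpoint(m["il"])
        entries.append({
            "proto": m["proto"],
            "inside_global": ig_ip, "inside_global_port": ig_port,
            "inside_local": il_ip, "inside_local_port": il_port,
            "outside_global": m["og"],
        })
    return entries


def audit(entries, inside_local, allowed_proto, port_lo, port_hi):
    """Report translations of `inside_local` that are not <allowed_proto> within
    [port_lo, port_hi]. A portless row for the host is returned separately: it
    shows a host-wide static mapping exists, which is exactly what the poster
    wanted to avoid (every port of the host reachable through the global address)."""
    violations = []
    host_wide_static = False
    for e in entries:
        if e["inside_local"] != inside_local:
            continue
        port = e["inside_global_port"]
        if port is None:
            host_wide_static = True
            continue
        in_window = e["proto"] == allowed_proto and port_lo <= port <= port_hi
        if not in_window:
            violations.append(e)
    return {"violations": violations, "host_wide_static": host_wide_static}


def report(result):
    """Human-readable summary of an audit result."""
    lines = []
    if result["host_wide_static"]:
        lines.append("host-wide static mapping present (all ports translated)")
    for v in result["violations"]:
        lines.append(f"{v['proto']} port {v['inside_global_port']} translated "
                     f"for peer {v['outside_global']} (outside allowed window)")
    return lines or ["no translations outside the allowed window"]


if __name__ == "__main__":
    result = audit(parse_translations(SAMPLE_OUTPUT), "192.168.0.10", "tcp", 5100, 5200)
    for line in report(result):
        print(line)
```

Run it against a fresh capture of `show ip nat translations` taken after a test connection from outside: any row the audit flags means the translation still covers more than the intended range, which is what the 80/443 observation above indicates.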
09-17-2019 01:03 AM
I cannot assign x.x.x.196 as a primary address. The primary is another address.
09-17-2019 01:35 AM
Hello,
do you need to translate to the x.x.x.196 address, or can you use the address assigned to your outside interface?
09-17-2019 06:28 PM
Many thanks to Paul and Georg for the right advice. I solved the problem in a slightly different way: I found a way in the software to reduce the port range from 100 to 10, and registered the usual static translations. Not very beautiful, but very simple and effective.