NAT port range

CSCO12065472 (Level 1)

I would like to forward a range of ports. To test, I have set up a static NAT with a route-map on various devices. However, every time I set it up, all ports are forwarded; the route-map never gets consulted. Any advice on how to achieve this would be greatly appreciated.

Please see my lab configuration below:

R2#sh run
Building configuration...

Current configuration : 1112 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool p1
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.254
 dns-server 8.8.8.8
!
!
no ip domain lookup
!
!
username admin privilege 15 password 0 password
!
bridge irb
!
!
interface Loopback1
 no ip address
!
interface FastEthernet0/0
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
!
!
ip http server
no ip http secure-server
ip nat inside source static 10.0.0.1 1.1.1.1 route-map SNAT extendable
!
ip access-list extended PORTR
 permit tcp any any range 6000 7000
 permit udp any any range 9000 10000
!
route-map SNAT permit 10
 match ip address PORTR
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 login local
!
scheduler allocate 20000 1000
end

R2#sh route-map
route-map SNAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): PORTR
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

R2#sh ip access-list
Extended IP access list PORTR
    10 permit tcp any any range 6000 7000
    20 permit udp any any range 9000 10000
R2#


1 Reply
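Classic IOS has no port-range form of static PAT: the command that forwards a single port is `ip nat inside source static {tcp|udp} <local-ip> <local-port> <global-ip> <global-port> [extendable]`, and a range is forwarded with one such entry per port. The script below is an added example, not part of the original post. It reads the two `range` lines of the PORTR access list above (either as written in the running config or with the sequence numbers `show ip access-list` prints) and expands them into per-port static PAT entries for the host and addresses used in the post; every emitted line is generated here, not taken from the post, and the `extendable` keyword is kept only because the post used it.

```python
"""Expand 'permit <proto> any any range <lo> <hi>' ACL lines into one static
PAT entry per port, the form classic IOS accepts for port forwarding:
    ip nat inside source static {tcp|udp} <local-ip> <local-port> <global-ip> <global-port> [extendable]
"""
import re

# The two range lines from access list PORTR in the original post.
PORTR = """\
permit tcp any any range 6000 7000
permit udp any any range 9000 10000
"""

# Optional leading sequence number so 'show ip access-list' output parses too.
RANGE_LINE = re.compile(
    r"^(?:\d+\s+)?permit\s+(tcp|udp)\s+any\s+any\s+range\s+(\d+)\s+(\d+)\s*$"
)

def parse_ranges(acl_text):
    """Return [(proto, low, high), ...] for each matching range line; other
    lines are ignored, and an out-of-order or out-of-bounds range is an error."""
    ranges = []
    for line in acl_text.splitlines():
        m = RANGE_LINE.match(line.strip())
        if not m:
            continue
        proto, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port range: {line!r}")
        ranges.append((proto, lo, hi))
    return ranges

def static_pat_lines(acl_text, local_ip, global_ip, extendable=True):
    """One 'ip nat inside source static' line per port in every range,
    mapping each port to the same port number on the global address."""
    suffix = " extendable" if extendable else ""
    lines = []
    for proto, lo, hi in parse_ranges(acl_text):
        for port in range(lo, hi + 1):
            lines.append(
                f"ip nat inside source static {proto} {local_ip} {port} {global_ip} {port}{suffix}"
            )
    return lines

if __name__ == "__main__":
    out = static_pat_lines(PORTR, "10.0.0.1", "1.1.1.1")
    print(f"! {len(out)} static PAT entries")
    print("\n".join(out))
```

For the two ranges in the post this produces 2002 configuration lines (1001 TCP plus 1001 UDP), which is a lot of NAT state on a small router; `show ip nat translations` after pasting them confirms that only those ports have a translation, which is the property the route-map attempt was trying to get.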

CSCO12065472 (Level 1)

Since posting I have found a workaround. I have given the outside interface a secondary IP address and forwarded all traffic from there. In the real example I have an ACL on the outside interface to block the other ports.

This is the final config:

R2#sh run
Building configuration...

Current configuration : 1112 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool p1
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.254
 dns-server 8.8.8.8
!
!
no ip domain lookup
!
!
username admin privilege 15 password 0 password
!
bridge irb
!
!
interface Loopback1
 no ip address
!
interface FastEthernet0/0
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 ip address 1.1.1.2 255.255.255.0 secondary
 ip nat outside
 duplex auto
 speed auto
!
!
!
ip http server
no ip http secure-server
ip nat inside source static 10.0.0.1 1.1.1.2
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 login local
!
scheduler allocate 20000 1000
end
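The reply mentions an ACL on the outside interface that blocks the other ports but does not show it. The model below is an added example, not code from the thread: it takes an assumed inbound ACL (named OUTSIDE-IN here) together with the reply's `ip nat inside source static 10.0.0.1 1.1.1.2` and walks constructed packets through them in IOS order. The security point it demonstrates is that IOS evaluates an interface's inbound ACL before it performs outside-to-inside NAT, so the ACL has to match the global address 1.1.1.2 rather than 10.0.0.1, and that with a plain static NAT every port on 1.1.1.2 is exposed until the ACL closes it. The `established` entry is assumed in order to let replies to 10.0.0.1's own outbound TCP sessions back in, and the trailing `permit ip any any` is assumed so that the router's primary address keeps working; note that the posted config has `ip http server` enabled, so that trailing permit leaves the router's own HTTP server on 1.1.1.1 reachable from outside and should be tightened in a real deployment.

```python
"""Offline model of the reply's workaround: static NAT on the secondary
address (1.1.1.2 -> 10.0.0.1) plus an inbound ACL on the outside interface.
IOS checks an interface's inbound ACL before outside-to-inside NAT, so the
ACL matches on the global address 1.1.1.2, not on 10.0.0.1.
The ACL, its name, and the sample packets are constructed for this example.
"""
from dataclasses import dataclass

# Assumed ACL 'OUTSIDE-IN', applied with 'ip access-group OUTSIDE-IN in' on Fa0/1.
# Fields: (action, protocol, destination, low_port, high_port, established)
OUTSIDE_IN = [
    ("permit", "tcp", "1.1.1.2", 6000, 7000, False),   # forwarded TCP range
    ("permit", "udp", "1.1.1.2", 9000, 10000, False),  # forwarded UDP range
    ("permit", "tcp", "1.1.1.2", None, None, True),    # replies to 10.0.0.1's outbound TCP sessions
    ("deny",   "ip",  "1.1.1.2", None, None, False),   # every other port on the forwarded address
    ("permit", "ip",  "any",     None, None, False),   # leaves the router's own 1.1.1.1 reachable
]

# 'ip nat inside source static 10.0.0.1 1.1.1.2' from the reply's config
STATIC_NAT = {"1.1.1.2": "10.0.0.1"}

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    tcp_flags: frozenset = frozenset()

def acl_lookup(acl, pkt):
    """First match wins; an unmatched packet hits IOS's implicit deny.
    Returns (action, ACE sequence number, or None for the implicit deny)."""
    for index, (action, proto, dst, lo, hi, established) in enumerate(acl, start=1):
        if proto != "ip" and proto != pkt.proto:
            continue
        if dst != "any" and dst != pkt.dst_ip:
            continue
        if lo is not None and not lo <= pkt.dst_port <= hi:
            continue
        # 'established' matches only TCP segments carrying ACK or RST
        if established and not (pkt.tcp_flags & {"ACK", "RST"}):
            continue
        return action, index * 10          # IOS numbers ACEs 10, 20, 30, ...
    return "deny", None

def outside_to_inside(pkt):
    """Inbound ACL first, then static NAT, as IOS orders them for
    outside-to-inside traffic. Returns (verdict, delivered_to, ACE)."""
    action, ace = acl_lookup(OUTSIDE_IN, pkt)
    if action == "deny":
        return "dropped", None, ace
    return "permitted", STATIC_NAT.get(pkt.dst_ip, pkt.dst_ip), ace

if __name__ == "__main__":
    samples = [
        Packet("tcp", "1.1.1.2", 6500, frozenset({"SYN"})),   # wanted port
        Packet("udp", "1.1.1.2", 9500),
        Packet("tcp", "1.1.1.2", 443, frozenset({"ACK"})),    # reply to an outbound HTTPS session
        Packet("tcp", "1.1.1.2", 22, frozenset({"SYN"})),     # would reach 10.0.0.1 without the ACL
        Packet("tcp", "1.1.1.1", 80, frozenset({"SYN"})),     # the router's own 'ip http server'
    ]
    for pkt in samples:
        print(pkt.proto, f"{pkt.dst_ip}:{pkt.dst_port}", sorted(pkt.tcp_flags),
              "->", outside_to_inside(pkt))
```

Running it shows the port-6500 and port-9500 packets and the ACK-only reply being translated to 10.0.0.1, the SYN to port 22 dropped by the deny entry (ACE 40) before NAT ever sees it, and the SYN to 1.1.1.1:80 permitted untranslated, which is the router itself. Counters on the real box tell the same story: `show ip access-lists OUTSIDE-IN` should show hits on the deny entry for probes to unwanted ports, and `show ip nat translations` should only ever list the forwarded ports.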
