NAT port range

CSCO12065472
Level 1

I would like to forward a range of ports. To test I have setup a Static NAT with a route-map on various devices. However, every time I set it up all ports are forwarded; the route-map never gets consulted. Any advice on how to achieve this would be greatly appreciated.

Please see my lab configuration below:

R2#sh run
Building configuration...

Current configuration : 1112 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool p1
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.254
   dns-server 8.8.8.8
!
!
no ip domain lookup
!
!
username admin privilege 15 password 0 password
!
bridge irb
!
!
interface Loopback1
 no ip address
!
interface FastEthernet0/0
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
!
!
ip http server
no ip http secure-server
ip nat inside source static 10.0.0.1 1.1.1.1 route-map SNAT extendable
!
ip access-list extended PORTR
 permit tcp any any range 6000 7000
 permit udp any any range 9000 10000
!
route-map SNAT permit 10
 match ip address PORTR
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 login local
!
scheduler allocate 20000 1000
end

R2#sh route-map
route-map SNAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): PORTR
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

R2#sh ip access-list
Extended IP access list PORTR
    10 permit tcp any any range 6000 7000
    20 permit udp any any range 9000 10000
R2#


1 Reply

CSCO12065472
Level 1

Since posting I have found a workaround. I have given the outside interface a secondary IP address and forwarded all traffic from there. In the real example I have an ACL on the outside interface to block the other ports.

This is the final config:

R2#sh run
Building configuration...

Current configuration : 1112 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool p1
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.254
   dns-server 8.8.8.8
!
!
no ip domain lookup
!
!
username admin privilege 15 password 0 password
!
bridge irb
!
!
interface Loopback1
 no ip address
!
interface FastEthernet0/0
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 ip address 1.1.1.2 255.255.255.0 secondary
 ip nat outside
 duplex auto
 speed auto
!
!
!
ip http server
no ip http secure-server
ip nat inside source static 10.0.0.1 1.1.1.2
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 login local
!
scheduler allocate 20000 1000
end
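The workaround above maps every port of 10.0.0.1 to 1.1.1.2, so the exposure is now decided entirely by the inbound ACL on FastEthernet0/1 that the poster mentions but does not show. Because an inbound ACL on the outside interface is evaluated before outside-to-inside translation, that ACL has to match the outside global address (1.1.1.2), not 10.0.0.1. The script below is an added example, not part of the original post and not Cisco code: it parses ACL lines in the same syntax as the PORTR list on this page, evaluates constructed sample packets with IOS first-match and implicit-deny semantics, and enumerates which destination ports an outside host could actually reach on 1.1.1.2. The OUTSIDE_IN ACL, its deny line, and the sample source addresses are assumptions made for the example.

```python
"""Offline check of what an inbound outside-interface ACL really exposes.

Added example for this thread (not the poster's or Cisco's code). PORTR is
copied from the post; OUTSIDE_IN is a constructed assumption of an ACL that
limits the secondary address 1.1.1.2 to TCP 6000-7000 and UDP 9000-10000.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable

PORTR_ACL = """
ip access-list extended PORTR
 permit tcp any any range 6000 7000
 permit udp any any range 9000 10000
"""

# Assumed inbound ACL for Fa0/1 (not from the post): it matches the outside
# global address, since the ACL is checked before NAT on outside-to-inside traffic.
OUTSIDE_IN_ACL = """
ip access-list extended OUTSIDE_IN
 10 permit tcp any host 1.1.1.2 range 6000 7000
 20 permit udp any host 1.1.1.2 range 9000 10000
 30 deny ip any host 1.1.1.2
 40 permit ip any any
"""

Matcher = Callable[[int], bool]


def _addr(tokens, i):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'net wildcard'."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        host = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda ip: ip == host), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    care = ~wild & 0xFFFFFFFF  # wildcard bits that are set mean "don't care"
    return (lambda ip: (ip & care) == (net & care)), i + 2


def _ports(tokens, i):
    """Consume an optional port operator (eq/gt/lt/range); absent means any port."""
    if i >= len(tokens) or tokens[i] not in ("eq", "gt", "lt", "range"):
        return (lambda p: True), i
    op = tokens[i]
    if op == "range":
        lo, hi = int(tokens[i + 1]), int(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    n = int(tokens[i + 1])
    ops = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}
    return ops[op], i + 2


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Matcher
    sport: Matcher
    dst: Matcher
    dport: Matcher


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_acl(text: str) -> list:
    """Parse 'permit|deny proto src [ports] dst [ports]' lines; other lines are ignored."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():  # optional sequence number
            tokens = tokens[1:]
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # header line, remark, or '!'
        action, proto = tokens[0], tokens[1]
        src, i = _addr(tokens, 2)
        sport, i = _ports(tokens, i)
        dst, i = _addr(tokens, i)
        dport, i = _ports(tokens, i)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def evaluate(aces, pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s = int(ipaddress.IPv4Address(pkt.src))
    d = int(ipaddress.IPv4Address(pkt.dst))
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.src(s) and ace.sport(pkt.sport) and ace.dst(d) and ace.dport(pkt.dport):
            return ace.action
    return "deny"


def permitted_dports(aces, proto, dst, src="203.0.113.5", sport=40000):
    """Destination ports an outside host (constructed address) could reach on dst."""
    return {p for p in range(1, 65536)
            if evaluate(aces, Packet(proto, src, sport, dst, p)) == "permit"}


if __name__ == "__main__":
    outside_in = parse_acl(OUTSIDE_IN_ACL)
    for proto in ("tcp", "udp"):
        ports = permitted_dports(outside_in, proto, "1.1.1.2")
        print(f"{proto}: {len(ports)} ports reachable on 1.1.1.2 "
              f"({min(ports)}-{max(ports)})")
```

Running it shows 1001 TCP ports (6000-7000) and 1001 UDP ports (9000-10000) reachable on 1.1.1.2 and nothing else, which is the result the secondary-address workaround needs the interface ACL to guarantee. Evaluating PORTR on its own also shows that the list itself was fine; the original problem was only where it was being consulted.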
