Open a range of TCP ports in Cisco IOS NAT

  • ip nat inside source static 192.168.1.10 10.10.10.9 route-map RANGE
    !
    route-map RANGE permit 100
      match ip address 102
    !
    access-list 102 permit tcp host 192.168.1.10 range 3000 3389 any
    

    The configuration does not seem to work.. just creates a one to one static NAT...

    Does any one know how to open range of ports?

    I have multiple external IPs and would like to open same ports for multiple hosts using multiple external ip's and because of that the rotary method does not work.

    don't forget to also check ACLs or firewall rules on your external facing interfaces!

    Did any answer help you? if so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer.

    Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can post and accept your own answer.

  • (EDIT)

    It seems that inside->outside works as expected, as seen in the answer below, but outside->inside actually does not, it allows everything, as OP suggested.

    Adding 'reversible' in the NAT line it starts to honor the route-map for outside->inside, unfortunately it does not seem to work with ports:

    1. permit ip any host 194.100.7.226 works
    2. permit tcp any any works
    3. permit tcp any any eq 80 no match, does not work
    4. permit tcp any eq 80 any match, does not work
    5. permit tcp any eq 80 host 194.100.7.226 match, does not work
    6. permit tcp any eq 0 host 194.100.7.226 works

    At '194.100.7.226' I'm doing 'telnet 91.198.120.222 80', that is my source is 194.100.7.226:ephemeral destination is 91.198.120.222:80. As the example #1 works, we can conclude that reversible actually 'reverses' the ACL, so that it works in same manner both directions, which makes sense.

    When the the connection match but does not work, in 'deny any any log-input line I get this:

    .Jul 7 07:58:59.118 UTC: %SEC-6-IPACCESSLOGP: list MOO denied tcp 91.198.120.2(0) (Tunnel101 ) -> 194.100.7.226(0), 1 packet

    So it really seems like L4 protocol type is carried, but ports are not carried during the NAT reversal. So outside->inside ranges do not work.


    As suggested in question Cisco 867 forward UDP port range this works for outside->inside

    ip nat pool MOO 91.198.120.2 91.198.120.2 prefix-length 30 type rotary
    ip nat inside destination list MOO pool MOO
    ip access-list extended MOO
     permit tcp any any range 22 100
     deny   ip any any log-input
    

    It's bit ghetto I feel, as you don't have good control on the outside IP. Pool is the inside IP, outside IP is router outside IP.


    Original answer of inside->outside working with ports:

    ip nat inside source static 91.198.120.2 91.198.120.222 route-map MOO
    !
    ip access-list extended MOO
     permit icmp any any
     permit tcp any any range 22 telnet
    !
    route-map MOO permit 100
     match ip address MOO
    !
    route-map MOO deny 200
    !
    

    @91.198.120.2 I'm doing:

    • telnet testhost 22
    • telnet testhost 23
    • telnet testhost 24

    At testhost I can observe:

    1   0.000000 91.198.120.222 -> 194.100.7.226 TCP 74 50925 > ssh [SYN] Seq=0 Win=14600 Len=0 MSS=1350 SACK_PERM=1 TSval=7995067 TSecr=0 WS=128
    
    2   9.838471 91.198.120.222 -> 194.100.7.226 TCP 74 41586 > telnet [SYN] Seq=0 Win=14600 Len=0 MSS=1350 SACK_PERM=1 TSval=7997586 TSecr=0 WS=128
    
    5  16.773181 91.198.120.2 -> 194.100.7.226 TCP 74 53307 > 24 [SYN] Seq=0 Win=14600 Len=0 MSS=1350 SACK_PERM=1 TSval=7999327 TSecr=0 WS=128
    

    Tested on:

    bu.ip.fi#sh ver | i ^Cisco
    Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T5, RELEASE SOFTWARE (fc1)
    Cisco 881G (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memory.
    bu.ip.fi#
    
  • so to fix my issue what i did was

    ip nat inside source static 91.198.120.2 91.198.120.222 route-map MOO
    !
    ip access-list extended MOO
     permit icmp any any
     permit tcp any any range 22 telnet
    !
    route-map MOO permit 100
     match ip address MOO
    !
    

    and i also included an access list 199 on my external interface

    access-list 199 permit tcp any host external_host eq 3389
    access-list 199 deny   ip any host external_host
    

    this access list takes care of the allowing all port issue.

    I was worried OP wanted to direct external n1-n2 to host1 and external n3-n4 to host2, which would preclude ACL in external. I wonder if the L4 ports SHOULD work in above example, if it's bug or intended behavior, particularly as it clearly is not 'standard' ACL, as it differentiates UDP and TCP, just ports are '0'.

    how would you use route map to map port 3389 to lets say 90001

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM

Tags used