TOPIC: NAT issue for multiple ports

NAT issue for multiple ports 9 years 9 months ago #19834

bryantp (New Member, Posts: 6, Karma: 0)
I was just wondering if anyone had a suggestion for this issue, as I cannot seem to find an easier way to resolve it.

I have two VLAN interfaces on an 871 router.

For one I have a NAT in place.

Now normally when applying a NAT/PAT for a camera system sitting off this device I just put in the port and then allow that port/range in the ACL.

My problem is some devices/applications require a BROAD RANGE of PORTS. Now the ACL can be addressed of course with range. But is there an easier way to keep from typing in each NAT/PAT statement for each port?

I will give an example:
Interface FastEthernet4 (Fa4) is my outside interface
Interface Vlan2 is one of my inside interfaces
I have a static IP of 192.168.200.250 set aside for a server on VLAN2

[code:1]interface Vlan2
 ip address 192.168.200.225 255.255.255.224
 ip nat inside
!
interface FastEthernet4
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip nat outside
 ip access-group 199 in
!
! My NAT
ip nat inside source static tcp 192.168.200.250 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.200.250 3550 interface FastEthernet4 3550
ip nat inside source static tcp 192.168.200.250 4550 interface FastEthernet4 4550
ip nat inside source static tcp 192.168.200.250 5550 interface FastEthernet4 5550
!
access-list 199 permit tcp any eq www any
access-list 199 permit udp any eq domain any
access-list 199 permit tcp any host xxx.xxx.xxx.xxx eq 3550
access-list 199 permit tcp any host xxx.xxx.xxx.xxx eq 4550
access-list 199 permit tcp any host xxx.xxx.xxx.xxx eq 5550
access-list 199 permit tcp any eq 443 any
access-list 199 permit tcp any eq pop3 any
access-list 199 permit tcp any eq smtp any
access-list 199 permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 199 permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 199 permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 199 deny ip any any log[/code:1]


Now you can see that I am allowing anything coming to the PUBLIC IP on ports 3550/4550/5550/80 to be redirected to my SERVER of 192.168.200.250. And this does work.

The question is how do I get away from MANY STATIC NATs if I have, say, 130 ports to allow? With the ACL I can just do RANGE, but the STATIC NATs would have to be defined individually. Keep in mind I want the same NAT'd address (192.168.200.250) to have multiple ports. I have been reading and came across route-map, but that looks to use portmap, which isn't possible on the 871 model. It could be that I misread the route-map thing. I read several articles today.

Any thoughts or suggestions would be appreciated.

Thanks in advance

Re: NAT issue for multiple ports 9 years 9 months ago #19844

Smurf (Moderator, Posts: 1390, Karma: 1)
What you could do is to set up the device as a DMZ device and tell the router to pass everything to it, in effect NAT anything that hits your interface to the internal address. Then you just rely on the Access List to allow the required traffic through.

This can be done by a simple line:

[code:1]ip nat inside source static 192.168.200.250 interface FastEthernet4[/code:1]

Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: NAT issue for multiple ports 9 years 9 months ago #19851

bryantp (New Member, Posts: 6, Karma: 0)
[quote="Smurf"]What you could do is to set up the device as a DMZ device and tell the router to pass everything to it, in effect NAT anything that hits your interface to the internal address. Then you just rely on the Access List to allow the required traffic through.

This can be done by a simple line:

[code:1]ip nat inside source static 192.168.200.250 interface FastEthernet4[/code:1]

Cheers[/quote]

Thanks for the post/reply. However, I do not wish for everything or all traffic to pass to this device. There are 2 VLANs in this box with two separate LAN NETs. I should have explained this earlier. As such, all traffic cannot pass to this (VLAN2) LAN NET.
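For readers landing on this thread later, here is the one-line static NAT from the reply above combined with an inbound ACL that opens only the required port range, so that the original question (130 ports without 130 static entries) and the follow-up concern (not every packet should be able to reach the server) are covered in one place. This is an added example written for this page, not configuration from either poster, from firewall.cx or from Cisco documentation. The public address 203.0.113.10/30 stands in for the xxx.xxx.xxx.xxx in the thread, and TCP 3550-3680 is an assumed range for the camera system; everything else reuses the names already given in the thread.

```cisco
! Added example, not from the thread. 203.0.113.10/30 is a placeholder for the
! real public address; TCP 3550-3680 is an assumed port range for the server.
interface Vlan2
 ip address 192.168.200.225 255.255.255.224
 ip nat inside
!
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
 ip access-group 199 in
!
! One translation instead of one per port: an inbound packet to the
! FastEthernet4 address that no more specific (per-port) entry claims is
! handed to the server. Outbound traffic from the server is also translated
! to the FastEthernet4 address.
ip nat inside source static 192.168.200.250 interface FastEthernet4
!
! With that entry in place, ACL 199 is the only thing deciding what reaches
! 192.168.200.250, so it lists exactly the ports the server should serve.
! An inbound ACL on the outside interface is evaluated before NAT, so the
! destination to match is the public address, not 192.168.200.250.
access-list 199 remark --- inbound to the published server ---
access-list 199 permit tcp any host 203.0.113.10 eq www
access-list 199 permit tcp any host 203.0.113.10 range 3550 3680
access-list 199 remark --- replies to sessions opened from inside ---
access-list 199 permit tcp any any established
access-list 199 permit udp any eq domain any
access-list 199 remark --- everything else, logged ---
access-list 199 deny ip any any log
```

A couple of notes on the choices. The `range 3550 3680` line is where the 130 ports collapse into one statement; the static NAT line does the same for the translation side. For return traffic the example uses `established` (matches only packets with ACK or RST set) rather than permitting by source port, which is the tighter of the two ways of letting replies back in. After applying it, `show ip nat translations` should list the single static entry for 192.168.200.250, and `show access-lists 199` shows per-line hit counts, so the logged `deny` at the end is where unexpected inbound attempts against the public address will be visible.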