As you might recall, I had previously taken umbrage with Cisco's inability to forward a range of ports to a particular host. Many readers have offered suggestions and links to other documents around the Internet offering various solutions, but none of them really sat quite right with me.
In hindsight, the reason none of these suggestions sat right with me is because all the examples assumed you only had one host behind the NAT configuration. Finally, reader Serge worked with me to come up with a workable solution that resolves the port range problem but still works fine with multiple hosts.
Here's what Serge sent me by way of example:
ip nat pool POOL1 192.168.1.1 192.168.1.1 netmask 255.255.255.0 type rotary
ip nat pool POOL2 192.168.1.2 192.168.1.2 netmask 255.255.255.0 type rotary
ip nat inside destination list 101 pool POOL1
ip nat inside destination list 102 pool POOL2
access-list 101 permit tcp any any range 100 300
access-list 102 permit tcp any any range 500 1000
As you can see, TCP ports 100 through 300 are forwarded on to 192.168.1.1 and TCP ports 500 through 1000 go to 192.168.1.2. This solution seems workable to me. Once I got beyond the idea that there can only be one ip nat pool, I realized that this is what I should have been doing all along.
And so, here's our reworked configuration to allow the World of Warcraft updater to successfully pass through our Cisco IOS-based firewall.
interface FastEthernet0/0
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
!
ip nat pool POOL1 192.168.9.10 192.168.9.10 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside destination list WOW pool POOL1
!
ip access-list extended WOW
 permit tcp any any eq 3724
 permit tcp any any range 6881 6999
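Once several rotary pools and destination lists coexist, the thing worth checking is that no two port ranges resolve to different inside hosts. The following parser is an added example, not part of the post or of Cisco's tooling; it assumes ACL entries of the form "permit <proto> any any eq|range ..." and single-host pools, and the second pool (192.168.9.20) and its overlapping range are constructed to show a conflict.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's two configs: two rotary pools, one
# named and one numbered ACL, with a deliberately overlapping range on the second.
SAMPLE_CONFIG = """
ip nat pool POOL1 192.168.9.10 192.168.9.10 netmask 255.255.255.0 type rotary
ip nat pool POOL2 192.168.9.20 192.168.9.20 netmask 255.255.255.0 type rotary
ip nat inside destination list WOW pool POOL1
ip nat inside destination list 102 pool POOL2
ip access-list extended WOW
 permit tcp any any eq 3724
 permit tcp any any range 6881 6999
access-list 102 permit tcp any any range 6900 7000
"""
RULE = re.compile(r"permit (\w+) any any (?:eq (\d+)|range (\d+) (\d+))$")

def parse_forwards(config):
    """Resolve each destination-list ACL rule to the rotary pool host it reaches.
    Returns a list of (acl, proto, low_port, high_port, inside_host)."""
    pools, dest_lists, rules = {}, {}, defaultdict(list)
    current_acl = None                       # set while inside a named ACL block
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"ip nat pool (\S+) (\S+) ", line):
            pools[m[1]], current_acl = m[2], None     # keep the pool start address
        elif m := re.match(r"ip nat inside destination list (\S+) pool (\S+)", line):
            dest_lists[m[1]], current_acl = m[2], None
        elif m := re.match(r"ip access-list extended (\S+)", line):
            current_acl = m[1]
        elif m := re.match(r"access-list (\S+) (permit .*)", line):
            rules[m[1]].append(m[2]); current_acl = None
        elif current_acl and line.startswith("permit"):
            rules[current_acl].append(line)
        else:
            current_acl = None                # any other line ends the ACL block
    out = []
    for acl, pool in dest_lists.items():
        for rule in rules[acl]:
            if m := RULE.match(rule):
                lo, hi = int(m[2] or m[3]), int(m[2] or m[4])
                out.append((acl, m[1], lo, hi, pools[pool]))
    return out

def overlapping(forwards):
    """Pairs of rules whose port ranges overlap but resolve to different hosts:
    only one host can receive a given port, so the mapping is ambiguous."""
    return [(a, b) for i, a in enumerate(forwards) for b in forwards[i + 1:]
            if a[1] == b[1] and a[4] != b[4] and a[2] <= b[3] and b[2] <= a[3]]
```

Running parse_forwards on the sample yields three mappings, and overlapping flags the 6881-6999 and 6900-7000 rules as a conflict between the two hosts.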