Cisco, NAT, and Port Range Resolution


As you might recall, I had previously taken umbrage with Cisco's inability to forward a range of ports to a particular host. Many readers have offered suggestions and links to other documents around the Internet offering various solutions, but none of them really sat quite right with me.

In hindsight, the reason none of these suggestions sat right with me is because all the examples assumed you only had one host behind the NAT configuration. Finally, reader Serge worked with me to come up with a workable solution that resolves the port range problem but still works fine with multiple hosts.

Here's what Serge sent me by way of example:

ip nat pool POOL1 192.168.1.1 192.168.1.1 netmask 255.255.255.0 type rotary
ip nat pool POOL2 192.168.1.2 192.168.1.2 netmask 255.255.255.0 type rotary
ip nat inside destination list 101 pool POOL1
ip nat inside destination list 102 pool POOL2
access-list 101 permit tcp any any range 100 300
access-list 102 permit tcp any any range 500 1000

As you can see, TCP ports 100 through 300 are forwarded on to 192.168.1.1 and TCP ports 500 through 1000 go to 192.168.1.2. This solution seems workable to me. Once I got beyond the idea that there can only be one ip nat pool, I realized that this is what I should have been doing all along.

And so, here's our re-worked configuration to allow the World of Warcraft updater to successfully pass through our Cisco IOS-based firewall.

interface FastEthernet0/0
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
!
ip nat pool POOL1 192.168.9.10 192.168.9.10 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside destination list WOW pool POOL1
!
ip access-list extended WOW
 permit tcp any any eq 3724
 permit tcp any any range 6881 6999
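
Once several pools and access lists are in play, it is worth checking which inside host each inbound port actually lands on and whether two lists claim the same port. The script below is an added example, not part of the original post or of Serge's configuration: it parses only the statement forms shown above (`permit <proto> any any eq|range`), and the sample config, including the `eq 800` entry, is constructed. Which rule the router would prefer on an overlap is not covered in the post, so the script only flags it.

```python
import re

# Constructed sample: Serge's pools plus the WOW list (re-addressed to
# 192.168.1.10) and a made-up "eq 800" entry that collides with list 102.
SAMPLE = """\
ip nat pool POOL1 192.168.1.1 192.168.1.1 netmask 255.255.255.0 type rotary
ip nat pool POOL2 192.168.1.2 192.168.1.2 netmask 255.255.255.0 type rotary
ip nat pool POOL3 192.168.1.10 192.168.1.10 netmask 255.255.255.0 type rotary
ip nat inside destination list 101 pool POOL1
ip nat inside destination list 102 pool POOL2
ip nat inside destination list WOW pool POOL3
access-list 101 permit tcp any any range 100 300
access-list 102 permit tcp any any range 500 1000
ip access-list extended WOW
 permit tcp any any eq 3724
 permit tcp any any range 6881 6999
 permit tcp any any eq 800
"""
ENTRY = re.compile(r"permit (tcp|udp) any any (?:eq (\d+)|range (\d+) (\d+))$")

def parse_forwards(config):
    """Return [(inside_host, proto, low, high)] for each destination-NAT rule."""
    pools, binds, acls, named = {}, [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():
            named = None  # an unindented line leaves named-ACL sub-mode
        if m := re.match(r"ip nat pool (\S+) (\S+) \S+ netmask \S+ type rotary", line):
            pools[m[1]] = m[2]
        elif m := re.match(r"ip nat inside destination list (\S+) pool (\S+)", line):
            binds.append((m[1], m[2]))
        elif m := re.match(r"access-list (\d+) (permit .+)", line):
            acls.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"ip access-list extended (\S+)", line):
            named = m[1]
        elif named and line.startswith("permit "):
            acls.setdefault(named, []).append(line)
    out = []
    for acl, pool in binds:
        for entry in acls.get(acl, []):
            if (m := ENTRY.match(entry)) and pool in pools:
                lo, hi = (m[2], m[2]) if m[2] else (m[3], m[4])
                out.append((pools[pool], m[1], int(lo), int(hi)))
    return out

def conflicts(forwards):
    """Pairs of rules for different hosts whose port ranges intersect."""
    return [(a, b) for i, a in enumerate(forwards) for b in forwards[i + 1:]
            if a[0] != b[0] and a[1] == b[1] and a[2] <= b[3] and b[2] <= a[3]]
```

Running `conflicts(parse_forwards(SAMPLE))` reports the one collision between list 102 and the constructed `eq 800` entry; the lists exactly as posted produce none.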

Photo by Jenny Erickson.
