Sunday, July 6, 2014

Cisco NAT – Port Forwarding a Range of Ports

One question that comes up very often is “How do I port forward a range of ports?” Normally the answer is that you can’t, or that you need to enter one translation rule for each port manually.

I tested this in my lab and everything worked great. Here is the topology:

[topology diagram]

Here is the config for forwarding a range of ports (1-1024) from R2's public IP address (200.0.0.1/24) to the server's internal IP address (10.0.0.1/24).

!-- IFs Config ------------------
interface FastEthernet0/0
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 200.0.0.1 255.255.255.0
 ip nat outside
!
!-- NAT - Port Range Forward --
! Rotary pool with a single address: every matched session ends up on 10.0.0.1
ip nat pool PORTFWD 10.0.0.1 10.0.0.1 netmask 255.255.255.0 type rotary
!
! Inbound TCP sessions matched by ACL 100 (destination ports 1-1024) are translated to the pool
ip nat inside destination list 100 pool PORTFWD
access-list 100 permit tcp any any range 1 1024

At a glance this config looks like a pretty standard NAT configuration, except for the “type rotary” keyword on the NAT pool.

Cisco’s definition for this feature is the following:

“Perform this task to configure server TCP load balancing by way of destination address rotary translation. The commands specified in the task allow you to map one virtual host to many real hosts. Each new TCP session opened with the virtual host will be translated into a session with a different real host.” [cisco]

So, the normal use of this feature is to distribute the TCP sessions arriving at the public IP of R2 (200.0.0.1/24) across multiple internal servers, i.e. TCP session load balancing; you can find an example of this here.

In order to achieve port forwarding of a range of ports, instead of having a range of servers (private IPs), we only have one:

ip nat pool PORTFWD 10.0.0.1 10.0.0.1 netmask 255.255.255.0 type rotary

so all the TCP sessions are “load balanced” onto a single host, which gives us the port range forwarding.
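To make the two uses of the rotary pool concrete, here is a small Python model of the behaviour the post relies on. It is an added example, not code from the post or from Cisco: it models only the ACL port-range match and the round-robin choice of real host for each new TCP session; the class and function names, and the three-host pool 10.0.0.1-10.0.0.3 used for the load-balancing case, are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from itertools import cycle
from typing import Iterator, Optional

@dataclass
class RotaryPool:
    """Models: ip nat pool <name> <start> <end> netmask <mask> type rotary"""
    name: str
    start: IPv4Address
    end: IPv4Address

    def real_hosts(self) -> list:
        # Every address from start to end inclusive; start == end gives one host.
        return [IPv4Address(a) for a in range(int(self.start), int(self.end) + 1)]

@dataclass
class InsideDestinationNat:
    """Models: ip nat inside destination list <acl> pool <pool>, where the ACL is
    a single 'permit tcp any any range <lo> <hi>' line (addresses are 'any')."""
    pool: RotaryPool
    port_lo: int
    port_hi: int
    _rotation: Iterator = field(init=False, repr=False)

    def __post_init__(self):
        # Rotary translation hands each NEW session to the next real host in turn.
        self._rotation = cycle(self.pool.real_hosts())

    def new_session(self, proto: str, dst_port: int) -> Optional[IPv4Address]:
        """Real-host address chosen for a new inbound session, or None when the
        ACL does not match and no translation is applied."""
        if proto != "tcp" or not (self.port_lo <= dst_port <= self.port_hi):
            return None
        return next(self._rotation)

def post_config() -> InsideDestinationNat:
    """The post's configuration: a one-address pool plus access-list 100."""
    pool = RotaryPool("PORTFWD", IPv4Address("10.0.0.1"), IPv4Address("10.0.0.1"))
    return InsideDestinationNat(pool, port_lo=1, port_hi=1024)

def load_balance_config() -> InsideDestinationNat:
    """Same mechanism with a three-host pool (constructed addresses): the usual
    TCP load-balancing use described in the Cisco quote."""
    pool = RotaryPool("WEB", IPv4Address("10.0.0.1"), IPv4Address("10.0.0.3"))
    return InsideDestinationNat(pool, port_lo=80, port_hi=80)

if __name__ == "__main__":
    fwd, lb = post_config(), load_balance_config()
    print([str(fwd.new_session("tcp", p)) for p in (22, 443, 8080)], [str(lb.new_session("tcp", 80)) for _ in range(4)])
```

Note that with `any any` in access-list 100 the rule matches inbound TCP to every port from 1 to 1024 from any source, so on a real edge the range (port_lo/port_hi in the model) is best narrowed to the ports the server actually serves.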

Tested this on a 2691 router on GNS3.
