How do I configure ip nat for over 1000 ports on a Cisco 851W?

James St. John
I need to be able to set up NAT for nearly 1000 ports to handle passive FTP on two servers in my office.

I'm trying to avoid having to create 1000 entries like
route-map no-vpn-nat permit 10
 match ip address 110

ip nat inside source static tcp 172.24.10.153 63000 xxx.xxx.xxx.66 63000 route-map no-vpn-nat
ip nat inside source static tcp 172.24.10.153 63001 xxx.xxx.xxx.66 63001 route-map no-vpn-nat
ip nat inside source static tcp 172.24.10.153 63002 xxx.xxx.xxx.66 63002 route-map no-vpn-nat

The only way I figure I could do that is by using nat pools, each containing only a single IP address, like
ip nat pool pool-svr1 172.24.10.153 172.24.10.153 netmask 255.255.255.0 type rotary

Then making a nat entry like
ip nat inside destination list 103 pool pool-svr1

Problem is, when I do this using the CLI, the router always returns a "configuration error".  I tried accessing the FTP/RDP servers remotely, and it actually **seemed** to work, but after the router was restarted from power off no one from the inside was able to access the internet - the router logged numerous entries that access list 102 was blocking DNS, port 53.

Am I wrong in attempting to use NAT pools to accomplish what I want?
If NAT pools will work, how do I allow multiple remote users to access the same server (e.g. terminal server using RDP port 3389) simultaneously?


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key abcdefghij address xxx.xxx.xxx.103
crypto isakmp key abcdefghij address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA1
 set pfs group2
 match address 108
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to xxx.xxx.xxx.103
 set peer xxx.xxx.xxx.103
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 100
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-LAN$$FW_OUTSIDE$
 ip address xxx.xxx.xxx.66 255.255.255.248
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $FW_INSIDE$
 ip address 172.24.10.11 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.65 permanent
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool pool-svr1 172.24.10.153 172.24.10.153 netmask 255.255.255.0 type rotary
ip nat pool pool-wsa  172.24.10.159 172.24.10.159 netmask 255.255.255.0 type rotary
ip nat pool pool-wsb  172.24.10.160 172.24.10.160 netmask 255.255.255.0 type rotary
ip nat pool pool-svr2 172.24.10.169 172.24.10.169 netmask 255.255.255.0 type rotary
ip nat pool pool-wsc  172.24.10.156 172.24.10.156 netmask 255.255.255.0 type rotary
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside destination list 103 pool pool-svr1
ip nat inside destination list 104 pool pool-svr2
ip nat inside destination list 105 pool pool-wsa
ip nat inside destination list 106 pool pool-wsb
ip nat inside destination list 107 pool pool-wsc
!
access-list 23 permit 172.24.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.24.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny   ip xxx.xxx.xxx.64 0.0.0.7 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=17
access-list 102 permit gre any host xxx.xxx.xxx.66
access-list 102 permit tcp any host xxx.xxx.xxx.66 eq 1723
access-list 102 permit udp any host xxx.xxx.xxx.66 eq isakmp
access-list 102 permit udp any host xxx.xxx.xxx.66 eq 1701
access-list 102 permit tcp any host xxx.xxx.xxx.66 eq 3389
access-list 102 permit tcp any host xxx.xxx.xxx.66 eq 4021
access-list 102 permit tcp any host xxx.xxx.xxx.66 range 63000 63499
access-list 102 permit tcp any host xxx.xxx.xxx.66 eq 5021
access-list 102 permit tcp any host xxx.xxx.xxx.66 range 63500 63999
access-list 102 permit tcp any host xxx.xxx.xxx.66 range 4001 4002
access-list 102 permit tcp any host xxx.xxx.xxx.66 range 5619 5620
access-list 102 permit udp any host xxx.xxx.xxx.66 range 5619 5620
access-list 102 permit icmp any host xxx.xxx.xxx.66 echo-reply
access-list 102 permit icmp any host xxx.xxx.xxx.66 time-exceeded
access-list 102 permit icmp any host xxx.xxx.xxx.66 unreachable
access-list 102 permit tcp any host xxx.xxx.xxx.66 eq 443
access-list 102 permit tcp any host xxx.xxx.xxx.66 eq 22
access-list 102 permit tcp any host xxx.xxx.xxx.66 eq cmd
access-list 102 permit tcp any any established
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark Access list - SVR1
access-list 103 remark CCP_ACL Category=3
access-list 103 remark IPSec Rule
access-list 103 deny   ip 172.24.10.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 172.24.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 remark VPN gre
access-list 103 permit gre any any
access-list 103 remark VPN pptp
access-list 103 permit tcp any any eq 1723
access-list 103 remark VPN ike
access-list 103 permit udp any any eq isakmp
access-list 103 remark VPN l2tp
access-list 103 permit udp any any eq 1701
access-list 103 remark RDP
access-list 103 permit tcp any any eq 3389
access-list 103 remark FTP
access-list 103 permit tcp any any eq 4021
access-list 103 remark FTP pasv
access-list 103 permit tcp any any range 63000 63499
access-list 104 remark Access list - SVR2
access-list 104 remark CCP_ACL Category=3
access-list 104 remark IPSec Rule
access-list 104 deny   ip 172.24.10.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 172.24.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 104 remark FTP
access-list 104 permit tcp any any eq 5021
access-list 104 remark FTP pasv
access-list 104 permit tcp any any range 63500 63999
access-list 105 remark Access list - WSA
access-list 105 remark CCP_ACL Category=3
access-list 105 remark IPSec Rule
access-list 105 deny   ip 172.24.10.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny   ip 172.24.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 remark Helpdesk
access-list 105 permit tcp any any eq 4000
access-list 106 remark Access list - WSB
access-list 106 remark CCP_ACL Category=3
access-list 106 remark IPSec Rule
access-list 106 deny   ip 172.24.10.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 deny   ip 172.24.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 106 remark Helpdesk
access-list 106 permit tcp any any eq 4001
access-list 106 remark pcAW
access-list 106 permit tcp any any range 5619 5620
access-list 106 remark pcAW
access-list 106 permit udp any any range 5619 5620
access-list 107 remark Access list - WSC
access-list 107 remark CCP_ACL Category=3
access-list 107 remark IPSec Rule
access-list 107 deny   ip 172.24.10.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 107 remark IPSec Rule
access-list 107 deny   ip 172.24.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 107 remark Helpdesk
access-list 107 permit tcp any any eq 4002
access-list 108 remark CCP_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 172.24.10.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 110 remark CCP_ACL Category=18
access-list 110 remark IPSec Rule
access-list 110 deny   ip 172.24.10.0 0.0.0.255 172.24.1.0 0.0.0.255
access-list 110 remark IPSec Rule
access-list 110 deny   ip 172.24.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit ip any any
no cdp run
route-map SDM_RMAP_4 permit 1
 match ip address 105
!
route-map SDM_RMAP_5 permit 1
 match ip address 106
!
route-map SDM_RMAP_6 permit 1
 match ip address 107
!
route-map SDM_RMAP_1 permit 1
 match ip address 110
!
route-map SDM_RMAP_2 permit 1
 match ip address 103
!
route-map SDM_RMAP_3 permit 1
 match ip address 104
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip



Commented:
What about creating an access-list using the range command. access-list 101 permit any any range 6000 7000. Or if it's possible, just NAT all of the ports through instead of selecting 1000 of them.

Author

Commented:
cclonga13:

If you look at access-list 102, 103, 104, 105, 106 and 107 that's what I did.

The issue I have is that the ip nat command doesn't support port ranges.

-- Jim


mikecr, IT Architect/Technology Delivery Manager

Commented:
Are you only expecting traffic to go to and come from certain locations? If so I would NAT all ports but create an access list only allowing those devices that need to to have access to each other.

Author

Commented:
mikecr:

If I'm interpreting your response correctly -- no, the traffic can come from anywhere on the Internet.
Access list 102 opens all the necessary ports on the outside, but I think I'm stymied by the fact that I need nat overload, and I have over 1000 ports to handle.

-- Jim

How about writing up a Perl script to do the dirty work for you?  I have a pair of Cisco PIX 535 firewalls that I routinely connect to from a Perl script using the Net::Telnet module.  This allows me to manage huge access lists with ease...

Note: in the code snip below you may need to slightly adjust the characters between the slashes in the $t->waitfor statements to accommodate what is being asked by your firewall....   To check this, just telnet into your PIX and see what characters it displays when it asks for your password, enable password, conf t, etc...

The sleep(1) in the for loop controls the speed of this process; without the sleep you may overload your PIX and not all of your statements may get recorded...   When I am creating large lists and I do not want to have to wait 1 second between each iteration, I use "use Time::HiRes qw(sleep);", which enables you to sleep for portions of a second, like: sleep(.25);

Hope this helps you out!




#!/usr/bin/perl
use Net::Telnet ();
 
$t = new Net::Telnet;
### YOUR IP GOES BELOW HERE
$t->open("1.2.3.4");
print "Session opened...\n";
 
$t->waitfor('/Password:/');
$t->print("YOURPASSWORD");
print "Authenticated...\n";
 
$t->waitfor('/>/');
$t->print("en");
 
$t->waitfor('/Password:/');
$t->print("ENABLEPASSWORD");
print "Enabled...\n";
 
$t->waitfor('/#/');
$t->print("conf t");
print "Conf t...\n";
 
foreach $num(63000..64000)  {
sleep(1);
$t->print("ip nat inside source static tcp 172.24.10.153 63000 xxx.xxx.xxx.66 63000 route-map no-vpn-nat");
}
 
print "Exiting...\n"; 
$t->print("exit");
$t->print("exit");
 
exit();


ARRRGGGGHHHH!!!!
Error in my code on my last post!!!

In the print statement  within the foreach loop, the port number 63000 should be replaced with $num like below:

$t->print("ip nat inside source static tcp 172.24.10.153 $num xxx.xxx.xxx.66 $num route-map no-vpn-nat");

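The script above pushes one line per port straight into the router over telnet. The following is an added example, not code from this thread or from onethreefour: it generates the same per-port "ip nat inside source static tcp" entries offline for both servers, using the inside addresses, outside address, port ranges and route-map name that appear in the posted configuration, and refuses to emit anything if two servers would claim the same outside port (a silent second entry for the same port is the usual way a batch like this ends up sending one server's FTP data connections to the other). The server table, the collision check and the helper names are assumptions of this example; the output can then be pasted into conf t, or fed to a telnet/SSH loop like the one above, after review.

```python
"""Generate static PAT entries for passive-FTP port ranges and detect overlaps.

Added example for this thread, not the original poster's configuration.
Addresses, ranges and route-map name are copied from the config posted above;
the generator, the SERVERS table and the collision check are assumptions.
"""
from collections import defaultdict

OUTSIDE_IP = "xxx.xxx.xxx.66"   # placeholder outside address, as written in the thread
ROUTE_MAP = "no-vpn-nat"         # route-map that keeps VPN traffic out of NAT

# (inside host, first port, last port) -- constructed from ACLs 103 and 104 above
SERVERS = [
    ("172.24.10.153", 63000, 63499),   # SVR1 passive-FTP data ports
    ("172.24.10.169", 63500, 63999),   # SVR2 passive-FTP data ports
]


def static_pat_lines(inside_ip, first, last, outside_ip=OUTSIDE_IP, route_map=ROUTE_MAP):
    """IOS 'ip nat inside source static tcp' lines for one contiguous port range."""
    return [
        f"ip nat inside source static tcp {inside_ip} {port} {outside_ip} {port} route-map {route_map}"
        for port in range(first, last + 1)
    ]


def port_owners(servers):
    """Map each outside port to every inside host that would claim it."""
    owners = defaultdict(list)
    for inside_ip, first, last in servers:
        for port in range(first, last + 1):
            owners[port].append(inside_ip)
    return owners


def collisions(servers):
    """Sorted list of outside ports claimed by more than one inside host."""
    return sorted(port for port, hosts in port_owners(servers).items() if len(hosts) > 1)


def acl_range_lines(acl, servers, outside_ip=OUTSIDE_IP):
    """The matching outside-interface ACL permits, one 'range' entry per server."""
    return [
        f"access-list {acl} permit tcp any host {outside_ip} range {first} {last}"
        for _, first, last in servers
    ]


def build_config(servers):
    """All static PAT lines for every server; raises instead of emitting a clashing set."""
    clash = collisions(servers)
    if clash:
        raise ValueError(f"outside ports claimed by more than one host: {clash[:5]} ...")
    lines = []
    for inside_ip, first, last in servers:
        lines.extend(static_pat_lines(inside_ip, first, last))
    return lines


if __name__ == "__main__":
    cfg = build_config(SERVERS)
    print(f"! {len(cfg)} static PAT entries generated")
    print("\n".join(cfg))
    print("! matching outside ACL entries")
    print("\n".join(acl_range_lines(102, SERVERS)))
```

Running it prints 1000 NAT lines (500 per server) plus the two "range" permits that ACL 102 already carries; changing either server's range so that it overlaps the other makes build_config raise before any line is produced.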

Author

Commented:
onethreefour:

Just what the doctor ordered.  I'm not great at Cisco configs (yet, but I'm learning thanks to all the good folks like you here at e-e).

I thought that 1,000 nat statements would be too much for the router to handle.  But your script makes it super easy.  Too bad Cisco didn't build a feature like this into their CLI.

Thanks!
-- Jim
