Huboon Stomp

Have you ever had to deal with something so insanely stupid, that you just know it's going to ruin your week?
Then as time goes on, you realize that your previously-thought-to-be-over-apathetic assumptions were actually fairly conservative?
Thanks Alvarion, thanks a #$%*^)$ bunch. January 24th, and I'm already considering the year ruined.

It occurred to me today that there has to be a better way of doing port ranges on non-ASA, non-PIX (i.e. plain IOS) routers. That is, a better way than this:

R2# sh run | incl ip nat
ip nat inside source static tcp 10.0.0.25 5001 interface FastEthernet 0/0 5001
ip nat inside source static tcp 10.0.0.25 5002 interface FastEthernet 0/0 5002
ip nat inside source static tcp 10.0.0.25 5003 interface FastEthernet 0/0 5003
ip nat inside source static tcp 10.0.0.25 5004 interface FastEthernet 0/0 5004
...



And, here's what I came up with after a bit of screwing around:

R2(config)#do sh run | incl ip nat
ip nat pool 172-16-0-21 172.16.0.21 172.16.0.21 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside destination list 100 pool 172-16-0-21
R2(config)#do sh run | incl access-list
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 100 remark Test NAT port range for stupid machine
access-list 100 permit tcp any any range 5000 5010
R2(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.0.0.1:5001      172.16.0.21:5001   10.0.0.254:17855   10.0.0.254:17855
tcp 10.0.0.1:5002      172.16.0.21:5002   10.0.0.254:41679   10.0.0.254:41679
tcp 10.0.0.1:5003      172.16.0.21:5003   10.0.0.254:57521   10.0.0.254:57521
tcp 10.0.0.1:5004      172.16.0.21:5004   10.0.0.254:35512   10.0.0.254:35512
tcp 10.0.0.1:5005      172.16.0.21:5005   10.0.0.254:42845   10.0.0.254:42845
tcp 10.0.0.1:5006      172.16.0.21:5006   10.0.0.254:61046   10.0.0.254:61046
tcp 10.0.0.1:5007      172.16.0.21:5007   10.0.0.254:47539   10.0.0.254:47539

So, ssh'ing from the outside to a BSD qemu host on 172.16.0.21 with sshd listening on a few dozen ports, and whammo: it seems to work just fine, and that config looks so much nicer.
I don't see why UDP wouldn't work either (ACL 100 only permits tcp as written, so you'd add a udp line), and you could presumably add more fine-grained stuff to the ACL, e.g. restricting which outside sources may hit the forwarded range, instead of a hojillion separate ip nat inside source static tcp <host> <port> interface <foobar> <port> statements.
AND, you get to put remarks in an ACL. Joy of Joys!
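As an added example (not from the original post), here is a Python check to run over `show ip nat translations` output, which confirms that every entry in the forwarded 5000-5010 range actually landed on 172.16.0.21 with the port preserved, and leaves the ordinary overload sessions alone. It assumes what the config above shows: FastEthernet0/0 is 10.0.0.1, the rotary pool holds that single host, and ACL 100 permits tcp only. The sample input is the seven entries from the post plus two constructed lines: one normal outbound PAT session (to be ignored) and one deliberately broken forward (to be flagged).

```python
"""Audit `show ip nat translations` against an intended rotary-pool
port-range forward.  Added example, not code from the original post."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumptions taken from the config in the post: Fa0/0 is 10.0.0.1, the
# rotary pool holds only 172.16.0.21, and ACL 100 permits tcp range 5000-5010.
ROUTER_GLOBAL = ipaddress.ip_address("10.0.0.1")
FORWARD_HOST = ipaddress.ip_address("172.16.0.21")
FORWARD_PORTS = range(5000, 5011)  # IOS 'range 5000 5010' is inclusive

Endpoint = Tuple[ipaddress.IPv4Address, int]


@dataclass(frozen=True)
class Xlate:
    proto: str
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Endpoint
    outside_global: Endpoint


def _endpoint(field: str) -> Endpoint:
    """Split 'a.b.c.d:port' into (IPv4Address, int)."""
    host, _, port = field.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def parse_translations(text: str) -> List[Xlate]:
    """Parse the five-column port-translation lines; skip the header and
    any '---' (address-only) entries."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro" or "---" in fields:
            continue
        proto, ig, il, ol, og = fields
        entries.append(Xlate(proto.lower(), _endpoint(ig), _endpoint(il),
                             _endpoint(ol), _endpoint(og)))
    return entries


def is_forward(e: Xlate) -> bool:
    """True when the entry came from the inside-destination (rotary) rule:
    it terminates on the router's global address inside the ACL port range."""
    ip, port = e.inside_global
    return ip == ROUTER_GLOBAL and port in FORWARD_PORTS


def audit_forwards(entries: List[Xlate]) -> List[Tuple[Xlate, str]]:
    """Return (entry, reason) for every forward that did not land on the
    expected host with the port preserved.  Entries outside the range are
    ordinary PAT sessions created by the overload rule and are left alone."""
    problems = []
    for e in entries:
        if not is_forward(e):
            continue
        port = e.inside_global[1]
        if e.proto != "tcp":
            # ACL 100 permits tcp only, and Cisco documents rotary
            # inside-destination NAT as TCP load distribution.
            problems.append((e, f"non-tcp forward ({e.proto}) on port {port}"))
        elif e.inside_local != (FORWARD_HOST, port):
            problems.append((e, f"port {port} landed on "
                                f"{e.inside_local[0]}:{e.inside_local[1]}, "
                                f"expected {FORWARD_HOST}:{port}"))
    return problems


def forwarded_ports(entries: List[Xlate]) -> List[int]:
    """Sorted list of range ports that currently have a live forward."""
    return sorted({e.inside_global[1] for e in entries if is_forward(e)})


# Constructed sample: the seven lines shown in the post, plus two made-up
# lines - an outbound PAT session (should be ignored) and a forward whose
# port was not preserved (should be flagged).
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.0.0.1:5001      172.16.0.21:5001   10.0.0.254:17855   10.0.0.254:17855
tcp 10.0.0.1:5002      172.16.0.21:5002   10.0.0.254:41679   10.0.0.254:41679
tcp 10.0.0.1:5003      172.16.0.21:5003   10.0.0.254:57521   10.0.0.254:57521
tcp 10.0.0.1:5004      172.16.0.21:5004   10.0.0.254:35512   10.0.0.254:35512
tcp 10.0.0.1:5005      172.16.0.21:5005   10.0.0.254:42845   10.0.0.254:42845
tcp 10.0.0.1:5006      172.16.0.21:5006   10.0.0.254:61046   10.0.0.254:61046
tcp 10.0.0.1:5007      172.16.0.21:5007   10.0.0.254:47539   10.0.0.254:47539
tcp 10.0.0.1:1024      172.16.0.21:49152  10.0.0.254:22      10.0.0.254:22
tcp 10.0.0.1:5009      172.16.0.21:5008   10.0.0.254:50123   10.0.0.254:50123
"""

if __name__ == "__main__":
    xl = parse_translations(SAMPLE)
    print("forwarded ports:", forwarded_ports(xl))
    for e, why in audit_forwards(xl):
        print("PROBLEM:", why)
```

One thing the check does not cover is exposure: because ACL 100 is `permit tcp any any range 5000 5010`, anything on the outside that reaches Fa0/0 on those ports gets handed to 172.16.0.21, exactly like the pile of static entries did. If the range is only meant for particular peers, narrow the source in ACL 100 rather than relying on the host behind it.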

In doing this, I also learned that enabling NAT on a 3725 in GNS is a bad plan when your router only has 128 MB of RAM. Though the fireworks display is impressive, it's not pleasant at the same time.

Horosho!