Hi there, everybody!
This post addresses the issue of a NAT port-range mapping not working correctly, as part of the Troubleshooting Series on the Community. Please see more details as you read further down this post.
PHYSICAL NETWORK TOPOLOGY
The PC needs to access the Internet.
PC1 needs a NAT server configured for TCP port 3443 using the global IP address 10.1.1.1.
PC2 needs a NAT server configured for TCP ports 40000 to 45000 using the global IP address 10.1.1.2.
Figure 1-1. NAT not working correctly
ISSUE DESCRIPTION
The customer can't access the Internet, and the NAT port-range mapping for PC2 doesn't work.
CONFIGURATION FILES
#
sysname Router
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
 nat server protocol udp global current-interface 3443 inside 192.168.1.1 3443
#
interface GigabitEthernet0/0/2
 ip address 192.168.1.2 255.255.255.0
#
TROUBLESHOOTING LOCATION
Troubleshooting procedure
Step 1. Check whether PC1 and PC2 can ping 8.8.8.8. If they can't, check the router and NAT configuration.
Step 2. To access the Internet, you need to configure NAT outbound, as follows:
acl 3000
 rule 5 permit ip
interface GigabitEthernet0/0/1
 nat outbound 3000
Step 3. To configure port-range NAT mapping for PC2, configure the following:
acl 3333
 rule 5 permit udp destination-port range 40000 45000
interface GigabitEthernet0/0/1
 nat server protocol udp global 10.1.1.2 inside 192.168.1.1 acl 3333
----End
ROOT CAUSE
The customer didn't configure NAT outbound for Internet access.
On V2R7, there is a limitation when using port-range NAT mapping: the port range must be defined through an ACL. Also, once a NAT command is configured with an ACL, its global IP address can't be used again in another NAT command.
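The two root causes above can be checked mechanically before a configuration is pushed. The following Python sketch is an added example, not part of the original post or any Huawei tool: it parses only the command forms shown in this post, and the sample's third nat server line (inside address 192.168.1.3, port 5000) is a hypothetical mapping constructed to trigger the global-IP reuse check.

```python
import re

# Constructed sample: the post's WAN interface with the Step 3 mapping, plus a
# hypothetical third mapping that reuses 10.1.1.2 so the V2R7 check fires.
SAMPLE = """\
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
 nat server protocol udp global current-interface 3443 inside 192.168.1.1 3443
 nat server protocol udp global 10.1.1.2 inside 192.168.1.1 acl 3333
 nat server protocol udp global 10.1.1.2 5000 inside 192.168.1.3 5000
#
"""

NAT_SERVER = re.compile(r"nat server protocol \S+ global (\S+)(.*)")

def audit(config):
    """Return (finding, subject) tuples for the two root causes in the post."""
    interfaces = {}   # name -> {"addr", "outbound", "servers": [(global, has_acl)]}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(
                line.split()[1], {"addr": None, "outbound": False, "servers": []})
        elif line == "#":
            current = None                      # "#" closes a config section
        elif current is not None:
            match = NAT_SERVER.match(line)
            if line.startswith("ip address "):
                current["addr"] = line.split()[2]
            elif line.startswith("nat outbound "):
                current["outbound"] = True
            elif match:
                has_acl = re.search(r"\bacl \d+", match.group(2)) is not None
                current["servers"].append((match.group(1), has_acl))
    findings, uses, acl_bound = [], {}, set()
    for name, data in interfaces.items():
        if data["servers"] and not data["outbound"]:
            findings.append(("missing-nat-outbound", name))
        for glob, has_acl in data["servers"]:
            # "current-interface" stands for the interface's own address
            addr = data["addr"] if glob == "current-interface" else glob
            uses[addr] = uses.get(addr, 0) + 1
            if has_acl:
                acl_bound.add(addr)
    # V2R7: a global IP bound to an ACL-based mapping must not appear in another
    findings += [("global-reused-with-acl", a) for a in sorted(acl_bound) if uses[a] > 1]
    return findings
```

Calling audit(SAMPLE) reports the missing nat outbound on GigabitEthernet0/0/1 and the reuse of 10.1.1.2; a configuration that follows Steps 2 and 3 returns an empty list.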