Cisco IOS XE NAT port-forwarding with multiple ports

I am looking for the best approach to organize NAT port-forwarding. The setup is simple: a router with one global IP and a local network behind it. Sometimes I need to pass multiple ports into the office network to provide a service. Using the straightforward approach, one set of rules for one service would look like:
ip nat inside source static udp 10.1.1.200 28017 interface GigabitEthernet0/0/0 28017
ip nat inside source static udp 10.1.1.200 28015 interface GigabitEthernet0/0/0 28015
ip nat inside source static tcp 10.1.1.200 28083 interface GigabitEthernet0/0/0 28083
ip nat inside source static tcp 10.1.1.200 28015 interface GigabitEthernet0/0/0 28015

Using ZBFW, I have to put those ports into the ZBFW access-list too:
ip access-list extended pub-pri-acl
permit tcp any host 10.1.1.200 eq 28015
permit tcp any host 10.1.1.200 eq 28083
permit udp any host 10.1.1.200 eq 28015
permit udp any host 10.1.1.200 eq 28017

It is working fine, but there are multiple sets of that type and it's a mess of 200+ ports mixed together, so I am looking for a way to organize them better. What I want is:

Separate each set of ports under one name, to understand why those were added and which ports belong to one set, so they can be removed or added accordingly.
Preferably describe ports for NAT and ZBFW in one access-list.
Preferably set ports in ranges.

Example 1 of what I have tried so far:
ip access-list extended nat-srv-acl-service
permit tcp any any eq 28015
permit udp any any eq 28015
permit udp any any eq 28017
permit tcp any any eq 28083
route-map nat-srv-rmap-service permit 10
match ip address nat-srv-acl-service
ip nat inside source static 10.1.1.200 100.64.21.3 route-map nat-srv-rmap-service

where 100.64.21.3 is the external router address. But this set seems to disrupt all the network to the router itself. My best guess is that the route-map here works like a filter, but the NAT stays all-ports to all-ports.
Example 2:
ip nat inside source route-map nat-srv-rmap-service interface GigabitEthernet0/0/0 overload
ip access-list extended nat-srv-acl-service
permit tcp any any eq 28015
permit udp any any eq 28015
permit udp any any eq 28017
permit tcp any any eq 28083
route-map nat-srv-rmap-service permit 10
match ip address nat-srv-acl-service
match interface GigabitEthernet0/0/0
set ip next-hop 10.1.1.200

And this one does not work at all.
Example 3, which I used to have on IOS:
object-group network nat-gate-og
host 100.64.21.3
object-group service nat-service-og
tcp eq 28015
udp eq 28015
udp eq 28017
tcp eq 28083
ip access-list extended nat-service-acl
permit object-group nat-service-og any object-group nat-gate-og
ip nat pool nat-daisy-pool 10.1.1.200 10.1.1.200 netmask 255.255.255.0 type rotary
ip nat inside destination list nat-service-acl pool nat-daisy-pool

Not working on IOS XE at all. However, deleting the NAT entry says it is in use, but no packets are going through.
Is there any way to achieve my goals?
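The following is an added example, not part of the question above and not the poster's own configuration. It takes the one approach the question already reports as working on IOS XE (one per-port `ip nat inside source static tcp|udp ... interface ...` line plus a matching `permit` in the ZBFW access-list) and generates those lines from a named service definition, so each set of ports lives under one name, ranges are written once and expanded by the script, and a whole set can be torn down with the `no` forms. The service names `game-server` and `voice`, the second host 10.1.1.201 and the 27015-27020 range are constructed for illustration; the ACL `remark` and `range lo hi` operators are standard IOS named-ACL syntax. It says nothing about whether any of the route-map or rotary-pool variants in the question can be made to work.

```python
"""Generate IOS XE port-forward config from named service definitions.

Each Service groups the TCP/UDP ports one application needs under a name.
The generator expands ranges and emits (a) per-port static NAT lines in the
form the question reports as working, and (b) the matching ZBFW access-list
entries, labelled with a remark, so a set is added or removed as a unit.
"""
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high)


@dataclass
class Service:
    name: str                                   # label for this set of ports
    inside_host: str                            # internal host the ports go to
    tcp: List[PortRange] = field(default_factory=list)
    udp: List[PortRange] = field(default_factory=list)


def _ports(ranges: List[PortRange]) -> Iterator[int]:
    """Expand inclusive ranges into individual ports, validating bounds."""
    for low, high in ranges:
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range {low}-{high}")
        yield from range(low, high + 1)


def nat_lines(svc: Service, outside_if: str, remove: bool = False) -> List[str]:
    """One static NAT line per port, same shape as the working config in the
    question; remove=True emits the 'no' form of each line."""
    no = "no " if remove else ""
    return [
        f"{no}ip nat inside source static {proto} {svc.inside_host} {port} "
        f"interface {outside_if} {port}"
        for proto, ranges in (("tcp", svc.tcp), ("udp", svc.udp))
        for port in _ports(ranges)
    ]


def acl_lines(svc: Service, remove: bool = False) -> List[str]:
    """ACEs for the ZBFW access-list. A remark names the set; multi-port
    ranges stay compact via 'range lo hi' instead of one ACE per port."""
    no = "no " if remove else ""
    lines = [f"{no}remark {svc.name}"]
    for proto, ranges in (("tcp", svc.tcp), ("udp", svc.udp)):
        for low, high in ranges:
            list(_ports([(low, high)]))  # bounds check only
            match = f"eq {low}" if low == high else f"range {low} {high}"
            lines.append(f"{no}permit {proto} any host {svc.inside_host} {match}")
    return lines


def render(services: List[Service], outside_if: str, acl_name: str,
           remove: bool = False) -> str:
    """Full snippet: NAT statements grouped per service, then the ACL block."""
    out: List[str] = []
    for svc in services:
        out.append(f"! service: {svc.name}")   # '!' is an IOS config comment
        out.extend(nat_lines(svc, outside_if, remove))
    out.append(f"ip access-list extended {acl_name}")
    for svc in services:
        out.extend(" " + line for line in acl_lines(svc, remove))
    return "\n".join(out)


# Constructed sample mirroring the port set in the question; the name is hypothetical.
GAME = Service("game-server", "10.1.1.200",
               tcp=[(28015, 28015), (28083, 28083)],
               udp=[(28015, 28015), (28017, 28017)])
# Second constructed set (hypothetical host and ports) to show range expansion.
VOICE = Service("voice", "10.1.1.201", udp=[(27015, 27020)])

if __name__ == "__main__":
    print(render([GAME, VOICE], "GigabitEthernet0/0/0", "pub-pri-acl"))
```

Keeping the service definitions in a file under version control and pasting the rendered output into the router turns "which ports belong to which set" into a diff question rather than a search through 200 unlabelled lines; `render(..., remove=True)` produces the matching teardown for one set.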
