(EDIT)
It seems that inside->outside works as expected, as seen in the answer below, but outside->inside actually does not; it allows everything, as OP suggested.
Adding 'reversible' to the NAT line, it starts to honor the route-map for outside->inside; unfortunately it does not seem to work with ports:
- permit ip any host 194.100.7.226 works
- permit tcp any any works
- permit tcp any any eq 80 no match, does not work
- permit tcp any eq 80 any match, does not work
- permit tcp any eq 80 host 194.100.7.226 match, does not work
- permit tcp any eq 0 host 194.100.7.226 works
At '194.100.7.226' I'm doing 'telnet 91.198.120.222 80', that is, my source is 194.100.7.226:ephemeral and my destination is 91.198.120.222:80. As example #1 works, we can conclude that reversible actually 'reverses' the ACL, so that it works in the same manner in both directions, which makes sense.
When the connection matches but does not work, in the 'deny any any log-input' line I get this:
.Jul 7 07:58:59.118 UTC: %SEC-6-IPACCESSLOGP: list MOO denied tcp 91.198.120.2(0) (Tunnel101 ) -> 194.100.7.226(0), 1 packet
So it really seems that the L4 protocol type is carried, but ports are not carried during the NAT reversal. So outside->inside ranges do not work.
As suggested in the question Cisco 867 forward UDP port range, this works for outside->inside:
ip nat pool MOO 91.198.120.2 91.198.120.2 prefix-length 30 type rotary
ip nat inside destination list MOO pool MOO
ip access-list extended MOO
permit tcp any any range 22 100
deny ip any any log-input
It's a bit ghetto, I feel, as you don't have good control over the outside IP. The pool is the inside IP; the outside IP is the router's outside IP.
Original answer, of inside->outside working with ports:
ip nat inside source static 91.198.120.2 91.198.120.222 route-map MOO
!
ip access-list extended MOO
permit icmp any any
permit tcp any any range 22 telnet
!
route-map MOO permit 100
match ip address MOO
!
route-map MOO deny 200
!
@91.198.120.2 I'm doing:
- telnet testhost 22
- telnet testhost 23
- telnet testhost 24
At testhost I can observe:
1 0.000000 91.198.120.222 -> 194.100.7.226 TCP 74 50925 > ssh [SYN] Seq=0 Win=14600 Len=0 MSS=1350 SACK_PERM=1 TSval=7995067 TSecr=0 WS=128
2 9.838471 91.198.120.222 -> 194.100.7.226 TCP 74 41586 > telnet [SYN] Seq=0 Win=14600 Len=0 MSS=1350 SACK_PERM=1 TSval=7997586 TSecr=0 WS=128
5 16.773181 91.198.120.2 -> 194.100.7.226 TCP 74 53307 > 24 [SYN] Seq=0 Win=14600 Len=0 MSS=1350 SACK_PERM=1 TSval=7999327 TSecr=0 WS=128
Tested on:
bu.ip.fi#sh ver | i ^Cisco
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T5, RELEASE SOFTWARE (fc1)
Cisco 881G (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memory.
bu.ip.fi#
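The diagnostic in this answer is the 'deny ip any any log-input' hit where both ports show as (0) even though the protocol is tcp. The following parser is an added example, not part of the original answer: it pulls the fields out of %SEC-6-IPACCESSLOGP lines and flags exactly that symptom (an L4 protocol matched but both ports zero), so you can tell from the log alone whether the NAT reversal dropped port information. The first sample line is the one quoted above; the other two lines are constructed here to show what an ordinary log-input hit looks like when ports are still present. The field layout assumed is 'list <acl> <permitted|denied> <proto> <src>(<sport>) (<intf> [mac]) -> <dst>(<dport>), <n> packet(s)'; the MAC is absent on tunnel interfaces, as in the quoted line.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample input for this example. The first line is the log hit
# quoted in the answer; the second and third are made up and show a denied
# and a permitted hit that still carry real L4 ports.
SAMPLE_LOGS = [
    ".Jul 7 07:58:59.118 UTC: %SEC-6-IPACCESSLOGP: list MOO denied tcp "
    "91.198.120.2(0) (Tunnel101 ) -> 194.100.7.226(0), 1 packet",
    ".Jul 7 08:01:12.004 UTC: %SEC-6-IPACCESSLOGP: list MOO denied tcp "
    "198.51.100.9(51234) (Tunnel101 ) -> 91.198.120.222(23), 1 packet",
    ".Jul 7 08:02:40.777 UTC: %SEC-6-IPACCESSLOGP: list MOO permitted udp "
    "198.51.100.9(500) (Tunnel101 ) -> 91.198.120.222(500), 3 packets",
]

# Assumed IPACCESSLOGP layout (log-input variant). The interface group is
# optional so plain 'log' entries, which omit it, parse as well.
_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"(?:\((?P<intf>[^)]*)\) )?-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<packets>\d+) packets?"
)


@dataclass
class AclLogHit:
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    intf: Optional[str]
    packets: int

    def ports_stripped(self) -> bool:
        """True when a port-bearing protocol was matched with both ports 0.

        This is the symptom described above: the reversed lookup keeps the
        L4 protocol but not the ports, so any ACE using eq/range can never
        match and the packet falls through to the logging deny.
        """
        return self.proto in ("tcp", "udp") and self.sport == 0 and self.dport == 0


def parse_hit(line: str) -> Optional[AclLogHit]:
    """Parse one syslog line; return None if it is not an IPACCESSLOGP hit."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    intf_field = m.group("intf")
    # log-input prints '(<interface> <mac>)'; on tunnels the MAC is empty,
    # which leaves a trailing space inside the parentheses.
    intf = intf_field.split()[0] if intf_field and intf_field.split() else None
    return AclLogHit(
        acl=m.group("acl"),
        action=m.group("action"),
        proto=m.group("proto"),
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
        intf=intf,
        packets=int(m.group("packets")),
    )


def find_stripped_hits(lines: Iterable[str]) -> List[AclLogHit]:
    """Return only the hits where L4 ports were lost, i.e. the NAT-reversal case."""
    hits = (parse_hit(line) for line in lines)
    return [h for h in hits if h is not None and h.ports_stripped()]


if __name__ == "__main__":
    for hit in find_stripped_hits(SAMPLE_LOGS):
        print(f"{hit.acl}: {hit.proto} {hit.src} -> {hit.dst} on {hit.intf} "
              f"matched with ports stripped ({hit.packets} packet(s))")
```

Run it against a syslog export from the router: if every deny for the affected flow shows up as ports-stripped while normal hits on the same ACL show real ports, the ACL itself is fine and it is the reversal path that is losing the port information, which is what the tests above demonstrate.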
Here's an example configuration for what you're looking to accomplish.
First, create an object for your server:
object network SRV1
host 10.203.5.1
Next, create the PAT rule that uses your outside interface IP:
object network SRV1
nat (inside,outside) static interface service tcp 3389 10001
The packet-processing order of operations on 8.2 code and below is ACL --> NAT. On post-8.3 code it is NAT --> ACL, so your ACL will have a permit to the inside network IP.
Finally, create your ACL rule (assuming your access list name is outside_access_in):
access-list outside_access_in extended permit tcp any object SRV1 eq 3389
Rinse and repeat.
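"Rinse and repeat" is where mistakes creep in once there are several forwards, so here is an added helper, not part of the original answer, that renders the object / object-NAT / ACL triple shown above for a list of forwards and refuses two things before emitting anything: reusing the same outside proto/port on the interface IP (the interface has one address, so each mapped port can be taken once) and putting two forwards on one network object (a network object carries a single nat statement, so a second port for the same server needs a second object pointing at the same host). The Forward dataclass, the render_asa_forwards name and the sample entries are assumptions for this example; the command syntax is the one from the answer, with the ACL matching the real IP and real port as the post-8.3 note requires.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Forward:
    """One static PAT entry. Names and fields are this example's own."""
    obj: str          # network object name, e.g. SRV1
    real_ip: str      # inside (real) host address
    proto: str        # tcp or udp
    real_port: int    # port the server actually listens on
    mapped_port: int  # port exposed on the outside interface IP


def validate_forwards(forwards: List[Forward]) -> None:
    """Reject combinations the ASA cannot hold at the same time."""
    seen_mapped = set()
    seen_obj = set()
    for f in forwards:
        if f.proto not in ("tcp", "udp"):
            raise ValueError(f"{f.obj}: service must be tcp or udp, not {f.proto!r}")
        for p in (f.real_port, f.mapped_port):
            if not 1 <= p <= 65535:
                raise ValueError(f"{f.obj}: port {p} out of range")
        key = (f.proto, f.mapped_port)
        if key in seen_mapped:
            raise ValueError(f"{f.obj}: outside {f.proto}/{f.mapped_port} is already mapped")
        seen_mapped.add(key)
        # A network object holds one nat statement; a second port on the same
        # server must live in its own object (e.g. SRV1-RDP and SRV1-SSH).
        if f.obj in seen_obj:
            raise ValueError(f"{f.obj}: object already carries a nat statement")
        seen_obj.add(f.obj)


def render_asa_forwards(forwards: List[Forward],
                        acl_name: str = "outside_access_in") -> str:
    """Return ASA 8.3+ configuration text for the given forwards."""
    validate_forwards(forwards)
    lines: List[str] = []
    for f in forwards:
        lines.append(f"object network {f.obj}")
        lines.append(f" host {f.real_ip}")
        # Object NAT: real port first, mapped (outside) port second.
        lines.append(f" nat (inside,outside) static interface service "
                     f"{f.proto} {f.real_port} {f.mapped_port}")
    lines.append("!")
    for f in forwards:
        # Post-8.3 the ACL is evaluated against the real address and port.
        lines.append(f"access-list {acl_name} extended permit {f.proto} "
                     f"any object {f.obj} eq {f.real_port}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the RDP forward from the answer plus one SSH forward.
    sample = [
        Forward("SRV1", "10.203.5.1", "tcp", 3389, 10001),
        Forward("SRV1-SSH", "10.203.5.1", "tcp", 22, 10022),
    ]
    print(render_asa_forwards(sample), end="")
```

Paste the output in configuration mode; the validation only catches overlaps inside the list you hand it, so check 'show nat' on the box for existing static entries on the interface IP before adding more.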
Best Answer
You need to use ACLs, which would stop all traffic that isn't defined in the ACL rules. If you have only
nat(inside,outside)
that will allow all traffic out and block all traffic in. There are some specially crafted packets that might get around this, but that is most likely to be done by an ISP. Take a look at this doc: http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
You need something like this:
I don't have a router to experiment on right now but will try to pull a config segment if you can't get it going.
Here is another resource similar to your question. https://supportforums.cisco.com/discussion/11593786/nat-udp-port-range-forwarding-howto