Port Handling for Interface Overload Mapping

This feature allows you to configure the range of ports used in NAT interface overload mapping.

Information About Port Handling in Interface Overload Mapping

The Port Handling for Interface Overload Mapping feature allows you to set the port range for NAT interface overload mapping. It also allows you to block a specific port from being used in interface overload mapping. You must set the port range (see Configuring a Port Range for Interface Overload Mapping below) before specifying an interface overload mapping command; for example, ip nat inside source list list1 interface gig0/0/1.

Clearing Allocated Port Ranges

When an interface address is configured as a global address for NAT translation, the transport port manager (TPM) initially allocates ports. This ensures that applications initiated on the NAT router use different address and port combinations for communication. After all interface overload mappings are removed from the router (for example, using the no ip nat inside source list list1 interface gig0/0/1 command) this feature ensures that any unused port allocations are returned to the TPM.

Configuring a Port Range for Interface Overload Mapping

The ip nat settings interface-overload port range command sets the port range that NAT can use to request ports from the TPM. You can specify a port range within the range 1024–65535. For example, if you need to use port 4500 for IPsec and prefer not to use any ports below 4500, you can specify the port range 4501–65535.

Ensure that you configure the port range before further configuration of interface overload mapping. After an interface overload mapping has been configured, if you then try to change the range, an error message is produced.

The ip nat settings interface-overload port range command is only applicable when it occurs before an interface overload mapping command. For example, ip nat inside source list list1 interface gig0/0/1.

Blocking a Port from Interface Overload Mapping

The ip nat settings interface-overload block port command blocks a single port in the port range from being used for interface overload mapping. You can use this command for a well-known port; for example, where an application needs unrestricted access to a specific port on the NAT router. If you use this command for a port that is already part of a range used for interface overload mapping, the existing translations for the port are cleared.

Restrictions for Port Handling in Interface Overload Mapping

  • The port-related commands that are mentioned in this Port Handling for Interface Overload Mapping feature, are only for interface overload mappings. They are not intended to be used for configuring ports for a NAT pool.

  • Commands that are shown in the configuration steps for port handling set the port range for all interface-based mappings. That is, you cannot configure ports per interface.

How to Configure Interface Overload Mapping

Configuring the Port Range for Interface Overload Mapping

To configure a port range for interface overload mapping:

configure terminal

ip nat settings interface-overload port range start 5062 end 6200

You can specify a port range that starts and ends within: 1024–65535. If you do not explicitly specify the port range using this command, the range is considered as: 5602–65000.


Note

If you change the range when there are already interface overload mappings configured on the router, it results in an error. In such a situation, you can either remove all interface overload mappings and configure them again or restart the router.

Note

The ip nat settings interface-overload port range command configures the ports for all interface based mappings—you cannot set a range of ports per interface.

Verifying the Port Range for Interface Overload Mapping

Use the show ip nat portblock dynamic global detail command to verify the port ranges.

show ip nat portblock dynamic global detail

The following example output includes the 5062 - 6085 port ranges (1024 ports) that result from the previously configured range of 5062–6200.
tcp:
5062 - 6085 (config) rfcnt 1
545 - 617 (config) rfcnt 1

udp:
5062 - 6085 (config) rfcnt 1
545 - 617 (config) rfcnt 1

Blocking a Port for Interface Overload Mapping

Use the ip nat settings interface-overload block port command to block a port (within the range 1024–65535) for interface overload mapping.

The following commands block the specified ports from being used in interface overload mapping.

ip nat settings interface-overload block port tcp 5099

ip nat settings interface-overload block port udp 5060