Configuring Network Address Translation
Configuring NAT
6-12
Table 6-4. Specifying Ports in Extended ACLs

Option                                          Explanation
eq <port number>                                the specified port only
gt <port number>                                all ports with a number larger than the port number you specify (not including the specified port)
lt <port number>                                all ports with a number smaller than the port number you specify (not including the specified port)
range <first port number> <last port number>    all ports from the first port number through the last port number (inclusive)
neq <port number>                               all ports except the port number you specify
When you finish configuring the ACL, enter exit to return to the global
configuration mode context where you can configure the ACP.
Configuring an Extended ACL for Many-to-One NAT. You can also configure an extended ACL for many-to-one NAT. You may need this option if your router provides both an Internet connection and a connection to a remote private network: traffic to the Internet must be translated to the public address, but traffic to the remote private network should keep its private source addresses. If you do not want the Secure Router OS firewall to NAT traffic sent to the remote private network, complete these steps:
1. Create the extended ACL.
Syntax: ip access-list extended <listname>
2. Deny traffic destined to the remote private network. In an ACL used to select traffic for NAT, a deny entry does not drop the traffic; it excludes the traffic from this ACL so that the NAT entry in the ACP does not translate it.
Syntax: deny <protocol> <source address> [<source port>] <destination address> [<destination port>]
For example, enter:
ProCurve(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
3. Enter a permit entry to select all other traffic for NAT.
Syntax: permit <protocol> <source address> [<source port>] <destination address> [<destination port>]
Use the any option for the destination. For example, enter:
ProCurve(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any
4. Configure a second ACL to select the traffic to the remote private network. Because the first ACL excludes this traffic rather than forwarding it, the ACP needs a separate entry for it; otherwise the ACP discards it.
When you configure the ACP, create a NAT entry for the first ACL and another entry to allow the traffic selected by the second ACL.
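The complete configuration for the four steps above, as an added example that is not part of the manual's own text. The ACL commands follow the syntax given on this page; the ACP (policy-class) commands, the list names NatList and RemoteList, the policy-class name Private, and the interface names (ppp 1 as the Internet link, ethernet 0/1 as the LAN) are assumptions for illustration. The addresses are the constructed ones from the examples above: 192.168.1.0/24 is the local LAN and 192.168.2.0/24 is the remote private network.

```text
! Added example, not from the original page. Assumed addresses:
! local LAN 192.168.1.0/24, remote private network 192.168.2.0/24.

! Step 1-3: ACL that selects traffic for many-to-one NAT.
! The deny entry excludes remote-private-network traffic from NAT;
! it does not drop that traffic.
ProCurve(config)# ip access-list extended NatList
ProCurve(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ProCurve(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any
ProCurve(config-ext-nacl)# exit

! Step 4: second ACL that selects only the remote-private-network traffic.
ProCurve(config)# ip access-list extended RemoteList
ProCurve(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ProCurve(config-ext-nacl)# exit

! ACP (assumed policy-class syntax and interface names): one entry allows the
! RemoteList traffic untranslated, the other translates NatList traffic to the
! address of the Internet interface (ppp 1) with port overloading.
ProCurve(config)# ip policy-class Private
ProCurve(config-policy-class)# allow list RemoteList
ProCurve(config-policy-class)# nat source list NatList interface ppp 1 overload
ProCurve(config-policy-class)# exit

! Apply the ACP to the interface where the LAN traffic enters the router.
ProCurve(config)# interface ethernet 0/1
ProCurve(config-eth 0/1)# access-policy Private
```

The check a practitioner should make after applying this: a session from the LAN to a host on 192.168.2.0/24 must arrive at the remote site with its 192.168.1.x source address intact, while a session to an Internet address must leave ppp 1 with the public address. If remote-private-network traffic is silently dropped instead, the ACP is missing the allow entry for the second ACL; the deny in NatList only excludes that traffic from translation, and the ACP discards anything no entry selects.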