
NAT on Cisco Router

Status
Not open for further replies.

pbxnkey (Programmer, US), Aug 15, 2006
Is there a way to NAT multiple ports for a single inside IP address using one outside IP address and also do it twice (because I want to do failover to another isp)?

Scenario:
ISP 1 Public IP: 1.1.1.1
ISP 2 Public IP: 2.2.2.2

Local IP: 192.168.1.10
Local IP: 192.168.1.11

192.168.1.10 Ports 40152-40190
192.168.1.11 Ports 40191-40200

I need to NAT 192.168.1.10 (49152-49190) to 1.1.1.1
and
I need to NAT 192.168.1.11 (49191-49200) to 1.1.1.1

Also
I need to NAT 192.168.1.10 (49152-49190) to 2.2.2.2
and
I need to NAT 192.168.1.11 (49191-49200) to 2.2.2.2

If ISP 1 fails I need the NAT to failover to ISP 2.
I know I can do a 1:1 NAT for each port but that is a lot of entries.
I want to combine the ports so I can do fewer entries (similar to network objects in an ASA).

Example:
route-map ISP1 permit 10
 match interface fa0/0

route-map ISP2 permit 10
 match interface fa0/1

ip nat inside source static tcp 192.168.1.10 49152 1.1.1.1 49152 route-map ISP1

ip nat inside source static tcp 192.168.1.10 49152 2.2.2.2 49152 route-map ISP2

I can't figure a way of not having to do this with all the ports for each ISP.
 
I have found a link that seems to describe how to do what you need.

Here's the detail copied from the webpage:

As you might recall, I had previously taken umbrage with Cisco's inability to forward a range of ports to a particular host. Many readers have offered suggestions and links to other documents around the Internet offering various solutions, but none of them really sat quite right with me.

In hindsight, the reason none of these suggestions sat right with me is because all the examples assumed you only had one host behind the NAT configuration. Finally, reader Serge worked with me to come up with a workable solution that resolves the port range problem but still works fine with multiple hosts.

Here's what Serge sent me by way of example:


ip nat pool POOL1 192.168.1.1 192.168.1.1 netmask 255.255.255.0 type rotary
ip nat pool POOL2 192.168.1.2 192.168.1.2 netmask 255.255.255.0 type rotary
ip nat inside destination list 101 pool POOL1
ip nat inside destination list 102 pool POOL2
access-list 101 permit tcp any any range 100 300
access-list 102 permit tcp any any range 500 1000

As you can see, TCP ports 100 through 300 are forwarded on to 192.168.1.1 and TCP ports 500 through 1000 go to 192.168.1.2. This solution seems workable to me. Once I got beyond the idea that there can only be one ip nat pool, I realized that this is what I should have been doing all along.

And so, here's our re-worked configuration to allow the World of Warcraft updater to successfully pass through our Cisco IOS-based firewall.


interface FastEthernet0/0
ip address 192.168.9.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
!
ip nat pool POOL1 192.168.9.10 192.168.9.10 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside destination list WOW pool POOL1
!
ip access-list extended WOW
permit tcp any any eq 3724
permit tcp any any range 6881 6999
 
We actually tried that and it did not work.
Here is the working config we used. The x.x.x.x entries are the respective public IPs of the ISP providers.

interface GigabitEthernet0/1.3058
description Primary subinterface
encapsulation dot1Q 3058
ip address x.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly in
service-policy output VOICE

interface FastEthernet0/0/0
description Backup sip path
ip address x.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
ip nat inside source route-map Primary_Static interface GigabitEthernet0/1.3058 overload
ip nat inside source route-map Backup_Static interface FastEthernet0/0/0 overload

access-list 110 permit udp host 10.0.9.5 eq 5060 host x.x.x.x eq 5060
access-list 110 permit udp host x.x.x.x eq 5060 host 10.0.9.5 eq 5060
access-list 110 permit udp host 10.0.9.6 range 49152 49183 host 146.145.6.14 range 49152 49183
access-list 110 permit udp host 10.0.9.7 range 49184 49215 host 146.145.6.14 range 49184 49215
access-list 110 permit udp host 10.0.9.8 range 49216 49247 host 146.145.6.14 range 49216 49247
access-list 110 permit udp host 10.0.9.9 range 49248 49279 host 146.145.6.14 range 49248 49279
access-list 110 permit ip 10.0.9.0 0.0.0.255 any
access-list 120 permit udp host 10.0.9.5 eq 5060 host x.x.x.x eq 5060
access-list 120 permit udp host x.x.x.x eq 5060 host 10.0.9.5 eq 5060
access-list 120 permit udp host 10.0.9.6 range 49152 49183 host 50.73.196.229 range 49152 49183
access-list 120 permit udp host 10.0.9.7 range 49184 49215 host 50.73.196.229 range 49184 49215
access-list 120 permit udp host 10.0.9.8 range 49216 49247 host 50.73.196.229 range 49216 49247
access-list 120 permit udp host 10.0.9.9 range 49248 49279 host 50.73.196.229 range 49248 49279
access-list 120 permit ip 10.0.9.0 0.0.0.255 any

route-map Backup_Static permit 10
 match ip address 120
 match interface FastEthernet0/0/0
!
route-map Primary_Static permit 10
 match ip address 110
 match interface GigabitEthernet0/1.3058

Thanks for the update though, every suggestion helps.
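As an added example that is not part of this thread or of anyone's posted config, here is a small Python generator for the per-ISP ACL / route-map / NAT-overload block used in the working config above: it allocates a fixed-size port block per inside host (the 32-port blocks that config uses), rejects overlapping blocks, and emits one ISP's statements. The host addresses, the 203.0.113.1 peer address and the function names are constructed/assumed.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class PortRange:
    """One inside host and the UDP port block pinned to it."""
    host: str
    low: int
    high: int

def allocate_ranges(hosts: List[str], start: int, size: int) -> List[PortRange]:
    """Give each host the next contiguous block of `size` ports (32 in the thread)."""
    return [PortRange(h, start + i * size, start + (i + 1) * size - 1)
            for i, h in enumerate(hosts)]

def check_ranges(ranges: List[PortRange]) -> None:
    """Reject malformed or overlapping blocks: an overlap would leave the router
    unable to pick a single inside host for a destination port."""
    for r in ranges:
        if not 1 <= r.low <= r.high <= 65535:
            raise ValueError(f"bad port block for {r.host}: {r.low}-{r.high}")
    ordered = sorted(ranges, key=lambda r: r.low)
    for a, b in zip(ordered, ordered[1:]):
        if b.low <= a.high:
            raise ValueError(f"{a.host} {a.low}-{a.high} overlaps {b.host} {b.low}-{b.high}")

def build_isp_config(name: str, acl: int, outside_if: str, peer: str,
                     ranges: List[PortRange],
                     inside_net: str = "10.0.9.0 0.0.0.255") -> List[str]:
    """Emit one ISP's ACL, route-map and NAT-overload statements in the
    same shape as the working config posted above."""
    check_ranges(ranges)
    lines = [f"access-list {acl} permit udp host {r.host} range {r.low} {r.high} "
             f"host {peer} range {r.low} {r.high}" for r in ranges]
    # Catch-all so the rest of the LAN still gets overloaded out this ISP.
    lines.append(f"access-list {acl} permit ip {inside_net} any")
    lines += [f"route-map {name} permit 10",
              f" match ip address {acl}",
              f" match interface {outside_if}",
              f"ip nat inside source route-map {name} interface {outside_if} overload"]
    return lines

if __name__ == "__main__":
    # Constructed sample: four SIP hosts, 32 RTP ports each, two ISPs (assumed values).
    ranges = allocate_ranges(["10.0.9.6", "10.0.9.7", "10.0.9.8", "10.0.9.9"], 49152, 32)
    for name, acl, intf in [("Primary_Static", 110, "GigabitEthernet0/1.3058"),
                            ("Backup_Static", 120, "FastEthernet0/0/0")]:
        print("\n".join(build_isp_config(name, acl, intf, "203.0.113.1", ranges)))
```

Run it once per ISP with that ISP's outside interface and ACL number; the generated ACL lines match the layout of access-lists 110 and 120 above.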
 