IOS, PAT of all inside Addresses and change of Destination Port

Unanswered Question
Mar 10th, 2008

Hi,

At first, what I want to achieve with a router:

1. I want to NAT all internal addresses to one external address when crossing the router; this can be easily done with PAT (overload).

2. I also want to change the destination port (e.g. port 80 to 8900, ...).

I saw that I can do this on a router, but only if I use static NAT (1:1 NAT).

But it's impossible to configure this for a few hundred hosts!!!

Is there any possibility to do this for traffic specified by a list?

3. I think I know that this can be done by an ASA, but I also need policy routing to change the next hop for the traffic, and this is not possible with an ASA as far as I know.

So I think I could achieve the requested behaviour by using an ASA and a router; I would be really glad if somebody has an idea to do this with only one box (if possible with a router).

Kind Regards

Hubert

Collin Clark Tue, 03/11/2008 - 09:02

Hubert-

You could do Policy Based Routing then NAT (on the same router). You might have to send it to a loopback first, but it should work.

HTH

HUBERT RESCH Tue, 03/11/2008 - 09:12

Hi, I agree with PBR and PAT, so I can policy-route and masquerade all port 80/443 traffic to a certain next-hop and NAT it to one certain IP address. But one remaining task is to set the destination port number from 80/443 to 3200. I considered doing it in two NAT steps with one router using two VRFs, each of them doing one NAT (step 1: NATing the source address, step 2: NATing the destination port).

Collin Clark Tue, 03/11/2008 - 09:18

How about a route-map for that?

Here's one we used.

ip nat inside source static tcp 192.168.208.1 38078 192.168.207.1 18965 route-map TEST-SERVER extendable
!
route-map TEST-SERVER permit 10
 match ip address 160
!
access-list 160 permit ip 192.168.0.0 0.0.255.255 host 172.16.12.20

HUBERT RESCH Tue, 03/11/2008 - 09:28

1. Which SW do you need?

I do not have the route-map option if I configure this:

Router(config)#ip nat source static tcp 1.1.1.1 10 2.2.2.2 11 ?
  extendable  Extend this translation when used
  no-alias    Do not create an alias for the global address
  no-payload  No translation of embedded address/port in the payload
  vrf         Specify vrf

And as I understood it, what you suggested helps only to do 1:1 static NAT of inside source addresses; would I have to configure every separate address??

Collin Clark Tue, 03/11/2008 - 09:35

I was doing this on a 3700 series router (running Enterprise). This is a 1:1, but it uses the route-map/ACL for the source address. Do you need to have hundreds of source addresses or destination addresses? Are they always changing to the same destination port (i.e. 80 to 8080)?

HUBERT RESCH Tue, 03/11/2008 - 09:47

Yes,

I have hundreds of inside source addresses.

All flows which have a particular destination port should be redirected to a specific next hop (this is done by PBR).

Also, all these flows have to be masqueraded to a specific outside address (this can be done by ip nat inside source list nat-list interface fast 0/1 overload).

And also on all these flows which are redirected and NATed we should change the destination port (ip nat inside source static tcp 1.1.1.1 80 2.2.2.2 3200).

All together, I think this cannot be achieved with one NAT? Or is this not true?

What is this

de source static tcp 1.1.1.1 80 2.2.2.2 3200 route-map test

exactly doing?

As I understand it, traffic from inside source address 1.1.1.1 and destination port 80 is NATed to outside source address 2.2.2.2 and destination port 3200.

How does the route-map work in this command??

Collin Clark Tue, 03/11/2008 - 09:57

The route-map is identifying the source/destination address(es) that should use the NAT statement. In my example above only the host 172.16.12.20 was using the NAT translation and only to the 192.168.0.0 networks. Basically we had an application that talked to another server on port 12345. We then had to change the server and it talked on a new port, 67890. We only needed to NAT that particular port on that particular IP, so we created a couple of route-maps. With what you want to do, I think you can PBR the hundreds of addresses you mentioned with a route-map/ACL then NAT all that PBR'ed traffic.
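An added example, not from the thread, of the PBR-then-PAT combination Collin and Hubert agree on: policy-route the port 80/443 flows to an alternate next hop and masquerade the hundreds of inside hosts behind the outside interface address. Addresses, interface names, and the ACL and route-map names are assumed; the per-host destination-port rewrite remains the open point of the thread and is not covered here.

```cisco
! Inside interface: the hosts to be masqueraded and policy-routed.
! PBR runs on packets arriving here, before inside-to-outside NAT,
! so the ACL below matches the untranslated 10.1.0.0/16 addresses.
interface FastEthernet0/0
 ip address 10.1.0.1 255.255.0.0
 ip nat inside
 ip policy route-map WEB-REDIRECT
!
! Outside interface: every inside host is PATed to this address.
interface FastEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! Flows to redirect: inside hosts talking to TCP 80 or 443 anywhere.
! Unmatched traffic falls through to normal destination-based routing.
ip access-list extended WEB-FLOWS
 permit tcp 10.1.0.0 0.0.255.255 any eq 80
 permit tcp 10.1.0.0 0.0.255.255 any eq 443
!
! PBR: matching flows are sent to the alternate next hop (assumed).
route-map WEB-REDIRECT permit 10
 match ip address WEB-FLOWS
 set ip next-hop 203.0.113.254
!
! PAT (overload): all inside hosts share the Fa0/1 address, one entry
! per flow, instead of one static line per host.
ip access-list standard NAT-LIST
 permit 10.1.0.0 0.0.255.255
ip nat inside source list NAT-LIST interface FastEthernet0/1 overload
!
! Checks: "show route-map WEB-REDIRECT" counts policy-routed packets;
! "show ip nat translations" lists the per-flow ports allocated on 203.0.113.2.
```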

