03-10-2008 10:54 AM - edited 03-09-2019 08:17 PM
Hi,
First, what I want to achieve with a router:
1. I want to NAT all internal addresses to one external address when crossing the router; this can be easily done with PAT (overload).
2. I also want to change the destination port (e.g. port 80 to 8900, ...).
I saw that I can do this on a router, but only if I use static NAT (1:1 NAT).
But it's impossible to configure this for a few hundred hosts!!!
Is there any possibility to do this for traffic specified by a list?
3. I think I know that this can be done by an ASA, but I also need policy routing to change the next hop for the traffic, and this is not possible with an ASA as far as I know.
So I think I could achieve the requested behaviour by using an ASA and a router; I would be really glad if somebody has an idea to do this with only one box (if possible with a router).
Kind Regards
Hubert
03-11-2008 09:02 AM
Hubert-
You could do Policy Based Routing then NAT (on the same router). You might have to send it to a loopback first, but it should work.
HTH
03-11-2008 09:12 AM
Hi, I agree with PBR and PAT, so I can policy-route and masquerade all port 80/443 traffic to a certain next hop and NAT it to one certain IP address. But one remaining task is to set the destination port number from 80/443... to 3200. I considered doing it in two NAT steps with one router using two VRFs, each of them doing one NAT (step 1: NATing the source address, step 2: NATing the destination port).
03-11-2008 09:18 AM
How about a route-map for that?
Here's one we used.
! Static port translation, applied only to traffic the route-map matches
ip nat inside source static tcp 192.168.208.1 38078 192.168.207.1 18965 route-map TEST-SERVER extendable
route-map TEST-SERVER permit 10
 match ip address 160
! ACL 160 selects the flows that may use the translation above
access-list 160 permit ip 192.168.0.0 0.0.255.255 host 172.16.12.20
03-11-2008 09:28 AM
1. Which software do you need?
I do not have the route-map option if I configure this:
Router(config)#ip nat source static tcp 1.1.1.1 10 2.2.2.2 11 ?
extendable Extend this translation when used
no-alias Do not create an alias for the global address
no-payload No translation of embedded address/port in the payload
vrf Specify vrf
And as I understood what you suggested, this helps only to do 1:1 static NAT between inside source addresses; I would have to configure every separate address??
03-11-2008 09:35 AM
I was doing this on a 3700 series router (running Enterprise). This is a 1:1, but it uses the route-map/ACL for the source address. Do you need to have hundreds of source addresses or destination addresses? Are they always changing to the same destination port (i.e. 80 to 8080)?
03-11-2008 09:47 AM
Yes,
I have hundreds of inside source addresses.
All flows which have a particular destination port should be redirected to a specific next hop (this is done by PBR).
Also, all these flows have to be masqueraded to a specific outside address (this can be done by ip nat inside source list nat-list interface fast 0/1 overload).
And also, on all these flows which are redirected and NATed we should change the destination port (ip nat inside source static tcp 1.1.1.1 80 2.2.2.2 3200).
All together, I think this cannot be achieved with one NAT? Or is this not true?
What does this
de source static tcp 1.1.1.1 80 2.2.2.2 3200 route-map test
exactly do?
As I understand it, traffic from inside source address 1.1.1.1 and destination port 80 is NATed to outside source address 2.2.2.2 and destination port 3200.
How does the route-map work in this command??
03-11-2008 09:57 AM
The route-map is identifying the source/destination address(es) that should use the NAT statement. In my example above, only the host 172.16.12.20 was using the NAT translation, and only to the 192.168.0.0 networks. Basically we had an application that talked to another server on port 12345. We then had to change the server, and it talked on a new port, 67890. We only needed to NAT that particular port on that particular IP, so we created a couple of route-maps. With what you want to do, I think you can PBR the hundreds of addresses you mentioned with a route-map/ACL, then NAT all that PBR'ed traffic.
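The "PBR first, then NAT" approach from the replies above, written out as one IOS configuration. This is an added example and not configuration from either poster; the interface names, the 192.168.0.0/16 inside range, the RFC 5737/6598-style addresses 203.0.113.2 and 198.51.100.1, and the host 192.168.0.10 are all assumed for illustration.

```cisco
! --- Inside hosts (assumed 192.168.0.0/16) whose web flows get policy-routed ---
ip access-list extended WEB-FLOWS
 permit tcp 192.168.0.0 0.0.255.255 any eq 80
 permit tcp 192.168.0.0 0.0.255.255 any eq 443
!
! --- PBR: hand matching flows to the alternate next hop (198.51.100.1 is assumed) ---
route-map REDIRECT-WEB permit 10
 match ip address WEB-FLOWS
 set ip next-hop 198.51.100.1
!
! PBR is applied on the inside interface. For inside-to-outside traffic IOS runs
! policy routing before inside-to-outside NAT, so WEB-FLOWS matches on the hosts'
! real (pre-translation) source addresses.
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.0.0
 ip nat inside
 ip policy route-map REDIRECT-WEB
!
interface FastEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! --- PAT: masquerade every inside host behind the outside interface address ---
access-list 10 permit 192.168.0.0 0.0.255.255
ip nat inside source list 10 interface FastEthernet0/1 overload
!
! --- Route-map-qualified static port entry, the construct shown in the thread ---
! Maps inside local 192.168.0.10:80 to inside global 203.0.113.2:3200, but only for
! the flows ACL 160 selects; everything else from that host falls through to the
! overload rule above. Note this translates the inside host's OWN address:port
! (the source side of its outbound packets, the destination side of inbound ones);
! it does not rewrite the destination port of the hundreds of hosts' outbound
! flows, which is the part of the original question this thread leaves open.
ip nat inside source static tcp 192.168.0.10 80 203.0.113.2 3200 route-map PORT-80-HOST extendable
route-map PORT-80-HOST permit 10
 match ip address 160
access-list 160 permit tcp host 192.168.0.10 eq 80 any
!
! --- Checks (exec mode) ---
! show ip nat translations      -> expect "tcp 203.0.113.2:3200 192.168.0.10:80 ..." once the flow exists
! show route-map REDIRECT-WEB   -> "Policy routing matches" counter should increase for web flows
! debug ip policy / debug ip nat -> lab only; both are very chatty on a busy router
```

The static entry reserves port 3200 on the shared interface address, which IOS permits alongside overload; the `extendable` keyword is what allows the same inside address to appear in more than one translation (the static port entry and the overload rule). Because each `ip nat inside source static tcp` line covers one host, this still scales one line per host, exactly the limitation the original poster ran into.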