NAT - how to change destination address and port?

paa · ‎03-19-2008

Hi all!

I have a task to create a redirection from one ip-address to another. For example:

10.0.0.1 port 80 ---> 10.10.10.1 port 8080

I don't have problem with change destination ip-address (ip nat inside destination list), but - how can I change a destination port?

franklaszlo · ‎03-19-2008

Hi !

For instance :

ip nat inside source static tcp 10.0.0.1 80 10.10.10.1 8080 extendable

Regards,

Laszlo

paa · ‎03-19-2008

Ok, full task:

I have a network 10.0.0.1/24, i have a proxy server 10.0.0.10 port 3128. So, I want to do redirection from 10.0.0.1/24 to any web (destination port 80, 8080, 443) to my proxy server 10.0.0.10 port 3128. How can I do it?

franklaszlo · ‎03-19-2008

Sorry, I may not clearly understand your network setup, because it seems to me that your proxy server is on the same network as your hosts whose traffic you want to redirect, is it not ?

paa · ‎03-19-2008

Yes, sorry my first mistakes =) I want to do redirection inside one network. My proxy server and client PCs in one network 10.0.0.1/24

franklaszlo · ‎03-19-2008

Well, as far as I know, this is not possible.

NAT is always working between interfaces designated as inside and outside and are able to translate between different networks.

Laszlo

paa · ‎03-19-2008

And If it will be a different network?

For example, my proxy server ip 20.0.0.10 - how can I do changing of destination port for many hosts?

franklaszlo · ‎03-19-2008

So you want to redirect all traffic destined to specific ports but any ip address, to a specific ip address and a specific /squid/ port ?

First I thought PBR would help, but it will not change the destination IP.

What you want to do, is rather a proxy functionality, and I do not think a router would do that.

It is an interesting question and I am still thinking on it, but for now I do not have any idea.

paa · ‎03-19-2008

"So you want to redirect all traffic destined to specific ports but any ip address, to a specific ip address and a specific /squid/ port ?"

Yes, it's correct

I think about route-map and "ip nat inside" with route-map, but I still have a problem with destination port changing. Thanks for you working/thinking =)

alig.norbert · ‎07-24-2008

Hi,

Have you found a solution. I'm looking for the same workaround?

Greets,

Norbert

dhananjoy chowdhury · ‎07-24-2008

Hi,

What if we create subinterfaces on the inside interface ?

f0/0.1 - VLAN 10 - 10.0.0.0/24 - your inside LAN

f0/0.2 - VLAN 20 - 20.0.0.0/24 - NW in which your Squid proxy resides

dhananjoy chowdhury · ‎07-24-2008

create subinterfaces on the inside interface....

f0/0.1 - VLAN 10 - 10.0.0.0/24 - your inside LAN

f0/0.2 - VLAN 20 - 20.0.0.0/24 - NW in which your Squid proxy resides

Configure the Squid proxy with 2 instances one listening on port 80 and other instance listening on port 443.

Now Use route map to forward port 80 requests to Squid proxy on port 80

and forward port 443 requests to Squid on port 443

alig.norbert · ‎07-24-2008

Hi

Can this linux sample somehow be configured on an ASA or IOS-Router?

At least it should be work for the squid-box. Route-map (port 80) -> squid (port 80) -> iptables -> squid (port 8080)

Redirection

There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface.

## Send incoming port-80 web traffic to our squid (transparent) proxy

# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \

-j REDIRECT --to-port 8080