NAT port issue

Unanswered Question
Apr 10th, 2008

I have the following:

DSL Modem into a Cisco Wireless Router w/built in switch that goes to 2 servers (behind NAT) and a Cisco Catalyst switch connected to the router for all other network connections.

The problem is when I go to VPN into the network, it VPNs into the server I have set up for the NAT entry ONLY. I want to be able to add another NAT entry with the same port number for the 2nd server, which the router will not accept because of 2 servers using the same port number. I will not change the port number on the servers either, because this can conflict with some devices that I use outside the network to use different features that are hosted on these servers. What can I do on the built-in Cisco router switch to direct traffic of the same port number when they use the same port number?

Is there some way around this?

a.cruea1980 Wed, 04/16/2008 - 07:28

Sure.

All you have to do is a simple statement like this:

ip nat inside source static tcp x.x.x.x 3389 interface FastEthernet0 3390

On my router, that takes the outside address on port 3390 and changes it to match an inside address on the default RDP port.

You should be able to do the same thing to VPN to your servers. Provided I understand your question correctly, of course.

bostoneo7 Wed, 04/16/2008 - 07:40

The thing is I have 2 servers and it will give me an error when I try to enter the VPN Port (1723) into 2 different nat commands.

For example for server1:

ip nat inside source static tcp x.x.x.x 1723 interface fa0 1723

Then server2:

ip nat inside source static tcp x.x.x.x 1723 interface fa0 1723

It won't accept the 2nd command because the port number is being used twice. Also, changing the port number for VPN is not an option in my case either.

mheusing Wed, 04/16/2008 - 22:45

Hi,

The observed behaviour is not due to a deficiency of the router or IOS.

Why?

Well, the configuration

ip nat inside source static tcp x.x.x.x 1723 interface fa0 1723

basically states in words: "If a packet with a destination IP of int Fa0 arrives with TCP destination port 1723, then translate the address to x.x.x.x and forward the packet."

A router can forward a unicast IP packet only to ONE host. Therefore IOS rejects a second statement basically saying "Forward the same packet also to another host".

Note: replicating a unicast IP packet several times in a router through NAT would also not be standard compliant.

IOS does not do that.

The two options you have:

1) change the default port for the second server, as already suggested.

2) get a second outside IP address and do NAT IP address1 -> server 1 and IP address2 -> server 2

You need to talk to your provider about the second option, in case the first option is impossible for other reasons in your case.

Hope this helps! Please use the rating system.

Regards, Martin
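As an added illustration (not part of the thread or any poster's configuration), here is a small Python check that applies the rule Martin describes: each (protocol, outside address or interface, outside port) triple may translate to only one inside host. It runs on constructed sample entries for the rejected configuration and for both of his options; the addresses and interface name are placeholders.

```python
import re
from collections import defaultdict

# One static NAT/PAT line in the form used in this thread, e.g.
#   ip nat inside source static tcp 192.168.1.10 1723 interface fa0 1723
# The outside side is either "interface <name>" or an explicit outside address.
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
    r"(?:interface (\S+)|(\S+)) (\d+)$"
)

def parse_static(line):
    """Return the inside socket and the outside socket a static entry claims, or None."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    proto, inside_ip, inside_port, iface, outside_ip, outside_port = m.groups()
    return {
        "inside": (inside_ip, int(inside_port)),
        # IOS keys the translation on (protocol, outside address/interface, outside port)
        "outside": (proto, iface or outside_ip, int(outside_port)),
    }

def find_conflicts(lines):
    """Map each outside socket claimed by more than one inside host to those hosts.
    An empty result means every entry would be accepted by the router."""
    claims = defaultdict(list)
    for line in lines:
        entry = parse_static(line)
        if entry and entry["inside"] not in claims[entry["outside"]]:
            claims[entry["outside"]].append(entry["inside"])
    return {k: v for k, v in claims.items() if len(v) > 1}

# Constructed sample configs (addresses are placeholders, not from the thread).
SERVER1 = "ip nat inside source static tcp 192.168.1.10 1723 interface fa0 1723"
REJECTED = [SERVER1, "ip nat inside source static tcp 192.168.1.11 1723 interface fa0 1723"]
# Option 1: keep 1723 on the server, expose it on a different outside port.
FIX_PORT = [SERVER1, "ip nat inside source static tcp 192.168.1.11 1723 interface fa0 1724"]
# Option 2: a second outside address from the provider, same port on both.
FIX_ADDR = [SERVER1, "ip nat inside source static tcp 192.168.1.11 1723 203.0.113.6 1723"]

if __name__ == "__main__":
    for name, cfg in (("rejected", REJECTED), ("fix_port", FIX_PORT), ("fix_addr", FIX_ADDR)):
        print(name, find_conflicts(cfg) or "no conflicts")
```

Option 1 only remaps TCP 1723; PPTP also carries GRE (IP protocol 47), which has no port to remap, so with a single outside address only one PPTP server can be reached that way.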

a.cruea1980 Thu, 04/17/2008 - 06:13

If you'll notice in my example I gave you, the default port (3389) is on the inside, but on the outside, the port is 3390. This should work for you without having to change the default port for your server on the inside.

And since you don't want to change the port on the router, then you're pretty much down to getting a second address.

Just curious, why is changing the port number on the WAN of the router not an option?

a.cruea1980 Tue, 04/29/2008 - 08:10

I'm well aware what the port is for.

You will need to do a little editing to get the commands to work for your situation, i.e., change 3389 to 1723 for your VPN connection. It is merely an example to show you something you could do that may alleviate your problem.

Spoon-feeding you an answer isn't going to do you any good. I would suggest using the "?" in IOS to help you figure out what you need to change.
