ACE 4710 A3 Static NAT with Port translation

Unanswered Question
Feb 9th, 2009

Hi

I am trying to configure the ACE to NAT both IP and port based on the source IP and destination port.

For example all traffic from an internal IP going to any destination to port 26 should be Natted to an external IP and the port 26 changed to 25.

At the moment when I am trying to configure

ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq 25 vlan 99

I get the error back:

Error: Invalid real port configured for NAT static

Any ideas anyone? I can paste the config if required.

ciscocsoc Mon, 02/09/2009 - 05:02

Hi,

The whole configuration might be useful if you are doing other things. For the case you cite you should do the NAT to the external IP address without worrying about the port and set the destination port on the rserver statements in the serverfarm definition.

serverfarm host whatever
  rserver myserver1 25
    inservice
  rserver myserver2 25
    inservice

HTH

Cathy

VictorAKur Mon, 02/09/2009 - 06:07

Hi

I have attached the relevant part of the config.

"policy-map multi-match Policy_Port26_Static" is where the static NAT with port redirection should go.

The problem is that some of our servers need to initiate outbound connections to a group of external mail servers that will only accept a connection from a certain IP. Hence the idea to intercept all the outbound traffic to the port 26 (we chose the port), NAT it to a particular Global IP and redirect the destination port from 26 to 25.

ciscocsoc Mon, 02/09/2009 - 06:50

Hmm.

Under the policy-map multi-match Policy_Port26_Static, class Class_Port26, there should be loadbalance vip statements using policy-map Mail as well as a nat dynamic statement to do the nat.

  loadbalance vip inservice
  loadbalance policy Mail
  loadbalance vip icmp-reply
  nat dynamic x vlan 99

The trouble with partial configurations is that it is difficult to know what if anything is missing or just redacted.

Does that help?

Cathy

VictorAKur Mon, 02/09/2009 - 07:55

The missing configuration is this:

ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq 25 vlan 99

I get the error back:

Error: Invalid real port configured for NAT static

This is why it is not in the config I have pasted.

It is not load balancing that I am trying to achieve, it is actually outbound NAT with port redirection.

Something like this:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/nat.html#wp1084392

only I cannot make it work.

ciscocsoc Mon, 02/09/2009 - 23:49

The manual uses a different syntax for static nat:

The following DNAT static port redirection example specifies the nat static command as an action for a static NAT policy map:

host1/C1(config)# policy-map multi-action NAT_POLICY
host1/C1(config-pmap)# class NAT_CLASS
host1/C1(config-pmap-c)# nat static 192.168.12.0 255.255.255.0 80 vlan 101

Cathy

VictorAKur Tue, 02/10/2009 - 03:07

I have noticed that. I believe the manual is actually for the ACE module, not for the appliance. However I would think that it should work just as well.

This is the config I am trying to achieve, in a nutshell:

access-list Mail_Out line 10 extended permit tcp host 172.x.x.x any eq 26

class-map match-any Class_Port26
  2 match access-list Mail_Out

policy-map multi-match Policy_Port26_Static
  class Class_Port26
    nat static x.x.x.x netmask 255.255.255.255 25 vlan EXTERNAL

int vlan INTERNAL
  service-policy input Policy_Port26_Static

When I put the "nat static x.x.x.x etc" under class Class_Port26 in the policy map it comes back with that error I described before:

Error: Invalid real port configured for NAT static

WHY??? :)

ciscocsoc Tue, 02/10/2009 - 03:27

When typing the "nat static" command, what options do you have (using ?) at each stage?

VictorAKur Tue, 02/10/2009 - 03:45

I am not sure I understand the question.

Is this what you mean?

ACE-2/TEST(config-pmap)# class Class_Port26
ACE-2/TEST(config-pmap-c)# nat static ?
  Specify mapping IP address
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x ?
  netmask    Configure mapped netmask for translation
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 ?
  <1-65535>  Specify port number
  tcp        Tcp protocol
  udp        Udp protocol
  vlan       VLAN interface
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp ?
  eq         Specify tcp port number
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq ?
  <0-65535>  Mapped port
  ftp        File Transfer Protocol (21)
  http       Hyper Text Transfer Protocol (80)
  https      HTTP over TLS/SSL (443)
  irc        Internet Relay Chat (194)
  matip-a    Matip Type A (350)
  nntp       Network News Transport Protocol (119)
  pop2       Post Office Protocol v2 (109)
  pop3       Post Office Protocol v3 (110)
  rtsp       Real Time Stream control Protocol (554)
  smtp       Simple Mail Transfer Protocol (25)
  telnet     Telnet (23)
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp ?
  vlan       VLAN interface
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp vlan ?
  <2-4094>   VLAN number
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp vlan 99
Error: Invalid real port configured for NAT static
ACE-2/TEST(config-pmap-c)#

**VLAN 99 is the external VLAN facing Internet

ciscocsoc Tue, 02/10/2009 - 04:00

The example in the ACE manual (which should be good for the 4710) is:

Static Port Redirection (DNAT) Configuration Example

The following DNAT configuration example shows those sections of the running configuration related to the commands necessary to configure static port redirection on your ACE. Typically, this configuration is used for DNAT, where HTTP packets that are destined to 192.0.0.0/8 and ingressing the ACE on VLAN 101 are translated to 10.0.0.0/8 and port 8080. In this example, the servers are hosting HTTP on custom port 8080.

access-list acl1 line 10 extended permit tcp 10.0.0.0 255.0.0.0 eq 8080 any

class-map match-any NAT_CLASS
  match access-list acl1

policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat static 192.0.0.0 255.0.0.0 80 vlan 101

interface vlan 100
  mtu 1500
  ip address 192.168.1.100 255.255.255.0
  service-policy input NAT_POLICY
  no shutdown

interface vlan 101
  mtu 1500
  ip address 172.27.16.100 255.255.255.0
  no shutdown

which does differ in the ACL definition etc. If this doesn't work then I'm baffled.

Cathy

VictorAKur Tue, 02/10/2009 - 04:21

This ACL specifies traffic from 10.0.0.0 255.0.0.0 with the source port of 8080:

  permit tcp 10.0.0.0 255.0.0.0 eq 8080 any

I am trying to redirect the destination port

permit tcp host x.x.x.x any eq 26

I am going mad here :)

VictorAKur Tue, 02/10/2009 - 04:47

I must admit - the example you mentioned confuses me. Could you explain how it works please?
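The following is an added example, not code from the thread or from Cisco. It models the static NAT entry from the manual excerpt quoted above (real 10.0.0.0/8 port 8080 on one side, mapped 192.0.0.0/8 port 80 on the other) as a single symmetric mapping and applies it to three constructed packets, so the relationship between the ACL (written from the real side, source port 8080) and the translation the manual describes (packets destined to 192.0.0.0/8 port 80 becoming 10.0.0.0/8 port 8080) can be seen on concrete addresses. The symmetric behaviour (rewrite the destination of packets arriving for the mapped address, rewrite the source of packets leaving the real address) is an assumption about how static NAT entries generally work, not a description of ACE internals; the client and external addresses 172.27.16.5 and 203.0.113.10 are constructed. The third packet is a connection the real server initiates itself to destination port 26, which the manual's entry does not touch because it keys on the real side's source port, which is the difference the previous post points out.

```python
# Added example: a model of one static NAT entry with port redirection,
# applied in both directions. Not ACE code; the symmetric behaviour and
# the sample addresses are assumptions made for illustration.
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticNat:
    """One static entry, written from the real (server) side as the ACE ACL is."""
    real_net: ipaddress.IPv4Network
    real_port: Optional[int]      # None = translate the address only
    mapped_net: ipaddress.IPv4Network
    mapped_port: Optional[int]

    def __post_init__(self):
        # One-to-one address translation needs prefixes of equal size.
        if self.real_net.prefixlen != self.mapped_net.prefixlen:
            raise ValueError("real and mapped networks must have the same mask")

    @staticmethod
    def _shift(ip: str, src: ipaddress.IPv4Network, dst: ipaddress.IPv4Network) -> str:
        # Keep the host bits, swap the network prefix.
        host_bits = int(ipaddress.ip_address(ip)) - int(src.network_address)
        return str(ipaddress.ip_address(int(dst.network_address) + host_bits))

    def inbound(self, pkt: Packet) -> Packet:
        """Packet arriving for the mapped side: translate the destination (DNAT)."""
        if ipaddress.ip_address(pkt.dst_ip) not in self.mapped_net:
            return pkt
        if self.mapped_port is not None and pkt.dst_port != self.mapped_port:
            return pkt
        return replace(
            pkt,
            dst_ip=self._shift(pkt.dst_ip, self.mapped_net, self.real_net),
            dst_port=self.real_port if self.real_port is not None else pkt.dst_port,
        )

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving from the real side: translate the source (reverse leg)."""
        if ipaddress.ip_address(pkt.src_ip) not in self.real_net:
            return pkt
        if self.real_port is not None and pkt.src_port != self.real_port:
            return pkt
        return replace(
            pkt,
            src_ip=self._shift(pkt.src_ip, self.real_net, self.mapped_net),
            src_port=self.mapped_port if self.mapped_port is not None else pkt.src_port,
        )


# The entry from the manual example quoted in the thread:
#   access-list acl1 ... permit tcp 10.0.0.0 255.0.0.0 eq 8080 any
#   nat static 192.0.0.0 255.0.0.0 80 vlan 101
MANUAL_ENTRY = StaticNat(
    real_net=ipaddress.ip_network("10.0.0.0/8"), real_port=8080,
    mapped_net=ipaddress.ip_network("192.0.0.0/8"), mapped_port=80,
)


def walk_through(entry: StaticNat = MANUAL_ENTRY) -> dict:
    """Apply the entry to three constructed packets and return the results."""
    # 1. A client (constructed address) opens HTTP to the mapped address.
    syn = Packet("172.27.16.5", 40000, "192.0.0.1", 80)
    # 2. The server answers from its real address and port.
    syn_ack = Packet("10.0.0.1", 8080, "172.27.16.5", 40000)
    # 3. A connection the server initiates itself to destination port 26
    #    (the case asked about in the thread), from an ephemeral source port.
    server_initiated = Packet("10.0.0.1", 51000, "203.0.113.10", 26)
    return {
        "client_syn": entry.inbound(syn),            # dst becomes 10.0.0.1:8080
        "server_reply": entry.outbound(syn_ack),     # src becomes 192.0.0.1:80
        "server_initiated": entry.outbound(server_initiated),  # unchanged
    }


if __name__ == "__main__":
    for name, pkt in walk_through().items():
        print(f"{name:17s} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
```

Running it shows the client's SYN to 192.0.0.1:80 leaving towards 10.0.0.1:8080, the server's reply from 10.0.0.1:8080 leaving as 192.0.0.1:80, and the server-initiated connection to port 26 passing through untranslated, because nothing in that entry matches on the destination port of an outbound packet.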
