NAT Redirection. Help!


Hi Net Pros,

My network looks like this:

LAN--(Fa1/0)Cisco(Fa2/0)--WAN

Easy!

Ok, here is the challenge. I have been assigned the IP address 12.34.56.78 by my ISP. I'd like for people to connect to 12.34.56.78 on port 443 on the WAN, and have traffic redirected to 192.168.0.78 on the LAN. This should be easy right? Also, I want host 192.168.254.78 to only see traffic coming from 12.34.56.78 and not the true host across the WAN.

It seems like this would be easy with static NAT, but I have not been able to accomplish this using a combination of NAT tricks. Thanks!

For example:

Internet Host: 23.45.67.89 connects to me over the WAN.

SA: 23.45.67.89 --> DA: 12.34.56.78:443

Then, the router takes the traffic and sends it to my host 192.168.0.78 on the LAN. My host on the LAN sees:

SA: 12.34.56.78:443 --> DA: 192.168.0.78:443

Is this possible? Thanks pros!

yagnesh_tel Mon, 08/31/2009 - 13:34

Hi Nick,

This configuration should work straight away unless you have an ACL applied.

ip nat inside source static tcp 192.168.0.78 443 12.34.56.78 443

interface f2/0

ip nat outside

interface f1/0

ip nat inside

Share your router configuration if you still find a problem.

I tried what you suggested, and traffic gets through. But the host on the LAN (ip nat inside, 192.168.0.78) still sees traffic coming from the actual WAN host, and not the router.

So using my example, traffic is sent from an outside WAN host, to my router:

SA: 23.45.67.89:443 --> DA: 12.34.56.78:443

And my inside host sees:

SA: 23.45.67.89 --> DA: 192.168.0.78

I want my inside host to see traffic originating from the router instead of the actual source. So my inside host sees:

SA: 12.34.56.78 --> DA: 192.168.0.78

I don't want my inside host to see the IP of whatever host is connecting to it across the WAN.

Thanks for the help!

yagnesh_tel Tue, 09/01/2009 - 10:22

Hi Nick,

I apologize for not reading your requirement completely. Assuming 23.45.67.89 is the only host accessing your server (192.168.0.78) from the WAN, you may achieve this by creating a static NAT:

ip nat outside source static 23.45.67.89 12.34.56.78

Although conceptually I don't see an issue with this setup, I am not completely convinced, considering the same address (12.34.56.78) is being used for two different static entries.

yagnesh_tel Wed, 09/02/2009 - 05:21

In that case, use 'ip nat outside source list' command:

Match interesting traffic:

access-list 110 permit ip 1.0.0.0 254.255.255.255 any (to permit any IP address from the Internet)

ip nat outside source list 110 interface Fa2/0 overload

I am not quite sure that the overloading interface option works in the 'ip nat outside' command. If not, you can define a pool with just one IP address and attach that pool in the NAT statement.

ip nat pool WANACCESS 12.34.56.78 12.34.56.78 netmask 255.255.255.0

ip nat outside source list 110 pool WANACCESS overload

I tried this, but the inside host is still seeing the IP of the actual outside host, and not the IP of the router. Here is my config:

interface FastEthernet1/0

ip address 192.168.0.1 255.255.255.0

ip nat inside

interface FastEthernet2/0

ip address 12.34.56.78 255.255.255.0

ip nat outside

ip nat pool WANACCESS 12.34.56.78 12.34.56.78 netmask 255.255.255.0

ip nat inside source static tcp 192.168.0.78 443 12.34.56.78 443 extendable

ip nat outside source list 110 pool WANACCESS

!

access-list 110 permit ip 1.0.0.0 254.255.255.255 any

On a host across the WAN (23.45.67.89), I connect to 12.34.56.78:443, and it gets through to 192.168.0.78, but I don't want to see the traffic coming from 23.45.67.89 - I want the inside host to believe the traffic is coming from 12.34.56.78. Here is what I see in the inside host's (192.168.0.78) debug ip packet:

*Mar 1 00:51:28.827: IP: tableid=0, s=23.45.67.89 (FastEthernet1/0), d=192.168.0.78 (FastEthernet1/0), routed via RIB

*Mar 1 00:51:28.831: IP: s=23.45.67.89 (FastEthernet1/0), d=192.168.0.78 (FastEthernet1/0), len 44, rcvd 3

*Mar 1 00:51:28.839: IP: tableid=0, s=192.168.0.78 (local), d=23.45.67.89 (FastEthernet1/0), routed via FIB

*Mar 1 00:51:28.843: IP: s=192.168.0.78 (local), d=23.45.67.89 (FastEthernet1/0), len 44, sending

I feel we're getting close! Thanks for the help so far!

Jon Marshall Thu, 09/03/2009 - 04:29

Nick

You can't do this because you cannot overload on an outside static statement, i.e. you can't NAT multiple outside addresses to one inside address on an IOS router. Funnily enough, this is a trivial thing to do on an ASA/PIX firewall!

If, however, you want to hide the Internet addresses, does it have to be behind the 12.34.56.78 address?

If not what you can do is create a NAT pool using private addressing on the router. This NAT pool will have to be big enough to account for all concurrent connections to the 192.168.0.78 server on port 443.

If you wanted to do this you would need to:

1) Keep your existing line -

ip nat inside source static tcp 192.168.0.78 443 12.34.56.78 443 extendable

2) Create a new NAT pool, e.g.

ip nat pool NPS 172.16.5.1 172.16.5.254 netmask 255.255.255.0

3) Create an ACL to match the traffic

access-list 101 permit tcp any host 192.168.0.78 eq 443

4) Add the NAT statement

ip nat outside source list 101 pool NPS

5) Add a static route for your NAT pool

ip route 172.16.5.0 255.255.255.0 fa2/0

This route is needed because of the order of NAT/routing in IOS.

6) If you have internal routers they too will need to know where to route traffic from 172.16.5.x addresses back to, but from your example above it doesn't look like this is needed.

Note that the NAT pool I have used has only 254 usable addresses, but you can make it as big as you like. As I said, it needs to be big enough to cover all the concurrent connections from the Internet. For the NAT pool addressing you should use private addressing that doesn't conflict with your internal addressing.

Jon
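The six steps above, modelled in Python as an added example (not IOS code, and not from the thread): it applies the inside static entry and the outside-source pool in the order IOS applies NAT and routing, so it shows the inside host seeing a 172.16.5.x source and why the static route in step 5 is needed. It assumes only connected routes exist on the router (no default route) and is a simplification of IOS behaviour.

```python
"""Model of the two NAT rules in Jon's post (added example, not IOS code).
Outside->inside packets are translated before routing; inside->outside
packets are routed before translation, as in IOS."""
import ipaddress

INSIDE_IF, OUTSIDE_IF = "Fa1/0", "Fa2/0"
SERVER, WAN_IP, PORT = "192.168.0.78", "12.34.56.78", 443   # inside static tcp entry
POOL = [str(a) for a in ipaddress.ip_network("172.16.5.0/24").hosts()]  # pool NPS

class Router:
    def __init__(self, pool_route):
        # Connected routes only (assumption: no default route); pool_route adds
        # 'ip route 172.16.5.0 255.255.255.0 fa2/0' from step 5.
        self.routes = {"192.168.0.0/24": INSIDE_IF, "12.34.56.0/24": OUTSIDE_IF}
        if pool_route:
            self.routes["172.16.5.0/24"] = OUTSIDE_IF
        self.free = list(POOL)   # pool addresses not yet handed out
        self.xlate = {}          # pool address -> real Internet host
        self.by_real = {}        # real Internet host -> pool address

    def lookup(self, dst):
        """Longest-prefix match; None when no route exists."""
        addr = ipaddress.ip_address(dst)
        hits = [(ipaddress.ip_network(p), i) for p, i in self.routes.items()
                if addr in ipaddress.ip_network(p)]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def from_outside(self, src, dst, dport):
        """Packet arriving on Fa2/0. Returns (src seen by server, dst, egress)."""
        if (dst, dport) != (WAN_IP, PORT):
            return None                       # no static entry for this port: dropped
        dst = SERVER                          # ip nat inside source static tcp ... 443
        # ACL 101 matches 'tcp any host 192.168.0.78 eq 443', i.e. the
        # translated destination, so the outside-source rule applies here.
        if src not in self.by_real:
            if not self.free:
                return None                   # pool exhausted: new connection fails
            local = self.free.pop(0)
            self.by_real[src], self.xlate[local] = local, src
        return (self.by_real[src], dst, self.lookup(dst))

    def from_inside(self, src, sport, dst):
        """Reply leaving the server. Routed on the pool address, then translated."""
        egress = self.lookup(dst)
        if egress is None:
            return None                       # no route for the pool: reply dropped
        real = self.xlate.get(dst, dst)       # undo outside-source translation
        if (src, sport) == (SERVER, PORT):
            src = WAN_IP                      # undo inside static translation
        return (src, real, egress)
```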

yagnesh_tel Thu, 09/03/2009 - 04:52

One thing I noted is that even though the router accepts the command 'ip nat outside source list' with the overload option, you cannot see that once the command is in the running-config. Even the command reference doesn't mention the overload option. So that makes me think that the overloading option may not work in this command. (I have never experienced this, so someone else can correct me if I am wrong.) Considering this, you may need to create a NAT pool using some private IP range so it can create one-to-one NATting using that pool's addresses.

Here is the example:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml

Be sure to select the address range for the NAT pool in such a way that it does not overlap with your existing IP scheme. Also, it should be large enough to accommodate all connections at once. You will need to provide routing for this NAT pool range on your inside host (192.168.0.78). One static route pointing towards the NAT router will be good enough for this.

I will see if I can lab up this issue.

Jon Marshall Thu, 09/03/2009 - 04:55

Yagnesh

On my version of IOS (12.4) I don't even get the option of overload when doing an "ip nat outside source list ..." statement.

"I will see if I can lab up this issue."

I have just labbed it up and it worked for me. I used the same approach as you, i.e. a private address range for the NAT pool. See my previous post.

Jon

yagnesh_tel Thu, 09/03/2009 - 05:32

And MVP (Most Valuable Participant) of NetPro goes to Jon :). Thanks for confirming my doubt. IOS won't give you an error while entering 'overload', so I was not able to perceive this issue at first glance.

Jon, thanks for your post and for clarifying!

Would it be possible to swap the inside and outside interfaces, and 1) overload any Internet IP and also 2) have the static NAT statement, but maybe change it to ip nat outside source static tcp....

I'm trying to figure out if there is a way to get all Internet traffic over to this inside host and make the traffic come to and from the router. I'm currently doing this with Linux and ip masquerade, and would love to replace it with this 1811.

Thanks again Jon and Yagnesh.
