NAT static translations with route-map (e.g. port range static NAT)

Unanswered Question
Feb 14th, 2010

Hi guys,

IOS version: c1841-advsecurityk9-mz.124-3c.bin

I've been trying to publish my internal IP PBX to the Internet and want to make port translations only for specific ports and port ranges, for security reasons.

As I have both TCP and UDP ports that need to be translated, I can't use the well-known solution using rotary IP pools, which works only for TCP.

I found a solution based on using route-maps to specifically indicate what should be taken into account while creating a static translation:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html

This document explains how to manipulate static NAT translations for outgoing connections, but says nothing about how incoming connections will be affected.

So, I created a config:

ip nat inside source static 192.168.1.200 X.X.X.123 route-map RMAP_NAT_STATIC

route-map RMAP_NAT_STATIC permit 10
 match ip address ACL_NAT_STATIC

ip access-list extended ACL_NAT_STATIC
 permit tcp host 192.168.1.200 eq 443 any
 permit udp host 192.168.1.200 eq 5060 any
 permit udp host 192.168.1.200 range 10000 20000 any

Well, this config is supposed to statically map ONLY ports TCP 443, UDP 5060 and UDP 10000-20000 from 192.168.1.200 to the public X.X.X.123 address. All incoming connections to other ports, due to the ACL configuration, should not be statically translated.

It looks like a correct one, but the problem is that even with the route-map statement in the ip nat inside source line, 192.168.1.200 is translated as a simple one-to-one LocalIP-ExtIP translation, ALL(!) ports TCP/UDP 1-65535.

I'm confused. People at this link also noticed such behaviour:

http://slaptijack.com/networking/cisco-nat-and-port-range-resolution/

Well, the interesting thing is that even if I delete all statements in ACL_NAT_STATIC, or have in the ACL something like this:

ip access-list extended ACL_NAT_STATIC
 permit ip host 255.255.255.255 any

in order to create a "placeholder" and theoretically turn off any static translation, I will still have a one-to-one unrestricted translation...

What am I doing wrong, or is it some malfunction in IOS?

Thanks in advance.
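The following is an added example, not part of the thread and not Cisco code. It models the extended ACL lines from the question with the usual IOS ACL semantics (first match wins, implicit deny at the end) so that you can see exactly which packets ACL_NAT_STATIC matches as written: traffic whose source is 192.168.1.200 on the listed source ports, i.e. the inside-to-outside direction, while a packet arriving from outside towards the PBX never matches any line. It does not model how IOS applies the route-map to the static NAT entry, which is the open question here. The outside peer 203.0.113.5 and the peer port 40000 are constructed sample values; `permitted_source_ports` enumerates the ports the policy intends to expose, which is the list a defender would compare against what is actually reachable from outside.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    sports: Optional[PortRange]     # None = any source port
    dst: ipaddress.IPv4Network
    dports: Optional[PortRange]     # None = any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i + 1] == "0.0.0.0":          # wildcard 0.0.0.0 means a single host
        return ipaddress.ip_network(tokens[i] + "/32"), i + 2
    # Cisco wildcard masks are host masks, which ipaddress accepts directly.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_ports(tokens: List[str], i: int) -> Tuple[Optional[PortRange], int]:
    """Parse an optional 'eq N' or 'range A B' qualifier at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        p = int(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return None, i


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the body of an 'ip access-list extended' block into entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue        # skip the header line, blank lines and remarks
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sports, i = _parse_ports(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dports, i = _parse_ports(tokens, i)
        entries.append(AclEntry(action, proto, src, sports, dst, dports))
    return entries


def _in_range(port: int, rng: Optional[PortRange]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First-match evaluation with the implicit deny that ends every IOS ACL."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if (src in e.src and dst in e.dst
                and _in_range(pkt.sport, e.sports) and _in_range(pkt.dport, e.dports)):
            return e.action
    return "deny"


def permitted_source_ports(acl: List[AclEntry], host: str, proto: str,
                           peer: str = "203.0.113.5") -> Set[int]:
    """Source ports on `host` for which the ACL permits `proto` traffic to an outside peer."""
    return {p for p in range(1, 65536)
            if evaluate(acl, Packet(proto, host, p, peer, 40000)) == "permit"}


# The ACL from the question, and the "placeholder" ACL tried afterwards (both as posted).
ACL_NAT_STATIC = parse_acl("""ip access-list extended ACL_NAT_STATIC
 permit tcp host 192.168.1.200 eq 443 any
 permit udp host 192.168.1.200 eq 5060 any
 permit udp host 192.168.1.200 range 10000 20000 any""")

PLACEHOLDER_ACL = parse_acl("""ip access-list extended ACL_NAT_STATIC
 permit ip host 255.255.255.255 any""")

if __name__ == "__main__":
    outbound = Packet("udp", "192.168.1.200", 5060, "203.0.113.5", 5060)
    inbound = Packet("udp", "203.0.113.5", 5060, "192.168.1.200", 5060)
    print("PBX -> outside SIP:", evaluate(ACL_NAT_STATIC, outbound))   # permit
    print("outside -> PBX SIP:", evaluate(ACL_NAT_STATIC, inbound))    # deny: ACL keys on source
    print("intended TCP ports:", sorted(permitted_source_ports(ACL_NAT_STATIC, "192.168.1.200", "tcp")))
    print("intended UDP port count:", len(permitted_source_ports(ACL_NAT_STATIC, "192.168.1.200", "udp")))
```

Run it and compare the intended port set against a reachability check performed from outside against X.X.X.123: any port answering beyond TCP 443, UDP 5060 and UDP 10000-20000 confirms the one-to-one behaviour described in the question, and the inbound result shows that the ACL as written cannot be the thing restricting outside-to-inside traffic, since such packets never match a line that requires source host 192.168.1.200.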

Federico Coto F... Mon, 02/15/2010 - 11:58
Hi,


Can you test applying the route-map to the incoming interface as well? (not only applied to the STATIC NAT statement).


Federico.

Sergey Yakovets Tue, 02/16/2010 - 07:08
Hi,


Just a route-map with only a "match ip address" statement and no "set" statements?
