NAT static translations with route-map (e.g. port range static NAT)

Sergey Yakovets
Level 1

Hi guys,

IOS version: c1841-advsecurityk9-mz.124-3c.bin

I've been trying to publish my internal IP PBX to the Internet and want to make port translations only for specific ports and port ranges, for security reasons.

Since I have TCP and UDP ports that need to be translated, I can't use the well-known solution using rotary IP pools, which works only for TCP.

I found a solution based on using route-maps to specifically indicate what should be taken into account while creating the static translation:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html

This document explains how to manipulate static NAT translations for outgoing connections, but does not explain how incoming connections will be affected.

So, I created a config:

ip nat inside source static 192.168.1.200 X.X.X.123 route-map RMAP_NAT_STATIC
!
route-map RMAP_NAT_STATIC permit 10
 match ip address ACL_NAT_STATIC
!
ip access-list extended ACL_NAT_STATIC
 permit tcp host 192.168.1.200 eq 443 any
 permit udp host 192.168.1.200 eq 5060 any
 permit udp host 192.168.1.200 range 10000 20000 any

Well, this config is supposed to statically map ONLY ports TCP 443, UDP 5060 and UDP 10000-20000 from 192.168.1.200 to the public address X.X.X.123. Because of the ACL, incoming connections to other ports should not be statically translated.

It looks correct, but the problem is that even with the route-map statement in the ip nat inside source line, 192.168.1.200 is translated as a simple one-to-one LocalIP-ExtIP translation: ALL(!) TCP/UDP ports 1-65535.

I'm confused. People at this link also noticed such behaviour:

http://slaptijack.com/networking/cisco-nat-and-port-range-resolution/

Well, the interesting thing is that even if I delete all statements in ACL_NAT_STATIC, or have something like this in the ACL:

ip access-list extended ACL_NAT_STATIC
 permit ip host 255.255.255.255 any

in order to create a "placeholder" and theoretically turn off any static translation, I will still have a one-to-one unrestricted translation...

What am I doing wrong, or is it some malfunction in IOS?

Thanks in advance.
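Whatever the route-map on the static entry turns out to do, the exposure the poster is worried about (every port of the PBX reachable through X.X.X.123) is usually controlled with an explicit inbound filter on the outside interface, and that can be verified independently of the NAT table. The following configuration is an added example, not the poster's config or Cisco's documentation; interface names (FastEthernet0/0 outside, FastEthernet0/1 inside) and the ACL name ACL_OUTSIDE_IN are assumptions, and X.X.X.123 is the poster's public address kept as a placeholder.

```cisco
! Added example, not from the original post.
! Assumptions: FastEthernet0/0 is the outside interface, FastEthernet0/1 the inside one.
!
! Per-port static translations for the single ports. This form exists in IOS and
! publishes exactly one protocol/port pair per line; it does not cover ranges.
ip nat inside source static tcp 192.168.1.200 443 X.X.X.123 443 extendable
ip nat inside source static udp 192.168.1.200 5060 X.X.X.123 5060 extendable
!
! Inbound filter on the outside interface. For outside-to-inside traffic IOS
! checks the inbound access list before the NAT translation is applied, so the
! entries reference the public (global) address, not 192.168.1.200.
ip access-list extended ACL_OUTSIDE_IN
 permit tcp any host X.X.X.123 eq 443
 permit udp any host X.X.X.123 eq 5060
 permit udp any host X.X.X.123 range 10000 20000
 ! Return traffic for sessions initiated from the inside is not covered here;
 ! on this advsecurityk9 image that is normally handled with ip inspect (CBAC).
 deny   ip any any log
!
interface FastEthernet0/0
 ip nat outside
 ip access-group ACL_OUTSIDE_IN in
!
interface FastEthernet0/1
 ip nat inside
```

To check the result, `show ip nat translations | include 192.168.1.200` lists which translations actually exist for the PBX, and `show ip access-lists ACL_OUTSIDE_IN` shows per-entry hit counts, so a probe against a port outside the permitted set should increment the final deny line (and log) rather than create a translation.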

2 Replies

Hi,

Can you test applying the route-map to the incoming interface as well? (not only applied to the STATIC NAT statement).

Federico.

Hi,

Just a route-map with only "match ip address" statement and no "set" statements?
