NAT every port on a public IP to a particular port on a private IP?

Unanswered Question
May 31st, 2010

Need to NAT all ports on a given public IP to a particular port on a private IP, on a router platform.

For example: public IP 1.1.1.1, ports 1-65XXX, get forwarded to private IP 10.1.1.1 port 8888.

Thanks and Regards.

Ganesh Hariharan Tue, 06/01/2010 - 00:21

Check out the link below for port forwarding using NAT:


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml


Hope this helps!!


Ganesh.H


Remember to rate the helpful post

Calin Chiorean Tue, 06/01/2010 - 01:13

Hi there!


You configure it like this.


On the public interface (1.1.1.1)

ip nat outside

On the internal interface (10.1.1.x)

ip nat inside


then


ip nat inside source static tcp 10.1.1.1 8888 1.1.1.1 8888 extendable


This is a one-to-one port translation.


Now, either you want this, or you typed something wrong, but if you need all the ports 1-65535 to be forwarded to one internal IP, that's more of a DMZ concept and you can achieve it like this:


ip nat inside source static 10.1.1.1 1.1.1.1


Then everything that comes to the external 10.1.1.1 is forwarded automatically to 1.1.1.1.


I hope this helps!

ciscohamid Tue, 06/01/2010 - 03:41

Thank you guys for your reply, but you didn't get what I wanted to convey.

In the case of static NAT, there will be a one-to-one mapping between ports, like 1.1.1.1:8080 translates to the corresponding port 10.1.1.1:8080.

8888 to 8888

9999 to 9999

etc.


But what I am looking for is that every port on the public IP gets translated to a particular port on the private IP, like

8888 to 8888

9999 to 8888

80     to 8888


etc.

I hope I am clear this time.


Thanks.

Calin Chiorean Tue, 06/01/2010 - 06:15

Maybe it's not my business, but why do you want such a thing?

That would mean that everything which arrives on the NAT router (TCP, UDP, different ports and so on...) will be forwarded to one internal IP on one port (10.1.1.1:8888 if you want). What application/process can you run on 10.1.1.1 that listens on 8888 and understands all that traffic?


Now, if you use:

ip nat inside source static 10.1.1.1 1.1.1.1

You will forward all the traffic to 1.1.1.1, but you cannot control the ports, as the decision is made at L3.


With:

ip nat inside source static tcp 10.1.1.1 8888 1.1.1.1 8888 extendable

You are making the decision at L4 and you can control the ports, but you need about 65535 rules, multiplied by 2 (TCP and UDP) if you want ALL the ports.


Of course for 3-4 ports it is OK, and it would be something like this:


ip nat inside source static tcp 10.1.1.1 8888 1.1.1.1 8888 extendable

ip nat inside source static tcp 10.1.1.1 8888 1.1.1.1 80 extendable

ip nat inside source static tcp 10.1.1.1 8888 1.1.1.1 9999 extendable


I don't know of Cisco supporting a command like:

ip nat inside source static tcp 10.1.1.1 8888 1.1.1.1 1-65535 extendable


Calin

ciscohamid Wed, 06/02/2010 - 05:12

Dear Calin,

I appreciate your input, thanks.

Would anyone else like to add something towards the resolution of this task?

Thanks

Ronit Bhattacharjee Wed, 06/02/2010 - 13:33

Calin already gave you a resolution:



ip nat inside source static tcp 10.1.1.1 8888 1.1.1.1 1 extendable

ip nat inside source static tcp 10.1.1.1 8888 1.1.1.1 2 extendable

ip nat inside source static tcp 10.1.1.1 8888 1.1.1.1 3 extendable


Do the same for all ports till 65535 and do the same all over for UDP. I guess by this time your router DRAM would be crying and your NVRAM would be shot to hell.


The reason why there's no easier way to do this is because no one wants to do this. The requirement is ridiculous, because no application works like this.


If you have specific requirements, it would be better if you develop your own OS for this (or maybe a new OSI standard)
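To make the L3-versus-L4 distinction Calin draws and the brute-force per-port listing Ronit describes concrete, here is an added Python model. It is example code written for this page, not from the thread, from Cisco or from IOS itself: it parses the two `ip nat inside source static` forms quoted above, simulates which inside address and port an inbound packet would be sent to under each form, and generates the full per-port list so the entry count is visible. The accepted syntax, the `Packet`/`StaticNat` types and the lookup order (port-specific entries consulted before the whole-address entry) are assumptions of the model, not a description of IOS internals.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two IOS static NAT forms quoted in this thread (assumed grammar; the
# optional "extendable" keyword is accepted and ignored by the model):
#   ip nat inside source static <inside-local> <inside-global>
#   ip nat inside source static {tcp|udp} <inside-local> <lport> <inside-global> <gport> [extendable]
_L3_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)$")
_L4_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)(?: extendable)?$"
)


@dataclass(frozen=True)
class Packet:
    """An inbound packet as seen on the 'ip nat outside' interface (constructed type)."""
    proto: str      # "tcp" or "udp"
    dst_ip: str     # the public (inside-global) address it was sent to
    dst_port: int


@dataclass(frozen=True)
class StaticNat:
    inside_local: str
    inside_global: str
    proto: Optional[str] = None        # None: whole-address (L3) entry
    local_port: Optional[int] = None
    global_port: Optional[int] = None

    @property
    def is_port_entry(self) -> bool:
        return self.proto is not None


def parse_ios_static(line: str) -> StaticNat:
    """Parse one 'ip nat inside source static ...' line into a StaticNat."""
    line = " ".join(line.split())          # normalise whitespace
    m = _L4_RE.match(line)
    if m:
        proto, local, glob_, lport, gport = m.group(1), m.group(2), m.group(4), m.group(3), m.group(5)
        return StaticNat(local, glob_, proto, int(lport), int(gport))
    m = _L3_RE.match(line)
    if m:
        local, glob_ = m.groups()
        return StaticNat(local, glob_)
    raise ValueError(f"unsupported static NAT line: {line!r}")


def translate_inbound(rules: List[StaticNat], pkt: Packet) -> Optional[Tuple[str, int]]:
    """Return the (inside_local, inside_port) the packet is sent to, or None if
    no entry matches.  Port-specific (L4) entries are tried before whole-address
    (L3) entries: an assumption of this model that the more specific entry wins."""
    for rule in sorted(rules, key=lambda r: not r.is_port_entry):
        if rule.inside_global != pkt.dst_ip:
            continue
        if rule.is_port_entry:
            if rule.proto == pkt.proto and rule.global_port == pkt.dst_port:
                return rule.inside_local, rule.local_port
        else:
            # L3 entry: only the address is rewritten and the port is preserved,
            # which is why it cannot collapse every public port onto 8888.
            return rule.inside_local, pkt.dst_port
    return None


def all_ports_to_one_config(inside_local: str, inside_port: int, inside_global: str,
                            protos=("tcp", "udp"), first=1, last=65535) -> List[str]:
    """The brute-force listing from the thread: one L4 entry per public port and
    protocol, every one of them landing on the same inside port."""
    return [
        f"ip nat inside source static {proto} {inside_local} {inside_port} "
        f"{inside_global} {port} extendable"
        for proto in protos
        for port in range(first, last + 1)
    ]


if __name__ == "__main__":
    whole_ip = parse_ios_static("ip nat inside source static 10.1.1.1 1.1.1.1")
    one_port = parse_ios_static(
        "ip nat inside source static tcp 10.1.1.1 8888 1.1.1.1 80 extendable")
    for pkt in (Packet("tcp", "1.1.1.1", 80), Packet("tcp", "1.1.1.1", 9999)):
        print(pkt, "->", translate_inbound([whole_ip, one_port], pkt))
    cfg = all_ports_to_one_config("10.1.1.1", 8888, "1.1.1.1")
    print(f"{len(cfg)} static entries needed; first: {cfg[0]}")
```

Running it shows the point of the thread: with the whole-address entry a packet to 1.1.1.1:9999 lands on 10.1.1.1:9999 (port untouched), a single `static tcp` entry redirects exactly one port, and covering every port for both protocols takes 131070 separate entries, which is the configuration size Ronit is warning about.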
