Is it possible for PAT to pick a different port for different destinations coming from a single sour...

albertho · ‎08-07-2010

I have PAT configured (pooled) on a single external IP (11.102.35.39)

Here's the translation

Pro Inside global Inside local Outside local Outside global

udp 11.102.35.39:50573 192.168.103.17:50573 11.230.248.149:16385 11.230.248.149:16385

udp 11.102.35.39:50573 192.168.103.17:50573 11.230.248.149:16386 11.230.248.149:16386

udp 11.102.35.39:50573 192.168.103.17:50573 11.230.248.150:16387 11.230.248.150:16387

I would like outgoing traffic to 11.230.248.150 to be a from a totally different port than 50573

(e.g.):

udp 11.102.35.39:50573 192.168.103.17:50573 11.230.248.149:16385 11.230.248.149:16385

udp 11.102.35.39:50573 192.168.103.17:50573 11.230.248.149:16386 11.230.248.149:16386

udp 11.102.35.39:<not 50573> 192.168.103.17:<not 50573> 11.230.248.150:16387 11.230.248.150:16387

I'm writing some NAT punch through software, and I need a configuration that does the above so I can simulate symmettric NAT conditions. I've been pulling my hair out for weeks trying to find a solution for this. I'm currently using a Cisco Series 892 router.

gatlin007 · ‎08-07-2010

I've never tried this command, but it may be worth a try if you are running IOS that supports it. I found it in IOS 12.4.

ip nat service port-randomization

###########

ip nat service

To specify a port other than the default port, use the ip nat service command in global configuration mode. To disable the port, use the no form of this command.

ip nat service {H225 | allow-h323-even-rtp-ports | allow-h323-keepalive | allow-sip-even-rtp-ports | allow-skinny-even-rtp-ports | fullrange {tcp | udp} port port-number | list {access-list-number | access-list-name} {ESP spi-match | IKE preserve-port | ftp tcp port port-number} | alg {tcp | udp} dns | allow-multipart | enable-mib | mgcp | nbar | port-randomization | ras | rtsp | sip {tcp | udp} port port-number | skinny tcp port port-number}

no ip nat service {H225 | allow-h323-even-rtp-ports | allow-h323-keepalive | allow-sip-even-rtp-ports | allow-skinny-even-rtp-ports | fullrange {tcp | udp} port port-number | list {access-list-number | access-list-name} {ESP spi-match | IKE preserve-port | ftp tcp port port-number} | alg {tcp | udp} dns | allow-multipart | enable-mib | mgcp | nbar | port-randomization | ras | rtsp | sip {tcp | udp} port port-number | skinny tcp port port-number}

Syntax Description


H225	H.323-H.225 protocol.
allow-h323-even-rtp-ports	Even-numbered RTP ports for the H.323 protocol.
allow-h323-keepalive	H.323 keepalive.
allow-sip-even-rtp-ports	Even-numbered RTP ports for the Session Initiation Protocol (SIP).
allow-skinny-even-rtp-ports	Even-numbered RTP ports for the skinny protocol.
fullrange	All available ports. The range is from 1 to 65535.
tcp	TCP.
udp	User Datagram Protocol (UDP).
port port-number	Port other than the default port in the range from 1 to 65533.
list access-list-number	Standard access list number in the range from 1 to 199.
access-list-name	Name of a standard IP access list.
ESP	Security Parameter Index (SPI) matching IPsec pass-through.
spi-match	SPI matching IPsec pass-through. The ESP endpoints must also have SPI matching enabled.
IKE	Preserve Internet Key Exchange (IKE) port, as required by some IPsec servers.
preserve-port	Preserve the UDP port in IKE packets.
ftp	FTP.
mgcp	Media gateway control protocol (MGCP).
alg {tcp \| upd} dns	Enables Domain Name Service (DNS) processing with an Application-Level Gateway (ALG) for either TCP or UDP.
allow-multipart	SIP multipart processing.
enable-mib	Enables NAT MIB support.
nbar	Network-Based Application Recognition.
port-randomization	Ports are allocated randomly for NAT, instead of sequentially.
ras	H.323-RAS (Registration, Admission, and Status) protocol.
rtsp	Real Time Streaming Protocol. This protocol is enabled by default on port 554 and requires NBAR.
sip	Session Initiation Protocol (SIP). This protocol is enabled by default on port 5060.
skinny	Skinny protocol.

Command Default

RTSP is enabled and requires NBAR.
SIP is enabled on port 5060.
H.323 even-numbered RTP port allocation is enabled.
SIP even-numbered RTP port allocation is enabled.
Skinny even-numbered RTP port allocation is enabled.
Port randomization is disabled.
DNS ALG processing is enabled for TCP and UDP.
SIP multipart processing is disabled.

Command Modes

Global configuration (config)

Command History


Release	Modification
11.3	This command was introduced.
12.1(5)T	The skinny keyword was added.
12.2(8)T	The sip keyword was added.
12.2(15)T	The ESP and spi-match keywords were added to enable SPI matching on outside IPsec gateways. The ike and preserve-port keywords were added to enable outside IPsec gateways that require IKE source port 500.
12.3(7)T	The rtsp and mgcp keywords were added.
12.3(11)T	The allow-sip-even-rtp-ports keyword was added.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.4	The nbar keyword was added.
12.4(24)T	The port-randomization keyword was added.
15.0(1)M	The alg, dns, and allow-multipart keywords were added.
15.0(1)M2	The enable-mib keyword was added.
15.0(1)M3	The enable-mib keyword was removed.
15.0(1)S	This command was integrated into Cisco IOS Release 15.0(1)S.

Usage Guidelines

A host with an FTP server using a port other than the default port can have an FTP client using the default FTP control port. When a port other than the default port is configured for an FTP server, Network Address Translation (NAT) prevents FTP control sessions that are using port 21 for that particular server. If an FTP server uses the default port and a port other than the default port, both ports need to be configured using the ip nat service command.

NAT listens on the default port of the Cisco CallManager to translate the skinny messages. If the CallManager uses a port other than the default port, that port needs to be configured using the ip nat service command.

Use the no ip nat service H225 command to disable support of H.225 packets by NAT.

Use the no ip nat service allow-h323-even-rtp-ports command to force odd-numbered RTP port allocation for H.323.

Use the no ip nat service allow-sip-even-rtp-ports command to force odd-numbered RTP port allocation for SIP.

Use the no ip nat service allow-skinny-even-rtp-ports command to force odd-numbered RTP port allocation for the skinny protocol.

Use the no ip nat service rtsp command to disable support of RTSP packets by NAT. RSTP uses port 554.

By default SIP is enabled on port 5060; therefore NAT-enabled devices interpret all packets on this port as SIP call messages. If other applications in the system use port 5060 to

Nagaraja Thanthry · ‎08-07-2010

Hello,

Can you please explain "I would like outgoing traffic to 11.230.248.150 to be a from a totally different port than 50573" part? Also, are you using dynamic PAT on the router? Please post relevant configurations here so it would be easier to analyze what you require.

Regards,

NT

albertho · ‎08-07-2010

Thanks.

Essentially I want all my outgoing traffic to be port address translated on a different port when I talk to different destinations. The current config has my client using the same port. My current traffic, for example, will use a single port (e.g., 50573) when talking to two different destinations. I want a different port for each different destination.

Here is the snippet of my configuration:

interface FastEthernet8

ip address 172.16.1.1 255.255.255.0

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface Vlan2

description $FE0-PoE$

ip address 192.168.102.1 255.255.255.0

ip access-group acl-vlan2 in

ip access-group 102 out

ip nat inside

ip inspect rtrfirewall in

ip virtual-reassembly

!

ip nat pool fe8load1 172.16.1.11 172.16.1.11 prefix-length 24

ip nat pool fe8nat1 172.16.1.20 172.16.1.23 prefix-length 24

ip nat inside source list 61 interface FastEthernet8 overload

Nagaraja Thanthry · ‎08-07-2010

Hello,

Are you looking to configure NAT such that when the traffic goes to .150

address the source port should be changed to something other than 50573?

Typically, the port assignment is done by the router and the router assigns

the first available port unless you have configured a port-map. Also, all

port assignments are symmetric in nature i.e. if the destination device

returns traffic to that public IP with that port, the router will translate

it back to the internal device. Can you check to see if you have enabled

endpoint agnostic symmetric port allocation on the router?

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_endpoi

ntagnostic_ps6441_TSD_Products_Configuration_Guide_Chapter.html

You can try the following:

access-list 199 permit ip host 192.168.103.17 host 11.230.248.150

access-list 10 permit host 192.168.103.17

route-map NAT

match ip address 199

ip nat inside source list 10 route-map NAT interface overload

Hope this helps.

Regards,

NT

albertho · ‎08-07-2010

Thanks for your response. Ultimately what I'm trying to do is to configure my router as a symmetric NAT:

http://www.cisco.com/web/about/ac123/ac147/images/ipj/ipj_7-3/anatomy_figure_5.gif

[from article]

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-3/anatomy.html

Nagaraja Thanthry · ‎08-07-2010

Hello,

By default the router will act as a symmetric NAT device. It will allow only the device that was contacted by the inside device to respond on that port. I think you might have configured Endpoint Agnostic Port Allocation feature on the router. Can you check your configuration to see if "ip nat service enable-sym-port" command is present? If it is, can you remove it and then check the port allocation again?

Hope this helps.

Regards,

NT

albertho · ‎08-07-2010

Hi. I appreciate your patience in helping me with this issue. I've been chasing this issue for a month now...

ip nat service enable-sym-port is not in the configuration. I believe that the default behavior of the router does not do symmettric nat because it does not prevent traffic from the same destination address but different port. I can confirm this because we test servers in the cloud that can do exactly what is described in the diagram below.

If you look at the diagram of the symmettric nat, it shows that this should not happen. If you look at Host B in the diagram, you'll notice that the device was able to talk to Host B on port 90. However, if Host B tries to communicate back via port 91, it is blocked.

http://www.cisco.com/web/about/ac123/ac147/images/ipj/ipj_7-3/anatomy_figure_5.gif

I was asking on how to configure PAT so that every call to a destination results in a different source. If I can get PAT to behave this way then our servers will not be able to initiate traffic back to the device.

Thanks.

Nagaraja Thanthry · ‎08-08-2010

Hello Albert,

What code version you are running on the router?

Regards,

NT

Nagaraja Thanthry · ‎08-08-2010

Hello,

Also, can you post here the router configuration (x out all public IP/user

information)?

Regards,

NT

albertho · ‎08-08-2010

Hi Nagaraja.

Version:

Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 15.0(1)M2, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Compiled Thu 11-Mar-10 04:36 by prod_rel_team

Config:

router#show config

Using 10276 out of 262136 bytes

!

! Last configuration change at 05:26:24 UTC Mon Jul 19 2010 by me

!

version 15.0

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname RTR892K9-A

!

boot-start-marker

boot system flash c890-universalk9-mz.150-1.M2.bin

boot-end-marker

!

logging buffered 51200 warnings

!

no aaa new-model

!

crypto pki trustpoint TP-self-signed-2485414680

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2485414680

revocation-check none

rsakeypair TP-self-signed-2485414680

!

crypto pki certificate chain TP-self-signed-2485414680

certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

ip source-route

!

ip dhcp excluded-address 10.10.10.1

!

ip dhcp pool ccp-pool

import all

network 10.10.10.0 255.255.255.248

default-router 10.10.10.1

lease 0 2

!

ip cef

no ip domain lookup

ip domain name yourdomain.com

ip inspect name rtrfirewall tcp

ip inspect name rtrfirewall udp

no ipv6 cef

!

multilink bundle-name authenticated

license udi pid CISCO892-K9 sn FHK142174D0

!