09-11-2013 02:40 PM - edited 03-11-2019 07:37 PM
Someone save me from my confusion.
I'm familiar with the classic use case of NAT/PAT, where internal hosts use many-to-one or one-to-one NAT when going outbound. What I'm not as familiar with is what I can use if I have a 10,000-port range that external hosts request inbound to a host, and I want my firewall to forward that 10,000-port range to a single port.
inbound port range: 10,000-20,000
destination ip: 10.10.10.15 "internal host, public IP accessible IP"
translated port: 440
translated ip: 10.10.10.15 "same as original"
source ip: any "internet"
Basically, port forwarding for a range of ports to a single port.
Where I think I'm getting caught is the basics of TCP/IP, where a client chooses a random port for its source port and sets the destination as the destination port, in my case 10,100. This hits my firewall with the destination port 10,100 and a source port randomly chosen by the client, let's say 4570. The firewall would then say, I want to translate this 10,100 to the destination port of 440 and point it at my internal host 10.10.10.15. When the packet arrives at 10.10.10.15 it arrives with a source port of the now translated port 440. The firewall would not know how to get back to the original client that requested with source port 4570, thus my original request is not possible? This is where I'm at in my mind on why this doesn't work, but then again, I'm thinking that a PAT table could keep track of these connection mappings and broker the connection.
09-11-2013 02:54 PM
Hi,
I would imagine that you would need to have a firewall running a software level 8.3 or newer.
What you could try is the following
object network REAL-HOST
 host 10.10.10.15
object network MAPPED-HOST
 host 1.1.1.1
! "source" in the service objects is the real host's port: the rule is written
! from the inside host's perspective and the ASA applies it in both directions,
! so inbound traffic to the mapped range is matched on its destination port
object service REAL-PORT
 service tcp source eq 440
object service MAPPED-PORT-RANGE
 service tcp source range 10000 20000
nat (inside,outside) source static REAL-HOST MAPPED-HOST service REAL-PORT MAPPED-PORT-RANGE
Where the 1.1.1.1 is the public NAT IP address.
This configuration would essentially mean that any connection coming to the destination IP address 1.1.1.1 on the destination port TCP/10000 - 20000 would be forwarded to the actual host 10.10.10.15 on destination port TCP/440.
I have personally never had the need to even think about a configuration like this, so I am not sure what you are going to use this for. That being said, I have not tested this other than with the "packet-tracer" command to test that it performs as it's supposed to.
- Jouni
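To make the question in the first post concrete, here is a small simulation of what a stateful firewall's translation table has to do for the rule in the reply above. It is an added example, not code from the thread or from Cisco: it keeps a table keyed on the outside client's source ip:port, rewrites inbound TCP 10000-20000 on 1.1.1.1 to 10.10.10.15:440, and uses the table to put the original public port back into the reply. The client address 203.0.113.7 and the collision handling are constructed assumptions of the simulation, not a statement of how the ASA behaves.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Just the TCP/IP header fields that NAT cares about."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class ForwardRule:
    """Static port-range forward: mapped_ip:mapped_ports -> real_ip:real_port."""
    mapped_ip: str
    mapped_ports: range
    real_ip: str
    real_port: int


class Firewall:
    def __init__(self, rule: ForwardRule) -> None:
        self.rule = rule
        # Translation table. Key: the outside client (ip, port).
        # Value: the public (ip, port) the client originally dialled, which
        # is what the reply must carry as its source after untranslation.
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Returns the rewritten packet, or None if dropped."""
        r = self.rule
        if pkt.dst_ip != r.mapped_ip or pkt.dst_port not in r.mapped_ports:
            return None                      # not covered by the forward rule
        client = (pkt.src_ip, pkt.src_port)
        wanted = (pkt.dst_ip, pkt.dst_port)
        existing = self.table.get(client)
        if existing is not None and existing != wanted:
            # Same client source port, different public port: once both are
            # collapsed onto real_port the inside host would see two identical
            # TCP 4-tuples. This simulation drops the second (assumption); a
            # real box would also have to translate the source port.
            return None
        self.table[client] = wanted
        # Only the destination is rewritten; the client's source ip:port stays.
        return Packet(pkt.src_ip, pkt.src_port, r.real_ip, r.real_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside reply. Untranslates using the table entry."""
        r = self.rule
        if pkt.src_ip != r.real_ip or pkt.src_port != r.real_port:
            return None
        client = (pkt.dst_ip, pkt.dst_port)
        entry = self.table.get(client)
        if entry is None:
            return None                      # no matching inbound connection
        mapped_ip, mapped_port = entry
        # Source becomes the public ip:port the client originally dialled.
        return Packet(mapped_ip, mapped_port, pkt.dst_ip, pkt.dst_port)

    def close(self, client_ip: str, client_port: int) -> None:
        """Forget a connection (a real firewall does this on FIN/RST or timeout)."""
        self.table.pop((client_ip, client_port), None)


def demo() -> Tuple[Optional[Packet], Optional[Packet], Optional[Packet]]:
    """Walk one connection through: SYN in, SYN/ACK back, then a collision."""
    fw = Firewall(ForwardRule("1.1.1.1", range(10000, 20001), "10.10.10.15", 440))
    # Constructed client address (TEST-NET-3) with the source port from the question.
    syn = Packet("203.0.113.7", 4570, "1.1.1.1", 10100)
    to_inside = fw.inbound(syn)
    reply = fw.outbound(Packet("10.10.10.15", 440, "203.0.113.7", 4570))
    # Same client, same source port, different public port -> collision.
    clash = fw.inbound(Packet("203.0.113.7", 4570, "1.1.1.1", 10200))
    return to_inside, reply, clash


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The reply works because the table remembers which public port the client dialled, not because anything in the packet carries it. The collapsed range also shows the caveat: every connection lands on the inside host as client:port -> 10.10.10.15:440, so the public port the client chose is invisible to the server and cannot be used to distinguish clients.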
09-11-2013 03:30 PM
I'll test in the lab this evening. I'm testing this as an option to funnel SIP traffic to a single service port, thinking it could increase security, but in the end, if I have to open a 10,000-port range for the translation to function, I've ultimately done nothing to increase security.