Reverse PAT/NAT?

pele_cisco
Level 1

Someone save me from my confusion.

I'm familiar with the classic use case of NAT/PAT, where internal hosts use many-to-one or one-to-one NAT when going outbound. What I'm not as familiar with is what I can use if I have a 10,000 port range that external hosts request inbound to a host and I want my firewall to forward that 10,000 port range to a single port.

inbound port range: 10,000-20,000
destination IP: 10.10.10.15 "internal host, public IP accessible IP"
translated port: 440
translated IP: 10.10.10.15 "same as original"
source IP: any "internet"

Basically, port forwarding for a range of ports to a single port.

Where I think I'm getting caught is at the basics of TCP/IP, where a client chooses a random port for its source port and sets the destination as the destination port, in my case 10,100. This hits my firewall with the destination port 10,100 and a source port randomly chosen by the client, let's say 4570. The firewall would then say, I want to translate this 10,100 to the destination port of 440 and point it at my internal host 10.10.10.15. When the packet arrives at 10.10.10.15 it arrives with a source port of the now translated port 440. The firewall would not know how to get back to the original client that requested with source port 4570, thus my original request is not possible? This is where I'm at in my mind on why this doesn't work, but then again, I'm thinking that a PAT table could keep track of these connection mappings and broker the connection.

2 Replies

Jouni Forss
VIP Alumni

Hi,

I would imagine that you would need to have a firewall running a software level 8.3 or newer.

What you could try is the following:

object network REAL-HOST
 host 10.10.10.15
object network MAPPED-HOST
 host 1.1.1.1
object service REAL-PORT
 service tcp source eq 440
object service MAPPED-PORT-RANGE
 service tcp source range 10000 20000
nat (inside,outside) source static REAL-HOST MAPPED-HOST service REAL-PORT MAPPED-PORT-RANGE

Where the 1.1.1.1 is the public NAT IP address.

This configuration would essentially mean that any connection coming to the destination IP address 1.1.1.1 on the destination port TCP/10000 - 20000 would be forwarded to the actual host 10.10.10.15 on destination port TCP/440.

I have personally never had the need to even think about a configuration like this, so I am not sure what you are going to use this for. That being said, I have not tested this other than with the "packet-tracer" command to test that it performs as it's supposed to.

- Jouni
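The part the original question stumbles on (how replies find their way back to the client once the destination port has been rewritten) is the firewall's connection table, not the NAT rule itself. The rule above only rewrites the destination address and port; the client's own source IP and source port are left alone, and the firewall records the original mapped port per connection so it can untranslate the reply. The following Python model is an added illustration of that behaviour, not ASA code and not from either poster; it uses the addresses and ports from the thread (1.1.1.1, 10.10.10.15, TCP/10000-20000, TCP/440), and the client address 203.0.113.7 is a constructed documentation value.

```python
"""Toy model of a stateful firewall forwarding an inbound TCP port range
(1.1.1.1:10000-20000) to a single port (10.10.10.15:440) and untranslating
the replies. Constructed example for illustration; it is not ASA code."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "1.1.1.1"          # MAPPED-HOST in the thread's config
REAL_HOST = "10.10.10.15"      # REAL-HOST
MAPPED_RANGE = range(10000, 20001)   # MAPPED-PORT-RANGE (inclusive)
REAL_PORT = 440                # REAL-PORT (the host's listening port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortRangeNAT:
    """Static destination NAT plus the per-connection state an ASA keeps."""

    def __init__(self) -> None:
        # Connection table: (client ip, client port) -> mapped port the
        # client originally connected to. A real firewall keys on the full
        # 5-tuple; the client side alone is enough for this model.
        self.conns: Dict[Tuple[str, int], int] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite only the destination; keep the client's
        source IP and port untouched. Returns None when the rule does not match
        (a packet to 1.1.1.1 outside the range is simply not translated)."""
        if pkt.dst_ip != PUBLIC_IP or pkt.dst_port not in MAPPED_RANGE:
            return None
        self.conns[(pkt.src_ip, pkt.src_port)] = pkt.dst_port
        return Packet(pkt.src_ip, pkt.src_port, REAL_HOST, REAL_PORT)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: the host replies from 440 to the client's real
        address and port, so the firewall can look the connection up and put
        the original mapped port back as the source port."""
        if pkt.src_ip != REAL_HOST or pkt.src_port != REAL_PORT:
            return None
        mapped_port = self.conns.get((pkt.dst_ip, pkt.dst_port))
        if mapped_port is None:
            return None  # no state for this flow: nothing to untranslate
        return Packet(PUBLIC_IP, mapped_port, pkt.dst_ip, pkt.dst_port)


def exposed_port_count() -> int:
    """How many public TCP ports the rule opens toward the host. This is the
    point of the follow-up in the thread: funnelling a range onto one port
    does not shrink the external attack surface, because the whole range
    still has to be reachable through the firewall."""
    return len(MAPPED_RANGE)


def walk_through() -> Tuple[Packet, Packet]:
    """Replay the exchange from the question: client port 4570 -> 1.1.1.1:10100."""
    fw = PortRangeNAT()
    request = Packet("203.0.113.7", 4570, PUBLIC_IP, 10100)
    to_host = fw.inbound(request)
    reply = Packet(REAL_HOST, REAL_PORT, "203.0.113.7", 4570)
    to_client = fw.outbound(reply)
    return to_host, to_client


if __name__ == "__main__":
    inside, back = walk_through()
    print("delivered to host :", inside)
    print("returned to client:", back)
    print("public ports opened:", exposed_port_count())
```

Running it shows the packet reaching the host as 203.0.113.7:4570 -> 10.10.10.15:440 and the reply leaving as 1.1.1.1:10100 -> 203.0.113.7:4570, so the client sees a normal answer from the port it connected to. It also shows why the original poster's security concern in the follow-up is justified: the rule still leaves 10,001 public ports answering, so the exposure is the range, not the single internal port.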

I'll test in the lab this evening. I'm testing this as an option to funnel SIP traffic to a single service port, thinking it could increase security, but in the end if I have to open a 10,000 port range for the translation to function, I've ultimately done nothing to increase security.
