Cisco Support Community
Community Member

Reverse PAT/NAT?

Someone save me from my confusion.

I'm familiar with the classic use case of NAT/PAT, where internal hosts use many-to-one or one-to-one NAT when going outbound. What I'm not as familiar with is what I can use if I have a 10,000-port range that external hosts request inbound to a host, and I want my firewall to forward that 10,000-port range to a single port.

inbound port range: 10,000-20,000

destination ip: "internal host, public IP accessible IP"

translated port: 440

translated ip: "same as original"

source ip: any "internet"

Basically, port forwarding for a range of ports to a single port.

Where I think I'm getting caught is on the basics of TCP/IP, where a client chooses a random port for its source port and sets the destination as the destination port, in my case 10,100. This hits my firewall with the destination port 10,100 and a source port randomly chosen by the client, let's say 4570. The firewall would then say, I want to translate this 10,100 to the destination port of 440 and point it at my internal host. When the packet arrives, it arrives with a source port of the now translated port 440. The firewall would not know how to get back to the original client that requested with source port 4570, thus my original request is not possible? This is where I'm at in my mind on why this doesn't work, but then again, I'm thinking that a PAT table could keep track of these connection mappings and broker the connection.

Super Bronze

Reverse PAT/NAT?


I would imagine that you would need to have a firewall running a software level 8.3 or newer.

What you could try is the following:

object network REAL-HOST
 host <real-host-ip>
! <real-host-ip> is a placeholder for the internal host's real address (not given in the post)

object network MAPPED-HOST
 host <public-nat-ip>
! <public-nat-ip> is a placeholder for the public NAT IP address (not given in the post)

object service REAL-PORT
 service tcp source eq 440

! object name corrected to match the nat statement below
object service MAPPED-PORT-RANGE
 service tcp source range 10000 20000

nat (inside,outside) source static REAL-HOST MAPPED-HOST service REAL-PORT MAPPED-PORT-RANGE

Where the is the public NAT IP address.

This configuration would essentially mean that any connection coming to the destination IP address on the destination port TCP/10000 - 20000 would be forwarded to the actual host on destination port TCP/440.

I have personally never had the need to even think about a configuration like this, so I am not sure what you are going to use this for. That being said, I have not tested this other than with the "packet-tracer" command to test that it performs as it's supposed to.

- Jouni
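To make the return-path question in the original post concrete, here is a small Python model of the stateful connection table that sits behind a static port-range rule like the one above; it is an added example, not ASA code or anything posted in this thread. The addresses and ports are constructed (RFC 5737 documentation ranges), the rule only rewrites the destination so the client's source port 4570 is kept, and the reply is untranslated from the stored connection entry rather than from anything in the packet itself.

```python
from dataclasses import dataclass

# Constructed values (RFC 5737 documentation ranges), not from the thread.
PUBLIC_IP = "198.51.100.10"         # stands in for MAPPED-HOST
REAL_IP = "10.1.1.10"               # stands in for REAL-HOST
MAPPED_RANGE = range(10000, 20001)  # inbound TCP/10000-20000
REAL_PORT = 440                     # single real port on the inside host


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticRangePAT:
    """Minimal model of the connection (xlate) state a stateful firewall keeps."""

    def __init__(self):
        # real-side view (client_ip, client_port) -> mapped port the client hit
        self.conns = {}

    def inbound(self, pkt):
        """Outside -> inside: rewrite only the destination; keep the client's source port."""
        if pkt.dst_ip != PUBLIC_IP or pkt.dst_port not in MAPPED_RANGE:
            return None  # rule does not match, nothing is translated
        key = (pkt.src_ip, pkt.src_port)
        if key in self.conns and self.conns[key] != pkt.dst_port:
            # Same client ip:port to a second mapped port would look identical
            # to the real host (client:port -> 10.1.1.10:440); the model refuses it.
            return None
        self.conns[key] = pkt.dst_port
        return Packet(pkt.src_ip, pkt.src_port, REAL_IP, REAL_PORT)

    def outbound(self, pkt):
        """Inside -> outside: untranslate a reply using the stored connection."""
        if pkt.src_ip != REAL_IP or pkt.src_port != REAL_PORT:
            return None
        mapped_port = self.conns.get((pkt.dst_ip, pkt.dst_port))
        if mapped_port is None:
            return None  # no existing connection: the real host cannot initiate
        return Packet(PUBLIC_IP, mapped_port, pkt.dst_ip, pkt.dst_port)


def demo():
    """The OP's example: client port 4570 to mapped port 10100, then the reply."""
    fw = StaticRangePAT()
    to_host = fw.inbound(Packet("203.0.113.5", 4570, PUBLIC_IP, 10100))
    to_client = fw.outbound(Packet(REAL_IP, REAL_PORT, "203.0.113.5", 4570))
    return to_host, to_client
```

Note that every one of the 10,001 mapped ports reaches the same real service through a static rule, so the model also shows why the range adds exposure rather than security, and the collision check is this model's own caveat, not a statement about ASA behaviour.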

Community Member

Reverse PAT/NAT?

I'll test in the lab this evening. I'm testing this as an option to funnel SIP traffic to a single service port, thinking it could increase security, but in the end if I have to open a 10,000-port range for the translation to function, I've ultimately done nothing to increase security.
