Mixed NAT

noakley
Level 1

Can someone please advise if it is possible to do the following. I have a Cisco router attached on one interface to a broadband connection that provides 32 public IP host addresses. On the local connection I want to offer a NAT service overloaded to one of the public IP addresses and pass through to local hosts the public host addresses. I have this working providing mixed static and dynamic NAT; however, ideally I would like to offer a range of 192.168.1.x NAT addresses and 195.147.x.x public addresses on the same port.

Thanks

4 Replies

mdoldan
Level 1

If you want to permit connectivity from the Internet to specific hosts within your network (not recommended) you must use a static one to one translation.

The NAT overload is known as Port Address Translation (PAT). Some applications (such as VPN) may have issues with PAT. (Cisco uses a wrapper technology to mitigate the PAT issue on their VPN).

PAT works by assigning specific high port values (above 1024) to outbound requests. This permits multiple internal hosts to originate from a single IP address. The router maintains a table of the port translations and is therefore able to direct responses to the appropriate host.

None of this translates the external address the client is connecting to so your hosts should be seeing the "public host addresses" when connecting. Unless you have configured a NAT/PAT of Internet addresses as well.

An example conversation:

Inside Host 192.168.1.100 originating from port 3000

connects to

198.133.219.25 on port 80 (HTTP)

NAT/PAT changes source IP address to 195.147.1.100 and source port 6513 and forwards on to 198.133.219.25 on port 80

198.133.219.25 receives packet on port 80 and responds to 195.147.1.100 on port 6513

NAT/PAT receives response from 198.133.219.25 originating from port 80 and destined to 195.147.1.100 on port 6513

NAT/PAT translates destination address to 192.168.1.100 and destination port to 3000 and forwards the packet on to the inside host.

Inside host receives response from 198.133.219.25 originating from port 80 and destined to 192.168.1.100 on port 3000
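The translation table the reply describes, and the difference between the static one-to-one mapping recommended for inbound connections and the overload (PAT) mapping, as an added example that is not part of the original thread or any Cisco code. The addresses and ports are the ones used in the conversation above; the static mapping 192.168.1.10 -> 195.147.1.101 and the starting PAT port 6513 are constructed assumptions so the numbers match the post.

```python
"""Toy NAT/PAT translation-table model (added example, not from the thread).

Assumptions (not from the original post): the router overloads onto
195.147.1.100, one inside host 192.168.1.10 has a static one-to-one
mapping to 195.147.1.101, and PAT ports are handed out sequentially
starting at 6513 so the first flow reproduces the post's numbers.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, overload_ip: str, static_map: Dict[str, str],
                 first_pat_port: int = 1024) -> None:
        self.overload_ip = overload_ip
        self.static = dict(static_map)                      # inside -> public
        self.static_rev = {v: k for k, v in static_map.items()}
        self.next_port = first_pat_port
        # PAT state, keyed both ways so we can translate in either direction.
        # outbound key: (inside_ip, inside_port, dst_ip, dst_port) -> public_port
        self.out_table: Dict[Tuple[str, int, str, int], int] = {}
        # inbound key: (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def _allocate_port(self) -> int:
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source address (and port under PAT)."""
        # Static one-to-one: only the address changes; the port is preserved.
        if pkt.src_ip in self.static:
            return Packet(self.static[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        # PAT (overload): one public address, a distinct port per flow.
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_table:
            pub_port = self._allocate_port()
            self.out_table[key] = pub_port
            self.in_table[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.overload_ip, self.out_table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Returns None when the packet has no translation and is dropped."""
        # Static mapping: anything sent to the public address is delivered to the inside
        # host, whether or not it initiated the conversation. This is why the reply above
        # pairs static NAT with an ACL that limits which ports are reachable.
        if pkt.dst_ip in self.static_rev:
            return Packet(pkt.src_ip, pkt.src_port, self.static_rev[pkt.dst_ip], pkt.dst_port)
        # PAT: only a response to a flow already in the table can be mapped back.
        entry = self.in_table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def walk_through() -> Dict[str, Optional[Packet]]:
    """Replay the conversation from the post plus the static and unsolicited cases."""
    r = NatRouter("195.147.1.100", {"192.168.1.10": "195.147.1.101"}, first_pat_port=6513)
    out = r.outbound(Packet("192.168.1.100", 3000, "198.133.219.25", 80))
    back = r.inbound(Packet("198.133.219.25", 80, out.src_ip, out.src_port))
    # A second inside host using the same source port gets its own public port.
    out2 = r.outbound(Packet("192.168.1.101", 3000, "198.133.219.25", 80))
    # Unsolicited packet to the overload address: no table entry, dropped.
    unsolicited = r.inbound(Packet("203.0.113.5", 40000, "195.147.1.100", 443))
    # Unsolicited packet to the static address: delivered to the mapped host.
    to_static = r.inbound(Packet("203.0.113.5", 40000, "195.147.1.101", 22))
    return {"out": out, "back": back, "out2": out2,
            "unsolicited": unsolicited, "to_static": to_static}


if __name__ == "__main__":
    for name, pkt in walk_through().items():
        print(f"{name:12} {pkt if pkt else 'DROPPED'}")
```

Real IOS tries to keep the original source port under overload and only rewrites it on a collision; the sequential allocation here just reproduces the numbers in the post. The model also leaves out entry timeouts and the protocols the thread later runs into (IPsec ESP carries no port numbers for the table to key on).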

Thanks for your help, but I need to know what happens on a static translation. The issue is as follows. I have a user who wants to connect to a VPN server which is on the public internet. The VPN application they are using is Checkpoint SecureRemote. When he tries to connect, the key exchange works fine but the company firewall rejects any subsequent packets. My suspicion is that this is due to the fact they have been altered through the NAT process. So the question is: will using static translations overcome this problem, or can I transparently forward the connection through the router and use a public IP address on my local network whilst also providing a NAT'd service on the same network?

I believe that a static NAT with an ACL to limit what ports to what addresses you need for this VPN to work should do the trick. Do you have any IDS sensors? If not, make sure you log your hits to the ACL so you can track the traffic on the outside. You want to limit the exposure to the statically NATed addresses.

I hope this is helpful.

Still struggling with this. Tried a static NAT and the remote VPN firewall is still rejecting the session. It does the key exchange fine, then ignores everything else. SecureRemote and the firewall are configured to be NAT aware and they work fine with other NAT implementations. I know it is not preferable, but is there any way to transport a public IP host address across the router transparently? The ADSL bridge the router is connected to provides 32 public IP addresses and I want to be able to access one of these on the private side of the router transparently.

Basically I want on the private network side on a single ethernet interface to provide a NAT range 192.168.x.x overloaded to a single public IP address (I know how to do that) and also let a host with a public IP address 195.147.x.x get straight through the router transparently without any address translation.

Thanks for your help with this