We have a 1720 router with an ethernet interface in subnet 192.168.1.0/24. We have a device on this subnet with IP address of 192.168.1.50, which we are NATting into 10.216.1.2 as it goes to the outside interface and then across the WAN. This portion is working fine.
This device (192.168.1.50) wants to initiate a TCP session with a server across the WAN, with IP address of 184.108.40.206, port # 4444. We need to translate this destination port # of 4444, in the 1720 router, to a different number. How can we do this in the 1720? I am enclosing portions of the config, and a sample show command output.
Router config from 1720, followed by show command output:
service timestamps debug uptime
service timestamps log uptime
logging buffered 4096 debugging
memory-size iomem 25
no ip domain-lookup
ip dhcp excluded-address 192.168.1.1 192.168.1.25
ip dhcp excluded-address 192.168.1.240 192.168.1.254
!
ip dhcp pool store-inside-dhcp-pool
network 192.168.1.0 255.255.255.0
lease 0 1
description 56K Frame Relay
no ip address
encapsulation frame-relay IETF
logging event subif-link-status
logging event dlci-status-change
frame-relay lmi-type cisco
interface Serial0.101 point-to-point
description Mini Store PVC to SAL HDQ DS1-5057889
ip address 10.216.255.2 255.255.255.252
ip nat outside
frame-relay interface-dlci 101
interface Serial0.102 point-to-point
description Mini Store Shadow PVC to DS1-3555060
ip address 10.216.255.6 255.255.255.252
ip nat outside
frame-relay interface-dlci 102
ip address 10.216.1.1 255.255.255.0 secondary
ip address 192.168.1.254 255.255.255.0
ip accounting output-packets
ip nat inside
no ip address
ip nat outside
dialer rotary-group 1
async default routing
async mode interactive
no cdp enable
ip address negotiated
ip nat outside
dialer string 918884477089
no cdp enable
ppp authentication pap callin
router eigrp 1
distribute-list 30 out
ip nat pool store-inside 10.216.1.13 10.216.1.14 netmask 255.255.255.240
ip nat inside source list 3 pool store-inside overload
ip nat inside source static 192.168.1.50 10.216.1.2 extendable
ip route 0.0.0.0 0.0.0.0 10.215.6.1 220
ip route 10.215.6.1 255.255.255.255 Dialer1 220
no ip http server
access-list 3 permit 192.168.0.0 0.0.255.255
access-list 20 deny 0.0.0.0
access-list 20 deny 10.215.6.0 0.0.0.255
access-list 20 deny 192.168.0.0 0.0.255.255
access-list 20 permit any
access-list 30 deny 0.0.0.0
access-list 30 deny 10.215.0.0 0.0.255.255
access-list 30 deny 192.168.0.0 0.0.255.255
access-list 30 permit any
access-list 75 permit 10.216.1.0 0.0.0.255 log
access-list 75 permit 192.168.1.0 0.0.0.255 log
access-list 100 deny eigrp any any
access-list 100 deny ip any host 220.127.116.11
access-list 100 deny udp any any eq ntp
access-list 100 deny ip any host 255.255.255.255
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
access-list 100 permit ip any any
dialer-list 1 protocol ip list 100
line con 0
exec-timeout 60 0
line aux 0
modem autoconfigure type usr_sportster
transport input all
line vty 0 4
no scheduler allocate
MiniStore#show ip nat trans
Pro Inside global Inside local Outside local Outside global
--- 10.216.1.2 192.168.1.50 --- ---
16:52:04: NAT: i: tcp (192.168.1.50, 1861) -> (18.104.22.168, 4444) 
16:52:04: NAT: s=192.168.1.50->10.216.1.2, d=22.214.171.124 
16:52:10: NAT: i: tcp (192.168.1.50, 1861) -> (126.96.36.199, 4444) 
16:52:10: NAT: s=192.168.1.50->10.216.1.2, d=188.8.131.52 
You might want to check this out:
This is for translating at the receiving end. Haven't found an equivalent for the sending end.
We have tried the following:
ip nat outside source static tcp 184.108.40.206 8401 220.127.116.11 4444
This did not work as we had hoped it would. The originator of the session is the device on the inside interface in the 1721, and the 18.104.22.168 device is its destination. Everything I have read shows the session originating from the outside interface to the inside interface, when using nat outside as above. We want to originate from the inside, and change the destination port as it goes outside.
Yes, all of the example configs where I have seen a destination port being translated was done at the receiving end. I don't think the command you tried above is a valid one. But why is it important that the port be translated outbound? As long as it gets translated before it hits 22.214.171.124 on the inbound side, what's the difference? Is something looking at that port before it gets to the server? Or do you not have a means to do it on the inbound side? Or do you not like the fact that the source port of the server will also be translated as a consequence of translating the destination port on the inbound side?
Here is what we are trying to accomplish, and why.
We will be installing a 1721 router in each of our 230+ stores. We will also install a controller at each store, attached to the 1721 ethernet interface. This controller will come to us preconfigured with the following info:
IP address - 192.168.1.50
Destination IP address 126.96.36.199
Destination port 4444
Every controller will have this same config info, thus we can use any controller at any store, without having to customize the controller.
The controller will initiate a session to the 188.8.131.52 server. However, each request that hits the 184.108.40.206 server from a store's 1721 router, must have a unique port number. So what we are hoping to do, is to have the 1721 router translate the destination port number of 4444, to a unique number by store (1 per 1721 router). In this router's case, we want to translate the destination port from 4444 to 8401, before it leaves the 1721 router, and have it translated back by the 1721 router when the return packet comes back.
The 220.127.116.11 server's application is requiring the unique destination port for each store.
Therefore, when the packet starts out from the store's 1721 router, with source of 192.168.1.50, and destination of 18.104.22.168 4444, we want the 1721 router to change this to source 10.216.x.x and destination 22.214.171.124 8xxx, where the 10.216.x.x will be unique by 1721, and the 8xxx will be unique by 1721. Hope this helps explain what and why.
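To make the intended translation concrete, here is a small Python model of the two NAT rules a store router would carry (an added example, not from the thread and not IOS code); the server address 203.0.113.10, the 8401 store port and the 1861 source port are constructed placeholders.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self) -> "Flow":
        # The server's reply swaps the endpoints of the packet it answers.
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)

@dataclass(frozen=True)
class StoreNat:
    """Model (constructed, not IOS itself) of the two rules on one store router:
    ip nat inside source static <inside_local> <inside_global>
    ip nat outside source static tcp <server_ip> <store_port> <server_ip> <controller_port>"""
    inside_local: str      # controller address, 192.168.1.50 at every store
    inside_global: str     # 10.216.x.x, unique per store
    server_ip: str         # placeholder for the thread's server address
    controller_port: int   # 4444, burned into every controller
    store_port: int        # 8xxx, unique per store

    def inside_to_outside(self, f: Flow) -> Flow:
        # Inside-source rule rewrites the source address; the outside-source
        # rule rewrites the controller's fixed destination port to the store port.
        if f.src_ip == self.inside_local:
            f = replace(f, src_ip=self.inside_global)
        if f.dst_ip == self.server_ip and f.dst_port == self.controller_port:
            f = replace(f, dst_port=self.store_port)
        return f

    def outside_to_inside(self, f: Flow) -> Flow:
        # The same two rules applied in reverse to the reply from the WAN.
        if f.src_ip == self.server_ip and f.src_port == self.store_port:
            f = replace(f, src_port=self.controller_port)
        if f.dst_ip == self.inside_global:
            f = replace(f, dst_ip=self.inside_local)
        return f

def round_trip(nat: StoreNat, f: Flow) -> tuple[Flow, Flow]:
    """Return (flow as the server sees it, reply as the controller sees it)."""
    on_wire = nat.inside_to_outside(f)
    return on_wire, nat.outside_to_inside(on_wire.reply())

def server_sees_unique_endpoints(stores: list[StoreNat]) -> bool:
    # The thread's requirement: each store reaches the server as a distinct pair.
    seen = {(s.inside_global, s.store_port) for s in stores}
    return len(seen) == len(stores)
```

Running `round_trip` on the controller's flow shows the server receiving the store-unique 10.216.x.x/8xxx pair while the controller still sees its reply come back from port 4444.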
That helps quite a bit. I'm no server expert by any means, but I'm surprised that it would require a unique port as opposed to a unique socket - which is comprised of an IP address/TCP port number combination. If every site will appear to the server to have a unique IP through the use of NAT, why worry about the port number? Again, no server expert here, but that does sound a little odd. Think of port 80 and how many times a web server re-uses that with potentially hundreds of unique client IPs at any given moment.
The 1720 router was running IOS 12.1.8a. I loaded IOS 12.2.7c, and it is now working fine. The outbound packet destination port is getting translated per the "ip nat outside source static tcp ..." documentation.
Thank you for your help with this issue.
That must be hot off the presses because it isn't in the 12.2 command reference master index. I'll try it out next time I upgrade. Thanks.