Outside Source NAT Based on Destination Port

b-cunningham
Level 1

Hello,

I am trying to use outside source NAT to modify a source IP address based on destination port for a downstream load balancer and can’t seem to get it to work.  I would like to have my load balancer see the following, and my ftp source to be unaffected.

10.200.41.1 -> 10.150.9.11 eq 20070

10.190.254.6 -> 10.150.9.11 eq 20074

Here’s the config I’m trying to use.

interface FastEthernet0/0
 ip address 10.200.41.105 255.255.255.0
 ip access-group JH1in in
 ip nat outside
!
interface Serial0/1/0
 ip address 10.190.254.6 255.255.255.252
 ip nat inside
!
ip access-list extended JH1in
 permit tcp host 10.200.41.1 host 10.150.9.11 eq 20070
 permit tcp host 10.200.41.1 host 10.150.9.11 eq 20074
 permit tcp host 10.200.41.1 range ftp-data ftp host 10.127.9.42
!
ip access-list extended RT_redir_74
 10 permit tcp host 10.200.41.1 host 10.150.9.11 eq 20074
!
ip nat pool RT-Host-74 10.190.254.6 10.190.254.6 netmask 255.255.255.252
ip nat outside source route-map rt_redir74 pool RT-Host-74
!
route-map rt_redir74 permit 10
 match ip address RT_redir_74

Any suggestions would be greatly appreciated.

Thank you.
Brad

lacirasella
Level 1

hello,

We are facing somewhat the same problem: source NAT based on IP destination.

Have you gone further with this problem?

Thanks

Did any one of you manage to get this working?

Regards.

Peter Paluch
Cisco Employee

Gentlemen,

I have not tried to configure this personally but I see one major problem with this configuration: you are trying to perform NAT to the IP address of the inside interface itself. Now, according to the document at

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

when a packet comes in the "inside-to-outside" direction, the routing is performed first, and only if the packet is deemed to be routed out some "outside" interface, it goes through the NAT process. However, in this case, the response from the internal device will be addressed to the router's inside interface itself. Therefore, the routing will determine that the packet should not be forwarded anywhere, thereby preventing the answer from inside to be ever delivered back.

I suggest changing the IP address in the NAT pool to a separate unused IP address within the scope of the internal interface's network.

Best regards,

Peter

Hi Peter,

I tried doing this with an unused pool of IP addresses but it didn't work.

Regards.

Hi,

Let me ask differently: what are you trying to achieve? What is the goal you want to accomplish?

Best regards,

Peter

Hi,

I want to be able to change the source IP address for traffic that is destined to a certain server inside the network.

The problem is that behind the router I'm configuring there is a firewall that has another router as its default gateway.

So when traffic comes through the router that I want to configure, the reply from the server would go through the ASA and through another router (the default gateway of the ASA).

My idea is to change the source address of the incoming traffic destined for that server to some NAT pool and then have a static route on the ASA for that pool so that it will return the traffic through the router it came from (and not through the ASA's default gateway).

Hello,

This should work:

  1. Use a NAT pool with a unique IP space. Make sure it does not overlap with any other network in your topology.
  2. Define this NAT pool using the add-route keyword. This will create an automatic route for this pool to the NVI0 interface, forcing the return packets through the NAT path.
  3. The remaining configuration is as shown in the original post.
  4. Make sure that the routing towards the network in the NAT pool follows the path back to the NATting router.

An example:

interface FastEthernet0/0
 ip address 10.0.12.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.23.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip nat pool POOL 10.0.13.11 10.0.13.19 netmask 255.255.255.0 add-route
ip nat outside source route-map NAT pool POOL
!
ip access-list extended NAT
 permit tcp host 10.0.23.3 host 10.0.12.1 eq telnet
!
route-map NAT permit 10
 match ip address NAT

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 3 subnets
C       10.0.12.0 is directly connected, FastEthernet0/0
S       10.0.13.0 [0/0] via 0.0.0.0, NVI0
C       10.0.23.0 is directly connected, FastEthernet0/1
R2#

Now, the machine 10.0.23.3 can telnet into 10.0.12.1. The machine 10.0.12.1 has a route towards 10.0.13.0/24 (the NAT pool network) but does not know about the network 10.0.23.0/24, yet the communication succeeds.

Best regards,

Peter
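To make the mechanism in the example above concrete, here is an added Python model of it (not Cisco code and not part of this thread): R2 rewrites the outside host's source address to a pool address only for flows matched by the NAT access list, and the inside server, which knows a route to the pool network but not to the outside network, sends its reply back through R2 rather than its default gateway. The next-hop labels "R2" and "asa-default-gw" and the port numbers are constructed sample values.

```python
import ipaddress
# Constructed model of Peter's example topology (not Cisco code): R2 does
# "ip nat outside source" for 10.0.23.3 -> 10.0.12.1 port 23, pool 10.0.13.11-19.
NAT_ACL = [("10.0.23.3", "10.0.12.1", 23)]  # permit tcp host A host B eq telnet
POOL = ["10.0.13.11", "10.0.13.12"]         # first addresses of "ip nat pool POOL"
def acl_permits(acl, src, dst, dport):
    """Extended-ACL match: every entry is 'permit tcp host src host dst eq port'."""
    return any(src == s and dst == d and dport == p for s, d, p in acl)
class OutsideSourceNat:
    """Outside-source NAT: outside global -> pool (outside local) inbound, undone outbound."""
    def __init__(self, acl, pool):
        self.acl, self.pool, self.table = acl, list(pool), {}

    def outside_to_inside(self, pkt):
        src, dst, sport, dport = pkt
        if not acl_permits(self.acl, src, dst, dport):
            return pkt                          # unmatched traffic (e.g. FTP) untouched
        if src not in self.table:
            self.table[src] = self.pool.pop(0)  # allocate a pool address for this host
        return (self.table[src], dst, sport, dport)

    def inside_to_outside(self, pkt):
        src, dst, sport, dport = pkt
        by_local = {local: glob for glob, local in self.table.items()}
        return (src, by_local.get(dst, dst), sport, dport)  # restore the real address

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs, like a host's routing table."""
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

# Inside server's routes, as in the ASA scenario: default via another gateway,
# only the pool network points back at the NATting router R2 (constructed labels).
SERVER_ROUTES = [("0.0.0.0/0", "asa-default-gw"), ("10.0.13.0/24", "R2")]

def telnet_session():
    """Run one matched flow through R2 and return (inbound, reply next hop, outbound)."""
    nat = OutsideSourceNat(NAT_ACL, POOL)
    inbound = nat.outside_to_inside(("10.0.23.3", "10.0.12.1", 40000, 23))
    reply = ("10.0.12.1", inbound[0], 23, 40000)   # server answers the pool address
    return inbound, next_hop(SERVER_ROUTES, reply[1]), nat.inside_to_outside(reply)

def untranslated_reply_hop():
    """Without NAT the server would answer 10.0.23.3 via its default gateway (asymmetric)."""
    return next_hop(SERVER_ROUTES, "10.0.23.3")
```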

Thank you very much Peter.

I got it working.

That "add-route" was the key but I had to put it at the end of the ip nat command like this:

ip nat outside source route-map NAT pool POOL add-route

When placed at the end of the pool definition like you suggested it didn't work.

Thank you again!

Hello,

I am glad you got it running!

Best regards,

Peter
