With a Cisco 877 Router I want to make a setup in which the outside address is translated when using port forwarding to an the inside address.
The port forwarding is working like it should, but I don't know if it's possible to combine this with the NAT of the outside address. I guess it should have some 'Static NAT' on the outside (ip nat outside source ...) but this has to be combined with an access-list which is already used in combination with the "ip nat inside source"-command...
Can this be done, preferably for specific port translations ?
At the moment the port forwarding is made with the following commands:
ip nat inside source static tcp 192.168.100.2 8234 interface Dialer1 8234
ip nat inside source static udp 192.168.100.2 8234 interface Dialer1 8234
ip nat inside source static tcp 192.168.100.3 4321 interface Dialer1 4321
ip nat inside source static tcp 192.168.100.3 4421 interface Dialer1 4421
Can I establish that for the 4321 & 4421 the 'server' retrieves the address of the router (or one of the NAT-pool) ; and on the other server it may be the original external address (but if this isn't possible ; translation may be always...).
I hope the questions is clear enough, so anyone can help me...
I just labbed this quick to make sure I was going to answer correctly. Per your config above, both servers above will use an IP from the NAT pool you have configured. Only when there is a full NAT will it use the source IP of that NAT statement.
Hope that helps.
Thanks for the reply, but actually I didn't define a pool yet. I'm a not sure what inside or outside is in this matter. For the port mapping I must use the 'nat inside' command (as I translate an inside port) ; but for the pooling I guess it has to be 'nat outside'. But I don't know for sure how to trigger and combine this...
It has also to do with the zone-security the router applied itself that it looks confusing to me. Should I make a simple access-rule for this which is than made more strict by the port mapping or the zone security ?
You'll be source NATing your addresses (inside), so your pool will look something like this-
ip nat inside source list 50 interface dailer0 overload
Then configure the ACL. It should include your internal network(s) that you want NAT'd.
access-list 50 permit 192.168.1.0
I have a line
ip nat inside source list 101 interface Dialer1 overload
and the access-list behind is:
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
but this from inside to outside ; and the outside address isn't translated with this.
Would this require an extra line
access-list 101 permit ip any 192.168.100.0 0.0.0.255
And wouldn't this open everything than ? Or is this where the zone-security applies ?
However, I'm not able to test this before monday, so this is based on the current settings & experience, and the problems I think of...
I don't think we're on the same page. I'm confused on this statement, and the outside address isn't translated with this. Can you explain this in a little more detail?
The line means I would like to have the outside address translated, so the server behind the 'published port' sees the address of the router, i.s.o. the address of the external client.
The real reason is that the router isn't the default gateway for this specific server, so when a unknown address connects (not manually defined in it's routing table), the server tries to use it's default gateway.
An internet client xx.xx.xx.xx connects to the external address of the router yy.yy.yy.yy port 4321
At the moment the router passes this request to 192.168.100.3 port 4321 ; and 192.168.100.3 sees that the request is coming from xx.xx.xx.xx
If the server knows the address xx.xx.xx.xx is behind the router, it'll answer correctly, if he doesn't know it, he'll try to reply via it's default gateway.
So I want to achieve that the server would see the address of the router (192.168.100.1 in this case ; or one defined in a pool so I can make this routable), so the replies also go back to the router (and to the original client).
Gotch ya. Are you having a production problem with this? It should never go to the default gateway, it should go to the router where the connection was established.
I think this is normal behaviour for any device that it won't route back, if the ip-address isn't defined in that path...
(if it would just use the mac-address it might work, but this doesn't seem to be the case, and still, arp-data isn't kept forever).
Maybe it's more that the server drops the connection, because of the fact that it doesn't expect the address at that network card (oops ... writing this reminds me that I didn't mention that the default gateway is on another NIC) ; so it's considered spoofing...
As long as the 2nd NIC on the server and the NAT router are on the same IP subnet, it will work. When a packet goes to the server (and comes from the router) after translation, the source IP will be the router, the source MAC will also be the router. Return traffic for that TCP session will go back to the router and the router will then translate it back to the outside address. To the server, it looks like it's communicating with some machine on the local network.
Sorry I didn't come back to this earlier, but what your writing is not the case with my current config, and exactly the problem I have.
The external address isn't translated ; it's the inside port that is translated with such a config. And I would like to combine them...(internal port translation, and external IP translation)