Destination NAT from inside to outside - DNS Traffic

Hitesh Vinzoda
Level 4

Hi,

I am trying to figure out destination NAT for all DNS traffic, where the destination address can be any public IP traversing the router, and it should get NATted to a specific IP address located on the network beyond the outside interface.

The iptables equivalent configuration is

iptables -t nat -A PREROUTING -p tcp --dport port -j DNAT --to-destination ip:port

Can we have a configuration in Cisco where it just NATs the destination IP address of any UDP traffic on port 80 or 53?

Thanks in advance

Hitesh

Accepted Solution

Hello

Something like this?

access-list 100 permit udp any eq 80 any eq 80
access-list 100 permit udp any eq 53 any eq 53

or

! x.x.x.x = public IP
access-list 100 permit udp any eq 80 host x.x.x.x eq 80
access-list 100 permit udp any eq 53 host x.x.x.x eq 53

ip nat pool LOCAL 192.168.1.1 192.168.1.1 prefix-length 24
ip nat outside source list 100 pool LOCAL

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


Hi Paul,

Thanks for your reply. I tried it and it worked OK.

The access-list has to be as below:

access-list 101 permit tcp any any eq telnet

and it matches the traffic from inside to outside and from outside to inside as well.

Thanks for the hint!


Cheers

Hitesh


Hi There,

I tried this in production, but when traffic is travelling from inside to outside the destination is not being translated.

Any pointers?


TIA

Hitesh


I think this makes more sense:

"The major difference between using the ip nat outside source list command (dynamic NAT) instead of the ip nat outside source static command (static NAT) is that there are no entries in the translation table until the router (configured for NAT) verifies the translation criteria of the packet. In the example above, the packet with the SA 172.16.88.1 (which comes into the outside interface of Router 2514X) satisfies access-list 1, the criteria used by the ip nat outside source list command. For this reason, packets must originate from the outside network before packets from the inside network can communicate with the Router 2514W loopback0 interface"

This means the traffic should be received on the outside interface first; in my case the traffic originates from the inside first.
The other option left is to do inside destination NAT:

Enabling translation of inside destination addresses
ip nat inside destination list <acl> pool <name>

I can't find an option to specify a VRF at the end, as there is for outside source; it looks like the vrf option is only available when we are translating the source?

Any other workaround?

Cheers
Hitesh
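To make the difference in the quoted paragraph concrete, here is an added Python model (not from this thread and not Cisco's or iptables' code) of the two behaviours: an iptables-style PREROUTING DNAT rule, which rewrites the first inside-originated packet, versus dynamic outside source NAT, where a translation entry appears only after an outside-originated packet matches the ACL. Packet, DnatRedirect, OutsideSourceDynamicNat, dns_acl and the sample addresses are all constructed for the illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    direction: str  # "in2out" (inside -> outside) or "out2in"
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

class DnatRedirect:
    """iptables-style PREROUTING DNAT: stateless; rewrites the first matching inside->outside packet."""
    def __init__(self, proto, dport, target_ip):
        self.proto, self.dport, self.target_ip = proto, dport, target_ip

    def translate(self, pkt):
        if pkt.direction == "in2out" and (pkt.proto, pkt.dport) == (self.proto, self.dport):
            return replace(pkt, dst=self.target_ip)
        return pkt

class OutsideSourceDynamicNat:
    """Model of 'ip nat outside source list <acl> pool <pool>': an entry (outside local ->
    outside global) is created only when an outside->inside packet matches the ACL;
    inside->outside packets get their destination translated only if that entry exists."""
    def __init__(self, acl, pool_ip):
        self.acl, self.pool_ip = acl, pool_ip
        self.table = {}  # outside local (pool address) -> outside global (real address)

    def translate(self, pkt):
        if pkt.direction == "out2in":
            if self.acl(pkt):
                self.table[self.pool_ip] = pkt.src
                return replace(pkt, src=self.pool_ip)
            return pkt
        if pkt.dst in self.table:  # inside->outside: needs a prior entry
            return replace(pkt, dst=self.table[pkt.dst])
        return pkt

def dns_acl(pkt):  # stand-in for "permit udp any eq 53 any eq 53" applied to the outside packet
    return pkt.proto == "udp" and pkt.sport == 53

# Constructed sample: an inside host queries an arbitrary public resolver (hypothetical addresses).
QUERY = Packet("in2out", "10.0.0.5", "8.8.8.8", "udp", 51234, 53)

def compare():
    # Destination seen after each model handles QUERY: (DNAT model, IOS outside-source model)
    dnat = DnatRedirect("udp", 53, "192.168.1.1")
    ios = OutsideSourceDynamicNat(dns_acl, "192.168.1.1")
    return dnat.translate(QUERY).dst, ios.translate(QUERY).dst  # ('192.168.1.1', '8.8.8.8')
```

The second value is the behaviour reported above: with dynamic outside source NAT the inside-originated query leaves untranslated, and only after a matching outside->inside packet has created an entry does the reverse direction get rewritten.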
 
 