topic NAT based on the Source IP in Routing and SD-WAN

NAT based on the Source IP

butterfass — Tue, 05 Mar 2019 17:47:59 GMT

Howdy,

I want to setup NAT based on the Source IP.. so let's say

when User A from 111.1.1.11 connects to 155.5.5.5 with port 3389 he should be redirected to Server A 192.168.1.2 Port 3389

when User B from 112.2.2.22 connects to 155.5.5.5 with port 3389 he should be redirected to Server B 192.168.1.3 port 3389

and so on..

I can only use 1 public IP and can't map any ports..

(Currently experimenting on Cisco 2821 with 12.4, but any Cisco IOS Version would do (no ASA though))

I've tried for days now and so far I've only found outdated forum posts without a solution,
I would appreciate if anyone has a link to a solution or can show me an example.

Re: NAT based on the Source IP

paul driver — Fri, 19 Jan 2018 17:14:52 GMT

Hello

Can you clarify the location of server A/B in trlstion to the source hosts

maybe you could provide a small topology

res

paul

Re: NAT based on the Source IP

butterfass — Fri, 19 Jan 2018 17:45:14 GMT

Hi Paul,

thanks for your reply,

I've attached an example.jpg with a small topology to the post, can you see it?

If yes, can you please elaborate on what infos you need?

Greetings

butterfass

Re: NAT based on the Source IP

paul driver — Sat, 20 Jan 2018 08:10:37 GMT

Hello

PBR and nat would be applicable - Can you post your configuration

res
Paul

Re: NAT based on the Source IP

butterfass — Fri, 19 Jan 2018 18:58:29 GMT

I added the NAT rules, but I'm still unable to RDP to the Server, do I need to set anything else? I'm probably missing some kind of ACL i guess?

My config looks like this:

!
interface GigabitEthernet0/0
description WAN
ip address 155.5.5.5 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
ip nat outside source static tcp 111.1.1.11 3389 192.168.1.2 3389 extendable add-route
ip nat outside source static tcp 112.2.2.22 3389 192.168.1.3 3389 extendable add-route
!

Re: NAT based on the Source IP

paul driver — Sun, 21 Jan 2018 10:31:55 GMT

Hello
Okay understand now apologies -
The only issue is that PAT and dual static mapping to the interface(gloabl ip) and port isn't allowed

if you could use another port or additional global ip for of the mapping then it would be applicable and you then could apply some policy based routing to each server

But as you only have one global up You could try the example below using two different ports

Access-list 100 permit ip 192.168.1.0 0.0.0.0.255 any
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 x.x.x.x ( isp next hop)
ip nat inside source list 100 interface GigabitEthernet0/0

ip nat inside source static tcp 192.168.1.3 3389 15.1.1.1 3389

ip nat inside source static tcp 192.168.1.4 3390 15.1.1.1 3390

Lastly if you did have two global ips to use then you could also incorporate some PBR

Like below
access-list 103 permit tcp host 111.1.1.11 host 192.168.1.3 eq 3389
access-list 104 permit tcp host 112.2.2.22 host 192.168.1.4 eq 3389

route-map PBR permit 10
match ip address 103
set ip next hop 192.168.1.3

route-map PBR permit 20
match ip address 104
set ip next hop 192.168.1.4

int gig0/0
Description WAN
ip policy route-map PBR

res
Paul

Re: NAT based on the Source IP

butterfass — Fri, 19 Jan 2018 19:36:33 GMT

Thanks for bearing with me..

Sorry I guess the info I provided were misleading,

for simplification all WAN addresses are on the same subnet (new topology in attachement).

My config looks like this now:

!
interface GigabitEthernet0/0
description WAN
ip address 111.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat outside source static tcp 111.1.1.2 3389 192.168.1.2 3389 extendable add-route
ip nat outside source static tcp 111.1.1.3 3389 192.168.1.3 3389 extendable add-route
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!

(nat inside added the "overload" option automatically)

Re: NAT based on the Source IP

paul driver — Fri, 19 Jan 2018 19:48:39 GMT

Hello

when you initiate the connection from the outside hosts can you access the internal servers?

Can you post the output from

sh ip nat translations

res
Paul

Re: NAT based on the Source IP

butterfass — Fri, 19 Jan 2018 20:06:01 GMT

No I can't estabish a connection at all, the output is this:

Pro Inside global   Inside local   Outside local          Outside global
tcp ---                  ---       192.168.1.2:3389    111.1.1.2:3389
tcp ---                  ---               192.168.1.3:3389   111.1.1.3:3389

Re: NAT based on the Source IP

butterfass — Fri, 19 Jan 2018 20:36:13 GMT

Also I just noticed that I'm now getting a "Duplicate address 192.168.1.2 on GigabitEthernet0/1"

Re: NAT based on the Source IP

paul driver — Sat, 20 Jan 2018 20:18:52 GMT

Hello

For now and testing proposes remove the static nat entries and confirm you are initiating the connection from OUTSIDE your network and not inside

Do you have reachability to 155.5.5.5 and can you ping 155.5.5.5 ?

Please review the previous configuration i posted -

res
Paul

Re: NAT based on the Source IP

butterfass — Fri, 19 Jan 2018 22:01:46 GMT

Ok, i deleted the static entry for 111.1.1.3.

My test setup consists of 2x windows clients, of which I change the IPs accordingly to test the NAT configuration:

Currently it is setup as:

Client A on OUTSIDE interface with IP: 111.1.1.2/24 can ping OUTSIDE interface 111.1.1.1

and

Server A on INSIDE interface with IP: 192.168.1.2/24 can ping INSIDE interface 192.168.1.1

however when i try to establish a RDP session from Client A to 111.1.1.1 nothing happens. (RDP is functional on the machine/no Firewall or sth like that..)

Re: NAT based on the Source IP

butterfass — Sun, 21 Jan 2018 19:23:39 GMT

Oh, I did not see that you answered already, I always just checked the bottom of the page...

I was afraid you'd say that, unfortunately I need multiple static mappings for the same IP.
The initial idea was that due to a large number of users, not everyone had to be provided with their own IP.

Thank you very much for your help and the tip with PAT/PBR!