NAT from outside in

Doug Charboneau
Level 1

We have a public address scheme that is a .224, so we have a handful of addresses. We currently NAT overload to distribute addresses to our users for the internet. But we use the rest of our addresses for web servers and such. I am trying to figure out how I can NAT an outside address with a specific port to an inside address with the original port. But I also need the inside address, when browsing to the web, to PAT to the regular outside IP.

Fictional addresses below, but you get the idea.

So I want 192.168.0.5 -> 67.0.1.5 going to and from the internet

But I also want 67.0.1.7:55556 -> 192.168.0.5:55556      

I thought that setting up a nat (outside,inside) would do it. If I am on the right track, help point me in the right direction.

There is a nat (inside,outside) after-auto source dynamic any interface dns at the end for all outgoing traffic.

1 Accepted Solution

Julio Carvajal
VIP Alumni

Hello Doug,

All you need is the following NAT:

    object network HTTP_Server
     host 192.168.12.2
    object network Outside_HTTP_Server
     host 3.3.3.3
    object service HTTP_Real
     service tcp source eq 80
    object service HTTP_Fake
     service tcp source eq 1880
    nat (inside,outside) 1 source static HTTP_Server Outside_HTTP_Server service HTTP_Real HTTP_Fake

Remember the ACL on the outside interface permitting traffic to 192.168.12.2 eq 80

The fake port was 1880 in my example

The Dynamic NAT you already have there will do the rest

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
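
The twice-NAT pattern from the accepted solution, applied to the fictional addresses in the question (67.0.1.7:55556 to 192.168.0.5:55556), as an added example that is not from any poster in this thread. The object names, the ACL name OUTSIDE_IN and the 198.51.100.10 test address are assumptions; the interface names inside and outside come from the thread, and the syntax is for ASA 8.3 or later.

```text
! Added example; object names, ACL name and test address are assumptions.
! Real (inside) host and the public address that fronts it
object network SRV_REAL
 host 192.168.0.5
object network SRV_MAPPED
 host 67.0.1.7
!
! "source eq" because the server is the source in the (inside,outside) direction
object service SVC_TCP_55556
 service tcp source eq 55556
!
! Section 1 (manual) NAT: only TCP 55556 on 192.168.0.5 maps to 67.0.1.7:55556.
! Every other flow from 192.168.0.5 falls through to the existing
! after-auto dynamic PAT rule, so normal browsing is unchanged.
nat (inside,outside) source static SRV_REAL SRV_MAPPED service SVC_TCP_55556 SVC_TCP_55556
!
! Outside ACL matches the real (inside) address and only the forwarded port.
! If an ACL is already applied inbound on outside, add the permit line to
! that ACL instead of binding a new one with access-group.
access-list OUTSIDE_IN extended permit tcp any host 192.168.0.5 eq 55556
access-group OUTSIDE_IN in interface outside
!
! Verify inbound: expect an UN-NAT phase to 192.168.0.5/55556 and an ACL permit
packet-tracer input outside tcp 198.51.100.10 40000 67.0.1.7 55556
! Verify outbound browsing: expect the dynamic PAT rule, not the static one
packet-tracer input inside tcp 192.168.0.5 40000 198.51.100.10 443
! Hit counters show which rule each flow actually matched
show nat detail
```

Keeping the ACL entry to the single forwarded port means the static translation exposes nothing else on 192.168.0.5 to the outside.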


5 Replies

Jouni Forss
VIP Alumni

Hi,

If I understood you correctly, you want

  • To have host 192.168.0.5 use PAT interface IP address for Internet traffic
  • To have host 192.168.0.5 reachable through the PAT interface IP address from the Internet with port 55556 (TCP or UDP or both?)


If this is true then you could configure

For TCP

    object network STATIC-PAT-TCP55556
     host 192.168.0.5
     nat (inside,outside) static interface service tcp 55556 55556

For UDP

    object network STATIC-PAT-UDP55556
     host 192.168.0.5
     nat (inside,outside) static interface service udp 55556 55556

This should work if there is no other NAT configuration that might potentially overlap this configuration and make it therefore useless.

Naturally this can be confirmed with testing after configurations or showing us the configurations.

Hope this helps

Please remember to mark the question as answered if it did and/or rate helpful answers.

Naturally ask more if needed.

- Jouni

This evening after hours I will give this a try. Thank you for your help.

Doug Charboneau
Level 1

Your explanation was great. Thank you for your help.

Hello Doug,

My pleasure to help

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC