PAT limitation

lcaruso
Level 6

Hi,

I'm pretty sure the answer to this is that only one-to-one NAT will do, but in case I've missed a trick, please let me know. I have several internal devices that need to use PAT (due to limited global IP addresses) as shown below, where incoming tcp 2201 is translated to ssh and directed to the first device, tcp 2201 gets translated and directed to the 2nd device, and so on.

object network device1
 host 10.1.10.35
 nat (inside,outside) static 12.x.y.z service tcp 22 2201
object network device2
 host 10.2.10.35
 nat (inside,outside) static 12.x.y.z service tcp 22 2202
object network device3
 host 10.3.10.35
 nat (inside,outside) static 12.x.y.z service tcp 22 2203

The vendor of these devices would like to see the return traffic, which is not ssh but udp 500 and udp 4500, egress the same address above 12.x.y.z

Is there a way to do that without one-to-one NAT?

Accepted Solution

Hello,

Well, as the outbound connection will be in place because of the inbound connection, as you said, there is no way to make that happen.

Sorry to tell you that my friend

Merry Christmas

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


3 Replies

Julio Carvajal
VIP Alumni

Hello,

So why don't you perform destination port-forwarding, but in this case saying that any packet sourced from port 500 or 4500 looks like 12.x.y.z?

Also, what do you mean by a reply? Are those packets going to start in the outside world, or will these devices start the ISAKMP connections?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

My example description is wrong, but maybe you picked up on that.

From the outside inbound...

tcp 2201 translates to ssh and is sent to device1

tcp 2202 ssh to device2

tcp 2203 ssh to device3

These devices accept ssh connections and then initiate a tunnel outbound with udp 500 and udp 4500.

Given the PAT config already in place, I'm not sure how to code your suggestion.

Can you give me an example?
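To make the thread's point concrete, here is an added Python model (not from the thread, and not Cisco's NAT implementation) of how the three "static ... service" object-NAT rules in the question match flows in each direction. It assumes the documentation-range address 203.0.113.10 in place of 12.x.y.z and a constructed peer address 198.51.100.7, and it models only these three rules: a flow for which it returns None is simply not covered by them and would be handled by whatever other NAT rules the ASA has (or left untranslated), which the model does not represent.

```python
# Added illustration of how "nat (inside,outside) static <ip> service tcp 22 <port>"
# object-NAT rules match traffic. Simplified model, not Cisco ASA code: a real ASA
# also evaluates manual/twice NAT sections, rule order, and any other object-NAT
# rules that could match the same hosts.
from dataclasses import dataclass
from typing import Optional, Tuple

# Documentation-range stand-in (constructed) for the thread's 12.x.y.z.
GLOBAL_IP = "203.0.113.10"


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticServiceNat:
    """One 'nat (inside,outside) static <mapped_ip> service <proto> <real_port> <mapped_port>' rule."""
    name: str
    real_ip: str
    mapped_ip: str
    proto: str
    real_port: int
    mapped_port: int


# The three objects from the question, with the global address substituted.
RULES = (
    StaticServiceNat("device1", "10.1.10.35", GLOBAL_IP, "tcp", 22, 2201),
    StaticServiceNat("device2", "10.2.10.35", GLOBAL_IP, "tcp", 22, 2202),
    StaticServiceNat("device3", "10.3.10.35", GLOBAL_IP, "tcp", 22, 2203),
)


def untranslate_inbound(flow: Flow, rules=RULES) -> Optional[Tuple[str, Flow]]:
    """outside -> inside: a packet aimed at the mapped ip/proto/port is rewritten
    to the real host and real port of the matching object."""
    for r in rules:
        if (flow.proto == r.proto and flow.dst_ip == r.mapped_ip
                and flow.dst_port == r.mapped_port):
            return r.name, Flow(flow.proto, flow.src_ip, flow.src_port, r.real_ip, r.real_port)
    return None


def translate_outbound(flow: Flow, rules=RULES) -> Optional[Tuple[str, Flow]]:
    """inside -> outside: the same static rule only applies to packets sourced from
    the real host on the real proto/port (e.g. the ssh server's replies); anything
    else the host sends is not covered by the port-forwarding rule."""
    for r in rules:
        if (flow.proto == r.proto and flow.src_ip == r.real_ip
                and flow.src_port == r.real_port):
            return r.name, Flow(flow.proto, r.mapped_ip, r.mapped_port, flow.dst_ip, flow.dst_port)
    return None


def uncovered_outbound(host_ip: str, ports=(500, 4500), rules=RULES):
    """Return the UDP source ports a host would use for IKE/NAT-T that none of the
    port-forwarding rules map to the global address."""
    return [p for p in ports
            if translate_outbound(Flow("udp", host_ip, p, "198.51.100.7", p), rules) is None]


if __name__ == "__main__":
    peer = "198.51.100.7"   # constructed outside address (the vendor side)
    print(untranslate_inbound(Flow("tcp", peer, 51000, GLOBAL_IP, 2202)))   # ssh to device2
    print(translate_outbound(Flow("tcp", "10.2.10.35", 22, peer, 51000)))    # device2's ssh replies
    print(translate_outbound(Flow("udp", "10.2.10.35", 500, peer, 500)))     # device2's IKE: None
    print(uncovered_outbound("10.2.10.35"))                                  # [500, 4500]
```

Running it shows that inbound tcp/2202 untranslates to 10.2.10.35:22 and that the ssh server's own replies translate back to the global address, but the UDP 500 and 4500 flows the device initiates match none of the port-forwarding rules, which is why that configuration by itself cannot make them egress from 12.x.y.z.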
