Port address translation in 1720 router of TCP destination port

joe.head
Level 1

We have a 1720 router with an ethernet interface in subnet 192.168.1.0/24. We have a device on this subnet with IP address of 192.168.1.50, which we are NATting into 10.216.1.2 as it goes to the outside interface and then across the WAN. This portion is working fine.

This device (192.168.1.50), wants to initiate a TCP session with a server across the WAN, with IP address of 204.194.133.37, port # 4444. We need to translate this destination port # of 4444, in the 1720 router, to a different number. How can we do this in the 1720 ? I am enclosing portions of the config, and a sample show command output.

Router config from 1720, followed by show command output:

version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname MiniStore
!
logging buffered 4096 debugging
!
!
memory-size iomem 25
ip subnet-zero
no ip domain-lookup
ip dhcp excluded-address 192.168.1.1 192.168.1.25
ip dhcp excluded-address 192.168.1.240 192.168.1.254
!
ip dhcp pool store-inside-dhcp-pool
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   lease 0 1
!
!
!
!
interface Serial0
 description 56K Frame Relay
 bandwidth 56
 no ip address
 encapsulation frame-relay IETF
 logging event subif-link-status
 logging event dlci-status-change
 frame-relay lmi-type cisco
!
interface Serial0.101 point-to-point
 description Mini Store PVC to SAL HDQ DS1-5057889
 bandwidth 56
 ip address 10.216.255.2 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 101
!
interface Serial0.102 point-to-point
 description Mini Store Shadow PVC to DS1-3555060
 bandwidth 1
 ip address 10.216.255.6 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 102
!
interface FastEthernet0
 ip address 10.216.1.1 255.255.255.0 secondary
 ip address 192.168.1.254 255.255.255.0
 ip accounting output-packets
 ip nat inside
 speed auto
!
interface Async5
 no ip address
 ip nat outside
 encapsulation ppp
 dialer in-band
 dialer rotary-group 1
 async default routing
 async mode interactive
 no cdp enable
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer in-band
 dialer string 918884477089
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
!
router eigrp 1
 network 10.0.0.0
 distribute-list 30 out
 no auto-summary
 eigrp log-neighbor-changes
!
ip nat pool store-inside 10.216.1.13 10.216.1.14 netmask 255.255.255.240
ip nat inside source list 3 pool store-inside overload
ip nat inside source static 192.168.1.50 10.216.1.2 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 10.215.6.1 220
ip route 10.215.6.1 255.255.255.255 Dialer1 220
no ip http server
!
access-list 3 permit 192.168.0.0 0.0.255.255
access-list 20 deny 0.0.0.0
access-list 20 deny 10.215.6.0 0.0.0.255
access-list 20 deny 192.168.0.0 0.0.255.255
access-list 20 permit any
access-list 30 deny 0.0.0.0
access-list 30 deny 10.215.0.0 0.0.255.255
access-list 30 deny 192.168.0.0 0.0.255.255
access-list 30 permit any
access-list 75 permit 10.216.1.0 0.0.0.255 log
access-list 75 permit 192.168.1.0 0.0.0.255 log
access-list 100 deny eigrp any any
access-list 100 deny ip any host 224.0.0.10
access-list 100 deny udp any any eq ntp
access-list 100 deny ip any host 255.255.255.255
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
access-list 100 permit ip any any
dialer-list 1 protocol ip list 100
!
line con 0
 exec-timeout 60 0
 login
line aux 0
 login
 modem InOut
 modem autoconfigure type usr_sportster
 transport input all
 autoselect during-login
 autoselect ppp
 stopbits 1
 speed 115200
 flowcontrol hardware
line vty 0 4
 login
!
no scheduler allocate
end

MiniStore#show ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 10.216.1.2         192.168.1.50       ---                ---
MiniStore#
16:52:04: NAT: i: tcp (192.168.1.50, 1861) -> (204.194.133.37, 4444) [14786]
16:52:04: NAT: s=192.168.1.50->10.216.1.2, d=204.194.133.37 [14786]
16:52:10: NAT: i: tcp (192.168.1.50, 1861) -> (204.194.133.37, 4444) [14788]
16:52:10: NAT: s=192.168.1.50->10.216.1.2, d=204.194.133.37 [14788]

svermill
Level 4

You might want to check this out:

http://www.cisco.com/warp/public/556/12.html#4

This is for translating at the receiving end. Haven't found an equivalent for the sending end.

We have tried the following:

ip nat outside source static tcp 204.194.133.37 8401 204.194.133.37 4444

This did not work as we had hoped it would. The originator of the session is the device on the inside interface of the 1721, and the 204.194.133.37 device is its destination. Everything I have read shows the session originating from the outside interface to the inside interface when using nat outside as above. We want to originate from the inside and change the destination port as it goes outside.

Yes, all of the example configs where I have seen a destination port being translated were done at the receiving end. I don't think the command you tried above is a valid one. But why is it important that the port be translated outbound? As long as it gets translated before it hits 204.194.133.37 on the inbound side, what's the difference? Is something looking at that port before it gets to the server? Or do you not have a means to do it on the inbound side? Or do you not like the fact that the source port of the server will also be translated as a consequence of translating the destination port on the inbound side?

Here is what we are trying to accomplish, and why.

We will be installing a 1721 router in each of our 230+ stores. We will also install a controller at each store, attached to the 1721 ethernet interface. This controller will come to us preconfigured with the following info:

IP address - 192.168.1.50

Destination IP address 204.194.133.37

Destination port 4444

Every controller will have this same config info, thus we can use any controller at any store, without having to customize the controller.

The controller will initiate a session to the 204.194.133.37 server. However, each request that hits the 204.194.133.37 server from a store's 1721 router, must have a unique port number. So what we are hoping to do, is to have the 1721 router translate the destination port number of 4444, to a unique number by store (1 per 1721 router). In this router's case, we want to translate the destination port from 4444 to 8401, before it leaves the 1721 router, and have it translated back by the 1721 router when the return packet comes back.

The 204.194.133.37 server's application is requiring the unique destination port for each store.

Therefore, when the packet starts out from the store's 1721 router, with source of 192.168.1.50, and destination of 204.194.133.37 4444, we want the 1721 router to change this to source 10.216.x.x and destination 204.194.133.37 8xxx, where the 10.216.x.x will be unique by 1721, and the 8xxx will be unique by 1721. Hope this helps explain what and why.

That helps quite a bit. I'm no server expert by any means, but I'm surprised that it would require a unique port as opposed to a unique socket - which is comprised of an IP address/TCP port number combination. If every site will appear to the server to have a unique IP through the use of NAT, why worry about the port number? Again, no server expert here, but that does sound a little odd. Think of port 80 and how many times a web server re-uses that with potentially hundreds of unique client IPs at any given moment.

The 1720 router was running IOS 12.1.8a. I loaded IOS 12.2.7c, and it is now working fine. The outbound packet destination port is getting translated per the "ip nat outside source static tcp ..." documentation.

Thank you for your help with this issue.
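As an added illustration (not from the thread or from Cisco), the following Python model shows the per-store translation described above: the inside source static entry rewrites the controller's source address, and the outside source static tcp entry rewrites the destination port 4444 to the store's unique 8xxx port on the way out, with both reversed on the server's reply. The packet tuples, the class and the helper names are constructed for this example; the IOS lines it prints mirror the two NAT commands discussed in the thread.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

CONTROLLER_IP = "192.168.1.50"   # identical on every store controller
SERVER_IP = "204.194.133.37"
SERVER_PORT = 4444               # the port every controller dials

class StoreNat:
    """Constructed model of one store's 1721: an inside source static entry for
    the controller plus an outside source static TCP entry for the server port."""

    def __init__(self, inside_global: str, store_port: int):
        self.inside_global = inside_global   # unique 10.216.x.x per store
        self.store_port = store_port         # unique 8xxx per store

    def ios_lines(self):
        return [
            f"ip nat inside source static {CONTROLLER_IP} {self.inside_global} extendable",
            f"ip nat outside source static tcp {SERVER_IP} {self.store_port} {SERVER_IP} {SERVER_PORT}",
        ]

    def inside_to_outside(self, pkt: Packet) -> Packet:
        # Outbound pass: inside local -> inside global on the source, then
        # outside local (4444) -> outside global (store port) on the destination.
        if pkt.src_ip == CONTROLLER_IP:
            pkt = replace(pkt, src_ip=self.inside_global)
        if (pkt.dst_ip, pkt.dst_port) == (SERVER_IP, SERVER_PORT):
            pkt = replace(pkt, dst_port=self.store_port)
        return pkt

    def outside_to_inside(self, pkt: Packet) -> Packet:
        # Return pass: undo both translations so the controller sees the socket it opened.
        if (pkt.src_ip, pkt.src_port) == (SERVER_IP, self.store_port):
            pkt = replace(pkt, src_port=SERVER_PORT)
        if pkt.dst_ip == self.inside_global:
            pkt = replace(pkt, dst_ip=CONTROLLER_IP)
        return pkt

def round_trip(nat: StoreNat, ephemeral_port: int = 1861):
    """Send the controller's SYN out and the server's reply back; return both translated packets."""
    out = nat.inside_to_outside(Packet(CONTROLLER_IP, ephemeral_port, SERVER_IP, SERVER_PORT))
    reply = Packet(out.dst_ip, out.dst_port, out.src_ip, out.src_port)   # server answers the translated tuple
    return out, nat.outside_to_inside(reply)
```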

That must be hot off the presses because it isn't in the 12.2 command reference master index. I'll try it out next time I upgrade. Thanks.