Combine PAT and port forwarding

michal-miac
Level 1

Hi,

I have a network with one router and two hosts, each in a different subnet. For Host 1 (192.168.1.1) to reach Host 2 (192.168.2.2), it must connect to the router's f1/0 interface IP address with destination port 1234. The router should then forward the connection out through its f0/0 interface to Host 2. However, be patient, as the outgoing connection should use the f0/0 interface's source IP address and destination port 5678.

I tried to combine port forwarding and PAT, but it doesn't work. Does anyone have any ideas? Here is my configuration:

# ip nat inside source static tcp 192.168.2.2 5678 interface f1/0 1234
# ip nat inside source list ACL-NAT-CAPABLE interface f0/0 overload
# ip access-list standard ACL-NAT-CAPABLE
# permit 192.168.1.0 0.0.0.255
# int f0/0 - ip nat outside
# int f1/0 - ip nat inside

22 Replies

This is the reason why I told you explicitly: in your project R2 should initiate a connection with R1's f0/0 IP address 10.0.0.1. Let us make no compromise, let us say this is mandatory for my project to work!!

If you want to initiate traffic from R2, then why do you not use ip nat inside instead of ip nat outside? This simple static NAT makes any host on the internet access the internal server using the NAT router's outside interface IP with an L4 port.

So why not ip nat inside?

ip nat outside is configured to hide the outside IP from internal hosts; that is the only use of ip nat outside.

MHM

Yes, there is no problem with it, it does not matter if H1 or H2 is on the internet or in your case R1 or R3, but the crucial point here is to combine PAT with port forwarding. @MHM Cisco World let us simplify it, just try to make the project exactly as I showed you, and you will see that it is not working. But why?

The problem is not using both static and dynamic; the problem is that you use ip nat outside incorrectly.

See the Cisco doc below. It is easy to configure what you need: only configure ip nat inside source static instead of ip nat outside source.

Or use ip nat outside and follow the steps I mentioned before.

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13778-9.html

MHM

@MHM Cisco World I am getting confused.
Why can't you just show me all this config on my topology? I don't understand what you have done before, and it does not work for me. If it is so easy for you, then why don't you just do it with my topology? Here, show me, my friend:

[Attachment: Screenshot from 2024-08-15 10-19-18.png]

Hello


@michal-miac wrote:

Hi,

I have a network with one router and two hosts, each in a different subnet. For Host 1 (192.168.1.1) to reach Host 2 (192.168.2.2), it must connect to the router's f1/0 interface IP address with destination port 1234. The router should then forward the connection out through its f0/0 interface to Host 2. However, be patient, as the outgoing connection should use the f0/0 interface's source IP address and destination port 5678.

Can you elaborate on this? What type of connection do you mean? You do not really require NAT to map a host to a service/application port; this can be accomplished with a port mapping and not NAT.

Example:
access-list 1 permit 192.168.1.1
ip port-map xxx port 5678 list 1

access-list 2 permit 192.168.2.2
ip port-map xxx port 1234 list 2


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi @paul driver ,
I thought that the ip port-map command does not perform port forwarding or port translation. It only informs the router to recognize certain traffic on non-standard ports for specific protocols.



Can you elaborate on this, what type of connection you mean



For test purposes, right now, I am using netcat, or do you mean something else?


@MHM Cisco World was right about the config. The correct config should be:
# ip nat outside source static tcp 192.168.1.2 1234 192.168.2.2 5678
# ip access-list standard ACL-NAT-CAPABLE
# permit 192.168.1.0 0.0.0.255
# ip nat inside source list ACL-NAT-CAPABLE int f0/0 overload

To all you kind people, can you please test this scenario for me on your own labs? Here below is the network diagram.
[Attachment: Screenshot from 2024-08-15 10-19-18.png]

Hello
In your topology you do not require NAT to port forward; the end hosts can be configured to accept traffic on the specific ports you stipulate without using NAT.

NAT is used when you wish to "hide" a network address by masking it with a translated address, and port forwarding can then be used on the NATed address, but the end hosts still need to accept traffic on the ports you stipulate in the translation.

Hence I raised the question: do you really need NAT in this instance?



Kind Regards
Paul

Hi @paul driver 
Which one of these could be left out?
# ip nat outside source static tcp 192.168.1.2 1234 192.168.2.2 5678
Start connection sourced by 192.168.1.1 with destination port 1234 and destination ip address 192.168.1.2 on f1/0. Then router forwards connection to destination ip address 192.168.2.2 and destination port 5678 out of f0/0.
# ip access-list standard ACL-NAT-CAPABLE
# permit 192.168.1.0 0.0.0.255
# ip nat inside source list ACL-NAT-CAPABLE int f0/0 overload
When forwarding the packet out of f0/0 to ip address 192.168.2.2 and destination port 5678, here be careful, with source ip address of f0/0 192.168.2.1

Have a look at the drawing:
[Attachment: Screenshot from 2024-08-15 10-19-18.png]
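The two steps described in the original question and walked through in the post above (destination rewritten by the static outside-source entry, source rewritten by the f0/0 overload) can be modelled as a small translation table. The following is an added example, not code from the thread, Cisco or any poster; it is a simplified assumption about how IOS applies the two translations to one TCP flow, using the thread's own addresses (f1/0 192.168.1.2 as ip nat inside, f0/0 192.168.2.1 as ip nat outside, Host 1 192.168.1.1, Host 2 192.168.2.2). The client port 40000, the PAT starting port 1024 and the stray probe to port 9999 are constructed values.

```python
"""Toy model of a static outside-source port mapping composed with an
inside-source PAT overload on one TCP flow (added example; simplified
assumption about IOS NAT behaviour, not Cisco's implementation)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, tcp port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


class NatRouter:
    """Holds the two translation tables the router builds for this scenario."""

    def __init__(self, outside_if_ip: str, acl_net: str, acl_wildcard: str) -> None:
        self.outside_if_ip = outside_if_ip            # f0/0 address used for overload
        self.acl_net, self.acl_wildcard = acl_net, acl_wildcard
        # 'ip nat outside source static tcp': outside-local -> outside-global
        self.outside_static: Dict[Endpoint, Endpoint] = {}
        # dynamic overload entries: inside-local <-> (f0/0 address, unique port)
        self.pat_fwd: Dict[Endpoint, Endpoint] = {}
        self.pat_rev: Dict[Endpoint, Endpoint] = {}
        self.next_port = 1024                          # constructed starting port

    def add_outside_static(self, outside_local: Endpoint, outside_global: Endpoint) -> None:
        self.outside_static[outside_local] = outside_global

    def _acl_permits(self, ip: str) -> bool:
        """Standard ACL match with an IOS wildcard mask (0 bits must match)."""
        wild = int(ipaddress.IPv4Address(self.acl_wildcard))
        net = int(ipaddress.IPv4Address(self.acl_net))
        return (int(ipaddress.IPv4Address(ip)) & ~wild) == (net & ~wild)

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Packet arriving on the 'ip nat inside' interface (f1/0)."""
        # Step 1 (port forwarding): destination outside-local -> outside-global.
        dst = self.outside_static.get(pkt.dst, pkt.dst)
        # Step 2 (PAT overload): source inside-local -> f0/0 address plus a
        # unique port, only for sources the ACL permits; others keep their address.
        if not self._acl_permits(pkt.src[0]):
            return Packet(pkt.src, dst)
        if pkt.src not in self.pat_fwd:
            inside_global = (self.outside_if_ip, self.next_port)
            self.next_port += 1
            self.pat_fwd[pkt.src] = inside_global
            self.pat_rev[inside_global] = pkt.src
        return Packet(self.pat_fwd[pkt.src], dst)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Return packet arriving on the 'ip nat outside' interface (f0/0).
        With no matching PAT entry there is nothing to translate to, so the
        packet is dropped (None): only flows Host 1 opened get back in."""
        inside_local = self.pat_rev.get(pkt.dst)
        if inside_local is None:
            return None
        reverse_static = {g: l for l, g in self.outside_static.items()}
        return Packet(reverse_static.get(pkt.src, pkt.src), inside_local)

    def translations(self) -> List[Tuple[Endpoint, Endpoint]]:
        """Rough equivalent of 'show ip nat translations' for the overload entries."""
        return sorted(self.pat_fwd.items())


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """Run the thread's flow: Host 1 -> f1/0:1234, forwarded to Host 2:5678."""
    r = NatRouter(outside_if_ip="192.168.2.1", acl_net="192.168.1.0", acl_wildcard="0.0.0.255")
    r.add_outside_static(("192.168.1.2", 1234), ("192.168.2.2", 5678))
    # Constructed client flow from Host 1, ephemeral port 40000.
    out = r.inside_to_outside(Packet(("192.168.1.1", 40000), ("192.168.1.2", 1234)))
    # Host 2 replies to what it saw: the f0/0 address and the PAT port.
    back = r.outside_to_inside(Packet(("192.168.2.2", 5678), out.src))
    # A connection Host 2 opens on its own towards f0/0 has no table entry.
    stray = r.outside_to_inside(Packet(("192.168.2.2", 5678), ("192.168.2.1", 9999)))
    return out, back, stray


if __name__ == "__main__":
    fwd, ret, stray = demo()
    print("out  :", fwd)
    print("back :", ret)
    print("stray:", stray)
```

The model makes the point the thread keeps circling: the overload entry created on the way out is the only thing that lets Host 2's reply back in, so return traffic is matched by the PAT port rather than by any rule on f1/0, and the static entry only decides where the forwarded connection lands.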
