Combine PAT and port forwarding

michal-miac
Level 1

Hi,

I have a network with one router and two hosts, each in a different subnet. For Host 1 (192.168.1.1) to reach Host 2 (192.168.2.2), it must connect to the router's f1/0 interface IP address with destination port 1234. The router should then forward the connection out through its f0/0 interface to Host 2. However, be patient, as the outgoing connection should use the f0/0 interface's source IP address and destination port 5678.

I tried to combine port forwarding and PAT, but it doesn't work. Does anyone have any ideas? Here is my configuration:

# ip nat inside source static tcp 192.168.2.2 5678 interface f1/0 1234
# ip nat inside source list ACL-NAT-CAPABLE interface f0/0 overload
# ip access-list standard ACL-NAT-CAPABLE
# permit 192.168.1.0 0.0.0.255
# int f0/0 - ip nat outside
# int f1/0 - ip nat inside


# ip access-list standard ACL-NAT-CAPABLE
# permit 192.168.2.0 0.0.0.255 <<- it can work together; what is wrong here is the ACL you use for NAT, it must be .2 not .1

MHM

Hi,
To make sure we're both talking about the same things, I've included the diagram below. Your suggestion surprises me a bit because I thought that my ACL rule meant that 192.168.1.0 was the source address. And 192.168.2.0 would not be the source address in my case. How am I supposed to understand that?
I also wanted to ask you, would it be correct in my case if I configured f1/0 as ip nat inside and int f0/0 as ip nat outside, or would it be correct the other way around?

Screenshot from 2024-08-15 10-19-18.png

Thanks, this needs to be configured then

Screenshot from 2024-08-15 10-19-18.png

Hi, unfortunately it is not working,
this is my config:
Step 1 config on router:
# int f1/0
# ip nat inside
# int f0/0
# ip nat outside
Step 2 config on router
# ip access-list standard ACL-NAT-CAPABLE
# permit 192.168.1.0 0.0.0.255
# ip nat inside source list ACL-NAT-CAPABLE int f0/0 overload
Output when trying to ping from H1 with destination IP 192.168.2.2:
Pro Inside global Inside local Outside local Outside global
icmp 192.168.2.1:8604 192.168.1.1:8604 192.168.2.2:8604 192.168.2.2:8604
Step 3 config on router
ip nat outside source static tcp 192.168.1.2 1234 192.168.2.2 5678
Output when trying to connect from H1 with destination IP 192.168.1.2 port 1234:
Pro Inside global Inside local Outside local Outside global
tcp --- --- 192.168.2.2:5678 192.168.1.2:1234

In this output I cannot see the connection flow on the link between f0/0 and H2. In my opinion the last config should be flipped:
Step 4 config on router
# no ip nat outside source static tcp 192.168.1.2 1234 192.168.2.2 5678
# ip nat outside source static tcp 192.168.2.2 5678 192.168.1.2 1234
Output when trying to connect from H1 with destination IP 192.168.1.2 port 1234:
Pro Inside global Inside local Outside local Outside global
tcp --- --- 192.168.1.2:1234 192.168.2.2:5678

But this does not generate any traffic on the link between H2 and f0/0 either.

What next?




# no ip nat outside source static tcp 192.168.1.2 1234 192.168.2.2 5678 <<- this is correct, and you use the NO command?
# ip nat outside source static tcp 192.168.2.2 5678 192.168.1.2 1234 <<- This is not correct

Also, how do you test this config?

MHM

Please read again STEP 3 and after that STEP 4:

Step 3 config on router
ip nat outside source static tcp 192.168.1.2 1234 192.168.2.2 5678

Output when trying to connect from H1 with destination IP 192.168.1.2 port 1234:
Pro Inside global Inside local Outside local Outside global
tcp --- --- 192.168.2.2:5678 192.168.1.2:1234

In this output I cannot see the connection flow on the link between f0/0 and H2. In my opinion the last config should be flipped, and therefore I go to Step 4:
Step 4 config on router
# no ip nat outside source static tcp 192.168.1.2 1234 192.168.2.2 5678
# ip nat outside source static tcp 192.168.2.2 5678 192.168.1.2 1234

And what do you mean by how I test it? I do it in GNS3; the router is either a 7200 or a CSR1000V. On both, this config does not generate the desired output.
Any suggestions? Can you test this config yourself and confirm that it is working? Thanks.



This is static NAT using a specific port; how do you test the NAT?
Ping cannot be used here since you use TCP NAT, so the only way to test this is using telnet with the port.

And again, this is correct:

ip nat outside source static tcp 192.168.1.2 1234 192.168.2.2 5678

MHM

@MHM Cisco World I tried to PING in STEP 2 just for TEST purposes, just to show that the MAPPING in STEP 2 was configured correctly. Then I went over to STEP 3 where I tried the connection NOT WITH PING, but in my case with NETCAT with destination 192.168.1.2 and port 1234. And because I find the mapping output of STEP 3 somehow wrong, in STEP 4 I flipped the configuration. @MHM Cisco World tell me, don't you think that the mapping output of STEP 4 looks more correct than the output of STEP 3? The mapping output of STEP 3 says: Outside local: 192.168.2.2:5678, Outside global: 192.168.1.2:1234. Can this be right?
And again, can you test it by yourself?

You are correct, we need to configure first outside local then outside global.

The lab, and it works:

R1#show running-config
Building configuration...

Current configuration : 1344 bytes
!
! Last configuration change at 11:50:45 UTC Sun Aug 18 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
ip nat inside
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 200.0.0.1 255.255.255.0
ip nat outside
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
ip nat inside source list 10 interface FastEthernet1/1 overload
ip nat outside source static 3.3.3.3 33.33.33.33 add-route <<-the solution I found in lab is this "add-route" 
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 3.3.3.3 255.255.255.255 200.0.0.3
!
access-list 10 permit 100.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R2#show running-config
Building configuration...

Current configuration : 1129 bytes
!
! Last configuration change at 11:39:43 UTC Sun Aug 18 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 100.0.0.2 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.0.0.1
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end


R3#show running-config
Building configuration...

Current configuration : 1211 bytes
!
! Last configuration change at 11:39:44 UTC Sun Aug 18 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 200.0.0.3 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 200.0.0.1
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
password mhm
login
rotary 5
!
!
end


Hello @MHM Cisco World 
This is reverting back to static NAT statements!
What you show is the default for NAT traffic originating on the outside domain (NAT order).
The rtr will NAT first before performing a route lookup on the translated address, so when the NAT rtr wants to reply to the outside source from its inside interface it will not have an entry for the NATted address, so it will drop the packet.

To negate failure, you have two options:
1 - apply a static route on the NAT rtr for the NATted address
2 - add-route appended to the static outside NAT statement

TBH I've lost track now on the OP; I just vaguely remember a comment that 1-2-1 is only applicable with static map statements, which isn't 100% correct, as this can be achieved dynamically with reversible NAT. If this isn't what the OP requires then multiple static NAT statements are applicable.



Kind Regards
Paul
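Added illustration, not code from this thread, from Cisco or from any poster: a small Python model of the NAT order that MHM's add-route lab and Paul's two options above both turn on. For an inside-to-outside packet the route lookup happens on the untranslated outside-local address (33.33.33.33 in R1's lab) before it is rewritten to the outside-global one (3.3.3.3), so the outside-local address must be routable. NatRouter and lab_r1 are hypothetical names; the addresses are the ones from R1's running-config.

```python
import ipaddress

# Constructed model (not IOS code) of one point in this thread: for an
# inside -> outside packet IOS routes first and translates second, so the
# routing lookup sees the outside-LOCAL address (33.33.33.33), not the
# real outside-GLOBAL one (3.3.3.3). Without a route for 33.33.33.33 the
# packet is dropped; add-route or a static route fixes that.

class NatRouter:
    def __init__(self):
        self.routes = {}          # IPv4Network -> next hop
        self.outside_static = {}  # outside local -> outside global

    def add_route(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst):
        """Longest-prefix match; None when the table has no route."""
        addr = ipaddress.ip_address(dst)
        hits = [(n, nh) for n, nh in self.routes.items() if addr in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def nat_outside_source_static(self, outside_global, outside_local,
                                  add_route=False):
        """Model of 'ip nat outside source static <global> <local> [add-route]'."""
        self.outside_static[outside_local] = outside_global
        if add_route:  # host route for the local address via the global's hop
            nh = self.lookup(outside_global)
            if nh is None:
                raise ValueError("add-route needs a route to " + outside_global)
            self.add_route(outside_local + "/32", nh)

    def forward_inside_to_outside(self, dst):
        """Inside -> outside: route on the untranslated destination, then
        rewrite it to the outside-global address."""
        nh = self.lookup(dst)
        if nh is None:
            return ("drop", dst, None)
        return ("forward", self.outside_static.get(dst, dst), nh)


def lab_r1(fix=None):
    """R1 from the lab: 3.3.3.3 via 200.0.0.3, shown inside as 33.33.33.33.
    fix is None, 'add-route' or 'static-route'; returns (action, dst, hop)."""
    r1 = NatRouter()
    r1.add_route("3.3.3.3/32", "200.0.0.3")
    r1.nat_outside_source_static("3.3.3.3", "33.33.33.33",
                                 add_route=(fix == "add-route"))
    if fix == "static-route":
        r1.add_route("33.33.33.33/32", "200.0.0.3")
    return r1.forward_inside_to_outside("33.33.33.33")
```

Calling lab_r1() with no fix returns a drop for 33.33.33.33, while both fixes forward the packet to 200.0.0.3 with the destination rewritten to 3.3.3.3.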

Hi @MHM Cisco World 

thank you for trying to replicate it in the lab, but unfortunately I have to say that it is not what I am looking for and that this configuration will not work for me.
The two hosts in my case are not routers. They are machines. And in my case H1 establishes a connection by choosing the IP ADDRESS OF THE ROUTER'S INTERFACE F1/0 as the DESTINATION address and not 33.33.33.33. Imagine that in your case it would be IP address 100.0.0.1, the f0/0 interface.

What I managed to do is this config:
# ip nat inside source static tcp 192.168.2.2 4444 interface f1/0 1234
This correctly forwards the connection with the correct port number. The problem that still remains is that it doesn't take the source address of f0/0. I think that it has something to do with what @paul driver says, with the NAT order. What do you think about that, @paul driver?

Hi @paul driver ,

When it comes to the source port numbers, the connection can be many to many as far as I am concerned. But when it comes to the destination ports, it is not a many to many connection but a one to one. I would like to explicitly map destination port 1234 to port 5678.

Friend, 

The issue is you use a directly connected IP as outside local, and that does not work.
Here is another lab, two hosts and no router, to see how you configure the NAT correctly:

hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip nat inside
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 100.0.0.1 255.255.255.0
ip nat outside
speed auto
duplex auto
!
ip nat inside source list 10 interface FastEthernet1/1 overload
ip nat outside source static 100.0.0.3 3.3.3.3 add-route <<- in this NAT I use 3.3.3.3 as OUTside local; you can use any IP you want. The internal host 10.0.0.2 will use this IP to access 100.0.0.3; the router will NAT 3.3.3.3 into 100.0.0.3 and it works. Understanding NAT is key here. Do the same in your lab and don't forget add-route; this is needed IF YOU DON'T CONFIG A STATIC ROUTE FOR 3.3.3.3
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 10 permit 10.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end


My dear friend @MHM Cisco World ,

you want to initiate a connection from R2 with destination address 3.3.3.3, but this is not possible for me! Believe me, I cannot do this, because in my real life production R2 is on the internet. This is the reason why I told you explicitly that in your project R2 should initiate a connection with R1's f0/0 IP address 10.0.0.1. Let us make no compromise, let us say this is mandatory for my project to work!!! And therefore it will be nothing with ip nat outside ...
