02-26-2018 12:47 PM - edited 03-05-2019 09:59 AM
Hi folks,
I would like to discuss a scenario where I need to perform port forwarding in order to get to a device from the Internet, the challenge being that the device has no access to the Internet.
Allow me to illustrate with the following network diagram: https://imgur.com/a/ZQ5ZA
What I want to achieve:
- Access from the Internet to my ASR907 via SSH. In order to achieve this, I perform port forwarding on my 3G 1941 router. However, neither the L2 switch nor the ASR907 has a route pointing towards the Internet (which is intended and will remain as it is), therefore whenever I try a connection, the device sees an IP packet from a public IP address which it cannot get back to, and discards the packet.
Is there any way to, somehow, combine some kind of outside NAT + port forwarding on my 3G router in order to NAT the incoming source address into an IP from my internal VLAN (10.164.198.0/24) and still get the port forwarding to work?
Pretty sure this is doable as I have already seen it on other vendors such as uSyscom, where by default the NAT keeps the internal IP from the 3G itself, but I'm not having any luck with the Cisco box.
I appreciate your attention and help.
Regards, Iván.
02-27-2018 12:45 AM - edited 02-27-2018 12:50 AM
I'm trying the following configuration, even though it wouldn't be scalable, with no success:
ip nat outside source static [my_public_ip] 10.164.198.1 extendable
ip nat inside source static tcp 10.164.198.64 22 interface Dialer1 8200
The debug spills this output, which seems totally correct to me:
Router3G_1941_1#
Feb 27 09:38:25 CET: NAT*: o: tcp ([my_public_ip], 65204) -> ([Dialer1_public_ip], 8200) [28297]
Feb 27 09:38:25 CET: NAT*: TCP s=65204, d=8200->22
Feb 27 09:38:25 CET: NAT*: s=[my_public_ip]->10.164.198.1, d=[Dialer1_public_ip] [28297]
Feb 27 09:38:25 CET: NAT*: s=10.164.198.1, d=[Dialer1_public_ip]->10.164.198.64 [28297]
At this point, my guess is the box is performing the port forwarding before the source NAT based on the previous output.
03-02-2018 04:44 AM
This was solved by using NVI instead of traditional NAT.
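The NVI (NAT Virtual Interface) approach the last post mentions, written out as an added example of the idea rather than the configuration from the original thread; the interface names, the use of `interface Dialer1` in an NVI static entry and the route check are assumptions to be verified on the IOS release in use:

```cisco
! Added example, not the poster's configuration.
! Assumption: Dialer1 faces the Internet, GigabitEthernet0/0.198 faces VLAN 10.164.198.0/24.
! NVI is domain-less: no "inside"/"outside", both interfaces are simply NAT-enabled,
! and translation is applied after routing in both directions.
interface Dialer1
 ip nat enable
!
interface GigabitEthernet0/0.198
 ip nat enable
!
! Port forward: [Dialer1_public_ip]:8200 -> ASR907 10.164.198.64:22,
! reversed automatically on the reply path.
ip nat source static tcp 10.164.198.64 22 interface Dialer1 8200
!
! Rewrite the Internet client's source [my_public_ip] to 10.164.198.1 so the
! ASR907, which has no default route, replies to an address on its own VLAN.
! The 1941 translates 10.164.198.1 back to [my_public_ip] on the return path.
! Assumption: the mapped address must not be one of the 1941's own interface
! addresses, otherwise the reply is consumed locally instead of forwarded.
ip nat source static [my_public_ip] 10.164.198.1
!
! Checks: the reply from the ASR907 must be routed towards Dialer1, not ARPed
! for on the connected VLAN, and the translation table should show both entries.
! show ip route 10.164.198.1
! show ip nat nvi translations
```

Only TCP/22 reaches the ASR907 through this mapping; anything from the Internet that is not destined to [Dialer1_public_ip]:8200 still has no translation and is dropped at the 1941.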