02-26-2018 12:47 PM - edited 03-05-2019 09:59 AM
Hi folks,
I would like to discuss a scenario where I need to perform port forwarding in order to get to a device from the Internet, the challenge being that the device has no access to the Internet.
Allow me to illustrate with the following network diagram: https://imgur.com/a/ZQ5ZA
What I want to achieve:
- Access from the Internet to my ASR907 via SSH. In order to achieve this, I perform port forwarding on my 3G 1941 router. However, neither the L2 switch nor the ASR907 has a route pointing towards the Internet (which is intended and will remain as it is), therefore whenever I try a connection, the device sees an IP packet from a public IP address which it cannot get to, and discards the packet.
Is there any way to somehow combine some kind of outside NAT + port forwarding on my 3G router in order to NAT the incoming source address into an IP from my internal VLAN (10.164.198.0/24) and still get the port forwarding to work?
I'm pretty sure this is doable, as I have already seen it on other vendors such as uSyscom, where by default the NAT keeps the internal IP from the 3G itself, but I'm not having any luck with the Cisco box.
I appreciate your attention and help.
Regards, Iván.
02-27-2018 12:45 AM - edited 02-27-2018 12:50 AM
I'm trying the following configuration, even though it wouldn't be scalable, with no success:
ip nat outside source static [my_public_ip] 10.164.198.1 extendable
ip nat inside source static tcp 10.164.198.64 22 interface Dialer1 8200
The debug spills this output, which seems totally correct to me:
Router3G_1941_1#
Feb 27 09:38:25 CET: NAT*: o: tcp ([my_public_ip], 65204) -> ([Dialer1_public_ip], 8200) [28297]
Feb 27 09:38:25 CET: NAT*: TCP s=65204, d=8200->22
Feb 27 09:38:25 CET: NAT*: s=[my_public_ip]->10.164.198.1, d=[Dialer1_public_ip] [28297]
Feb 27 09:38:25 CET: NAT*: s=10.164.198.1, d=[Dialer1_public_ip]->10.164.198.64 [28297]
At this point, based on the previous output, my guess is that the box is performing the port forwarding before the source NAT.
03-02-2018 04:44 AM
This was solved by using NVI instead of traditional NAT.
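For readers who want to see what an NVI (domain-less NAT) version of this setup looks like, here is an added example. It is not part of the original posts and not the configuration the author actually ended up with; it only follows the addresses given in the thread. It assumes the 1941's VLAN-facing interface is Vlan1 and that 10.164.198.1 is an address the 1941 owns on that VLAN (the address the first attempt translated the public source into), that the WAN interface is Dialer1 as in the thread, that 203.0.113.10 is a constructed stand-in for the thread's [my_public_ip], and that the IOS release in use accepts the `interface` keyword in `ip nat source static tcp` (check with `?` on your release; if it does not, an explicit global address is required, which is awkward on a 3G link with a dynamic address).

```cisco
! Added example, not the author's configuration. NVI marks every
! participating interface with "ip nat enable" instead of
! "ip nat inside" / "ip nat outside", so there is no inside/outside
! ordering problem between the two static entries below.
interface Dialer1
 description 3G uplink, public address assigned dynamically
 ip nat enable
!
interface Vlan1
 description management VLAN towards the L2 switch and the ASR907 (assumed name)
 ip address 10.164.198.1 255.255.255.0
 ip nat enable
!
! Port forward: TCP 8200 on whatever address Dialer1 currently holds
! is translated to the ASR907's SSH port.
ip nat source static tcp 10.164.198.64 22 interface Dialer1 8200
!
! Second translation applied to the same session: the remote client's
! public address (203.0.113.10 is a constructed placeholder for
! [my_public_ip]) is presented to the ASR907 as 10.164.198.1, an address
! the ASR907 can reach without any route towards the Internet.
ip nat source static 203.0.113.10 10.164.198.1
```

After an SSH attempt to the Dialer1 address on port 8200, `show ip nat nvi translations` should list the translations for that session. Two caveats a practitioner should weigh before running this in production: first, the ASR907 now sees every SSH session as coming from 10.164.198.1, so its own logs can no longer tell remote operators apart and attribution has to come from the 1941's translation table or syslog; second, the static port forward exposes SSH on the 3G public address to anyone who can reach it, so an inbound access list on Dialer1 that limits TCP 8200 to the expected management source addresses is strongly advisable.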