cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1498
Views
0
Helpful
2
Replies

Combine port forwarding with NAT (Cisco 1941)

zeytako
Level 1
Level 1

Hi folks,

 

I would like to discuss a scenario where I do need to perform port forwarding in order to get to a device from the Internet, being the challenge that the device has no access to the Internet.

 

Allow me to illustrate with the following network diagram: https://imgur.com/a/ZQ5ZA

 

What I want to achieve:

- Access from Internet to my ASR907 via SSH. In order to achieve this, I perform port forwarding on my 3G 1941 router. However, neither the L2 switch nor the ASR907 have a route pointing towards the Internet (which is intended and it will remain as it is), therefore whenever I try a connection, the device will see an IP packet from a public IP address which cannot get to, discarding the packet.

 

Is there any way to, somehow, combine some kind of outside NAT + port forwarding on my 3g router in order to nat the incoming source address into an IP from my internal VLAN (10.164.198.0/24) and still get the port forwarding to work?

 

Pretty sure this is doable as I have already seen it on other vendors such as uSyscom, where by default the NAT keeps the internal IP from the 3G itself, but I ain't having no luck with the Cisco box.

 

I appreciate your attention and help.

 

Regards, Iván.

2 Accepted Solutions

Accepted Solutions

zeytako
Level 1
Level 1

I'm trying the following configuration even though wouldn't be scalable, with no success:

 

ip nat outside source static [my_public_ip] 10.164.198.1 extendable

ip nat inside source static tcp 10.164.198.64 22 interface Dialer1 8200

 

The debug spills this output, which seems totally correct to me:

 

Router3G_1941_1#
Feb 27 09:38:25 CET: NAT*: o: tcp ([my_public_ip], 65204) -> ([Dialer1_public_ip], 8200) [28297]
Feb 27 09:38:25 CET: NAT*: TCP s=65204, d=8200->22
Feb 27 09:38:25 CET: NAT*: s=[my_public_ip]->10.164.198.1, d=[Dialer1_public_ip] [28297]
Feb 27 09:38:25 CET: NAT*: s=10.164.198.1, d=[Dialer1_public_ip]->10.164.198.64 [28297]

 

At this point, my guess is the box is performing the port forwarding before the source NAT based on the previous output.

View solution in original post

This was solved by using NVI instead of traditional NAT.

View solution in original post

2 Replies 2

zeytako
Level 1
Level 1

I'm trying the following configuration even though wouldn't be scalable, with no success:

 

ip nat outside source static [my_public_ip] 10.164.198.1 extendable

ip nat inside source static tcp 10.164.198.64 22 interface Dialer1 8200

 

The debug spills this output, which seems totally correct to me:

 

Router3G_1941_1#
Feb 27 09:38:25 CET: NAT*: o: tcp ([my_public_ip], 65204) -> ([Dialer1_public_ip], 8200) [28297]
Feb 27 09:38:25 CET: NAT*: TCP s=65204, d=8200->22
Feb 27 09:38:25 CET: NAT*: s=[my_public_ip]->10.164.198.1, d=[Dialer1_public_ip] [28297]
Feb 27 09:38:25 CET: NAT*: s=10.164.198.1, d=[Dialer1_public_ip]->10.164.198.64 [28297]

 

At this point, my guess is the box is performing the port forwarding before the source NAT based on the previous output.

This was solved by using NVI instead of traditional NAT.

Review Cisco Networking for a $25 gift card