Configuring incoming PAT/NAT in specific port CISCO Router

EduardR · ‎08-14-2019

Hello fellow experts,

We are having a pretty rough time trying to configure a NAT/PAT in one of our internet routers, and i think someone here can help us with some ideas. The scenario is this:

We have a router connected to internet and performing NAT overload to allow our users to navigate with the public IP address (just one) while masking our internal private IPs.
We need to expose one service to internet over the same IP address (lets say some webpage at port 8080), and need to configure the incoming connections to be routed to some specific internal IP without disrupting our users internet connectivity.

Sadly, we dont have other public IP address to NAT the connection over other IP, and we are looking at many examples over the internet but we dont find some suitable method to configure a NAT pool or ACL to allow the incoming connection specifically. Can someone advice something to us about this?

Our router working configuration is this (similar, btw):

interface GigabitEthernet0/0/0
  description OUTSIDE_ADDRESS
  ip address <<OUTSIDE PRIVATE ADDRESS>>
  ip nat outside
interface GigabitEthernet0/0/1.1
 description INSIDE_ADDRESS
 encapsulation dot1Q 1
 ip address <<INSIDE PRIVATE ADDRESS>>
 ip nat inside
ip nat pool NAME <<PUBLIC IP>> <<PUBLIC IP>> netmask <<MASK>>
ip nat inside source list 3 pool NAME overload
ip route 0.0.0.0 0.0.0.0 <<OUTSIDE PRIVATE ADDRESS NEXT-HOP>>
access-list 3 permit <<INSIDE PRIVATE ADDRESS>> <<MASK>>

And we need to allo that someone outside can open some webpage at <<PUBLIC IP>>:8080 that will be routed to some internal private IP address.

Is this even possible?

Thanks at advance and best regards!

luis_cordova · ‎08-14-2019

Hi @EduardR ,

Try this:

no ip nat pool NAME <<PUBLIC IP>> <<PUBLIC IP>> netmask <<MASK>>

no ip nat inside source list 3 pool NAME overload

ip nat inside source list 3 interface g0/0/0 overload

ip nat inside source static tcp <<IP WEB SERVER>> 8080 <<PUBLIC IP>> 8080 extendable

Check this link:

https://www.cisco.com/c/en/us/support/docs/long-reach-ethernet-lre-digital-subscriber-line-xdsl/asymmetric-digital-subscriber-line-adsl/12905-827spat.html

Regards

EduardR · ‎08-15-2019

Thank you for the advice, we will try it.

I have another question, we are trying to get another public IP address for another user group and the configuration will look like this one:

interface GigabitEthernet0/0/0
  description OUTSIDE_ADDRESS
  ip address <<OUTSIDE PRIVATE ADDRESS>>
  ip nat outside
interface GigabitEthernet0/0/1.1
 description INSIDE_ADDRESS_1
 encapsulation dot1Q 1
interface GigabitEthernet0/0/1.2
 description INSIDE_ADDRESS_2
 encapsulation dot1Q 2
 ip address <<INSIDE PRIVATE ADDRESS>>
 ip nat inside
ip nat pool NAME_1 <<PUBLIC IP 1>> <<PUBLIC IP 1>> netmask <<MASK>>
ip nat pool NAME_2 <<PUBLIC IP 2>> <<PUBLIC IP 2>> netmask <<MASK>>
ip nat inside source list 3 pool NAME_1 overload
ip nat inside source list 4 pool NAME_2 overload
ip route 0.0.0.0 0.0.0.0 <<OUTSIDE PRIVATE ADDRESS NEXT-HOP>>
access-list 3 permit <<INSIDE PRIVATE ADDRESS_1>> <<MASK>>
access-list 4 permit <<INSIDE PRIVATE ADDRESS_2>> <<MASK>>

Both public IP uses the same private outside connection. It is possible to use the same scheme for this scenario? I am not pretty sure about this line:

ip  nat inside source list 3 interface g0/0/0 overload

Because both public IP will use the g0/0/0.

luis_cordova · ‎08-15-2019

Hi @EduardR ,

In this second scenario, you can try the settings you indicate, but, adding this configuration:

ip nat inside source static tcp <<IP WEB SERVER>> 8080 <<PUBLIC IP>> 8080 extendable

Regards

Configuring incoming PAT/NAT in specific port CISCO Router

【原创】Cisco Nexus 5000 trobleshooting Troubleshooting Port Specific Issues

SEG: SLR(Specific License Reservation)の利用方法

How many specific numbers can I block form incoming calls?

Intelligent Capture にて AP Stats Capture の Specific を選択できない

ACI: Port-Channel/vPC port で incoming traffic の SPAN ができない