cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
2588
Views
0
Helpful
4
Replies

Destination NAT from inside to outside - DNS Traffic

Hitesh Vinzoda
Level 4
Level 4

Hi,

I am trying to figure out destination NAT for all DNS traffic where destination address can be any public IP traversing through the router and it should get natted to specific IP address located on network present out of outside interface

IPtables equivalent configuration is 

iptables -t nat -A PREROUTING -p tcp --dport port -j DNAT --to-destination ip:port

Can we have a configuration in Cisco where it just NAT's destination IP address of the any UDP traffic on port 80 or 53

 

Thanks in advance

Hitesh


 
1 Accepted Solution

Accepted Solutions

Hello

Something like this?


access-list 100 permit udp any eq 80 any eq 80
access-list 100 permit udp any eq 53 any eq 53

or

access-list 100 permit udp any eq 80 host x.x.x.x public ip) eq 80
access-list 100 permit udp any eq 53 host x.x.x.x public ip) eq 53

ip nat pool LOCAL 192.168.1.1 192.168.1.1 prefix-length 24
ip nat outside source list 100 pool LOCAL

 

res

Paul
 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the communityā€™s global network.

Kind Regards
Paul

View solution in original post

4 Replies 4

Hello

Something like this?


access-list 100 permit udp any eq 80 any eq 80
access-list 100 permit udp any eq 53 any eq 53

or

access-list 100 permit udp any eq 80 host x.x.x.x public ip) eq 80
access-list 100 permit udp any eq 53 host x.x.x.x public ip) eq 53

ip nat pool LOCAL 192.168.1.1 192.168.1.1 prefix-length 24
ip nat outside source list 100 pool LOCAL

 

res

Paul
 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the communityā€™s global network.

Kind Regards
Paul

Hi Paul,

Thanks for your reply i tried it and it worked ok.

the access-list has to be as below

 

access-list 101 permit tcp any any eq telnet

 

and it matches the traffic from inside to outside and outside to inside as well.

 

Thanks for the hint.!

 

Cheers

Hitesh

 

Hi There,

 

I  tried this in production but when traffic is travelling from inside to outside the destination is not translating.

 

Any pointers?

 

TIA

Hitesh

 

i think this makes more sense
 
"The major difference between using the ip nat outside source list command (dynamic NAT) instead of the ip nat outside source static command (static NAT) is that there are no entries in the translation table until the router (configured for NAT) verifies the translation criteria of the packet. In the example above, the packet with the SA 172.16.88.1 (which comes into the outside interface of Router 2514X) satisfies access-list 1, the criteria used by the ip nat outside source list command. For this reason, packets must originate from the outside network before packets from the inside network can communicate with the Router 2514W loopback0 interface"
 
Means the traffic should be received on outside first.. in my case the traffic originates from the inside first.
other option left is to do inside destination NAT
 
 Enabling translation of inside destination addresses
ip nat inside destination { list <acl> pool <name>
 
I cant find option to specify VRF at the end with the same as for outside source looks like vrf option is only available when we are translating source ?
 
any other workaround?
 
Cheers
Hitesh
 
 
Review Cisco Networking for a $25 gift card