
dynamic NAT inbound traffic filtering

cisco
Level 1

I have a static NAT mapping from an internal IP to a public IP to allow RDP access to an internal host from the Internet.

ip nat inside source static tcp 10.10.10.35 3389 24.90.6.133 5222 route-map RDP_Gateway_Map extendable

Works great until I want to force all outgoing traffic from the internal IP through the same public IP.

ip nat inside source static 10.10.10.35 24.90.6.133 route-map RDP_Gateway_outbound extendable

The NAT table then shows this entry.

Pro Inside global      Inside local       Outside local      Outside global
--- 24.90.6.133       10.10.10.35          ---                ---

So when the internal host 10.10.10.35 opens Google.com in the browser, we get a dynamic NAT entry like this.

Pro Inside global      Inside local       Outside local      Outside global
tcp 24.90.6.133:49175 10.10.10.35:49175    216.58.216.78:80    216.58.216.78:80
tcp 24.90.6.133:49176 10.10.10.35:49176    216.58.216.78:80    216.58.216.78:80
tcp 24.90.6.133:49177 10.10.10.35:49177    216.58.216.78:80    216.58.216.78:80
tcp 24.90.6.133:49178 10.10.10.35:49178    216.58.216.78:80    216.58.216.78:80

The problem: at this point I can, from any public IP, use RDP port 3389 to 24.90.6.133 and it will connect to my internal 10.10.10.35 host, even though I have only port 5222 on the static entry for the public IP.

Is there a way to filter the incoming traffic to the NAT translation so only the inbound ports that are defined work and not just any listening port on the internal host is allowed to flow from an outside IP?

OR, am I just doing this all wrong?

I need to forward specific ports from public IP's to private IP's, and also limit those private IP's to only use the specified public IP addresses for outbound traffic. For example, say a mail server must use a specific public IP for outgoing mail and incoming mail, but I don't want to expose all listening ports to the public IP.

Thanks,

Chuck

1 Accepted Solution

Jon Marshall
Hall of Fame

Chuck

 For example, say a mail server must use a specific public IP for outgoing mail and incoming mail, but I don't want to expose all listening ports to the public IP.

If you only want to open certain ports then don't have the second NAT statement.

Or are you saying you want the mail server to be able to access devices on the internet with any port and you want it to use the same public IP ?

Jon

3 Replies

I think what you said just made sense to me.

So basically, why should I care what public IP the server's outgoing traffic uses.

In theory, any incoming connection is going to go out the same connection via NAT translation, so the connections made using the static mapping will always communicate over that public IP.

So for instance my RDP port 5222 is the only static mapping and all outgoing traffic from that private IP will use the default NAT pool IP.

For some reason I had it in my head I had to force all IP traffic in and out from the private IP through the dedicated public IP. I don't now that you made me think about it. ;-)

Thank you.

For some reason I had it in my head I had to force all IP traffic in and out from the private IP through the dedicated public IP. I don't now that you made me think about it. ;-)

Yes, exactly  :-)

Just for your info you could if you want force the mail server to use the same IP for all its connections and still not open up all ports by using a dynamic NAT instead of a static NAT statement but unless you really need it then you may as well use the same IP as everything else.

Jon
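As an added illustration (constructed here, not part of the thread or of Cisco IOS), a small Python model of how the three kinds of entries in Chuck's NAT table match inbound packets: the port-specific static entry, the 1:1 static entry that exposes every listening port, and a dynamic PAT entry of the kind Jon suggests, which is bound to the remote endpoint that opened the flow. The NAT entries are taken from the table above; the remote address 203.0.113.9 and the source ports are constructed test values, and "most specific entry first" ordering is an assumption of the model.

```python
# Constructed model of inbound NAT matching (not real IOS code).
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class NatEntry:
    proto: Optional[str]                 # None == any protocol ("---" in the table)
    inside_global: str
    inside_global_port: Optional[int]    # None == every port (1:1 static entry)
    inside_local: str
    inside_local_port: Optional[int]
    outside: Optional[str] = None        # remote host a dynamic entry is pinned to
    outside_port: Optional[int] = None

    def matches_inbound(self, proto: str, dst_ip: str, dst_port: int,
                        src_ip: str, src_port: int) -> bool:
        """True if an Internet->inside packet is translated by this entry."""
        if self.proto is not None and self.proto != proto:
            return False
        if dst_ip != self.inside_global:
            return False
        if self.inside_global_port is not None and dst_port != self.inside_global_port:
            return False
        # Dynamic (PAT) entries only accept traffic from the endpoint that opened the flow,
        # so an unrelated Internet host cannot reuse them to reach the inside host.
        if self.outside is not None and (src_ip, src_port) != (self.outside, self.outside_port):
            return False
        return True

# The entries from the thread's NAT table (public and private addresses as posted).
STATIC_RDP = NatEntry("tcp", "24.90.6.133", 5222, "10.10.10.35", 3389)
STATIC_ALL = NatEntry(None, "24.90.6.133", None, "10.10.10.35", None)
DYNAMIC_WEB = NatEntry("tcp", "24.90.6.133", 49175, "10.10.10.35", 49175, "216.58.216.78", 80)

def lookup(table: List[NatEntry], proto: str, dst_ip: str, dst_port: int,
           src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
    """Return the (inside_local, port) an inbound packet reaches, or None if untranslated.
    Assumes the table is ordered most specific first, as in the posted output."""
    for e in table:
        if e.matches_inbound(proto, dst_ip, dst_port, src_ip, src_port):
            port = e.inside_local_port if e.inside_local_port is not None else dst_port
            return (e.inside_local, port)
    return None

if __name__ == "__main__":
    # Constructed Internet host probing the public IP on 3389.
    print(lookup([STATIC_RDP], "tcp", "24.90.6.133", 3389, "203.0.113.9", 40000))
    print(lookup([STATIC_RDP, STATIC_ALL], "tcp", "24.90.6.133", 3389, "203.0.113.9", 40000))
```

Running it shows the first lookup dropped and the second forwarded to 10.10.10.35:3389, which is exactly the exposure Chuck observed once the 1:1 entry was added.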
