03-17-2015 03:03 PM - edited 03-05-2019 01:02 AM
I have a static NAT mapping from an internal IP to a public IP to allow RDP access to an internal host from the Internet.
ip nat inside source static tcp 10.10.10.35 3389 24.90.6.133 5222 route-map RDP_Gateway_Map extendable
Works great until I want to force all outgoing traffic from the internal IP through the same public IP.
ip nat inside source static 10.10.10.35 24.90.6.133 route-map RDP_Gateway_outbound extendable
The NAT table then shows this entry.
Pro Inside global Inside local Outside local Outside global
--- 24.90.6.133 10.10.10.35 --- ---
So when the internal host 10.10.10.35 opens Google.com in the browser, we get a dynamic NAT entry like this.
Pro Inside global Inside local Outside local Outside global
tcp 24.90.6.133:49175 10.10.10.35:49175 216.58.216.78:80 216.58.216.78:80
tcp 24.90.6.133:49176 10.10.10.35:49176 216.58.216.78:80 216.58.216.78:80
tcp 24.90.6.133:49177 10.10.10.35:49177 216.58.216.78:80 216.58.216.78:80
tcp 24.90.6.133:49178 10.10.10.35:49178 216.58.216.78:80 216.58.216.78:80
The problem... At this point, I can, from any public IP, use RDP port 3389 to 24.90.6.133 and it will connect to my internal 10.10.10.35 host, even though I have only port 5222 on the static entry for the public IP.
Is there a way to filter the incoming traffic to the NAT translation so only the inbound ports that are defined work and not just any listening port on the internal host is allowed to flow from an outside IP?
OR, am I just doing this all wrong?
I need to forward specific ports from public IPs to private IPs, and also limit those private IPs to only use the specified public IP addresses for outbound traffic. For example, say a mail server must use a specific public IP for outgoing mail and incoming mail, but I don't want to expose all listening ports to the public IP.
Thanks,
Chuck
03-17-2015 03:13 PM
Chuck
For example, say a mail server must use a specific public IP for outgoing mail and incoming mail, but I don't want to expose all listening ports to the public IP.
If you only want to open certain ports then don't have the second NAT statement.
Or are you saying you want the mail server to be able to access devices on the internet with any port and you want it to use the same public IP?
Jon
03-17-2015 03:24 PM
I think what you said just made sense to me.
So basically, why should I care what public IP the server's outgoing traffic uses?
In theory, any incoming connection is going to go out the same connection via NAT translation, so the connections made using the static mapping will always communicate over that public IP.
So for instance my RDP port 5222 is the only static mapping and all outgoing traffic from that private IP will use the default NAT pool IP.
For some reason I had it in my head I had to force all IP traffic in and out from the private IP through the dedicated public IP. I don't, now that you made me think about it. ;-)
Thank you.
03-18-2015 12:14 PM
For some reason I had it in my head I had to force all IP traffic in and out from the private IP through the dedicated public IP. I don't, now that you made me think about it. ;-)
Yes, exactly :-)
Just for your info, you could, if you want, force the mail server to use the same IP for all its connections and still not open up all ports by using a dynamic NAT instead of a static NAT statement, but unless you really need it then you may as well use the same IP as everything else.
Jon
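The approach Jon sketches, written out as an added IOS configuration example (not from the thread or from Cisco documentation): the full 1:1 static NAT from the question is shown as the weak setting, and a static PAT entry plus a dynamic overload rule with a one-address pool replaces it. The addresses and ports come from the thread; the ACL name NAT_MAIL_HOST, the pool name MAIL_PUBLIC, the prefix length and the interface roles are assumptions, and the route-maps from the original statements are omitted.

```cisco
! WEAK SETTING (from the question, shown disabled): a full 1:1 static NAT
! maps every listening port on 10.10.10.35 to 24.90.6.133, so any outside
! host can reach RDP on 3389 even though only 5222 was meant to be open.
! ip nat inside source static 10.10.10.35 24.90.6.133 extendable

! 1) Static PAT: the only inbound entry point is TCP 5222 -> 3389.
ip nat inside source static tcp 10.10.10.35 3389 24.90.6.133 5222 extendable

! 2) Dynamic NAT for the host's own outbound sessions.
!    The pool holds only the dedicated public IP; "overload" lets every
!    outbound session share it. Dynamic translations exist only while an
!    inside-initiated flow is active, so an unsolicited outside connection
!    to 24.90.6.133 on any port other than 5222 matches no translation.
ip access-list standard NAT_MAIL_HOST
 permit host 10.10.10.35
!
! Assumed: prefix-length 24 matches the public subnet; adjust to yours.
ip nat pool MAIL_PUBLIC 24.90.6.133 24.90.6.133 prefix-length 24
ip nat inside source list NAT_MAIL_HOST pool MAIL_PUBLIC overload

! 3) Caveat: the host must be excluded from the ACL of the general
!    overload rule the thread calls the "default NAT pool", otherwise two
!    dynamic rules match its traffic. Assumed ACL name NAT_GENERAL.
ip access-list standard NAT_GENERAL
 deny   host 10.10.10.35
 permit 10.10.10.0 0.0.0.255

! Assumed interface roles.
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside

! Check: only the 5222 static entry and inside-initiated flows should
! appear for the host.
! show ip nat translations | include 10.10.10.35
```

With this in place the NAT table shows the single static 5222 entry plus dynamic entries that appear only while 10.10.10.35 has a session open, and an outside scan of 24.90.6.133 finds nothing on 3389.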