08-07-2010 01:53 PM - edited 03-04-2019 09:21 AM
I have PAT configured (pooled) on a single external IP (11.102.35.39)
Here's the translation
I'm writing some NAT punch-through software, and I need a configuration that does the above so I can simulate symmetric NAT conditions. I've been pulling my hair out for weeks trying to find a solution for this. I'm currently using a Cisco Series 892 router.
08-07-2010 02:55 PM
I've never tried this command, but it may be worth a try if you are running IOS that supports it. I found it in IOS 12.4.
ip nat service port-randomization
###########
To specify a port other than the default port, use the ip nat service command in global configuration mode. To disable the port, use the no form of this command.
ip nat service {H225 | allow-h323-even-rtp-ports | allow-h323-keepalive | allow-sip-even-rtp-ports | allow-skinny-even-rtp-ports | fullrange {tcp | udp} port port-number | list {access-list-number | access-list-name} {ESP spi-match | IKE preserve-port | ftp tcp port port-number} | alg {tcp | udp} dns | allow-multipart | enable-mib | mgcp | nbar | port-randomization | ras | rtsp | sip {tcp | udp} port port-number | skinny tcp port port-number}
no ip nat service {H225 | allow-h323-even-rtp-ports | allow-h323-keepalive | allow-sip-even-rtp-ports | allow-skinny-even-rtp-ports | fullrange {tcp | udp} port port-number | list {access-list-number | access-list-name} {ESP spi-match | IKE preserve-port | ftp tcp port port-number} | alg {tcp | udp} dns | allow-multipart | enable-mib | mgcp | nbar | port-randomization | ras | rtsp | sip {tcp | udp} port port-number | skinny tcp port port-number}
Command Default:
RTSP is enabled and requires NBAR.
SIP is enabled on port 5060.
H.323 even-numbered RTP port allocation is enabled.
SIP even-numbered RTP port allocation is enabled.
Skinny even-numbered RTP port allocation is enabled.
Port randomization is disabled.
DNS ALG processing is enabled for TCP and UDP.
SIP multipart processing is disabled.
Command Modes:
Global configuration (config)
Usage Guidelines:
A host with an FTP server using a port other than the default port can have an FTP client using the default FTP control port. When a port other than the default port is configured for an FTP server, Network Address Translation (NAT) prevents FTP control sessions that are using port 21 for that particular server. If an FTP server uses the default port and a port other than the default port, both ports need to be configured using the ip nat service command.
NAT listens on the default port of the Cisco CallManager to translate the skinny messages. If the CallManager uses a port other than the default port, that port needs to be configured using the ip nat service command.
Use the no ip nat service H225 command to disable support of H.225 packets by NAT.
Use the no ip nat service allow-h323-even-rtp-ports command to force odd-numbered RTP port allocation for H.323.
Use the no ip nat service allow-sip-even-rtp-ports command to force odd-numbered RTP port allocation for SIP.
Use the no ip nat service allow-skinny-even-rtp-ports command to force odd-numbered RTP port allocation for the skinny protocol.
Use the no ip nat service rtsp command to disable support of RTSP packets by NAT. RTSP uses port 554.
By default SIP is enabled on port 5060; therefore NAT-enabled devices interpret all packets on this port as SIP call messages. If other applications in the system use port 5060 to
08-07-2010 03:09 PM
Hello,
Can you please explain "I would like outgoing traffic to 11.230.248.150 to be a from a totally different port than 50573" part? Also, are you using dynamic PAT on the router? Please post relevant configurations here so it would be easier to analyze what you require.
Regards,
NT
08-07-2010 05:28 PM
Thanks.
Essentially I want all my outgoing traffic to be port address translated on a different port when I talk to different destinations. The current config has my client using the same port. My current traffic, for example, will use a single port (e.g., 50573) when talking to two different destinations. I want a different port for each different destination.
Here is the snippet of my configuration:
interface FastEthernet8
ip address 172.16.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Vlan2
description $FE0-PoE$
ip address 192.168.102.1 255.255.255.0
ip access-group acl-vlan2 in
ip access-group 102 out
ip nat inside
ip inspect rtrfirewall in
ip virtual-reassembly
!
!
ip nat pool fe8load1 172.16.1.11 172.16.1.11 prefix-length 24
ip nat pool fe8nat1 172.16.1.20 172.16.1.23 prefix-length 24
ip nat inside source list 61 interface FastEthernet8 overload
08-07-2010 05:55 PM
Hello,
Are you looking to configure NAT such that when the traffic goes to the .150 address the source port should be changed to something other than 50573? Typically, the port assignment is done by the router and the router assigns the first available port unless you have configured a port-map. Also, all port assignments are symmetric in nature, i.e. if the destination device returns traffic to that public IP with that port, the router will translate it back to the internal device. Can you check to see if you have enabled endpoint agnostic symmetric port allocation on the router?
http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_endpointagnostic_ps6441_TSD_Products_Configuration_Guide_Chapter.html
You can try the following:
access-list 199 permit ip host 192.168.103.17 host 11.230.248.150
access-list 10 permit host 192.168.103.17
route-map NAT
match ip address 199
ip nat inside source route-map NAT interface FastEthernet8 overload
Hope this helps.
Regards,
NT
08-07-2010 05:59 PM
Thanks for your response. Ultimately what I'm trying to do is to configure my router as a symmetric NAT:
http://www.cisco.com/web/about/ac123/ac147/images/ipj/ipj_7-3/anatomy_figure_5.gif
[from article]
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-3/anatomy.html
08-07-2010 06:04 PM
Hello,
By default the router will act as a symmetric NAT device. It will allow only the device that was contacted by the inside device to respond on that port. I think you might have configured Endpoint Agnostic Port Allocation feature on the router. Can you check your configuration to see if "ip nat service enable-sym-port" command is present? If it is, can you remove it and then check the port allocation again?
Hope this helps.
Regards,
NT
08-07-2010 08:53 PM
Hi. I appreciate your patience in helping me with this issue. I've been chasing this issue for a month now...
ip nat service enable-sym-port is not in the configuration. I believe that the default behavior of the router does not do symmetric NAT because it does not prevent traffic from the same destination address but a different port. I can confirm this because we test servers in the cloud that can do exactly what is described in the diagram below.
If you look at the diagram of the symmetric NAT, it shows that this should not happen. If you look at Host B in the diagram, you'll notice that the device was able to talk to Host B on port 90. However, if Host B tries to communicate back via port 91, it is blocked.
http://www.cisco.com/web/about/ac123/ac147/images/ipj/ipj_7-3/anatomy_figure_5.gif
I was asking on how to configure PAT so that every call to a destination
Thanks.
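The thread uses "symmetric NAT" in the RFC 3489 sense; RFC 4787 splits that into a mapping behaviour (does the same inside socket get the same external port for every destination?) and a filtering behaviour (which outside hosts may send back through that port?). The Host B port 90/91 case above is a filtering question, while "a different port for each destination" is a mapping question, and the feature NT names (endpoint-agnostic port allocation) is endpoint-independent mapping in RFC 4787 terms. The Python below is an added illustration, not code from the thread or from Cisco: it models a PAT device with each of the three mapping and filtering behaviours and runs the STUN-style probe a NAT punch-through client uses to tell them apart. The inside host 192.168.103.17, the external address 11.102.35.39 and the first port 50573 are taken from the posts; the outside hosts 198.51.100.10 and 203.0.113.20, the probe ports and the Host B port numbers are constructed.

```python
"""Toy PAT model plus a STUN-style mapping classifier, in RFC 4787 terms.

Constructed example: addresses 192.168.103.17, 11.102.35.39 and port 50573
come from the thread; the outside hosts and their ports are made up.
"""
from dataclasses import dataclass, field

EXTERNAL_IP = "11.102.35.39"

# RFC 4787 mapping behaviours. "apdm" is what RFC 3489 (and the thread) calls
# a symmetric NAT; "eim" is what endpoint-agnostic port allocation provides.
MAPPING_LABELS = {
    "eim": "endpoint-independent mapping",
    "adm": "address-dependent mapping",
    "apdm": "address-and-port-dependent mapping (symmetric NAT)",
}


@dataclass
class NatBox:
    mapping: str               # "eim" | "adm" | "apdm"
    filtering: str = "apdf"    # "eif" | "adf" | "apdf" (inbound filter)
    next_port: int = 50573     # first free external port, allocated sequentially
    table: dict = field(default_factory=dict)   # mapping key -> external port
    peers: dict = field(default_factory=dict)   # external port -> set of contacted (ip, port)

    def _key(self, src, dst):
        """What the translation entry is keyed on decides the mapping behaviour."""
        if self.mapping == "eim":
            return (src,)                # same port for every destination
        if self.mapping == "adm":
            return (src, dst[0])         # new port per destination address
        if self.mapping == "apdm":
            return (src, dst)            # new port per destination address:port
        raise ValueError(f"unknown mapping behaviour {self.mapping!r}")

    def outbound(self, src, dst):
        """Inside src=(ip, port) sends to dst=(ip, port).
        Returns the external (ip, port) the packet leaves with."""
        key = self._key(src, dst)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        port = self.table[key]
        self.peers.setdefault(port, set()).add(dst)
        return (EXTERNAL_IP, port)

    def inbound(self, peer, ext_port):
        """Outside peer=(ip, port) sends to EXTERNAL_IP:ext_port.
        Returns True if the filtering behaviour lets it through."""
        contacted = self.peers.get(ext_port)
        if not contacted:
            return False                 # no translation entry for this port
        if self.filtering == "eif":
            return True                  # any outside host may use the hole
        if self.filtering == "adf":
            return any(ip == peer[0] for ip, _ in contacted)   # same host, any port
        return peer in contacted         # apdf: exact address and port only


def classify_mapping(nat, src, host_a, host_b):
    """STUN-style probe: one inside socket sends to A:3478, A:3479 and B:3478;
    comparing the mapped ports names the mapping behaviour."""
    a1 = nat.outbound(src, (host_a, 3478))[1]
    a2 = nat.outbound(src, (host_a, 3479))[1]
    b1 = nat.outbound(src, (host_b, 3478))[1]
    if a1 == a2 == b1:
        return MAPPING_LABELS["eim"]
    if a1 == a2:
        return MAPPING_LABELS["adm"]
    return MAPPING_LABELS["apdm"]


def host_b_reply_check(nat, src):
    """The diagram case from the thread: the inside host talks to Host B on
    port 90; does a packet from Host B's port 91 get through the same mapping?"""
    host_b = "203.0.113.20"
    ext_port = nat.outbound(src, (host_b, 90))[1]
    return nat.inbound((host_b, 91), ext_port)


if __name__ == "__main__":
    src = ("192.168.103.17", 50573)
    for behaviour in ("eim", "adm", "apdm"):
        print(behaviour, "->", classify_mapping(NatBox(behaviour), src,
                                                 "198.51.100.10", "203.0.113.20"))
    print("Host B :91 passes address-and-port-dependent filter?",
          host_b_reply_check(NatBox("apdm", "apdf"), src))
    print("Host B :91 passes address-dependent filter?",
          host_b_reply_check(NatBox("apdm", "adf"), src))
```

Run against a real router, the same probe is three UDP sends from one socket to two STUN servers (one of them on two ports) followed by reading the mapped address each server echoes back; the classification logic is unchanged. Only the "apdm" row reproduces the diagram the thread wants, and the Host B check shows why a client must test filtering separately from mapping: a NAT can hand out a fresh port per destination and still accept a reply from a different source port.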
08-08-2010 08:32 AM
Hello Albert,
What code version you are running on the router?
Regards,
NT
08-08-2010 08:52 AM
Hello,
Also, can you post here the router configuration (x out all public IP/user information)?
Regards,
NT
08-08-2010 11:45 AM
Hi Nagaraja.
Version:
Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 15.0(1)M2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Thu 11-Mar-10 04:36 by prod_rel_team
Config:
router#show config
Using 10276 out of 262136 bytes
!
! Last configuration change at 05:26:24 UTC Mon Jul 19 2010 by me
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR892K9-A
!
boot-start-marker
boot system flash c890-universalk9-mz.150-1.M2.bin
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
!
!
crypto pki trustpoint TP-self-signed-2485414680
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2485414680
revocation-check none
rsakeypair TP-self-signed-2485414680
!
!
crypto pki certificate chain TP-self-signed-2485414680
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip inspect name rtrfirewall tcp
ip inspect name rtrfirewall udp
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO892-K9 sn FHK142174D0
!
!
archive
log config
hidekeys
<--snip-->
!
!
!
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
!
interface FastEthernet0
switchport access vlan 2
!
!
interface FastEthernet1
switchport access vlan 3
!
!
interface FastEthernet2
switchport access vlan 4
!
!
interface FastEthernet3
switchport access vlan 5
!
!
interface FastEthernet4
switchport access vlan 6
!
!
interface FastEthernet5
switchport access vlan 7
!
!
interface FastEthernet6
switchport access vlan 8
!
!
interface FastEthernet7
!
!
interface FastEthernet8
ip address 172.16.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0
ip address 172.16.2.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
ip address 10.10.10.1 255.255.255.248
ip tcp adjust-mss 1452
!
!
interface Vlan2
description $FE0-PoE$
ip address 192.168.102.1 255.255.255.0
ip access-group acl-vlan2 in
ip access-group 102 out
ip nat inside
ip inspect rtrfirewall in
ip virtual-reassembly
!
!
interface Vlan3
description $FE1-PoE$
ip address 192.168.103.1 255.255.255.0
ip access-group acl-vlan3 in
ip access-group 103 out
ip nat inside
ip inspect rtrfirewall in
ip virtual-reassembly
!
!
interface Vlan4
description $FE2-PoE$
ip address 192.168.104.1 255.255.255.0
ip access-group acl-vlan4 in
ip access-group 104 out
ip nat inside
ip inspect rtrfirewall in
ip virtual-reassembly
!
!
interface Vlan5
description $FE3-PoE$
ip address 192.168.105.1 255.255.255.0
ip access-group acl-vlan5 in
ip access-group 105 out
ip nat inside
ip inspect rtrfirewall in
ip virtual-reassembly
!
!
interface Vlan6
description $ FE4 $
ip address 192.168.106.1 255.255.255.0
ip access-group acl-vlan6 in
ip access-group 106 out
ip nat inside
ip inspect rtrfirewall in
ip virtual-reassembly
!
!
interface Vlan7
description $ FE5 $
ip address 192.168.107.1 255.255.255.0
ip access-group acl-vlan7 in
ip access-group 107 out
ip nat inside
ip inspect rtrfirewall in
ip virtual-reassembly
!
!
interface Vlan8
description $ FE6 $
ip address 192.168.108.1 255.255.255.0
ip access-group acl-vlan8 in
ip access-group 108 out
ip nat inside
ip inspect rtrfirewall in
ip virtual-reassembly
!
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool fe8load1 172.16.1.11 172.16.1.11 prefix-length 24
ip nat pool fe8nat1 172.16.1.20 172.16.1.23 prefix-length 24
ip nat inside source list 61 interface FastEthernet8 overload
ip nat inside source list 62 pool fe8load1 overload
ip nat inside source list 63 pool fe8nat1
ip nat inside source list 71 interface GigabitEthernet0 overload
!
ip access-list extended acl-vlan2
permit icmp any any
deny ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
deny ip 192.168.102.0 0.0.0.255 192.168.104.0 0.0.0.255
deny ip 192.168.102.0 0.0.0.255 192.168.105.0 0.0.0.255
deny ip 192.168.102.0 0.0.0.255 192.168.106.0 0.0.0.255
deny ip 192.168.102.0 0.0.0.255 192.168.107.0 0.0.0.255
deny ip 192.168.102.0 0.0.0.255 192.168.108.0 0.0.0.255
permit tcp 192.168.102.0 0.0.0.255 any
permit udp 192.168.102.0 0.0.0.255 any
ip access-list extended acl-vlan3
permit icmp any any
deny ip 192.168.103.0 0.0.0.255 192.168.102.0 0.0.0.255
deny ip 192.168.103.0 0.0.0.255 192.168.104.0 0.0.0.255
deny ip 192.168.103.0 0.0.0.255 192.168.105.0 0.0.0.255
deny ip 192.168.103.0 0.0.0.255 192.168.106.0 0.0.0.255
deny ip 192.168.103.0 0.0.0.255 192.168.107.0 0.0.0.255
deny ip 192.168.103.0 0.0.0.255 192.168.108.0 0.0.0.255
permit tcp 192.168.103.0 0.0.0.255 any
permit udp 192.168.103.0 0.0.0.255 any
ip access-list extended acl-vlan4
permit icmp any any
deny ip 192.168.104.0 0.0.0.255 192.168.102.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 192.168.103.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 192.168.105.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 192.168.106.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 192.168.107.0 0.0.0.255
deny ip 192.168.104.0 0.0.0.255 192.168.108.0 0.0.0.255
permit tcp 192.168.104.0 0.0.0.255 any
permit udp 192.168.104.0 0.0.0.255 any
ip access-list extended acl-vlan5
permit icmp any any
deny ip 192.168.105.0 0.0.0.255 192.168.102.0 0.0.0.255
deny ip 192.168.105.0 0.0.0.255 192.168.103.0 0.0.0.255
deny ip 192.168.105.0 0.0.0.255 192.168.104.0 0.0.0.255
deny ip 192.168.105.0 0.0.0.255 192.168.106.0 0.0.0.255
deny ip 192.168.105.0 0.0.0.255 192.168.107.0 0.0.0.255
deny ip 192.168.105.0 0.0.0.255 192.168.108.0 0.0.0.255
permit tcp 192.168.105.0 0.0.0.255 any
permit udp 192.168.105.0 0.0.0.255 any
ip access-list extended acl-vlan6
permit icmp any any
deny ip 192.168.106.0 0.0.0.255 192.168.102.0 0.0.0.255
deny ip 192.168.106.0 0.0.0.255 192.168.103.0 0.0.0.255
deny ip 192.168.106.0 0.0.0.255 192.168.104.0 0.0.0.255
deny ip 192.168.106.0 0.0.0.255 192.168.105.0 0.0.0.255
deny ip 192.168.106.0 0.0.0.255 192.168.107.0 0.0.0.255
deny ip 192.168.106.0 0.0.0.255 192.168.108.0 0.0.0.255
permit tcp 192.168.106.0 0.0.0.255 any
permit udp 192.168.106.0 0.0.0.255 any
ip access-list extended acl-vlan7
permit icmp any any
deny ip 192.168.107.0 0.0.0.255 192.168.102.0 0.0.0.255
deny ip 192.168.107.0 0.0.0.255 192.168.103.0 0.0.0.255
deny ip 192.168.107.0 0.0.0.255 192.168.104.0 0.0.0.255
deny ip 192.168.107.0 0.0.0.255 192.168.105.0 0.0.0.255
deny ip 192.168.107.0 0.0.0.255 192.168.106.0 0.0.0.255
deny ip 192.168.107.0 0.0.0.255 192.168.108.0 0.0.0.255
permit tcp 192.168.107.0 0.0.0.255 any
permit udp 192.168.107.0 0.0.0.255 any
ip access-list extended acl-vlan8
permit icmp any any
deny ip 192.168.108.0 0.0.0.255 192.168.102.0 0.0.0.255
deny ip 192.168.108.0 0.0.0.255 192.168.103.0 0.0.0.255
deny ip 192.168.108.0 0.0.0.255 192.168.104.0 0.0.0.255
deny ip 192.168.108.0 0.0.0.255 192.168.105.0 0.0.0.255
deny ip 192.168.108.0 0.0.0.255 192.168.106.0 0.0.0.255
deny ip 192.168.108.0 0.0.0.255 192.168.107.0 0.0.0.255
permit tcp 192.168.108.0 0.0.0.255 any
permit udp 192.168.108.0 0.0.0.255 any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 61 permit 192.168.102.16 0.0.0.7
access-list 61 permit 192.168.103.16 0.0.0.7
access-list 61 permit 192.168.104.16 0.0.0.7
access-list 61 permit 192.168.105.16 0.0.0.7
access-list 61 permit 192.168.106.16 0.0.0.7
access-list 61 permit 192.168.107.16 0.0.0.7
access-list 61 permit 192.168.108.16 0.0.0.7
access-list 62 permit 192.168.102.32 0.0.0.7
access-list 62 permit 192.168.103.32 0.0.0.7
access-list 62 permit 192.168.104.32 0.0.0.7
access-list 62 permit 192.168.105.32 0.0.0.7
access-list 62 permit 192.168.106.32 0.0.0.7
access-list 62 permit 192.168.107.32 0.0.0.7
access-list 62 permit 192.168.108.32 0.0.0.7
access-list 63 permit 192.168.102.64 0.0.0.7
access-list 63 permit 192.168.103.64 0.0.0.7
access-list 63 permit 192.168.104.64 0.0.0.7
access-list 63 permit 192.168.105.64 0.0.0.7
access-list 63 permit 192.168.106.64 0.0.0.7
access-list 63 permit 192.168.107.64 0.0.0.7
access-list 63 permit 192.168.108.64 0.0.0.7
access-list 71 permit 192.168.102.8 0.0.0.3
access-list 71 permit 192.168.103.8 0.0.0.3
access-list 71 permit 192.168.104.8 0.0.0.3
access-list 71 permit 192.168.105.8 0.0.0.3
access-list 71 permit 192.168.106.8 0.0.0.3
access-list 71 permit 192.168.107.8 0.0.0.3
access-list 71 permit 192.168.108.8 0.0.0.3
access-list 102 deny tcp any 192.168.102.0 0.0.0.255
access-list 102 deny udp any 192.168.102.0 0.0.0.255
access-list 102 permit icmp any 192.168.102.0 0.0.0.255
access-list 103 deny tcp any 192.168.103.0 0.0.0.255
access-list 103 deny udp any 192.168.103.0 0.0.0.255
access-list 103 permit icmp any 192.168.103.0 0.0.0.255
access-list 104 deny tcp any 192.168.104.0 0.0.0.255
access-list 104 deny udp any 192.168.104.0 0.0.0.255
access-list 104 permit icmp any 192.168.104.0 0.0.0.255
access-list 105 deny tcp any 192.168.105.0 0.0.0.255
access-list 105 deny udp any 192.168.105.0 0.0.0.255
access-list 105 permit icmp any 192.168.105.0 0.0.0.255
access-list 106 deny tcp any 192.168.106.0 0.0.0.255
access-list 106 deny udp any 192.168.106.0 0.0.0.255
access-list 106 permit icmp any 192.168.106.0 0.0.0.255
access-list 107 deny tcp any 192.168.107.0 0.0.0.255
access-list 107 deny udp any 192.168.107.0 0.0.0.255
access-list 107 permit icmp any 192.168.107.0 0.0.0.255
access-list 108 deny tcp any 192.168.108.0 0.0.0.255
access-list 108 deny udp any 192.168.108.0 0.0.0.255
access-list 108 permit icmp any 192.168.108.0 0.0.0.255
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end