Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1668
Views
0
Helpful
4
Replies

Is it possible to do a Static PAT to a loopback address?

Go to solution
Steph1963
Level 1
Level 1

‎02-23-2011 10:31 AM - edited ‎03-04-2019 11:32 AM

Hi to All,

Question 1

Is it possible to used a loopback interface with the ip nat inside source static command.

In other words, could we used a loopback interface as an IP gloabal address is such a way that all
traffic with a destination corresponding to the loopback IP address gets translate to a local address.

Regular PAT

Int fa0/0
  ip nat inside
Int fa0/1
  ip nat outside
ip nat inside source static udp 172.22.0.70 4500 interface FastEthernet1/0 4500
ip nat inside source static esp 172.22.0.70 interface FastEthernet1/0
ip nat inside source static udp 172.22.0.70 500 interface FastEthernet1/0 500

Proposed PAT

int fa0/0
  ip nat inside
int fa0/1
  ip nat outside ??
int loopback0
  ip nat outside ??

ip nat inside source static udp 172.22.0.70 4500 interface Loopback0 4500
ip nat inside source static esp 172.22.0.70 interface Loopback0
ip nat inside source static udp 172.22.0.70 500 interface Loopback0 500

Question 2

When the command:

(1) ip nat inside source static udp 172.22.0.70 4500 interface FastEthernet1/0 4500

is used as opposed to

(2) ip nat inside source static tcp  172.16.1.6 172.22.0.70

Can we say that (2) is totally transparent, so ICMP,IP,ESP,GRE traffic will get translated while none
of this traffic will go through exept IP traffic using UDP port4500 with command (1)

Sans titre.bmp

Thanks for your help

Stéphane

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to Steph1963

‎02-23-2011 12:15 PM

Hello Stéphane,

Yes, you are completely correct. With the command

ip nat inside source static tcp  172.16.1.6 172.22.0.70

only TCP flows would be translated. GRE, ICMP, IPsec would not work here because they are not TCP-based. The second command, namely:

ip nat inside source static  172.16.1.6 172.22.0.70

would perform 1:1 translation for any communication sourced from inside address 172.16.1.6 going out, or destined to 172.22.0.70 from outside going in, with no particular respect to transport protocols, ports etc.

Best regards,

Peter

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎02-23-2011 11:16 AM

Hello Stéphane,

Question 1
Is it possible to used a loopback interface with the ip nat inside source static command.
In other words, could we used a loopback interface as an IP gloabal address is such a way that all
traffic with a destination corresponding to the loopback IP address gets translate to a local address.

Yes, absolutely. The configuration would be absolutely identical to a normal NAT/PAT, only the name of the interface would refer to the loopback instead of a physical interface. The loopback interface itself should not be configured as ip nat inside or ip nat outside because there is no traffic passing through that interface at all.

So, the configuration would be:

int lo0
 ip address X.X.X.X M.M.M.M
Int fa0/0
  ip nat inside
Int fa0/1
  ip nat outside
ip nat inside source static udp 172.22.0.70 4500 interface Loopback0 4500
ip nat inside source static esp 172.22.0.70 interface Loopback0
ip nat inside source static udp 172.22.0.70 500 interface Loopback0 500
When the command:
(1) ip nat inside source static udp 172.22.0.70 4500 interface FastEthernet1/0 4500
is used as opposed to
(2) ip nat inside source static tcp  172.16.1.6 172.22.0.70

The first command defines a static PAT only for a selected IP address, transport protocol and transport port. Traffic sourced by 172.22.0.70, UDP port 4500, would be translated to the Fa1/0's IP address and the same UDP port. The return traffic would be translated back accordingly. Other traffic would not be translated according to that rule, and if there were no other ip nat commands, it would not be translated at all.

The second command defines a static NAT mapping for all TCP ports between an inside address (172.16.1.6) and the outside address (172.22.0.70; note that the first command used this address as the inside address - possible typo on your part), i.e. it is not specific to a particular TCP port. All TCP communication sourced from 172.16.1.6 going from inside and headed towards outside networks will be translated to 172.22.0.70, and vice versa.

Feel welcome to ask further!

Best regards,

Peter

0 Helpful

Go to solution
Steph1963
Level 1
Level 1
In response to Peter Paluch

‎02-23-2011 12:10 PM

Hi Peter,

Does this means that it would not possible to ping, establish a GRE tunnel or do IPsec with the following command

ip nat inside source static tcp  172.16.1.6 172.22.0.70

but there would be no restrictions with

ip nat inside source static  172.16.1.6 172.22.0.70

Thanks for your help
Stéphane

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to Steph1963

‎02-23-2011 12:15 PM

Hello Stéphane,

Yes, you are completely correct. With the command

ip nat inside source static tcp  172.16.1.6 172.22.0.70

only TCP flows would be translated. GRE, ICMP, IPsec would not work here because they are not TCP-based. The second command, namely:

ip nat inside source static  172.16.1.6 172.22.0.70

would perform 1:1 translation for any communication sourced from inside address 172.16.1.6 going out, or destined to 172.22.0.70 from outside going in, with no particular respect to transport protocols, ports etc.

Best regards,

Peter

0 Helpful

Go to solution
Steph1963
Level 1
Level 1
In response to Peter Paluch

‎02-23-2011 12:45 PM

Hi Peter,

Thanks a lot for your help

Stephane

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card