NAT based on the Source IP

butterfass

Howdy,

 

I want to set up NAT based on the source IP, so let's say

when User A from 111.1.1.11 connects to 155.5.5.5 with port 3389 he should be redirected to Server A 192.168.1.2 Port 3389

when User B from 112.2.2.22 connects to 155.5.5.5 with port 3389 he should be redirected to Server B 192.168.1.3 port 3389

and so on..


I can only use one public IP and can't map any ports.

(Currently experimenting on Cisco 2821 with 12.4, but any Cisco IOS Version would do (no ASA though))

I've tried for days now and so far I've only found outdated forum posts without a solution.
I would appreciate it if anyone has a link to a solution or can show me an example.



Hello 

Can you clarify the location of server A/B in relation to the source hosts?

 

Maybe you could provide a small topology.

 

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

 

thanks for your reply,

I've attached an example.jpg with a small topology to the post, can you see it?

If yes, can you please elaborate on what info you need?

 

Greetings

butterfass

Hello

 

PBR and NAT would be applicable. Can you post your configuration?

res
Paul



I added the NAT rules, but I'm still unable to RDP to the server. Do I need to set anything else? I'm probably missing some kind of ACL, I guess?

My config looks like this:

!
interface GigabitEthernet0/0
description WAN
ip address 155.5.5.5 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
ip nat outside source static tcp 111.1.1.11 3389 192.168.1.2 3389 extendable add-route
ip nat outside source static tcp 112.2.2.22 3389 192.168.1.3 3389 extendable add-route
!

Hello
Okay, I understand now, apologies.
The only issue is that PAT and dual static mapping to the interface (global IP) and port isn't allowed.

 

If you could use another port or an additional global IP for the mapping then it would be applicable, and you could then apply some policy-based routing to each server.


But as you only have one global IP, you could try the example below using two different ports:

 


access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 x.x.x.x
! x.x.x.x = ISP next hop
ip nat inside source list 100 interface GigabitEthernet0/0
ip nat inside source static tcp 192.168.1.3 3389 15.1.1.1 3389
ip nat inside source static tcp 192.168.1.4 3390 15.1.1.1 3390

 

Lastly, if you did have two global IPs to use then you could also incorporate some PBR, like below:
access-list 103 permit tcp host 111.1.1.11 host 192.168.1.3 eq 3389
access-list 104 permit tcp host 112.2.2.22 host 192.168.1.4 eq 3389

route-map PBR permit 10
 match ip address 103
 set ip next-hop 192.168.1.3

route-map PBR permit 20
 match ip address 104
 set ip next-hop 192.168.1.4

interface GigabitEthernet0/0
 description WAN
 ip policy route-map PBR


res
Paul

 

 

 


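As an added example (not from the thread or from Cisco), the Python check below parses IOS `ip nat ... source static` lines and flags the conflict Paul describes: two inside-source static PAT entries claiming the same global IP, protocol and port, which static NAT cannot disambiguate by source address. The sample configuration is constructed from the addresses used in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: what the asker wanted (two servers behind 155.5.5.5:3389),
# plus Paul's second-port workaround and one outside-source entry for contrast.
SAMPLE_CONFIG = """\
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.2 3389 155.5.5.5 3389 extendable
ip nat inside source static tcp 192.168.1.3 3389 155.5.5.5 3389 extendable
ip nat inside source static tcp 192.168.1.4 3390 155.5.5.5 3390 extendable
ip nat outside source static tcp 111.1.1.2 3389 192.168.1.2 3389 extendable add-route
"""

# For "inside source static", IOS syntax is <local ip> <local port> <global ip> <global port>.
STATIC_RE = re.compile(
    r"^ip nat (?P<dir>inside|outside) source static "
    r"(?P<proto>tcp|udp) (?P<a_ip>\S+) (?P<a_port>\d+) (?P<b_ip>\S+) (?P<b_port>\d+)"
)


def parse_static_nat(config):
    """Return one dict per static NAT/PAT line; dynamic 'source list' lines are skipped."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def find_collisions(entries):
    """Map (proto, global ip, global port) -> list of inside (ip, port) pairs that claim it,
    keeping only sockets claimed more than once. Only inside-source entries are considered,
    since only those publish a global socket on the WAN side."""
    by_global = defaultdict(list)
    for e in entries:
        if e["dir"] != "inside":
            continue
        by_global[(e["proto"], e["b_ip"], int(e["b_port"]))].append((e["a_ip"], int(e["a_port"])))
    return {k: v for k, v in by_global.items() if len(v) > 1}


def report(config):
    """One message per conflicting global socket; an empty list means no collision."""
    msgs = []
    for (proto, gip, gport), inside in find_collisions(parse_static_nat(config)).items():
        targets = ", ".join(f"{ip}:{port}" for ip, port in inside)
        msgs.append(f"{proto} {gip}:{gport} is claimed by {len(inside)} static entries ({targets}); "
                    "static NAT cannot choose by source address, use distinct global ports or IPs")
    return msgs


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)) or "no static PAT collisions")
```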

Thanks for bearing with me.

Sorry, I guess the info I provided was misleading; for simplification all WAN addresses are on the same subnet (new topology in attachment).

 

My config looks like this now:

 

!
interface GigabitEthernet0/0
description WAN
ip address 111.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat outside source static tcp 111.1.1.2 3389 192.168.1.2 3389 extendable add-route
ip nat outside source static tcp 111.1.1.3 3389 192.168.1.3 3389 extendable add-route
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!

 

(The "overload" option was added to the nat inside line automatically.)

 

Hello

When you initiate the connection from the outside hosts, can you access the internal servers?

 

Can you post the output from:

sh ip nat translations

res
Paul





No, I can't establish a connection at all; the output is this:

Pro Inside global      Inside local       Outside local       Outside global
tcp ---                ---                192.168.1.2:3389    111.1.1.2:3389
tcp ---                ---                192.168.1.3:3389    111.1.1.3:3389

 

 

Also, I just noticed that I'm now getting a "Duplicate address 192.168.1.2 on GigabitEthernet0/1" message.

Hello

For now and for testing purposes, remove the static NAT entries and confirm you are initiating the connection from OUTSIDE your network and not inside.

 

Do you have reachability to 155.5.5.5 and can you ping 155.5.5.5 ?

 

Please review the previous configuration I posted.

 
res
Paul



OK, I deleted the static entry for 111.1.1.3.

My test setup consists of two Windows clients, whose IPs I change accordingly to test the NAT configuration.

Currently it is setup as:

Client A on OUTSIDE interface with IP: 111.1.1.2/24 can ping OUTSIDE interface 111.1.1.1

and

Server A on INSIDE interface with IP: 192.168.1.2/24 can ping INSIDE interface 192.168.1.1

 

However, when I try to establish an RDP session from Client A to 111.1.1.1 nothing happens. (RDP is functional on the machine; no firewall or something like that.)

Oh, I did not see that you had answered already; I always just checked the bottom of the page...


I was afraid you'd say that, unfortunately I need multiple static mappings for the same IP.
The initial idea was that due to a large number of users, not everyone had to be provided with their own IP.

Thank you very much for your help and the tip with PAT/PBR!
