NAT - port redirection?

MATTH1187 (Level 1)

Not sure if the title is appropriate or if I'm in the correct forum, but I'm looking for insight on this. TIA:

To translate an outside port to a different inside port. I was told by someone that's not possible, but the thing is that a lot of cheapo broadband routers have this option (Linksys, D-Link, a bunch of others), so surely IOS has got to be able to do this!

For example, we all know RDP is port 3389.

I'm trying to add a NAT rule that allows me to connect to 192.168.3.11:3389 from outside using public IP x.x.x.x:3390.

Below is the non-working config.

ip nat inside source static tcp 192.168.3.11 3389 interface FastEthernet0/1 3390
ip access-list extended IN
 permit tcp any host 192.168.3.11 eq 3390

Matt.


5 Replies

MATTH1187 (Level 1)

Well SOB, I have figured it out....

The access list should be port 3389, not 3390.

I assume NAT first, then ACL second?

So NAT translates 3390 to 3389, and the router allows 3389?

Can someone confirm the assumption: NAT first, ACL second?

Thank you!!

Here's a document that walks through the order of operation for NAT:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

HTH, John *** Please rate all useful posts ***

Wonderful, that is exactly what I was looking for.

I'm using a ZBFW (zone pair > policy map > class map > ACL). Based on that document, would the ACL tied to the ZBFW be considered policy routing? Even though ZBFW is the successor of CBAC, I'm hesitant to say CBAC because there are no policy maps or ACLs strictly tied to CBAC.

Thank you Thank you!

I wouldn't consider it policy routing. The types of policies are different between policy routing and ZBFW. The policy maps used in ZBFW allow you to inspect traffic, but I don't think they can be used to route traffic in any way. They're only there to either pass or deny traffic. Here's another document in case you're interested:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

HTH, John *** Please rate all useful posts ***

Understood. It's used for classification.

I guess what I'm fuzzy on is the order of operation of NAT. Perhaps it's just that that document is outdated.

Based on my experiences above, I would say the port was first translated/redirected, then matched against the ACL.

Therefore the ACL would have to kick in after the NAT translation, and the list below shows what happens after NAT.

Perhaps I could look at the list and replace CBAC with ZBFW? Unless I'm confusing the ZBFW as being in instead of out. When I get a few I will go over the last document about ZBFWs.

If IPSec, then check input access list
decryption - for CET or IPSec
check input access list
check input rate limits
input accounting
redirect to web cache
NAT outside to inside (global to local translation)
policy routing
routing
crypto (check map and mark for encryption)
check output access list
inspect CBAC
TCP intercept
encryption
queueing


j.blakley, I value your efforts in corresponding with me as they help me gain a better understanding of Cisco technology. Go Cisco!

Matt
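As an added illustration, not from the thread or from Cisco's documentation, here is a small Python model of the outside-to-inside order quoted above. It walks an inbound RDP packet through "check input access list", "NAT outside to inside" and the "inspect" stage, and records which destination address and port each check sees around the static PAT entry from Matt's config. It reproduces why the class-map ACL had to name 3389 rather than 3390, and contrasts that with an ACL applied inbound on the outside interface, which runs before NAT and therefore sees the public address and the redirected port. Assumptions: 203.0.113.10 stands in for x.x.x.x, and the ZBFW class-map ACL is evaluated at the "inspect CBAC" position, as Matt proposes; the names and functions are this example's own.

```python
# Added illustration (not from the thread or Cisco documentation): a toy model of
# the IOS outside-to-inside order of operations quoted above, showing which
# destination port each check sees around a static PAT (port redirection) entry.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed placeholder for the public address "x.x.x.x" in the thread.
OUTSIDE_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticPat:
    """Models: ip nat inside source static tcp <inside_ip> <inside_port> interface ... <outside_port>"""
    proto: str
    inside_ip: str
    inside_port: int
    outside_port: int


@dataclass(frozen=True)
class AclEntry:
    """Models: permit <proto> any host <dst_ip> eq <dst_port>"""
    proto: str
    dst_ip: str
    dst_port: int


def nat_outside_to_inside(pkt: Packet, rules: List[StaticPat]) -> Packet:
    """Global-to-local translation: rewrite public ip:port to the inside host:port."""
    for r in rules:
        if pkt.proto == r.proto and pkt.dst_ip == OUTSIDE_IP and pkt.dst_port == r.outside_port:
            return replace(pkt, dst_ip=r.inside_ip, dst_port=r.inside_port)
    return pkt  # no matching static entry: packet is left untranslated


def acl_permits(pkt: Packet, acl: List[AclEntry]) -> bool:
    """Implicit deny at the end: permitted only if some entry matches."""
    return any(
        e.proto == pkt.proto and e.dst_ip == pkt.dst_ip and e.dst_port == pkt.dst_port
        for e in acl
    )


def process_inbound(
    pkt: Packet,
    input_acl: Optional[List[AclEntry]],
    pat_rules: List[StaticPat],
    inspect_acl: Optional[List[AclEntry]],
) -> Tuple[str, List[Tuple[str, str, int]]]:
    """Walk an outside-to-inside packet through the relevant stages of the quoted order.

    input_acl   - ACL applied inbound on the outside interface ("check input access
                  list"): evaluated BEFORE NAT, so it sees the global address and port.
    inspect_acl - ACL referenced by a firewall class-map; assumed (as Matt proposes) to
                  sit at the "inspect CBAC" position, i.e. AFTER NAT, so it sees the
                  translated inside address and port.
    Returns the verdict and a trace of (stage, dst_ip, dst_port) as each stage saw it.
    """
    trace = [("arrives on outside interface", pkt.dst_ip, pkt.dst_port)]
    if input_acl is not None:
        trace.append(("check input access list", pkt.dst_ip, pkt.dst_port))
        if not acl_permits(pkt, input_acl):
            return "denied by input ACL", trace
    pkt = nat_outside_to_inside(pkt, pat_rules)
    trace.append(("NAT outside to inside", pkt.dst_ip, pkt.dst_port))
    trace.append(("routing", pkt.dst_ip, pkt.dst_port))
    if inspect_acl is not None:
        trace.append(("inspect (class-map ACL)", pkt.dst_ip, pkt.dst_port))
        if not acl_permits(pkt, inspect_acl):
            return "denied by inspection ACL", trace
    return "permitted", trace


# The thread's static entry: public :3390 redirected to 192.168.3.11:3389.
RDP_REDIRECT = [StaticPat("tcp", "192.168.3.11", 3389, 3390)]
# Constructed inbound RDP attempt from an outside client to the public ip:3390.
INBOUND_RDP = Packet("tcp", OUTSIDE_IP, 3390)


def demo() -> dict:
    """Reproduce the thread's before/after, plus the interface-ACL contrast."""
    results = {}
    # Matt's original class-map ACL (eq 3390): evaluated after NAT, so it never matches.
    results["zbfw_acl_3390"] = process_inbound(
        INBOUND_RDP, None, RDP_REDIRECT, [AclEntry("tcp", "192.168.3.11", 3390)])[0]
    # Matt's fix (eq 3389): matches the translated port.
    results["zbfw_acl_3389"] = process_inbound(
        INBOUND_RDP, None, RDP_REDIRECT, [AclEntry("tcp", "192.168.3.11", 3389)])[0]
    # Contrast: an ACL on the outside interface runs before NAT, so it must name the
    # global address and the redirected (outside) port, not the inside host:3389.
    results["iface_acl_global_3390"] = process_inbound(
        INBOUND_RDP, [AclEntry("tcp", OUTSIDE_IP, 3390)], RDP_REDIRECT, None)[0]
    results["iface_acl_inside_3389"] = process_inbound(
        INBOUND_RDP, [AclEntry("tcp", "192.168.3.11", 3389)], RDP_REDIRECT, None)[0]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

Running the block prints the four verdicts; the trace returned by process_inbound is the useful part when debugging a rule like this, because it shows the port value in force at each stage rather than only the final result.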
