03-16-2012 11:01 AM - edited 03-04-2019 03:41 PM
Not sure if the title is appropriate or if I'm in the correct forum, but I'm looking for insight on this. TIA:
To translate an outside port to a different inside port. I was told by someone that's not possible, but the thing is that a lot of cheapo broadband routers have this option (Linksys, D-Link, a bunch of others), so surely IOS has got to be able to do this!
For example, we all know RDP is port 3389.
I'm trying to add a NAT rule that allows me to connect to 192.168.3.11:3389 from outside using public IP x.x.x.x:3390.
Below is the not-working config.
ip nat inside source static tcp 192.168.3.11 3389 interface FastEthernet0/1 3390
ip access-list extended IN
permit tcp any host 192.168.3.11 eq 3390
Matt.
03-16-2012 11:59 AM
Here's a document that walks through the order of operation for nat:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
03-16-2012 11:05 AM
Well SOB, I have figured it out....
The access list should be port 3389, not 3390.
I assume NAT first, then ACL second?
So NAT translates 3390 to 3389, and the router allows 3389?
Can someone confirm the assumption, NAT first, ACL second?
Thank you!!
03-16-2012 12:49 PM
Wonderful, that is exactly what I was looking for.
I'm using a ZBFW (zone pair > policy map > class map > ACL). Based on that document, would the ACL tied to ZBFW be considered policy routing? Even though ZBFW is the successor of CBAC, I'm hesitant to say CBAC because there are no policy maps or ACLs strictly tied to CBAC.
Thank you Thank you!
03-16-2012 01:12 PM
I wouldn't consider it policy routing. The types of policies are different between policy routing and zbfw. The policy maps used in zbfw allow you to inspect traffic, but I don't think they can be used to route traffic in any way. They're only there to either pass/deny traffic. Here's another document in case you're interested:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
03-16-2012 01:47 PM
Understood. It's used for classification.
I guess what I'm fuzzy on is the order of operation of NAT. Perhaps it's just that the document is outdated.
Based on my experience above, I would say the port was first translated/redirected, then matched against the ACL.
Therefore the ACL would have to kick in after the NAT translation, and the list below shows what happens after NAT.
Perhaps I could look at the list and replace CBAC with ZBFW? Unless I'm confusing the ZBFW as being in instead of out. When I get a few, I will go over the last document about ZBFWs.
If IPSec then check input access list
decryption - for CET or IPSec
check input access list
check input rate limits
input accounting
redirect to web cache
NAT outside to inside (global to local translation)
policy routing
routing
crypto (check map and mark for encryption)
check output access list
inspect CBAC
TCP intercept
encryption
Queueing
j.blakley, I value your efforts in corresponding with me as they help me gain a better understanding of Cisco technology. Go Cisco!
Matt
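As an added illustration (not from the thread and not Cisco code), here is a small Python model of the outside-to-inside order Matt observed: NAT outside-to-inside runs before the inspect step, so the class-map ACL is matched against the translated 192.168.3.11:3389 rather than the public port 3390. The client address and source ports are constructed, and x.x.x.x stands in for the router's public address as in the thread.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# Placeholder for the router's public address (the thread writes it as x.x.x.x).
PUBLIC_IP = "x.x.x.x"

# Static port translation from the thread:
#   ip nat inside source static tcp 192.168.3.11 3389 interface FastEthernet0/1 3390
# Seen outside-to-inside it maps (global ip, global port) -> (local ip, local port).
STATIC_NAT = {("tcp", PUBLIC_IP, 3390): ("192.168.3.11", 3389)}

# The two ACL variants from the thread; entries model 'permit tcp any host H eq P'.
ACL_ORIGINAL = [("tcp", "192.168.3.11", 3390)]  # the config that did not work
ACL_FIXED = [("tcp", "192.168.3.11", 3389)]     # Matt's fix

def nat_outside_to_inside(pkt):
    """Global-to-local translation; packets without a matching entry pass untouched."""
    key = (pkt.proto, pkt.dst, pkt.dport)
    if key not in STATIC_NAT:
        return pkt
    local_ip, local_port = STATIC_NAT[key]
    return replace(pkt, dst=local_ip, dport=local_port)

def acl_permits(acl, pkt):
    """Extended-ACL style match on protocol, destination host and port (source is 'any')."""
    return any(p == pkt.proto and h == pkt.dst and d == pkt.dport for p, h, d in acl)

def outside_to_inside(pkt, acl):
    """NAT outside-to-inside happens before the inspect (CBAC/ZBFW) step in the order
    of operations, so the class-map ACL sees the already-translated address and port."""
    translated = nat_outside_to_inside(pkt)
    return translated, acl_permits(acl, translated)

if __name__ == "__main__":
    rdp = Packet("tcp", "203.0.113.5", 51000, PUBLIC_IP, 3390)  # constructed client connection
    for name, acl in (("original", ACL_ORIGINAL), ("fixed", ACL_FIXED)):
        pkt, ok = outside_to_inside(rdp, acl)
        print(f"{name}: after NAT -> {pkt.dst}:{pkt.dport}, ACL permits = {ok}")
```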