PORT FORWARDING BASED ON SOURCE

dpsw120
Level 1

Hello All,

I have the same problem. I have NAT forwarding already in place:

ip nat inside source static tcp 192.168.1.1 443 192.168.10.1 443 extendable

and I want a specific public IP accessing 192.168.10.1 443 to be redirected to 192.168.1.2 443.

Does someone know how to do this?

I tried this config, but the traffic is still directed to 192.168.1.1:

ip access-list extended PORT-FORWARD-HTTPS
 permit tcp host 1.1.1.1 host 192.168.1.2 eq 443

route-map NAT-MAP-HTTPS permit 10
 match ip address PORT-FORWARD-HTTPS

ip nat inside source static 192.168.1.2 192.168.10.1 route-map NAT-MAP-HTTPS extendable

I'm using a Cisco 4320, IOS version 16.3.

Thank you!


balaji.bandi
Hall of Fame

Is there any reason you would like to forward to another private IP address rather than directly from the public IP address to the private IP address?

Are all of them in the same network and reachable?

BB


Is there any reason you would like to forward to another private IP address rather than directly from the public IP address to the private IP address?

Yes, because my public IP is already assigned to a domain, and I need to split the customers across different local servers; our customers already hit us via the domain.

Are all of them in the same network and reachable?

The LAN, yes: same network and reachable, and both have 443 open.

Cristian Matei
VIP Alumni

Hi,

The entries in the NAT table need to be unique, thus you can't make 192.168.1.1 443 visible as 192.168.10.1 443 and also 192.168.1.2 443 visible as 192.168.10.1 443. A route-map is not gonna help in this case; its use case is policy-based NAT (based on IP src and IP dst).

Regards,

Cristian Matei.

So I should use policy-based NAT; can you give me an example of how to achieve this?

Thank you

Hi,

Mapping the same socket of multiple inside IP addresses, like (192.168.1.1 443 and 192.168.1.2 443), to the same other socket (10.10.10.10 443) via NAT is not possible, as the NAT entries need to be unique. Think about it: if someone comes and wants to reach 10.10.10.10 443, based on which criteria will the router un-NAT into 192.168.1.1 or 192.168.1.2?

Policy-based NAT is meant to NAT the source into something different, based on the accessed destination, but this is not what you're looking for.

If you have two internal hosts (192.168.1.1 and 12.168.1.2) that offer the same service (like HTTPS, TCP port 443), the only way to make these two visible via NAT is one of the following:

- NAT into different IPs, like 192.168.1.1 443 into 10.10.10.1 443 and 192.168.1.2 443 into 10.10.10.2 443
- NAT both into the same IP, but use different ports, like 192.168.1.1 443 into 10.10.10.1 443 and 192.168.1.2 443 into 10.10.10.1 8443

Regards,

Cristian Matei.

Mapping the same socket of multiple inside IP addresses, like (192.168.1.1 443 and 192.168.1.2 443), to the same other socket (10.10.10.10 443) via NAT is not possible, as the NAT entries need to be unique. Think about it: if someone comes and wants to reach 10.10.10.10 443, based on which criteria will the router un-NAT into 192.168.1.1 or 192.168.1.2?

Yes, that's true, but I think iptables in Linux can achieve this, and I just thought Cisco IOS could maybe do this too, but sadly no.

 

Policy-based NAT is meant to NAT the source into something different, based on the accessed destination, but this is not what you're looking for.
If you have two internal hosts (192.168.1.1 and 12.168.1.2) that offer the same service (like HTTPS, TCP port 443), the only way to make these two visible via NAT is one of the following:
- NAT into different IPs, like 192.168.1.1 443 into 10.10.10.1 443 and 192.168.1.2 443 into 10.10.10.2 443
- NAT both into the same IP, but use different ports, like 192.168.1.1 443 into 10.10.10.1 443 and 192.168.1.2 443 into 10.10.10.1 8443

I can do that, but sadly 10.10.10.1 443 is already registered in the domain name and my clients already connect through that domain. I just want to simply redirect this specific client to another local machine without adding a new public IP.

Hi,

1. Even if Linux could achieve this, I don't see how it's gonna work in the end, technically speaking.

2. The public IP remains the same, so DNS resolves it the same way; it's a matter of changing the port they're using to connect (443 and 8443 for the public IP, instead of 443 and 443 for the public IP).

Regards,

Cristian Matei.
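As an added illustration of the point argued in this thread (this is example code written for this page, not code from the thread, from Cisco IOS, or from iptables), the following Python model contrasts two translator designs. A static table keyed by outside socket, as described above, cannot hold both `192.168.10.1 443` entries, which is the collision the replies describe. A connection-tracking translator instead picks the inside destination per flow, optionally conditioned on the client's source address (the behaviour the poster has in mind for Linux DNAT), and records the choice so that the reply path can be un-NATed without ambiguity. The second client address 2.2.2.2, the source port 50000, and all class and function names are assumptions made for the example; the other addresses are the ones used in the thread.

```python
"""Model: static NAT keyed by outside socket vs. connection-tracked DNAT.
Added example for illustration only; not IOS or netfilter code.
Addresses: thread values plus a constructed second client (2.2.2.2)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

Socket = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticNatTable:
    """IOS-style static port translation: outside socket -> inside socket.
    Inbound lookups are keyed by the outside socket, so it must be unique."""

    def __init__(self) -> None:
        self._by_outside: Dict[Socket, Socket] = {}

    def add(self, inside: Socket, outside: Socket) -> None:
        if outside in self._by_outside:
            raise ValueError(
                f"outside socket {outside} already maps to {self._by_outside[outside]}")
        self._by_outside[outside] = inside

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self._by_outside.get((pkt.dst_ip, pkt.dst_port))
        if inside is None:
            return None
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


@dataclass(frozen=True)
class DnatRule:
    """Destination NAT rule with an optional source match (like `-s 1.1.1.1`)."""
    outside: Socket
    inside: Socket
    src_ip: Optional[str] = None  # None matches any source

    def matches(self, pkt: Packet) -> bool:
        return ((pkt.dst_ip, pkt.dst_port) == self.outside
                and (self.src_ip is None or pkt.src_ip == self.src_ip))


class ConntrackNat:
    """Rules are consulted once, on the first packet of a flow. The chosen
    translation is stored per 4-tuple so replies can be un-NATed unambiguously."""

    def __init__(self, rules: List[DnatRule]) -> None:
        self.rules = rules  # first match wins: put source-specific rules first
        # (client ip, client port, inside ip, inside port) -> outside socket the client used
        self._flows: Dict[Tuple[str, int, str, int], Socket] = {}

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        for rule in self.rules:
            if rule.matches(pkt):
                nat = replace(pkt, dst_ip=rule.inside[0], dst_port=rule.inside[1])
                self._flows[(nat.src_ip, nat.src_port, nat.dst_ip, nat.dst_port)] = rule.outside
                return nat
        return None

    def translate_reply(self, pkt: Packet) -> Optional[Packet]:
        """Reply from the inside host: restore the outside socket the client connected to."""
        outside = self._flows.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if outside is None:
            return None
        return replace(pkt, src_ip=outside[0], src_port=outside[1])


def static_table_rejects_duplicate_outside_socket() -> bool:
    """Two inside hosts behind one outside socket: the second entry is rejected."""
    table = StaticNatTable()
    table.add(("192.168.1.1", 443), ("192.168.10.1", 443))
    try:
        table.add(("192.168.1.2", 443), ("192.168.10.1", 443))
    except ValueError:
        return True
    return False


def source_based_forwarding_demo() -> Dict[str, str]:
    """Both clients hit 192.168.10.1:443; 1.1.1.1 lands on 192.168.1.2, others on
    192.168.1.1, and each server reply is rewritten back to the outside socket."""
    nat = ConntrackNat([
        DnatRule(("192.168.10.1", 443), ("192.168.1.2", 443), src_ip="1.1.1.1"),
        DnatRule(("192.168.10.1", 443), ("192.168.1.1", 443)),
    ])
    landed_on: Dict[str, str] = {}
    for client in ("1.1.1.1", "2.2.2.2"):  # 2.2.2.2 is a constructed second client
        syn = Packet(client, 50000, "192.168.10.1", 443)
        inside = nat.translate_inbound(syn)
        reply = nat.translate_reply(Packet(inside.dst_ip, inside.dst_port, client, 50000))
        assert (reply.src_ip, reply.src_port) == ("192.168.10.1", 443)
        landed_on[client] = inside.dst_ip
    return landed_on


if __name__ == "__main__":
    print("static table rejects duplicate:", static_table_rejects_duplicate_outside_socket())
    print("per-source destinations:", source_based_forwarding_demo())
```

The model makes the "based on which criteria will the router un-NAT" question concrete: with only a static table there is no criterion, because the reverse lookup has one key and two candidate answers; with per-flow state the criterion is the flow itself, recorded when the first packet matched the source-specific rule.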
