Static PAT not working on ports 80 and 443

IVoronov
Level 1

Hello, dear experts

 

I have a little bit of an issue with Cisco static PAT.

 

Basically I have some hosts on the remote network <site outside ip>, in the inside segment 10.0.0.0/8. Hosts need access to the internet and I need access to some ports from another remote location <my remote network>.

 

Point is - translations for ports 80 and 443 are not in the NAT table. Other ports are translated. ip nat statistics have them counted.

 

What should I do to get them translated?

 

sh run:

interface GigabitEthernet0/0/0.101
ip address 10.10.1.254 255.255.255.0
ip nat inside

interface GigabitEthernet0/0/1
ip address <site outside ip> 255.255.255.0
ip nat outside

 

ip nat inside source static tcp 10.10.1.3 22 <site outside ip> 50322 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.3 80 <site outside ip> 50380 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.4 22 <site outside ip> 50422 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.4 443 <site outside ip> 50443 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.4 80 <site outside ip> 50480 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.3 8080 <site outside ip> 50880 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.10 3389 <site outside ip> 51089 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.20 3389 <site outside ip> 52089 route-map RM extendable reversible
ip nat inside source list NAT interface GigabitEthernet0/0/1 overload

 

ip access-list extended NAT
permit ip 10.10.1.0 0.0.0.255 any

ip access-list extended MYIP
permit ip any <my remote network> 0.0.0.255

route-map RM permit 20
match ip address MYIP

 

no ip http server
ip http authentication local
no ip http secure-server

 

sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp <site outside ip>:51089 10.10.1.10:3389 --- ---
tcp <site outside ip>:50880 10.10.1.3:8080 --- ---
tcp <site outside ip>:50322 10.10.1.3:22 --- ---
tcp <site outside ip>:50422 10.10.1.4:22 --- ---
tcp <site outside ip>:52089 10.10.1.20:3389 --- ---

 

sh ip nat statistics
Total active translations: 19 (8 static, 11 dynamic; 9 extended)
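The mismatch described above (eight static statements in the running config, eight counted by "sh ip nat statistics", but only five rows in "sh ip nat translations") is easiest to pin down by diffing the config against the translation table mechanically. The script below is an added example, not something posted in the thread or shipped by Cisco. It parses the two command outputs as pasted above, with "<site outside ip>" replaced by the documentation address 203.0.113.10 (a constructed placeholder) and one constructed dynamic row added to the table to show that dynamic entries are ignored, and reports every static PAT entry that has no matching translation.

```python
import re

# Constructed placeholder for the poster's "<site outside ip>" (RFC 5737 range).
SITE_OUTSIDE_IP = "203.0.113.10"

# The static PAT lines from the "sh run" in the post, placeholder substituted.
RUNNING_CONFIG = f"""
ip nat inside source static tcp 10.10.1.3 22 {SITE_OUTSIDE_IP} 50322 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.3 80 {SITE_OUTSIDE_IP} 50380 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.4 22 {SITE_OUTSIDE_IP} 50422 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.4 443 {SITE_OUTSIDE_IP} 50443 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.4 80 {SITE_OUTSIDE_IP} 50480 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.3 8080 {SITE_OUTSIDE_IP} 50880 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.10 3389 {SITE_OUTSIDE_IP} 51089 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.20 3389 {SITE_OUTSIDE_IP} 52089 route-map RM extendable reversible
ip nat inside source list NAT interface GigabitEthernet0/0/1 overload
"""

# "sh ip nat translations" from the post, plus one constructed dynamic (overload)
# row so the parser has to tell static rows ("---" outside columns) from dynamic ones.
NAT_TRANSLATIONS = f"""
Pro Inside global Inside local Outside local Outside global
tcp {SITE_OUTSIDE_IP}:51089 10.10.1.10:3389 --- ---
tcp {SITE_OUTSIDE_IP}:50880 10.10.1.3:8080 --- ---
tcp {SITE_OUTSIDE_IP}:50322 10.10.1.3:22 --- ---
tcp {SITE_OUTSIDE_IP}:50422 10.10.1.4:22 --- ---
tcp {SITE_OUTSIDE_IP}:52089 10.10.1.20:3389 --- ---
tcp {SITE_OUTSIDE_IP}:1024 10.10.1.50:51213 192.0.2.44:443 192.0.2.44:443
"""

NAT_STATISTICS = "Total active translations: 19 (8 static, 11 dynamic; 9 extended)"

STATIC_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) "
    r"(?P<local_ip>\S+) (?P<local_port>\d+) (?P<global_ip>\S+) (?P<global_port>\d+)"
)


def parse_static_pat(config):
    """Return {(proto, inside_global, inside_local)} for each static PAT statement."""
    entries = set()
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entries.add((m["proto"],
                         f"{m['global_ip']}:{m['global_port']}",
                         f"{m['local_ip']}:{m['local_port']}"))
    return entries


def parse_translations(output):
    """Return {(proto, inside_global, inside_local)} for the static rows of
    'sh ip nat translations', i.e. rows whose outside columns are '---'."""
    entries = set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] in ("tcp", "udp") and parts[3] == "---":
            entries.add((parts[0], parts[1], parts[2]))
    return entries


def static_count(statistics_line):
    """Pull the 'N static' counter out of 'sh ip nat statistics'."""
    m = re.search(r"\((\d+) static", statistics_line)
    return int(m.group(1)) if m else None


def missing_static_translations(config, output):
    """Static PAT statements present in the config but absent from the table."""
    return sorted(parse_static_pat(config) - parse_translations(output))


if __name__ == "__main__":
    configured = parse_static_pat(RUNNING_CONFIG)
    print(f"configured static entries: {len(configured)}, "
          f"counted by statistics: {static_count(NAT_STATISTICS)}, "
          f"present in table: {len(parse_translations(NAT_TRANSLATIONS))}")
    for proto, inside_global, inside_local in missing_static_translations(RUNNING_CONFIG, NAT_TRANSLATIONS):
        print(f"MISSING: {proto} {inside_global} -> {inside_local}")
```

Run against the outputs in the post it lists exactly the three entries the poster is asking about (10.10.1.3:80, 10.10.1.4:443 and 10.10.1.4:80), which is the state-versus-config drift to raise in a ticket or a lab reproduction.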


Hello
When you have static NAT then you don't need to use the reversible keyword: as the NAT entry is static, not dynamic, the entry will always exist for a bidirectional connection.


As such you should have no requirement for the route-map or reversible keywords, unless I have misunderstood your query and you need to make sure you connect externally on the specific port you've defined in the static NAT.


Lastly, you can negate the static hosts from the dynamic NAT access-list:

ip nat inside source static tcp 10.10.1.3 22 <site outside ip> 50322 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.3 80 <site outside ip> 50380 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.4 22 <site outside ip> 50422 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.4 443 <site outside ip> 50443 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.4 80 <site outside ip> 50480 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.3 8080 <site outside ip> 50880 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.10 3389 <site outside ip> 51089 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.20 3389 <site outside ip> 52089 route-map RM extendable reversible

 

no ip access-list extended NAT

 

ip access-list extended NAT
deny ip host 10.10.1.3 any
deny ip host 10.10.1.4 any
deny ip host 10.10.1.10 any
deny ip host 10.10.1.20 any
permit ip 10.10.1.0 0.0.0.255 any

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello Paul,

 

Thank you for your input!

 

Hosts 10.0.1.3, 1.0.1.4, etc. have to have internet access, so I can't exclude them from dynamic PAT.

 

extendable reversible is used for outside-to-inside initialization, so ports are translated only when initiated from the <my remote ip> network. The goal is to connect from <my remote ip> to specific hosts on the specific ports and prohibit external connections except those initialized from <my remote ip>.

Hello


@IVoronov wrote:

extendable reversible is used for outside-to-inside initialization, so ports are translated only when initiated from the <my remote ip> network. The goal is to connect from <my remote ip> to specific hosts on the specific ports and prohibit external connections except those initialized from <my remote ip>.


Not so sure I understand here. The reversible feature works as/when an internal host first initiates an external connection, so from there on, until the NAT table is cleared, you have a 1-1 host NAT entry allowing external hosts to then initiate an outside-to-inside connection. However, in your case you already have that with the static PAT entries.



Kind Regards
Paul

Does it mean that "reversible" is used only on dynamic PAT to create a static translation? That's good to know, I appreciate your effort.

 

But in this particular case it means that this keyword is useless and can be omitted, because a static rule does not need to be initialized from outside to create a translation in the NAT table. I think I have to keep "extendable" so I can translate more than one internal IP address to one external? Or is it not needed for static PAT?

 

And the problem stays: even if "reversible" does nothing for static PAT entries, some of them (with ports 80 and 443) are not in the NAT table but are in the NAT counters for static translations.

Hello


@IVoronov wrote:

Does it mean that "reversible" is used only on dynamic PAT to create a static translation? That's good to know, I appreciate your effort.


My understanding is yes.

Example: nat reversible
ip nat pool NATREV <first public-ip last public-ip> prefix-length x
ip nat inside source route-map NAT pool NATREV reversible

 

 


@IVoronov wrote:

But in this particular case it means that this keyword is useless and can be omitted, because a static rule does not need to be initialized from outside to create a translation in the NAT table. I think I have to keep "extendable" so I can translate more than one internal IP address to one external? Or is it not needed for static PAT?


Correct.

 

 

 


@IVoronov wrote:

And the problem stays: even if "reversible" does nothing for static PAT entries, some of them (with ports 80 and 443) are not in the NAT table but are in the NAT counters for static translations.


If you clear the NAT table then the only translations you should see are the static entries; that is, however, if no other traffic is traversing the NAT router at that time, but if it is then you should see dynamic entries also.



Kind Regards
Paul

Hello Paul,

 

First of all, many thanks for your time, your help is invaluable for my little task.

 

I fixed the issue by removing the "reversible" keyword and route-map, since it is useless for static translation in my case, because there is only a 1:1 translation. I learned that a route-map on a static translation does not enforce any outside-inside security, because the rule created has "---" as the outside address, so it is used for any outside-inside connections.

Security was fixed by adding an ACL to the inside interface.

 

I still have no idea why some of the static rules were in the table and some were not, but this is for future lab testing.

 

Again, thank you for your time and effort, it helped greatly!

Hi,

 

   @IVoronov See my post, it does work with the reversible keyword, I mean enforcing your NAT policy, so there is no need for an inbound ACL. Now as for the missing translations, if they showed up in the config but not in the translation table, this was clearly a "feature", which could be fixed by some tweaking of the order of commands, a reload, or an upgrade.

 

Regards,

Cristian Matei.

Hello Cristian,

 

I saw your post and greatly appreciate it. Now I understand that "reversible" was just useless in this particular case and may be omitted without consequences.

The point is that with only NAT policing it is kinda hard for me to do:

1) some predefined network <my remote ip> must have access to some inside hosts (10.10.1.0/24) on some ports. There static PAT is used.

2) the same hosts and some others in the same network have to have internet access. There dynamic PAT is used.

 

I don't think I can restrict outside access on some ports without impact on the internet access using only NAT policy tools, correct me if I'm wrong.

Hello


@IVoronov wrote:
I fixed the issue by removing the "reversible" keyword and route-map, since it is useless for static translation in my case, because there is only a 1:1 translation. I learned that a route-map on a static translation does not enforce any outside-inside security, because the rule created has "---" as the outside address, so it is used for any outside-inside connections.

Glad you got it working.

FYI, as stated by @Cristian Matei, the interface ingress ACL isn't applicable; if you want to specify what external hosts can connect to those static public NATted addresses (something I didn't interpret you wanted in your OP, so apologies) then the route-map with an ACL can be used, with (internal) to/from (external) networks being specified to allow specific access.



Kind Regards
Paul

Cristian Matei
VIP Alumni

Hi,

 

    1. The "extendable" keyword is not needed for your use-case, but it comes by default when you configure NAT entries, just leave it there; this keyword is used so that you're allowed to have an inside local address (10.10.10.10) be visible on the outside via 2 different entities, 2 different global addresses (like both 20.20.20.20 and 30.30.30.30).

   2. "route-map" must be used with IOS NAT whenever you want to configure policy NAT, be it static or dynamic; policy would mean that you want an inside host (10.10.10.10) to be visible on the outside differently, based on the accessed destination (like 10.10.10.10 gets NAT'ed into 20.20.20.20 if the traffic destination is 100.100.100.100 and 10.10.10.10 gets NAT'ed into 30.30.30.30 if the traffic destination is 150.150.150.150).

   3. The "reversible" keyword plays different roles depending on the NAT type; for static NAT, it enforces your policy static NAT to be bidirectional; static NAT is bidirectional by design, so this keyword enforces the policy to be bidirectional, not the NAT. If you take the policy NAT example from point no. "2", it means that with the reversible keyword you force that traffic coming from the outside from 150.150.150.150 can only reach 10.10.10.10 by its outside IP of 30.30.30.30, and never by its other IP of 20.20.20.20; likewise only outside hosts of 100.100.100.100 can access 10.10.10.10 by its outside IP of 20.20.20.20.

 

As per your use-case, I made some corrections, to avoid weird behaviour. If you don't see the "80" and "443" entries in your NAT table, try to remove all your static policy NAT statements and put these first, from a configuration standpoint. This has to work; if it doesn't, reload the router or upgrade (hopefully not the case).

 

ip access-list extended NAT
permit ip 10.10.1.0 0.0.0.255 any

!

ip access-list extended MYIP
no permit ip any <my remote network> 0.0.0.255

permit ip 10.10.1.0 0.0.0.255  <my remote network> 0.0.0.255

!

route-map RM permit 20
match ip address MYIP

 

ip nat inside source static tcp 10.10.1.3 22 <site outside ip> 50322 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.3 80 <site outside ip> 50380 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.4 22 <site outside ip> 50422 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.4 443 <site outside ip> 50443 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.4 80 <site outside ip> 50480 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.3 8080 <site outside ip> 50880 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.10 3389 <site outside ip> 51089 route-map RM extendable reversible
ip nat inside source static tcp 10.10.1.20 3389 <site outside ip> 52089 route-map RM extendable reversible
ip nat inside source list NAT interface GigabitEthernet0/0/1 overload

 

Regards,

Cristian Matei.

 

 

Hello Cristian,

 

Thank you for the input!

 

The route-map was used in a bad way, because no route policing is needed; that was a weak security enforcement attempt and I'm kinda ashamed of it, so I omitted it in the end.

Your description of the "reversible" keyword is actually great and I didn't find this at all, many thanks.

 

In the end I fixed the issue by removing the route-maps and "reversible".

 

Still have no idea why 443 and 80 ports were not in nat table, will test it later on the lab.

Hi,

 

   I'm glad it's all clear now. If the commands were showing up in "running-config" for static NAT, but not in the translations table, that's a bug which needs to be fixed by an upgrade.

   As I said, even in your case, with using route-maps and the reversible keyword, you still gain something (instead of using plain static NAT with no route-map and reversible): the fact that only remote networks defined in the ACL as destination IP can initiate traffic towards your NAT'ed resources; otherwise a static NAT is just a static NAT, it's just available for everyone to access, unless you use an ACL to restrict that.

 

Regards,

Cristian Matei.
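Cristian's two posts above (the corrected MYIP ACL with route-map plus "reversible", and the later point that a plain static PAT is reachable by anyone unless something restricts it) describe a lookup behaviour that is easier to reason about as a small model. The code below is an added example written for this thread, not Cisco's code and not a simulation of IOS internals: it encodes the semantics as Cristian describes them (outbound: a policy static entry applies only when its route-map ACL permits the inside-local to destination pair, otherwise the "overload" list on the outside interface; inbound: a plain static entry answers for any outside host, a "reversible" policy entry answers only when the ACL permits the inside host to outside host pair). The addresses 203.0.113.10 (for "<site outside ip>") and 198.51.100.0/24 (for "<my remote network>") are constructed placeholders; the ACL matcher implements IOS wildcard masks, so it handles any source/destination spec, not only the ones in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D" or "A.B.C.D WILDCARD" (IOS style)
    dst: str


def _spec_matches(spec, ip):
    """Match an IPv4 address against an IOS spec; wildcard bits set to 1 are don't-care."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ip == parts[1]
    net, wildcard = parts
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def acl_permits(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if _spec_matches(entry.src, src) and _spec_matches(entry.dst, dst):
            return entry.action == "permit"
    return False


@dataclass(frozen=True)
class StaticPat:
    local_ip: str
    local_port: int
    global_ip: str
    global_port: int
    route_map_acl: Optional[tuple] = None   # ACL behind "route-map RM", None = plain static
    reversible: bool = False


def inside_to_outside(src_ip, src_port, dst_ip, statics, dynamic_acl, interface_ip):
    """Outbound: policy static entry if its route-map permits src->dst, else the
    dynamic 'overload' list on the outside interface, else no translation."""
    for s in statics:
        if (s.local_ip, s.local_port) == (src_ip, src_port):
            if s.route_map_acl is None or acl_permits(s.route_map_acl, src_ip, dst_ip):
                return (s.global_ip, s.global_port)
    if acl_permits(dynamic_acl, src_ip, dst_ip):
        return (interface_ip, "overload")
    return None


def outside_to_inside(out_src_ip, dst_global_ip, dst_port, statics):
    """Inbound: a plain static entry answers for any outside host; a policy entry
    with 'reversible' answers only if the route-map ACL permits the inside host as
    source and the outside host as destination (the policy evaluated in reverse)."""
    for s in statics:
        if (s.global_ip, s.global_port) == (dst_global_ip, dst_port):
            if s.route_map_acl is not None and s.reversible:
                if not acl_permits(s.route_map_acl, s.local_ip, out_src_ip):
                    return None
            return (s.local_ip, s.local_port)
    return None


# Constructed placeholders for the thread's redacted addresses.
SITE_OUTSIDE_IP = "203.0.113.10"
MY_REMOTE_NET = "198.51.100.0 0.0.0.255"

# "ip access-list extended NAT" and the corrected "ip access-list extended MYIP".
NAT_ACL = (AclEntry("permit", "10.10.1.0 0.0.0.255", "any"),)
MYIP_ACL = (AclEntry("permit", "10.10.1.0 0.0.0.255", MY_REMOTE_NET),)

# Two of the policy static PAT statements (route-map RM extendable reversible).
POLICY_STATICS = (
    StaticPat("10.10.1.3", 80, SITE_OUTSIDE_IP, 50380, MYIP_ACL, reversible=True),
    StaticPat("10.10.1.4", 443, SITE_OUTSIDE_IP, 50443, MYIP_ACL, reversible=True),
)
# The same entry as the thread starter finally configured it: no route-map, no reversible.
PLAIN_STATICS = (StaticPat("10.10.1.3", 80, SITE_OUTSIDE_IP, 50380),)

if __name__ == "__main__":
    print(inside_to_outside("10.10.1.3", 80, "198.51.100.7", POLICY_STATICS, NAT_ACL, SITE_OUTSIDE_IP))
    print(inside_to_outside("10.10.1.3", 80, "192.0.2.44", POLICY_STATICS, NAT_ACL, SITE_OUTSIDE_IP))
    print(outside_to_inside("192.0.2.44", SITE_OUTSIDE_IP, 50380, POLICY_STATICS))
    print(outside_to_inside("192.0.2.44", SITE_OUTSIDE_IP, 50380, PLAIN_STATICS))
```

The two inbound lookups from 192.0.2.44 are the point of the comparison: against the policy entry the model returns no translation (only 198.51.100.0/24 can initiate), against the plain entry it returns 10.10.1.3:80 for any outside host, which is the exposure Cristian's last paragraph describes and the reason the thread starter added an ACL after dropping the route-map. Treat the model as a way to check a design on paper, then confirm on a lab router, since it encodes the posts' description rather than the router's code.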

After viewing this thread, I have a question of my own.

interface GigabitEthernet0/1
ip address 120.124.32.5 255.255.255.248
ip mtu 1492
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!

interface Vlan1
ip address 10.20.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
no ip http server
ip http port 8080
ip http secure-server

ip nat inside source list mynat interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.20.1.12 443 interface GigabitEthernet0/1 443

ip nat outside source list NAT-OUT-IN pool POOL-OUT-IN
ip route 10.20.0.0 255.255.255.0 10.20.1.249 (10.20.1.249 is my layer 3 switch)
ip route 192.168.20.0 255.255.255.0 10.20.1.249
ip tacacs source-interface Vlan1
!

ip access-list extended GigabitEthernet0/1
permit tcp any host 202.147.165.4 eq 443
permit tcp host 202.147.165.4 eq 443 any

ip access-list extended NAT-OUT-IN
permit tcp any host 202.147.165.4 eq 443
permit tcp host 202.147.165.4 eq 443 any

ip access-list extended firewall (This acl was empty, i put the entry for 207.67.74.157)
permit tcp any host 202.147.165.4 eq 443
permit tcp host 202.147.165.4 eq 443 any

ip access-list extended mynat

permit ip 10.20.1.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit tcp any host 202.147.165.4 eq 443
permit tcp host 202.147.165.4 eq 443 any
!

My remote location IP is 202.147.165.4 and it has blocked all traffic except 443.
I am unable to ping or traceroute 202.147.165.4 port 443.
I have put remote IP entries all over the router but to no use.
Any help?
