Policy based routing + NAT problems, please help

David_Beldi
Level 1
Level 1

Hello guys

 

Sorry for disturbing you. My name is David, I am doing my final project on network security and I am having problems with NAT and policy based routing.

I am using only one Cisco router (2901), a basic switch and two servers.

The outside network is 192.168.183.0, which connects to our G0/0 (IP address 192.168.183.51); G0/1 = 11.0.0.1

Server 1 = 11.0.0.2

Server 2 = 11.0.0.15

 

We want SSH packets sent from client computer 192.168.183.220 to be sent to Server 2 (11.0.0.15),

and we want packets sent from 192.168.183.53 to be sent to Server 1 (11.0.0.2).

The problem we are having is that we don't know how to do port translation on multiple IP addresses, so that different IP addresses can SSH into different servers.

 

We tried multiple different configurations but nothing seems to be working.

 

At this stage we are stuck on this config:

 

ip nat inside source static tcp 11.0.0.15 22 int g0/0 22

ip nat inside source static tcp 11.0.0.2 22 192.168.183.51 22 route-map honR extendable

 

ip access-list extended hon

permit ip host 192.168.183.53 host 192.168.183.51

 

route-map honR permit 10

match ip address hon

 

(With this configuration client 192.168.183.53 can SSH into 11.0.0.2 (using 192.168.183.51), but when we try to make client 192.168.183.220 SSH into 11.0.0.15 (using 192.168.183.51) it still takes us to 11.0.0.2. I feel like the ACL/route map isn't being used and it is just static 1:1 port forwarding.)

 

Please help :)))

4 Replies

Hi David,

I am a little confused with the setup you have. Which network is the "nat outside" and which one is the "nat inside"? Please share the output of 'sh run'.

HTH,
Meheretab

Hello Meheretab,

 

Thank you for your reply,

 

int g0/0 (outside world)

ip address 192.168.183.51 255.255.255.0

ip nat outside

ip policy route-map honR

 

int g0/1 (inside, goes to the switch and then the servers)

ip address 11.0.0.1 255.255.255.0

ip nat inside

 

I have to apologise, I can't post sh run till tomorrow.

 

Thanks again, David

 

Hello

Are you wishing to PAT on the same port (SSH on the outside interface) for two different servers? If so, my understanding is that it cannot be done.

 

However, you can use different public IP addresses, or specify different SSH ports and connect via those new ports on the same interface.

 

Example:
ip nat source static tcp 11.0.0.2 22 192.168.183.2 22
ip nat source static tcp 11.0.0.15 22 192.168.183.15 22

or
ip nat inside source static tcp 11.0.0.2 2002 interface x/x 2002
ip nat inside source static tcp 11.0.0.15 2015 interface x/x 2015

res
Paul

 


Hello Paul, thank you for replying. I decided to change the configuration. What I am trying to do is use policy based routing to reroute the specific traffic going to 11.0.10.5 to 11.0.20.5 using the known source IP, which at this stage is 192.168.1.5 255.255.255.0.

 

 

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RHome
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$1SeR$LgRp8TxZH2nT5zLFXBwk/.
!
no aaa new-model
ip cef
!
!
!
!
ip domain name cisco.com
!
!
!
username R1 password 0 david
!
!
controller DSL 0/0/0
line-term cpe
!
!
!
!
interface FastEthernet0/0
ip address dhcp // 192.168.1.4
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 10
ip address 11.0.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 20
ip address 11.0.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map hon
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 11.0.10.5 22 192.168.1.4 22 route-map hon extendable
!
access-list 101 permit ip 11.0.10.0 0.0.0.255 any
access-list 101 permit ip 11.0.20.0 0.0.0.255 any
access-list 110 permit ip host 192.168.1.5 any
!
route-map hon permit 10
match ip address 110
set ip next-hop 11.0.20.5
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
end
 

 

As you can see in the NAT, I have one-to-one PAT from my server and my gateway to the outside world, and I am trying to implement PBR so that traffic with source IP address 192.168.1.5 will be sent to my second server, 11.0.20.5.

 

Thanks for your time guys :))
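One way to get the per-client split Paul describes, written against the addresses in David's last config above. This is an added example, not configuration from either poster; the ACL name OUTSIDE-IN and the outside port 2022 are choices made for the example, and it assumes 192.168.1.5 is the client that should land on 11.0.20.5.

```cisco
! Added example. Assumes: outside Fa0/0 = 192.168.1.4, server A = 11.0.10.5,
! server B = 11.0.20.5, client 192.168.1.5 should reach server B.
! OUTSIDE-IN and port 2022 are names/values chosen for this example.
!
! Two static PAT entries cannot both own 192.168.1.4:22, so server B gets its
! own outside port. Static PAT is matched on destination address/port only;
! the client's source address is not part of that lookup, which is why a
! route-map on the static entry never produced a per-client split.
ip nat inside source static tcp 11.0.10.5 22 interface FastEthernet0/0 22
ip nat inside source static tcp 11.0.20.5 22 interface FastEthernet0/0 2022
!
! The inbound ACL on the NAT outside interface is evaluated before the
! outside-to-inside translation, so it sees the untranslated destination
! (192.168.1.4 and the outside port). Each forwarded port is tied to the
! client meant to use it; anything else that probes those ports is logged.
! Replace "any" on the port-22 line with the known admin host(s) for server A.
ip access-list extended OUTSIDE-IN
 permit tcp host 192.168.1.5 host 192.168.1.4 eq 2022
 deny   tcp any host 192.168.1.4 eq 2022 log
 permit tcp any host 192.168.1.4 eq 22
 deny   tcp any host 192.168.1.4 eq 22 log
 ! Keep everything else as it was before the ACL existed (including
 ! return traffic for the "overload" PAT of the inside subnets).
 permit ip any any
!
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in
```

With this in place the client connects to 192.168.1.4 on port 2022 for server B and port 22 for server A, and the "ip policy route-map hon" on Fa0/1.2 is not needed for it: packets from 192.168.1.5 arrive on Fa0/0, so a policy applied to the inside sub-interface never sees them. Because Fa0/0 takes its address from DHCP, the ACL's hard-coded 192.168.1.4 only stays valid if that lease is reserved or the interface is given a static address.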
