10-24-2017 08:44 PM - edited 03-08-2019 12:29 PM
Hello guys
Sorry for disturbing you. My name is David, I am doing my final project on network security and I am having problems with NAT and policy-based routing.
I am using only 1 Cisco router (2901), a basic switch and 2 servers.
The outside network is 192.168.183.0, which connects to our G0/0 (IP address 192.168.183.51); G0/1 = 11.0.0.1.
Server 1 = 11.0.0.2
Server 2 = 11.0.0.15
We want SSH packets sent from client computer 192.168.183.220 to be sent to Server 2 (11.0.0.15),
and we want packets sent from 192.168.183.53 to be sent to Server 1 (11.0.0.2).
The problem we are having is that we don't know how to do port translation on multiple IP addresses, so that different IP addresses can SSH into different servers.
We tried multiple different types of configurations but nothing seems to be working.
At this stage we are stuck on this config:
ip nat inside source static tcp 11.0.0.15 22 int g0/0 22
ip nat inside source static tcp 11.0.0.2 22 192.168.183.51 22 route-map honR extendable
ip access-list extended hon
permit ip host 192.168.183.53 host 192.168.183.51
route-map honR permit 10
match ip address hon
With this configuration client 192.168.183.53 can SSH into 11.0.0.2 (using 192.168.183.51), but when we try to make client 192.168.183.220 SSH into 11.0.0.15 (using 192.168.183.51) it still takes us to 11.0.0.2. I feel like the ACL/route map isn't being used and it is just static 1:1 port forwarding.
Please help :)))
10-24-2017 09:55 PM
10-24-2017 11:14 PM
Hello Meheretab,
Thank you for your reply,
int g0/0 (outside world)
ip address 192.168.183.51 255.255.255.0
ip nat outside
ip policy route-map honR
int g0/1 (inside, goes to switch and then servers)
ip address 11.0.0.1 255.255.255.0
ip nat inside
I have to apologise, I can't post sh run till tomorrow.
Thanks again, David
10-25-2017 06:06 AM - edited 10-25-2017 06:09 AM
Hello
Are you wishing to PAT on the same port (SSH / outside interface) for two different servers? If so, my understanding is it cannot be done.
However you can use different public IP addresses, or specify different SSH ports and connect via those specified new ports via the same interface.
Example:
ip nat inside source static tcp 11.0.0.2 22 192.168.183.2 22
ip nat inside source static tcp 11.0.0.15 22 192.168.183.15 22
or
ip nat inside source static tcp 11.0.0.2 2002 interface x/x 2002
ip nat inside source static tcp 11.0.0.15 2015 interface x/x 2015
Regards,
Paul
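An added check (my own Python, not code from this thread or from Cisco) that parses `ip nat inside source static` lines and groups them by the outside socket they occupy, showing why the two original lines collide on 192.168.183.51:22 while Paul's two alternatives do not. The interface-to-address mapping and the three sample config blocks are constructed from the values posted above.

```python
import re
from collections import defaultdict

# Interface-to-address mapping taken from the thread: G0/0 carries 192.168.183.51.
INTERFACES = {"g0/0": "192.168.183.51"}

# Constructed sample: the original poster's two static PAT lines, which both
# claim TCP/22 on the single outside address.
ORIGINAL_CONFIG = """
ip nat inside source static tcp 11.0.0.15 22 int g0/0 22
ip nat inside source static tcp 11.0.0.2 22 192.168.183.51 22 route-map honR extendable
"""
# Paul's two alternatives: distinct outside addresses, or distinct outside ports.
DISTINCT_ADDRESSES = """
ip nat inside source static tcp 11.0.0.2 22 192.168.183.2 22
ip nat inside source static tcp 11.0.0.15 22 192.168.183.15 22
"""
DISTINCT_PORTS = """
ip nat inside source static tcp 11.0.0.2 2002 int g0/0 2002
ip nat inside source static tcp 11.0.0.15 2015 int g0/0 2015
"""

STATIC_PAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
    r"(?:(?:int|interface) (\S+)|(\S+)) (\d+)", re.MULTILINE)

def parse_static_pat(config, interfaces=INTERFACES):
    """Yield (proto, inside_ip, inside_port, outside_ip, outside_port), resolving
    the 'interface X' form to the address that interface carries."""
    for m in STATIC_PAT.finditer(config):
        proto, in_ip, in_port, ifname, out_ip, out_port = m.groups()
        if ifname is not None:
            out_ip = interfaces[ifname]
        yield proto, in_ip, int(in_port), out_ip, int(out_port)

def find_collisions(config, interfaces=INTERFACES):
    """Group translations by outside (global) socket. When an outside client
    opens a connection, the destination socket is the only key the router
    matches on, so two inside hosts behind one key cannot both be reached."""
    by_global = defaultdict(list)
    for proto, in_ip, in_port, out_ip, out_port in parse_static_pat(config, interfaces):
        by_global[(proto, out_ip, out_port)].append(f"{in_ip}:{in_port}")
    return {k: v for k, v in by_global.items() if len(v) > 1}

if __name__ == "__main__":
    for name, cfg in [("original", ORIGINAL_CONFIG), ("addresses", DISTINCT_ADDRESSES),
                      ("ports", DISTINCT_PORTS)]:
        print(name, find_collisions(cfg) or "no overlapping outside sockets")
```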
10-25-2017 08:27 PM
Hello Paul, thank you for replying. I decided to change the configuration. What I am trying to do is use policy-based routing to reroute the specific traffic going to 11.0.10.5 to 11.0.20.5 using the known source IP, which at this stage is 192.168.1.5 255.255.255.0.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RHome
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$1SeR$LgRp8TxZH2nT5zLFXBwk/.
!
no aaa new-model
ip cef
!
!
!
!
ip domain name cisco.com
!
!
!
username R1 password 0 david
!
!
controller DSL 0/0/0
line-term cpe
!
!
!
!
interface FastEthernet0/0
ip address dhcp // 192.168.1.4
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 10
ip address 11.0.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 20
ip address 11.0.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map hon
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 11.0.10.5 22 192.168.1.4 22 route-map hon extendable
!
access-list 101 permit ip 11.0.10.0 0.0.0.255 any
access-list 101 permit ip 11.0.20.0 0.0.0.255 any
access-list 110 permit ip host 192.168.1.5 any
!
route-map hon permit 10
match ip address 110
set ip next-hop 11.0.20.5
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
end
As you can see in the NAT, I have one-to-one PAT from my server and my gateway to the outside world, and I am trying to implement PBR so that traffic with source IP address 192.168.1.5 will be sent to my second server 11.0.20.5!
Thanks for your time guys :))