2274 Views | 0 Helpful | 9 Replies

Static NAT order on router

Phil Bradley
Level 4

I have a scenario where I am port forwarding on a cisco router with a static nat and also have a vpn built on the same device. I notice anytime I create a port forward NAT on the outside interface then this rule always gets pushed to the top of the config and processed first. If I try to hit this same device using the internal address over the VPN then it gets translated to the outside address and fails. Obviously I can use the outside address but it would be nice to be able to use the internal address as well.

9 Replies

a.alekseev
Level 7
use VTI instead of crypto-map or
make exceptions in nat.

I'll have to look into the VTI's. I'm not sure how I could make an exception for this. Here is my current setup:


ip nat inside source static tcp 172.16.0.2 5001 interface Cellular0 5001
ip nat inside source static tcp 172.16.0.3 5002 interface Cellular0 5002
ip nat inside source static tcp 172.16.0.4 5003 interface Cellular0 5003
ip nat inside source route-map nonat interface Cellular0 overload

ip access-list extended nat
deny ip host 172.16.0.1 host 192.168.2.147
deny ip host 10.10.0.3 192.168.1.0 0.0.0.31
deny ip 172.16.0.0 0.0.0.15 192.168.1.0 0.0.0.31
permit ip 172.16.0.0 0.0.0.15 any
!
route-map nonat permit 10
match ip address nat


I can use the outside interface address fine to connect to device 172.16.0.2:8001 but using the VPN and connecting directly to 172.16.0.2:8001 fails because it gets translated to the outside address from inside to outside.

ip nat inside source static tcp 172.16.0.2 5001 interface Cellular0 5001 route-map ....

I don't have the option to add route-map to the end of the NAT. Is this version specific? 

What IOS version do you have?

It will allow me to add the route-map to the end if I use the outside IP address instead of the interface keyword.


I am on version 15.6(3)M3a.

I think I have this working now. This is what I did:

ip access-list extended outside_access
permit tcp host 172.16.0.2 host 1.1.1.1 eq 5001

route-map outside permit 10
match ip address outside_access

ip nat inside source static tcp 172.16.0.2 5001 2.2.2.2 5001 route-map outside

I have tested access both from the outside address and the VPN address and it appears to work. I am going to add the other addresses in and make sure they work as well.

Hi alekseev. I just noticed that any ip from the outside can connect with the route-map below. Is this the expected behavior? I expected only the 1.1.1.1 outside address would be able to connect.

R47(config)#$static tcp 1.0.0.48 23 1.0.1.3 2023 route-map NAT ?
extendable Extend this translation when used
forced Delete this entry and its children, even if in use
no-alias Do not create an alias for the global address
no-payload No translation of embedded address/port in the payload
redundancy NAT redundancy operation
reversible check route-map for out->in traffic
<cr>


use "reversible" if you want such behavior.
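A constructed Python model (not IOS code, and not from anyone in this thread) of the two behaviours discussed above: a route-map on the static entry leaves the VPN-bound traffic untranslated, while without "reversible" any outside host still reaches the forwarded port; "reversible" is modelled as checking the route-map's ACL against the reverse flow, which is my reading of the help text rather than something the thread demonstrates. The 192.168.1.10 VPN destination and the 203.0.113.9 outside client are constructed values, and the ACL's port qualifier is omitted for simplicity.

```python
import ipaddress

# Constructed, simplified model of the NAT behaviour discussed in the thread (not IOS code).
# Values are the thread's: inside host 172.16.0.2:5001, outside address 2.2.2.2:5001,
# and ACL outside_access permitting only 172.16.0.2 -> 1.1.1.1 (port qualifier omitted).
INSIDE_LOCAL = ("172.16.0.2", 5001)
INSIDE_GLOBAL = ("2.2.2.2", 5001)
OUTSIDE_ACCESS = [(ipaddress.ip_network("172.16.0.2/32"), ipaddress.ip_network("1.1.1.1/32"))]

def acl_permits(acl, src, dst):
    """True if any (source, destination) entry of the ACL matches the address pair."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src_ip in s and dst_ip in d for s, d in acl)

def inside_to_outside(src, sport, dst, route_map_acl=None):
    """Source address/port seen on the outside for an inside-initiated packet."""
    if (src, sport) != INSIDE_LOCAL:
        return (src, sport)            # the static entry does not apply to this host
    if route_map_acl is not None and not acl_permits(route_map_acl, src, dst):
        return (src, sport)            # route-map denies: VPN traffic stays untranslated
    return INSIDE_GLOBAL

def outside_to_inside(src, dst, dport, route_map_acl=None, reversible=False):
    """Inside address/port a packet to the outside address reaches, or None if none."""
    if (dst, dport) != INSIDE_GLOBAL:
        return None
    if reversible and route_map_acl is not None:
        # Assumed semantics of 'reversible': the route-map is consulted for out->in
        # traffic too, with the ACL evaluated against the reverse flow
        # (inside host -> outside source). Without it any outside source is translated.
        if not acl_permits(route_map_acl, INSIDE_LOCAL[0], src):
            return None
    return INSIDE_LOCAL

def thread_scenarios():
    """The cases raised in the thread, keyed by scenario (192.168.1.10 and 203.0.113.9 constructed)."""
    return {
        "vpn_no_route_map": inside_to_outside("172.16.0.2", 5001, "192.168.1.10"),
        "vpn_with_route_map": inside_to_outside("172.16.0.2", 5001, "192.168.1.10", OUTSIDE_ACCESS),
        "permitted_peer": inside_to_outside("172.16.0.2", 5001, "1.1.1.1", OUTSIDE_ACCESS),
        "any_outside_host": outside_to_inside("203.0.113.9", "2.2.2.2", 5001, OUTSIDE_ACCESS),
        "any_outside_reversible": outside_to_inside("203.0.113.9", "2.2.2.2", 5001, OUTSIDE_ACCESS, True),
        "peer_reversible": outside_to_inside("1.1.1.1", "2.2.2.2", 5001, OUTSIDE_ACCESS, True),
    }
```

Either way the static entry only decides what gets translated; restricting which outside hosts may reach the forwarded port is the job of an access list applied to the outside interface, not of NAT.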