using NAT to forward traffic to local workstation

eliwasserman92
Level 1

I'm trying to make a static NAT mapping to accomplish the following:

1. A server on the internet should be able to initiate communication with a local workstation.

2. The Cisco router should forward traffic received on 205.2.2.201 TCP port 5353 to local IP 10.10.10.2.

These commands aren't working for me, any suggestions of what needs to be corrected?

access-list PORT-FWDING-ACL permit tcp host 68.305.71.167 host 205.2.2.201 eq 5353
ip nat pool PORT-FWDING-POOL 10.10.10.2 10.10.10.2 netmask 255.255.255.0
ip nat outside source list PORT-FWDING-ACL pool PORT-FWDING-POOL

3 Replies

Seb Rupik
VIP Alumni

Hi there,

Assuming that Gi0/0 is your outside interface, and Gi0/1 is on the inside towards your local workstation:

!
access-list PORT-FWDING-ACL permit tcp host 68.305.71.167 host 205.2.2.201 eq 5353
!
int gi0/0
 ip nat enable
 ip nat outside
 ip access-group PORT-FWDING-ACL in
!
int gi0/1
 ip nat enable
 ip nat inside
!
ip nat inside source static tcp 10.10.10.2 5353 interface gi0/0 5353
!

This will NAT incoming traffic so that internal return traffic is routed towards the 'inside' interface of the router.

cheers,

Seb.

Hi Seb, thanks for your quick and thought-out response, much appreciated!

Can you help me understand? I still have a few questions.

1. The ACL on gi0/0 will now be filtering all traffic, when I truly only wished to use the ACL to pickup specific packets for the NAT rule.

2. The ip nat inside source command will leave the traffic tagged with port 5353 once inside my network. The only reason for the port number is for the default gateway/Cisco router to be able to know that these packets are intended to be forwarded to a specific host.

3. Does the inside keyword in the ip nat command mean that it will only translate traffic going in the outbound direction?

-----------------------------------------------------------------

Just to clarify, this is what I'm trying to achieve:

- Packets sourcing from 68.305.71.167

- That are sent to 205.2.2.201 eq 5353 (the public address of my Cisco router)

- Should be forwarded to local workstation 10.10.10.2

1. The ACL on gi0/0 will now be filtering all traffic, when I truly only wished to use the ACL to pickup specific packets for the NAT rule.

------ You can remove that ACL if you want. But it is safe to write an ACL permitting only the traffic which we require and denying all the rest, as Gi0/0 is facing the outside world.

2. The ip nat inside source command will leave the traffic tagged with port 5353 once inside my network. The only reason for the port number is for the default gateway/Cisco router to be able to know that these packets are intended to be forwarded to a specific host.

--------- I did not understand your question completely, but "ip nat inside source static tcp 10.10.10.2 5353 interface gi0/0 5353" does exactly the same work, i.e. the port number is for the default gateway/Cisco router to be able to know that these packets are intended to be forwarded to a specific host.

3. Does the inside keyword in the ip nat command mean that it will only translate traffic going in the outbound direction?

------- Your assumption is wrong. The inside keyword in the ip nat command means that whenever traffic from 10.10.10.2 on port number 5353 hits the INSIDE interface (Gi0/1 in our case), it is NATted to the IP address of Gi0/0, keeping the port number the same as 5353, and vice versa.

Hope this explains it?
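The two answers above describe the same two behaviours: a static inside-source translation rewrites the destination on the way in and the source on the way out, with the port left at 5353, and an inbound ACL on the outside interface with a single permit line drops everything else. The following is an added example, not code from any poster in the thread, that models both behaviours so they can be checked packet by packet. It uses the thread's addresses and ports (68.305.71.167 is copied as written, although 305 is not a valid octet); 198.51.100.10 and the ephemeral ports are constructed for the demonstration. It assumes the IOS order of operations on the outside interface, where the inbound ACL is evaluated on the packet as received, before NAT rewrites the destination; routing and dynamic NAT are left out.

```python
# Added example, not code from the thread: a small model of the static
# port-forward discussed above plus the inbound ACL on the outside interface.
# Addresses/ports are the thread's values; 198.51.100.10 and the ephemeral
# ports are constructed for the demonstration.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

OUTSIDE_IP = "205.2.2.201"   # router's public address, i.e. interface gi0/0
INSIDE_HOST = "10.10.10.2"   # local workstation behind gi0/1
PORT = 5353

# One static entry, as created by
#   ip nat inside source static tcp 10.10.10.2 5353 interface gi0/0 5353
# keyed by the inside-local side; the value is the inside-global side.
STATIC_ENTRIES = {("tcp", INSIDE_HOST, PORT): (OUTSIDE_IP, PORT)}

# Inbound ACL on gi0/0 as (action, proto, src, dst, dst_port); None = any.
# Only the thread's single permit line is present; IOS adds an implicit deny.
ACL_IN_GI00 = [("permit", "tcp", "68.305.71.167", OUTSIDE_IP, PORT)]

def acl_permits(acl, pkt):
    """First matching entry wins; no match means the implicit deny."""
    for action, proto, src, dst, dport in acl:
        if (proto in (None, pkt.proto) and src in (None, pkt.src_ip)
                and dst in (None, pkt.dst_ip) and dport in (None, pkt.dst_port)):
            return action == "permit"
    return False

def translate_outside_to_inside(pkt):
    """Outside -> inside: rewrite the destination when it matches an
    inside-global address/port. The port is preserved, so the workstation
    still sees the connection arrive on 5353."""
    for (proto, local_ip, local_port), (global_ip, global_port) in STATIC_ENTRIES.items():
        if pkt.proto == proto and (pkt.dst_ip, pkt.dst_port) == (global_ip, global_port):
            return replace(pkt, dst_ip=local_ip, dst_port=local_port)
    return pkt  # no entry: left untranslated

def translate_inside_to_outside(pkt):
    """Inside -> outside: the same entry applied in reverse, rewriting the
    source of the workstation's replies. This is the 'and vice versa' part
    of a static inside-source translation."""
    key = (pkt.proto, pkt.src_ip, pkt.src_port)
    if key in STATIC_ENTRIES:
        global_ip, global_port = STATIC_ENTRIES[key]
        return replace(pkt, src_ip=global_ip, src_port=global_port)
    return pkt

def ingress_gi00(pkt):
    """Order of operations on the outside interface: the inbound ACL is
    evaluated on the packet as received (pre-translation addresses), then
    NAT rewrites the destination. Returns None when the ACL drops it."""
    if not acl_permits(ACL_IN_GI00, pkt):
        return None
    return translate_outside_to_inside(pkt)

if __name__ == "__main__":
    # 1. The permitted server reaches the workstation, still on port 5353.
    inbound = Packet("68.305.71.167", 40000, OUTSIDE_IP, PORT)
    print("inbound  :", ingress_gi00(inbound))
    # 2. The workstation's reply leaves with the router's public address.
    reply = Packet(INSIDE_HOST, PORT, "68.305.71.167", 40000)
    print("reply    :", translate_inside_to_outside(reply))
    # 3. Return traffic for a session the workstation opened to an outside
    #    web server (constructed address) is dropped by the one-line ACL,
    #    which is the side effect the first follow-up question is about.
    returning = Packet("198.51.100.10", 443, OUTSIDE_IP, 51000)
    print("returning:", ingress_gi00(returning))
```

The third case is the practical point behind question 1: with the single permit as the only inbound rule on gi0/0, the router also needs entries for the return traffic of sessions the workstation itself opens (or a stateful mechanism), otherwise that traffic is silently dropped before any translation happens.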