I have been trying to work out how to accomplish PATing from Outside to Inside on a Cisco IOS router, in this case specifically a Cisco 2901 running IOS Version 15.1(4)M1.
Firstly, the problem I am trying to solve is that we'd like external port forwards to work regardless of which connection is the default gateway.
On this particular router we have two WAN connections. One is on the built in Gig0/0 interface and the other by an EHWIC card exposing Gig0/0/0.
An example port forward rule in this device:ip nat inside source static tcp 192.168.1.10 3389 x.x.x.x 3389 extendable
Where x.x.x.x is the IP address of interface Gig0/0/0.
This works fine if Gig0/0/0 is the default gateway for the router, however if Gig0/0 is the default gateway the port forward breaks.
It's also worth noting that the Gig0/1 interface is the default gateway for all LAN computers and servers, and is designated ip nat inside where Gig0/0 and Gig0/0/0 are both ip nat outside.
I am performing my standard Inside to Outside PAT by using route-map items which matches my NAT ACL with the interface.
I know I can mess around with ip nat outside and NAT pools, but is there a cleaner way I can achieve what I want? Even if I'm going about it the complete wrong way and NAT/PAT isn't the solution to my problem, pointing me in the right direction would be a major help!
The only reason why I think this is my best bet is the fact that every firewall device I've used has functionality in its policies to perform source NAT translation to the IP address of the egress interface, and it is so simple to turn on!
Edit: Watered down config
interface GigabitEthernet0/0
description ----WAN_INTERFACE_PRI----
mtu 1596
ip address x.x.x.x 255.255.255.248
ip access-group SECURE-IN in
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex full
speed 1000
no cdp enable
service-policy output EthernetAccessService
!
interface GigabitEthernet0/1
description ----INTERNAL----
ip address 192.168.1.1 255.255.255.0
ip access-group OUT-FILTER in
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description ----WAN_INTERFACE_BACK----
ip address y.y.y.y 255.255.254.0
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source static tcp 192.168.1.10 3389 interface GigabitEthernet0/0/0 3389
ip nat inside source route-map BACK_WAN interface GigabitEthernet0/0/0 overload no-payload
ip nat inside source route-map PRI_WAN interface GigabitEthernet0/0 overload no-payload
!
ip route 0.0.0.0 0.0.0.0 (x.x.x.x Gateway) permanent
ip route 0.0.0.0 0.0.0.0 (y.y.y.y Gateway) 10 permanent
!
ip access-list extended NAT-ACL
permit ip 192.168.1.0 0.0.0.255 any
deny ip any any
ip access-list extended OUT-FILTER
permit icmp any any
permit ip object-group Unrestricted-Access-Group any
deny ip 192.168.1.0 0.0.0.255 any
deny ip any any
ip access-list extended SECURE-IN
permit ip host any
deny tcp any any eq telnet log
deny tcp any any eq 22 log
permit ip any any
!
no cdp run
!
!
!
route-map PRI_WAN permit 10
match ip address NAT-ACL
match interface GigabitEthernet0/0
!
route-map BACK_WAN permit 10
match ip address NAT-ACL
match interface GigabitEthernet0/0/0
No comments:
Post a Comment