Question about Cisco Static-PAT

Hi Guys,

I'm confused about static PAT.

I have a very simple setup.

Non-cisco IPsec endpoint (2.2.2.3) ----- 2.2.2.1 (Cisco Router) 1.1.1.1 ---Non-cisco IPsec endpoint (1.1.1.2)

=======================

interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
end

interface GigabitEthernet0/1
 ip address 2.2.2.1 255.255.255.0
 ip nat inside
end

ip nat inside source static udp 2.2.2.3 500 interface GigabitEthernet0/0 501
=======================

Can someone help me understand the NAT statement? I thought this would change the dst port from 500 to 501; however, in the debug I found my src port had been changed to 501.

 

RouterA1#
Jul 30 02:00:45.363: NAT*: i: udp (2.2.2.3, 500) -> (1.1.1.2, 500) [10690]
Jul 30 02:00:45.363: NAT*: i: udp (2.2.2.3, 500) -> (1.1.1.2, 500) [10690]
Jul 30 02:00:45.363: NAT*: UDP s=500->501, d=500
Jul 30 02:00:45.363: NAT*: s=2.2.2.3->1.1.1.1, d=1.1.1.2 [10690]

 

Thanks

 

Comments

  • The NAT translation table will have a single inside global address mapped to many inside local addresses. Inside local source port numbers could all be identical. Translating these ports to something is a necessity.

    For example, the following was done on Cisco IOS 12.4(15)T using dynamic PAT.

    R1_GW1#show ip nat translation
    Pro Inside global      Inside local       Outside local      Outside global
    udp 192.168.13.1:500   192.168.12.4:500   192.168.13.3:123   192.168.13.3:123
    udp 192.168.13.1:1     192.168.12.5:500   192.168.13.3:123   192.168.13.3:123
    R1_GW1#

    Two inside local entries using the same inside local UDP port number. Inside global address identical. Must change inside global source port numbers to get separate entries for return traffic.

    For static PAT, at the CLI you determine what this port translation will be. That is my understanding.

    Hey experts chime in.  RB
  • Hi Randy,

    Thanks for your answer; however, I'm not talking about dynamic PAT (overload).

    Below is from the Cisco doc:

    ====================

    ip nat inside source static tcp 172.16.10.8 8080 172.16.10.8 80

    !--- Static NAT command that states any packet received in the inside
    !--- interface with a source IP address of 172.16.10.8:8080 is
    !--- translated to 172.16.10.8:80.

     

    Note that the configuration description for the static NAT command
    indicates any packet received in the inside interface with a source address of
    172.16.10.8:8080 is translated to 172.16.10.8:80. This also implies that any
    packet received on the outside interface with a destination address of
    172.16.10.8:80 has the destination translated to 172.16.10.8:8080.

    ===================

    ip nat inside source static tcp 192.168.0.5 80 171.68.1.1 80 extendable

    !--- This statement performs the static address translation for the Web server.
    !--- With this statement, users that try to reach 171.68.1.1 port 80 (www) are
    !--- automatically redirected to 192.168.0.5 port 80 (www). In this case
    !--- it is the Web server.

    =============================================

    So I think the 8080 and 80 are talking about the dst port.
  • Right you are. You've answered your question. /cheers

     

  • Haha... no, my debug output shows the src port has been changed.

  • Interesting. I must be misreading the debug. My understanding of PAT is that source ports are to be translated. Static PAT is just a predetermination of what that port translation will be. What does show ip nat translation reveal?

  • It looks normal. I'm out of office and cannot share it right now; I will post it when I go back next week.

    Thanks!

  • nyx01, the output is correct. Let me explain using a different example. Imagine you had this line of config instead.

    ip nat inside source static 10.0.26.2 5.5.5.5

    It means that when the internal IP 10.0.26.2 tries to reach ANY IP address, the router will re-map the source IP to 5.5.5.5 before sending the traffic to the destination.

     

    So now let's change that line of code to include port info too.

    ip nat inside source static udp 10.0.26.2 2002 5.5.5.5 50002

    This means that when host 10.0.26.2 initiates a connection to any IP using the port 2002, the router will re-map the source IP to 5.5.5.5 and the port to 50002. FYI, the ports here are source ports, but only when the traffic is initiated from the internal IP 10.0.26.2 and sent to a random destination (these turn into destination ports when traffic comes from the other direction; I will explain this below).

     

    So let's do these examples again for traffic actually initiated from the web this time. Let's assume we have rolled back to the config below.

    ip nat inside source static 10.0.26.2 5.5.5.5


    It means that if someone on the web from ANY ip address wants to reach your internal host 10.0.26.2, that they would have to go to 5.5.5.5 right? It doesn't mean that only the IP 5.5.5.5 can reach 10.0.26.2. It means that anyone from any IP who wants to connect to 10.0.26.2 must connect to 5.5.5.5, and then the router re-maps the traffic towards 10.0.26.2.

    So let's continue this example to include port information, as shown below.

    ip nat inside source static udp 10.0.26.2 2002 5.5.5.5 50002

    Assume someone from any IP wants to connect to your internal host 10.0.26.2 on port 2002, they must actually go to 5.5.5.5 on port 50002. And THEN the router re-maps the traffic to reach the internal host 10.0.26.2 on port 2002. In this scenario the port information is for destination ports.

     

    The reason why people always assume the ports in the NAT config are always destination ports is because 99% of the time you create static NAT or PAT rules so that external traffic can arrive towards an internal host. In this case the ports are always destination ports.

     

    I hope this clears up your confusion.

  • Hi SG4RB0,

    Thanks for your explanation! It makes sense to me and matches my test output.

    Just wondering if you can provide me any official doc, as I may need it for a report.

    And I didn't find any similar explanation from Cisco; even Cisco Press - Comparing, Designing and Deploying VPNs says static PAT is used for a VPN to initiate IKE from outside to inside.

    Thanks!!!

  • Hi All,

    Thank you for posting and the fine explanation. //cheers

  • Well I don't know any official documents for it currently. I learned it when running into problems for customers years ago. I will try and find something official for you though.

  • Hi sg4rb0,

    Thank you bro!

  • Hey, I couldn't find anything about the PAT port direction. The only thing I could find was Cisco talking about PAT from the initiation of connections from the Internet (which technically 99% of the traffic would be initiated from anyway if you were to create a rule like this). See the link below.

     

    http://www.cisco.com/c/en/us/support/docs/long-reach-ethernet-lre-digital-subscriber-line-xdsl/asymmetric-digital-subscriber-line-adsl/12905-827spat.html

     

  • Thanks again. I saw some similar doc.

    I will follow up if I get a chance to open a TAC ticket or talk to Cisco guys.

     

  • Thinking about the reason NAT was invented, to NAT RFC 1918 addresses and get Internet access, NAT was designed to do source NAT, not destination NAT (although nowadays you can do both); however, if you have a static NAT/PAT entry, because traffic can be initiated both ways, the traffic flow will actually determine whether the router does source NAT or destination NAT.

    The command "ip nat inside source static tcp 172.16.10.8 8080 10.10.10.8 80" , by reading left to right, says that as you receive IPv4 traffic on your inside NAT interface, do a source NAT of type static for 172.16.10.8 TCP port 8080 to 10.10.10.8 TCP port 80; by swapping the traffic direction the command states as you receive traffic inbound in your outside NAT interface, do a destination NAT of type static for 10.10.10.8 TCP port 80 to 172.16.10.8 TCP port 8080.
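The two explanations above (SG4RB0's 10.0.26.2 example and the left-to-right reading of the command in the last post) describe the same rule being applied in two directions. The following Python model, added here as an illustration and not code from the original thread or from Cisco, walks the original poster's exact rule through both directions and reproduces the debug result they saw (source port 500 rewritten to 501, destination port untouched). The Packet and StaticPat classes are this example's own constructs, not IOS objects; "interface GigabitEthernet0/0" in the original command is modelled by passing that interface's address, 1.1.1.1, as the inside global address; all packets are constructed sample input. It also shows the consequence the thread only hints at: with this rule, a peer on the outside that wants to start IKE towards 2.2.2.3 must send to 1.1.1.1:501, because nothing maps 1.1.1.1:500.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed sample packet; only the header fields NAT looks at."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticPat:
    """Model of one 'ip nat inside source static <proto> <inside-local> <lport> <inside-global> <gport>'.

    Hypothetical class for this example. 'interface GigabitEthernet0/0' in the original
    post is represented by that interface's address (1.1.1.1) as inside_global.
    """
    proto: str
    inside_local: str
    local_port: int
    inside_global: str
    global_port: int

    def inside_to_outside(self, pkt: Packet) -> Optional[Packet]:
        # Inside -> outside: the entry matches on the SOURCE (inside local) and rewrites
        # the source address and source port. The destination is left alone, which is
        # exactly the 'UDP s=500->501, d=500' seen in the thread's debug.
        if (pkt.proto, pkt.src_ip, pkt.src_port) == (self.proto, self.inside_local, self.local_port):
            return replace(pkt, src_ip=self.inside_global, src_port=self.global_port)
        return None

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        # Outside -> inside: the same entry matches on the DESTINATION (inside global) and
        # rewrites destination address and port back to the inside local values. This is
        # the direction the Cisco doc describes, so there the ports read as destination ports.
        if (pkt.proto, pkt.dst_ip, pkt.dst_port) == (self.proto, self.inside_global, self.global_port):
            return replace(pkt, dst_ip=self.inside_local, dst_port=self.local_port)
        return None


def translate(rule: StaticPat, pkt: Packet, arriving_on: str) -> Packet:
    """Apply the entry to a packet arriving on the 'inside' or 'outside' NAT interface.

    Traffic that matches nothing is forwarded untranslated; the original config has no
    dynamic/overload rule to catch it.
    """
    if arriving_on == "inside":
        out = rule.inside_to_outside(pkt)
    elif arriving_on == "outside":
        out = rule.outside_to_inside(pkt)
    else:
        raise ValueError(f"unknown NAT side: {arriving_on}")
    return out if out is not None else pkt


def debug_line(before: Packet, after: Packet) -> str:
    """Summarise a translation in the style of the 'UDP s=500->501, d=500' debug line."""
    s = f"s={before.src_port}" + (f"->{after.src_port}" if before.src_port != after.src_port else "")
    d = f"d={before.dst_port}" + (f"->{after.dst_port}" if before.dst_port != after.dst_port else "")
    return f"{before.proto.upper()} {s}, {d}"


# The original post's entry, with GigabitEthernet0/0's address standing in for the interface.
OP_RULE = StaticPat("udp", "2.2.2.3", 500, "1.1.1.1", 501)


def op_scenario() -> dict:
    """Walk the three flows the thread argues about and return the translated packets."""
    # 1. Inside endpoint 2.2.2.3 starts IKE towards 1.1.1.2 (the flow the OP debugged).
    ike_out = Packet("udp", "2.2.2.3", 500, "1.1.1.2", 500)
    ike_out_nat = translate(OP_RULE, ike_out, "inside")
    # 2. The outside peer answers the translated packet, i.e. back to 1.1.1.1:501.
    reply = Packet("udp", "1.1.1.2", 500, "1.1.1.1", 501)
    reply_nat = translate(OP_RULE, reply, "outside")
    # 3. An outside peer that starts IKE to 1.1.1.1:500 (the default IKE port) matches
    #    nothing: only 1.1.1.1:501 is mapped to 2.2.2.3:500, so it is not translated.
    unsolicited = Packet("udp", "1.1.1.2", 500, "1.1.1.1", 500)
    unsolicited_nat = translate(OP_RULE, unsolicited, "outside")
    return {
        "ike_out": ike_out_nat,
        "ike_out_debug": debug_line(ike_out, ike_out_nat),
        "reply": reply_nat,
        "unsolicited": unsolicited_nat,
    }


if __name__ == "__main__":
    for name, value in op_scenario().items():
        print(f"{name}: {value}")
```

Running it prints the translated packets and the line "UDP s=500->501, d=500" for the inside-initiated IKE flow. The same StaticPat class applied to the doc's "tcp 172.16.10.8 8080 10.10.10.8 80" entry shows the rule the last post reads left to right: inside-sourced traffic from 172.16.10.8:8080 leaves as 10.10.10.8:80, and outside traffic sent to 10.10.10.8:80 arrives at 172.16.10.8:8080.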
