0

We have a Cisco 2800 (two, in fact, with HSRP) configured to serve a number of hosts in LAN, and a VPN that's used to configure them. The device has 2 interfaces, one serves multiple VLANs in the inside network, one is connected to ISP and hosts a lot of public IP addresses with HSRP with a configured default gateway. The ISP interface is marked outside, the LAN interface is marked inside. My target is to limit port exposure for a certain host that is translated like this:

ip nat inside source static LAN_IP OUTSIDE_IP route-map RM-NOVPN

To my knowledge, this equals host to be open for any outside connection, and allows it to connect and be visible by the same global IP address of OUTSIDE_IP. I have tried to limit the number of ports exposed for outside connection to bare minimum with a number of statements like this:

ip nat inside source static tcp LAN_IP PORT1 OUTSIDE_IP PORT1 route-map RM-NOVPN

This works, but if I disable the total NAT translation the host loses ability to initiate connections to Internet. I have tried creating a dynamic translation with overload like this:

ip nat pool HOSTPOOL OUTSIDE_IP OUTSIDE_IP mask 255.255.255.224 ip nat inside source route-map RM_NOVPN2 pool HOSTPOOL overload route-map RM_NOVPN2 deny 10 match ip address AL-CRYPTOMAP-VPN ! route-map RM_NOVPN2 permit 20 match ip address AL-HOST ! ip access-list standard AL-HOST permit LAN_IP !

AL-CRYPTOMAP-VPN is a crypto map access list for VPN traffic. The same list is used in RM_NOVPN to prevent traffic originating from VPN to get NATed.

This config doesn't work, in terms of the host being unable to initiate connections to Internet. The reason is unknown, given that with static full-port NAT the host was communicating. The question is, is this task possible to accomplish only by clever NAT usage? For now we are unable to establish a complete ACL for inbound traffic on the outside interface.

Note this is not ASA, so I'm not able to use a glorified GUI and packet tracer to debug packet flow or whatever. Cisco IOS version is reported as 12.4.

Improve this question
2
  • Why can't you just set up NAT, and have an ACL attached to the interface where the host is connected to limit the traffic for that host? Commented Mar 2, 2017 at 14:04
  • Sadly, the number of hosts and services is pretty large, so I'm seeking a pure-NAT solution prior to building a proper ACL. Still we'll be building an ACL anyway. Commented Mar 2, 2017 at 14:27

1 Answer 1

Reset to default
0

Unfortunately, with my configuration a pure NAT solution is impossible. The reason is listed here:

Q. Is it possible to build a configuration with both static and dynamic NAT translations?

A. Yes. However, the same IP address cannot be used for the NAT static configuration or in the pool for NAT dynamic configuration. All the public IP addresses need to be unique. Note that the global addresses used in static translations are not automatically excluded with dynamic pools containing those same global addresses. Dynamic pools must be created to exclude addresses assigned by static entries.

Apparently, if Cisco has a static NAT, even if port-based, configured for a destination IP address, it cannot support dynamic NAT to the same IP address at all. It was also said there that "if a packet that has no match for static NAT appears, it's transferred without NAT". Therefore, when a LAN_IP tried to NAT outside with a non-listed port on static, the packet is un-NATed then dropped as spoofed at outside interface, or at least the connection never gets established because the source address is LAN_IP and not OUTSIDE_IP. Pity.

NATing directly to the interface will result in the server sending data as another IP than OUTSIDE_IP, and since that server is a mail server, mail sent from wrong IP will be refused at destination due to SPF/DKIM protection.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.