Wednesday, 15 May 2013

Bi-directional NAT/SNAT with Cisco Routers

Some of you may be familiar with either Microsoft Forefront TMG or ISA Server.

Both had an option, when publishing ports to the outside world, called "Requests appear to come from the ISA Server computer" (or "Requests appear to come from the Forefront TMG computer").

This was handy, for instance, when publishing ports to the internet for servers on your LAN which didn't have that particular ISA or TMG box as their default gateway.

It is particularly handy if you want to load balance traffic across two links, or simply as a backup way of getting into your network remotely if your primary link fails.

It did this by modifying the source address of every incoming connection so that, to the internal server, it appears to come from the router's internal-side IP. The server's reply is then addressed to a host on its own subnet, so it goes straight back to that router instead of out through the server's default gateway.

The guide below shows how to achieve the same thing on a Cisco router running IOS 12.4, using the NAT Virtual Interface feature ("ip nat enable").

In a typical scenario, you might have a router configured for ADSL, with a Dialer interface marked "ip nat outside" and a "Fa0/0" or "G0/0" LAN interface marked "ip nat inside".

It may look like the following (note that a type 7 "ppp chap password" is only reversibly obfuscated, not hashed, so treat any config posted with one as having disclosed the password):

interface Dialer0
 description ISP ADSL2+ Interface
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password 7 06675F141A1F064F25
interface FastEthernet0/0
 description LAN Interface
 ip address
 ip nat inside
 duplex auto
 speed auto
access-list 1 permit
dialer-list 1 protocol ip permit
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 25 interface Dialer0 25
ip route Dialer0

The problem with the above configuration is that the translation only works on one axis. Classic inside/outside NAT rewrites the source of outbound traffic and the destination of inbound traffic that hits the static entry, but it never touches the source address of an inbound connection. The web server therefore sees the real internet client and replies to it via its own default gateway, which may be another router entirely. What we want is a bi-directional NAT that also rewrites the source of those inbound connections.

We need to remove the "ip nat inside" and "ip nat outside" lines from both the Dialer0 and FastEthernet0/0 interfaces and replace them with "ip nat enable". This puts both interfaces on the NAT Virtual Interface, where "ip nat source" rules apply regardless of direction, so NAT can be configured to work both inbound and outbound. Two practical notes: do this from the console or over the LAN rather than across the ADSL link, since the existing translations are torn down as you go, and if IOS refuses to remove the old "ip nat inside source" line because dynamic mappings are in use, run "clear ip nat translation *" first.

For the example below, assume the ISP has assigned a static IP of

The server to publish is a web server on IP

Assuming that your current configuration is like the above, we would type the following:

interface FastEthernet0/0
 no ip nat inside
 ip nat enable
interface Dialer0
 no ip nat outside
 ip nat enable
no ip nat inside source list 1 interface Dialer0 overload
no access-list 1 permit
ip access-list extended NAT_OUT
 permit ip any
ip access-list extended NAT_IN
 permit ip any host
ip nat source list NAT_IN interface FastEthernet0/0 overload
ip nat source list NAT_OUT interface Dialer0 overload
ip nat source static tcp 80 interface Dialer0 80

And that's it! Now when connections are made to the public IP, the static entry rewrites their destination to the web server; the packet then matches NAT_IN (any source, destination the web server), so its source address appears as - the IP address bound to the Fa0/0 interface. The server replies to that address, so the reply comes back through this router no matter what its default gateway is. Two things to keep in mind: the web server now sees every external client as that one Fa0/0 address, so per-client logging, rate limiting and IP allow lists on the server no longer see the real client (the router's translation table, "show ip nat nvi translations", is where it survives), and NAT_IN matches any traffic to the server, not just port 80, so any other traffic transiting the router towards it will be source-translated too.
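To make the difference between the two configurations concrete, here is a small Python model of what the router does to one inbound connection in each case. It is an added example, not Cisco IOS and not code from the original post: the addresses (RFC 5737 documentation ranges), the port pool and the "other gateway" are all assumptions, since the post leaves the real values blank. It shows why the classic config fails when the published server's default gateway is a different router, and what the web server sees after the NVI change.

```python
"""Toy model of classic inside/outside NAT versus the NVI config above.

Added example, not IOS code. All addresses are assumptions (RFC 5737).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Assumed topology (the original post leaves these blank)
PUBLIC_IP = "203.0.113.10"      # static IP negotiated on Dialer0
ROUTER_LAN_IP = "192.0.2.1"     # FastEthernet0/0 address
WEB_SERVER = "192.0.2.80"       # the published web server
OTHER_GATEWAY = "192.0.2.254"   # the server's real default gateway
LAN = ip_network("192.0.2.0/24")
CLIENT = "198.51.100.7"         # an internet client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Minimal model of the ADSL router's NAT for one published port."""

    def __init__(self, nvi_snat: bool):
        # nvi_snat=False: static port map only (classic inside/outside)
        # nvi_snat=True:  static port map plus
        #                 'ip nat source list NAT_IN interface FastEthernet0/0 overload'
        self.nvi_snat = nvi_snat
        self._translations = {}     # (ROUTER_LAN_IP, port) -> (client, client_port)
        self._next_port = 1024      # overload port pool (assumed)

    def inbound(self, pkt: Packet) -> Packet:
        """Translate a packet arriving on Dialer0 before it goes out Fa0/0."""
        if (pkt.dst, pkt.dport) != (PUBLIC_IP, 80):
            raise ValueError("no static mapping for %s:%d" % (pkt.dst, pkt.dport))
        # Step 1, both configs: the static entry rewrites the destination.
        out = replace(pkt, dst=WEB_SERVER)
        # Step 2, NVI only: the packet now matches NAT_IN (any -> host WEB_SERVER),
        # so its source is overloaded onto the LAN interface address.
        if self.nvi_snat:
            port = self._next_port
            self._next_port += 1
            self._translations[(ROUTER_LAN_IP, port)] = (pkt.src, pkt.sport)
            out = replace(out, src=ROUTER_LAN_IP, sport=port)
        return out

    def outbound(self, pkt: Packet) -> Packet:
        """Reverse both translations on the server's reply."""
        out = replace(pkt, src=PUBLIC_IP)            # undo the static map
        hit = self._translations.get((pkt.dst, pkt.dport))
        if hit is not None:                          # undo the source overload
            out = replace(out, dst=hit[0], dport=hit[1])
        return out


def server_reply(pkt: Packet) -> Packet:
    """The web server answers whatever address it saw as the source."""
    return Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)


def server_next_hop(reply: Packet) -> str:
    """Plain host routing: on-link for the LAN, otherwise the default gateway."""
    return reply.dst if ip_address(reply.dst) in LAN else OTHER_GATEWAY


def simulate(nvi_snat: bool) -> dict:
    """Run one inbound connection attempt and report what each side sees."""
    router = Router(nvi_snat)
    syn = Packet(src=CLIENT, sport=51000, dst=PUBLIC_IP, dport=80)
    to_server = router.inbound(syn)
    reply = server_reply(to_server)
    hop = server_next_hop(reply)
    result = {"server_sees_src": to_server.src, "reply_next_hop": hop}
    if hop == ROUTER_LAN_IP:
        back = router.outbound(reply)
        result["client_gets"] = back
        result["ok"] = (back.src, back.sport, back.dst, back.dport) == (PUBLIC_IP, 80, CLIENT, 51000)
    else:
        # The reply leaves via the other gateway: the client never hears back
        # from PUBLIC_IP and the TCP handshake fails.
        result["client_gets"] = None
        result["ok"] = False
    return result


if __name__ == "__main__":
    for mode, label in ((False, "classic inside/outside"), (True, "NVI with NAT_IN")):
        r = simulate(mode)
        print(f"{label:24s} server sees {r['server_sees_src']:14s} "
              f"reply via {r['reply_next_hop']:14s} works={r['ok']}")
```

Running it shows the trade-off in one line each: the classic config delivers the real client address to the server but sends the reply out the wrong gateway, while the NVI config brings the reply home at the cost of the server seeing only the router's Fa0/0 address for every client.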
