NAT based on destination port number

nat;

Is it possible to translate one local source IP address to different glabal addresses, with translation being based on destination port number?

Cisco 3825 and PIX 501 are available.

Within a concrete task, I need to send HTTPS requests from my client program to an outside web server, periodically changing a global address used by the program.

I have got a pool of 64 internet addresses.

I can change sent packets destination port number programmatically, and I hope to use these changed port numbers as a criterion when translating the source IP address.

I am about to revert the destination port number back to 443 after changing the global source IP address.

Best Answer

From a support forum static-pat-pix

Note: You cannot use the same real or mapped address in multiple static commands between the same two interfaces. Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface.

Thus it seems we have two options:

NAT on the router; not recommended as it would be difficult to get through the PIX.
Change the IP address (private) on the host, and have a PIX rule for each private IP address.

As you did not give any real IP addresses, I will create a example.

On the hosts, use 10.0.0.1-10.0.0.15/28.

On the PIX, NAT to 196.0.0.1 - 196.0.0.1

global (outside) 1 196.0.0.1-196.0.0.15 netmask 255.255.255.240
nat (inside) 1  10.0.0.0  255.255.255.240  0  0

Or you can NAT, one by one, with:

static (inside,outside) 10.0.0.1 196.0.0.1 netmask  255.255.255.255
static (inside,outside) 10.0.0.2 196.0.0.2 netmask  255.255.255.255

etc.

Now, every time you need to change your external IP address, just change the internal source IP address.

Related Solutions

Routing – Destination NAT based IP SLA Trigger

I'm not sure this will work. I don't have a lab to try it, but it works great on paper ;)

In this example, host will connect to 40.0.0.1, which is a natted address.

access-list 10 permit 10.0.0.1
access-list 20 permit 20.0.0.1

route-map CRI-1 permit 10
match ip address 10

route-map CRI-2 permit 10
match ip address 20

ip nat outside source static 10.0.0.1 40.0.0.1 route-map CRI-1
ip nat outside source static 20.0.0.1 40.0.0.1 route-map CRI-2

NAT – inside global address

The two kinds of NAT your question is referring to can be categorized as destination NAT, and source NAT.

Destination NAT will typically change a connection to your router from the ISP direction to a destination target that's inside your network. It's also commonly referred to as port forwarding. This lets you expose a service that would normally be inaccessible inside your private network.

Source NAT will change a connection through your router from your local network to a source target that is the router itself, allowing multiple hosts to use a single public address.

NAT can perform other translations, but few others are useful except in niche cases. Despite the phrasing in your question, a source NAT that you describe is not helpful. Using a global address that is not functional on the router will have no good effect. No other device or protocol would keep track of that, so all replies will be forwarded to the device that should have that IP, which would know nothing about your setup and promptly drop them. If you want to use a different IP, get it set up and functional on the router first.

Best Answer

Related Solutions

Routing – Destination NAT based IP SLA Trigger

NAT – inside global address

Related Topic