Cisco IOS NAT – Inside Static NAT Mapping for Multiple External IPs

cisco-iosnat;

Will the following work?

ip nat inside source static 1.1.1.1 2.2.2.2 route-map x
ip nat inside source static 1.1.1.1 2.2.2.3 route-map x

(say the remote net is 20.20.20.0 in both cases)

What I'm not sure about is if the reply to an access from outside can be translated properly.

Client 20.20.20.1:1234 sends a packet to Server 2.2.2.2:5678 which internally becomes 1.1.1.1:5678.

Server 1.1.1.1:5678 then sends a reply packet to 20.20.20.1:1234.

What does the router do with this?

Will it translate the reply's source address to 2.2.2.2 or 2.2.2.3?
From the above, at first sight both are possible.
Does it take the initial socket into account and reply using the address on which it was contacted in the first place?

Best Answer

The router looks at the complete socket (protocol, source/destination ip and port) which allows it to have a 1:1 relationship for any connection.

So yes, it does work.

Related Solutions

Cisco NAT – Cisco Static NAT with Route-Maps

i believe that the problem is in the VRF configuration itself , so please check the next
1. configure 'ip vrf forwarding Customer1-portforwarding' under interfaces involved in NAT (nat inside,nat outside interfaces)
2. if your access list will use the VRF routing table so you need to add 'set vrf Customer1-portforwarding' command under route-map configuration to make use of theVRF routing table
3. make your route-map more specific by set next hop
4. verify NATing by use 'sh ip nat translation' command

make use of those URLs
NAT over VRF
Route-map over VRF

Brute Force UDP Hole Punch – Is It Possible?

Yes. Yes it is possible. The network has to be able to handle all the packets (without exceptions - packet loss means death), the machines have to be able to send out packets fast enough, the other end must not have "flooding protection" and the address has to not change every time you open a new connection. This method managed to connect my laptop behind my University's WiFi with my friends laptop behind his WiFi and it sent a packet from my home WiFi through my University's symmetric NAT. If you're using a phone, you should probably send packets as fast as possible because phones are slow but with laptops you can synchronize the barrage of UDP packets with Thread.sleep()

/**
 * Shoots empty UDP packets at every port between "start" and "end".
 */
public static void sendBarrage(int start, int end, InetAddress target) {

    final ByteBuffer to_send = ByteBuffer.allocate(0);

    // Start at a random value to avoid re-traversing failed paths on repeated attempts.
    final int starting_point = start + generator.nextInt(end - start);

    // Go from starting_point down to 1024. 
    for (int port = starting_point; port >= start; --port) { 
        try {
            if (made_connection == false) {
                myChannel.send(to_send, new InetSocketAddress(target, port));
            } else {
                break;
            }
        } catch (java.nio.channels.ClosedChannelException cce) {
            Application.printerr("Channel closed while on port: " + port);
            break;
        } catch (IOException e) {
            Application.printerr("Error sending in port: " + port);
            continue;
        }
    }

    // Go from 65535 down to say starting_point, not including starting_point.
    for (int port = end - 1; port > starting_point; --port) { 
        try {
            if (made_connection == false) {
                myChannel.send(to_send, new InetSocketAddress(target, port));
            } else {
                break;
            }
        } catch (java.nio.channels.ClosedChannelException cce) {
            Application.printerr("Channel closed while on port: " + port);
            break;
        } catch (IOException e) {
            Application.printerr("Error sending in port: " + port);
            continue;
        }
    }
}

^ Make sure you call this method in a loop, it might take a few attempts. Keep in mind that this method does NOT work with cell phone tower networks (unless you get insanely lucky and the public ip address does not change). It might work better if one side holds the port open while the other guesses rather than having them both brute force both sides.

Also, if only one side holds the ports open, this method might be good: https://www.goto.info.waseda.ac.jp/~wei/file/wei-apan-v10.pdf

Best Answer

Related Solutions

Cisco NAT – Cisco Static NAT with Route-Maps

Brute Force UDP Hole Punch – Is It Possible?

Related Topic