Question : Problem: NAT Reflection in Cisco IOS

How can you do NAT reflection in Cisco IOS?

Using IOS, I am doing a basic PAT overload, for example:

ip nat inside source static tcp 192.168.1.3 80 111.1.1.4 80 extendable

111.1.1.4 is the external IP address, 192.168.1.3 is the internal one. Anyone can access the server using the external IP address from outside, but not from inside.

If I am using iptables on Linux, I do NAT reflection like this:
Code Snippet:

#The normal port forward (destination NAT for traffic arriving on the WAN side)
iptables -t nat -A prerouting_wan -p tcp --dport 80 -j DNAT --to 192.168.1.3:80
iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.1.3 -j ACCEPT

#The reflection part: LAN clients hitting the public address are DNATed to the
#server, and additionally source-NATed (MASQUERADE) so the server's reply comes
#back through the firewall instead of going straight to the client on the LAN
iptables -t nat -A prerouting_rule -d 111.1.1.4 -p tcp --dport 80 -j DNAT --to 192.168.1.3
iptables -t nat -A postrouting_rule -s 192.168.1.0/24 -p tcp --dport 80 -d 192.168.1.3 -j MASQUERADE

Answer : Problem: NAT Reflection in Cisco IOS

Did you try the outside NAT?
The real problem is that the NAT as configured for internal hosts is source NAT, where the destination host receives packets sourced from your outside IP address.
But the static NAT for inbound is a destination NAT, where the source does not get changed. Your internal server may see the packets come in targeting the public IP, but the response will go to the source, which is the private IP of the host PC. That is "local" to the server, so the server responds directly to the source, but the source is expecting a reply from the public IP and just drops it.
You end up needing to do both source and destination NAT, which is what having both a NAT inside and a NAT outside configuration is trying to do, but the issue is that no packet ever actually traverses the 'outside' interface, since both the source and destination are on the same interface and are local to each other.
There is a concept called 'NAT on a stick' using a loopback interface as the NAT interface and a routing trick to try to get the loopback into the route table.
This example uses a different physical router. I have never seen this work, and it is not supported by Cisco TAC.

http://cco.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
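The answer's reasoning (destination NAT alone lets the server reply straight to the inside client, which then discards a packet that did not come from 111.1.1.4; adding a source NAT on the hairpinned flow forces the reply back through the NAT box) can be walked through packet by packet. The following is an added example, not code from the thread or from Cisco: a small Python model of a router holding the static public:80 -> 192.168.1.3:80 mapping, with the extra source translation switched off (IOS as configured in the question) and on (the iptables MASQUERADE rule in the question). The router's inside address 192.168.1.1 and the inside client 192.168.1.50 are constructed for the example.

```python
from dataclasses import dataclass

PUBLIC_IP = "111.1.1.4"        # external address from the question
SERVER_IP = "192.168.1.3"      # internal server from the question
ROUTER_LAN_IP = "192.168.1.1"  # assumed: the NAT router's inside address
CLIENT_IP = "192.168.1.50"     # constructed: an inside client
INSIDE_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


class Router:
    """Minimal NAT box with one static destination mapping
    (PUBLIC_IP:80 -> SERVER_IP:80) and, optionally, an extra source
    translation for inside clients that hit the public address."""

    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat
        self.table = {}  # (translated src ip, sport) -> original client ip

    def translate_request(self, pkt):
        """Inbound direction of the static entry: rewrite the destination.
        With hairpin_snat, also rewrite an inside client's source to the
        router so the server's reply has to come back through the router."""
        if (pkt.dst, pkt.dport) != (PUBLIC_IP, 80):
            return pkt
        src = pkt.src
        if self.hairpin_snat and is_inside(pkt.src):
            src = ROUTER_LAN_IP
        self.table[(src, pkt.sport)] = pkt.src
        return Packet(src, pkt.sport, SERVER_IP, 80)

    def translate_reply(self, pkt):
        """Undo both translations on a reply that reaches the router."""
        orig = self.table.get((pkt.dst, pkt.dport))
        if orig is None or (pkt.src, pkt.sport) != (SERVER_IP, 80):
            return pkt
        return Packet(PUBLIC_IP, 80, orig, pkt.dport)


def server_reply(pkt):
    """The server answers whatever source address it saw."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def lan_deliver(pkt, router):
    """On a shared LAN the reply goes straight to its destination host;
    only a reply addressed to the router itself gets untranslated."""
    if pkt.dst == ROUTER_LAN_IP:
        return router.translate_reply(pkt)
    return pkt


def client_accepts(reply, sport):
    """The client opened a socket to PUBLIC_IP:80, so only a reply from
    that 4-tuple matches its connection."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        PUBLIC_IP, 80, CLIENT_IP, sport)


def run(hairpin_snat, sport=40000):
    """Return (reply as seen by the client, whether the client accepts it)."""
    router = Router(hairpin_snat)
    request = Packet(CLIENT_IP, sport, PUBLIC_IP, 80)
    at_server = router.translate_request(request)
    reply = server_reply(at_server)
    at_client = lan_deliver(reply, router)
    return at_client, client_accepts(at_client, sport)


if __name__ == "__main__":
    for mode in (False, True):
        seen, ok = run(mode)
        print(f"hairpin source NAT={mode}: client sees {seen}, accepted={ok}")
```

Without the source translation the client receives a SYN-ACK from 192.168.1.3 instead of 111.1.1.4 and its TCP stack has no matching connection for it, which is the drop the answer describes. With it, the server sees every hairpinned connection as coming from the router's address, so its logs lose the real client IP; that is the usual price of a hairpin/reflection NAT and the reason the iptables MASQUERADE rule is scoped to just the LAN-to-server port 80 flow.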
