How to configure PAT on Cisco IOS Router

Hello Meihua

The quick and simple answer is, you don’t have to. Why? Let’s take a look at an example.

Let’s say you have the following three devices on the internal network with these parameters:

  • Host 1, IP address 10.10.10.10, communicating with a Web server on the Internet
  • Host 2, IP address 10.10.10.11 connected to an email server on the Internet
  • Host 3, IP address 10.10.10.12 connected to an FTP server on the Internet

All three are sharing the same external IP address of 201.12.12.12.

Let’s say that Host 1 is the first to make a connection using a local port number of 45001 and a destination port number of 80 for the web server. The translation of the host’s IP address looks like this:

Inside local 10.10.10.10:45001 Inside global 201.12.12.12:45001

Let’s say Host 2 is the next to connect to its email server, and let’s say it’s using the same local port number of 45001 and a destination port number of 110 for POP3 for example. The translation of the host’s IP address looks like this:

Inside local 10.10.10.11:45001 Inside global 201.12.12.12:45002

Notice that the external port number is incremented by 1. If there is a port that is already in use by another translation, then the very next available port number is used. Let’s continue with the translation for Host 3 assuming the same local port number is used:

Inside local 10.10.10.12:45001 Inside global 201.12.12.12:45003

Once again, the next available port number is used. This way there is never a conflict between identical port numbers that may be used by hosts on an internal network.

I hope this has been helpful!

Laz

3 Likes
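The port-allocation walkthrough above, as an added example (not code from the original post or from Cisco): a toy Python model of PAT that keeps a host's own source port when it is free on the shared inside global address and otherwise takes the next free port, plus the reverse lookup a router performs on the reply. The assumption that the original port is tried first and conflicts move strictly upward is taken from the post's description, not from IOS internals.

```python
import ipaddress


class PatTable:
    """Toy model of PAT (NAT overload) as described in the post above.

    Assumption (not from the page): the translation keeps the host's own
    source port when it is free on the shared global address and otherwise
    takes the next free port number upward. Real IOS port selection is more
    involved; this only reproduces the behaviour the post walks through.
    """

    def __init__(self, inside_global_ip, inside_net):
        self.inside_global_ip = inside_global_ip
        # Subnet permitted by the NAT access list (the "inside source list").
        self.inside_net = ipaddress.ip_network(inside_net)
        self.entries = {}    # (inside local ip, local port) -> global port
        self.in_use = set()  # global ports already taken on inside_global_ip

    def translate(self, inside_local_ip, local_port):
        """Return the inside global (ip, port) for an outbound flow, or None."""
        if ipaddress.ip_address(inside_local_ip) not in self.inside_net:
            return None  # ACL does not match: packet is routed untranslated
        key = (inside_local_ip, local_port)
        if key in self.entries:  # existing translation is reused
            return (self.inside_global_ip, self.entries[key])
        port = local_port
        while port in self.in_use:  # conflict: try the very next port
            port += 1
            if port > 65535:
                raise RuntimeError("no free port on inside global address")
        self.in_use.add(port)
        self.entries[key] = port
        return (self.inside_global_ip, port)

    def untranslate(self, global_port):
        """Map a reply arriving on inside_global_ip:global_port back to the host."""
        for key, gport in self.entries.items():
            if gport == global_port:
                return key
        return None


def demo():
    """Reproduce the three-host walkthrough from the post (constructed input)."""
    pat = PatTable("201.12.12.12", "10.10.10.0/24")
    hosts = ["10.10.10.10", "10.10.10.11", "10.10.10.12"]
    return [pat.translate(h, 45001) for h in hosts]
```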

Lazaros:
Many thanks for your reply. It really explains it to me. I like it so much.
Thanks again.
Melina

1 Like

Hello Rene,
Thanks for the lesson,
May I ask what is the best terminal emulator you suggest?

Thanks in advance.

Hello Wisam

There are a variety of terminal programs available that you can use, but which is the best depends on what you are looking for.

One of the most popular is PuTTY, which has many options and which I personally use often. If you want a program that will also allow you to save and organize the connectivity info of dozens or even hundreds of network devices, then you should use something with more such options such as mRemoteNG. These two are my best picks (and they’re free), however, there are many others that can be purchased as well. One of those is SecureCRT which I have also used and is quite good. Others may share some other opinions as well, but I think the best thing is to try out various options, and find the one that fits best with what you need.

I hope this has been helpful!

Laz

1 Like

I have a Cisco Router 1800 Series and I'm having some trouble with access for client PCs behind it in a double NAT setup.

It sits behind a pfSense Router/Firewall that has the IP of 192.168.16.1. I have connected a client directly into the Cisco Router.

The Client can ping the outside interface 192.168.16.240 and the inside interface 10.10.20.1 of the Cisco router. The client PC gets an address from the DHCP pool of the Cisco router.

The Client PC cannot contact the internet and cannot ping other hosts on the 192.168.16.0 network, which the pfSense firewall/router handles.

The Cisco Router itself can ping things on the internet and on the 192.168.16.0 network, also from the 10.10.20.0 interface with the IP of 10.10.20.1. The 10.10.20.0 network is defined in VLAN 1.

Also the pfSense with IP 192.168.16.1 can ping the outside interface of the Cisco Router with IP 192.168.16.240 and the inside interface 10.10.20.1. The pfSense has a static route to the 10.10.20.0 network with a gateway of 192.168.16.240. The pfSense cannot ping the Client PC behind the Cisco Router.

Can anyone see what is wrong with my config?

Current configuration : 1819 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1ND
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Rx0C$eGYoDl0WYvOAWi2PqHypE/
enable password somestuff
!
no aaa new-model
!
!
dot11 syslog
no ip routing
!
!
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
ip dhcp pool dpool1
   import all
   network 10.10.20.0 255.255.255.0
   default-router 10.10.20.1
   dns-server 8.8.8.8 1.1.1.1
   domain-name ndcisco
!
!
ip domain name noerdar.local
ip name-server 192.168.16.1
ip name-server 8.8.8.8
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 ip address 192.168.16.240 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 no ip route-cache
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 20
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
!
interface ATM0
 no ip address
 no ip route-cache
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface Vlan1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
!
ip default-gateway 192.168.16.1
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0 overload
!
!
!
!
!
!
!
control-plane
!
!
line con 0
 password somestuff
line aux 0
line vty 0 4
 password somestuff
 login
!
end

Hope someone can help me. I tried to define access-list 100 permit ip any any, but it does not help.

Hello Christian

It seems that your NAT translation is not functioning. First of all, you did well to test all of the connectivity between devices as you did, and you verified that all devices are able to ping all other devices and subnets except for the PC. Note that with all your pinging, connectivity is established only via routing. No NAT was involved.

Now with your NAT configuration, you are not specifying which IP addresses should be translated. You have the ip nat inside source list 100... command, but you have not defined the access list 100. You mention at the end that you tried applying this, but it didn’t work.

Try applying the following access list:

access-list 100 permit ip 10.10.20.0 0.0.0.255 any

This will match all of the inside subnet for NAT translation. In any case, as you apply this, and as you attempt to ping, check the NAT translations using the show ip nat translations command to see that the packets are indeed being translated.

Note that you will still not be able to ping the PC from the pfSense firewall as NAT translations will only work for traffic that is initiated from inside, but the PC should be able to ping the pfSense, and the Internet as well.

I suggest you also follow, step by step, the configuration procedure in the following lesson to more clearly understand each step that is taken:

I hope this has been helpful!

Laz

1 Like

Thanks for this Laz. Just to confirm did you mean Inside local and Inside Global? As the destination port numbers are only shown in the output for the Outside columns.

Also, do you know the name of any particular Cisco doc which describes the port incrementing behaviour? Thanks.

Hello Bhawandeep

Yes you are right, I fixed the post so it is now correct.

As for the port values that are assigned, take a look at the following Cisco documentation:

Look at the question titled “When configuring for PAT (overloading), what is the maximum number of translations that can be created per inside global IP address?”

I hope this has been helpful!

Laz

1 Like

Hello,

Great lesson, thanks. However, I have a doubt: based on this behavior of random port assignment by PAT for traffic coming from the inside, how does this work with DHCP, since DHCP clients listen on UDP port 68 for avoiding issues when BOOTREPLIES are broadcasted (according to RFC 951)?

The server sends replies using ‘BOOTP client’ as the destination port; depending on the kernel or driver facilities in the server, this may or may not be a broadcast (this is explained further in the section titled ‘Chicken/Egg issues’ below).

Is this the reason why usually DHCP servers are hosted in devices prior to the NAT router? Or does PAT have a workaround for this?

Thanks,
Jose Nogueras

Greetings,
Above, you see three routers called Host, NAT, and Web1. Imagine our host is on our LAN and the webserver is somewhere on the Internet. Our NAT router in the middle is our connection to the Internet.

The IP on Web1 is a private IP, so this does not show that it is somewhere on the internet using a public IP. The NAT translation should be to a public IP if it is going to Web1 on the internet.

Hi @shirramike,

That’s the “imagine” part. In labs, I never use public IP addresses with the exception of 1.1.1.1, 2.2.2.2, 3.3.3.3 etc. on loopback interfaces. If I had to start over today, I would have used different addresses for those as well.

For NAT in a lab it doesn’t matter whether you use private or public IP addresses.

Rene

Hello Jose

Typically, a DHCP server will reside on the same subnet or network segment as the host acting as the DHCP client. If you are using a DHCP server in another subnet, you would use a DHCP relay, and the local gateway would act as the IP helper address (DHCP relay agent).

As such, a DHCP server would not typically be deployed across a NAT router. A NAT router typically defines the edge of a particular network. Any services serving particular hosts (such as a DHCP server) would typically be within the same administrative domain as the hosts themselves. It would be unusual to have a situation where you have a DHCP server on the “outside” assigning IP addresses to hosts on the “inside”.

So from a design perspective, you wouldn’t have to deal with the UDP port issue that you are describing simply because you wouldn’t deploy a DHCP server in that fashion.

I hope this has been helpful!

Laz

1 Like