Static/Dynamic NAT


darsys (IS-IT--Management), May 2, 2003
I want to be able to allow a host on the internal network to connect via a specific port xxxx. The inside net is currently using a NAT overload on a single IP. I have tried a static NAT setup with specific port info and adding that IP/port combo to a deny statement in the dynamic NAT access list. The internal host still seems to create a dynamic port number every time it connects to the outside host. The traffic does go out with the correct port xxxx as destination and comes back with the source port correct, but I think the application is having a problem because it is actually receiving the data at the dynamic port. Any help is appreciated. BTW, I have removed the access list and it does not help. Thanks, Damon

Config ::
Using 2824 out of 29688 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
!
hostname ihs-1720
!
boot system flash
logging buffered 4096 debugging
enable secret 5 blah
enable password 7 blah
!
ip subnet-zero
no ip source-route
no ip domain lookup
ip name-server 192.168.1.1
ip name-server blah
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool dhcppool
network 192.168.1.0 255.255.255.0
domain-name blah
default-router 192.168.1.254
dns-server 192.168.1.1
!
no ip bootp server
ip inspect name inspectfilter smtp alert on
ip inspect name inspectfilter ftp alert on
ip inspect name inspectfilter tcp alert on
ip inspect name inspectfilter udp alert on
ip inspect name inspectfilter http alert on
ip audit info action alarm drop reset
ip audit notify log
ip audit po max-events 100
!
!
!
!
interface Ethernet0
description Internet Ethernet Connection
ip address x.x.x.x 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
ip nat outside
ip inspect inspectfilter out
half-duplex
no cdp enable
!
interface FastEthernet0
ip address 192.168.1.254 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
speed auto
no cdp enable
!
ip nat inside source list 150 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.1 25 interface Ethernet0 25
ip nat inside source static tcp 192.168.1.17 6877 interface Ethernet0 6877
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.y
ip route 192.168.1.0 255.255.255.0 FastEthernet0
no ip http server
!
logging 192.168.1.1
access-list 11 permit 192.168.1.16
access-list 101 permit tcp host z.z.z.z host x.x.x.x eq 6877
access-list 101 permit tcp any host x.x.x.x eq smtp
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
access-list 101 deny ip any any
access-list 101 deny tcp any any
access-list 101 deny udp any any
access-list 150 deny tcp host 192.168.1.1 eq smtp any eq smtp
access-list 150 deny tcp host 192.168.1.17 eq 6877 any eq 6877
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
line con 0
login
line aux 0
exec-timeout 5 0
login
line vty 0 4
session-timeout 1
exec-timeout 5 0
password 7 03105A121200231C1F
login
transport input none
!
scheduler allocate 4000 1000
end
 
Verify all the ports the application needs to use and whether they are TCP or UDP or both.
 
Are you aware there is a subtle difference between the ip nat inside and outside? Take a look at this information and see if it may help you:

Summary
There are two important things to note in this example.

First, when the packet travels from outside to inside, translation occurs first, and then the routing table is checked for the destination. When the packet travels from inside to outside, the routing table is checked for the destination first, and then translation occurs. For more information refer to NAT Order of Operation.

Secondly, it is important to note which part of the IP packet gets translated when using each of the commands above. The following table contains a guideline:

Command                         Action
------------------------------  ----------------------------------------------------------------------
ip nat outside source static    translates the source of IP packets that are traveling outside to inside;
                                translates the destination of IP packets that are traveling inside to outside
ip nat inside source static     translates the source of IP packets that are traveling inside to outside;
                                translates the destination of IP packets that are traveling outside to inside

What the above guidelines indicate is that there is more than one way to translate a packet. Depending on your specific needs, you should determine how to define the NAT interfaces (inside or outside) and what routes the routing table should contain before or after translation. Keep in mind that the portion of the packet that will be translated depends upon the direction the packet is traveling, and how you configured NAT.

A full example can be found at:

Hope this helps!
 
Sorry to inconvenience everyone. It ended up being an application problem that the vendor had assured me time and time again was a firewall problem.

I would like to note that I never did get NAT to allow the internal host to send out a packet at the original port, i.e. the source port seems to be dynamic in the logs. The application works and I believe this is normal, but I would love to see an example of how to accomplish a static port mapping so that the originating port can remain static through the whole transaction. Or I would like to understand why this is not normal or possible.

Sorry again if I inconvenienced anyone.

Thanks for the help, Damon
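The behaviour described in the thread (an ephemeral source port surviving the overload translation, the static row only mattering for traffic that carries 6877 as its inside source port, and the deny line in list 150 never matching) follows from how an "ip nat inside source" policy keys its lookups, combined with the order-of-operation summary quoted in the reply above: inside-to-outside translates the source, outside-to-inside translates the destination. The Python model below is an added example written for this page; it is not IOS code and does not come from the thread. It uses 203.0.113.10 as a stand-in for the redacted x.x.x.x, 198.51.100.7 for z.z.z.z, and a constructed ephemeral client port 49152; the inside addresses and static rows mirror the posted config.

```python
"""Toy model of IOS 'ip nat inside source' with static PAT rows plus overload.

Illustrative only (not IOS code). Shows why a static row keyed on the inside
SOURCE port never matches a client that connects TO that port from an
ephemeral source port, and why the deny line in list 150 does nothing.
"""
from dataclasses import dataclass, field

OUTSIDE_IP = "203.0.113.10"   # assumption: stands in for the redacted x.x.x.x
REMOTE_IP = "198.51.100.7"    # assumption: stands in for z.z.z.z


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class InsideSourceNat:
    outside_ip: str
    # static rows, (inside_ip, inside_port) -> outside_port, e.g.
    #   ip nat inside source static tcp 192.168.1.17 6877 interface Ethernet0 6877
    static: dict
    inside_net: str = "192.168.1."                  # what list 150 permits
    table: dict = field(default_factory=dict)       # dynamic (overload) rows

    def outbound(self, pkt):
        """Inside -> outside: route, then translate the SOURCE ip:port."""
        key = (pkt.src_ip, pkt.src_port)
        if key in self.static:                      # static rows win
            return self._rewrite_src(pkt, self.static[key]), "static"
        if not pkt.src_ip.startswith(self.inside_net):
            return pkt, "no-nat"                    # not matched by list 150
        out_port = self.table.get(key)
        if out_port is None:                        # new session: allocate
            out_port = self._allocate(pkt.src_port)
            self.table[key] = out_port
        return self._rewrite_src(pkt, out_port), "overload"

    def inbound(self, pkt):
        """Outside -> inside: translate the DESTINATION ip:port, then route."""
        for (in_ip, in_port), out_port in self.table.items():
            if out_port == pkt.dst_port:            # reply to an existing session
                return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.proto), "overload"
        for (in_ip, in_port), out_port in self.static.items():
            if out_port == pkt.dst_port:            # unsolicited hit on a static row
                return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.proto), "static"
        return None, "drop"                         # no translation exists

    def _rewrite_src(self, pkt, port):
        return Packet(self.outside_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def _allocate(self, wanted):
        """PAT keeps the original source port when it is free, else picks another."""
        in_use = set(self.table.values()) | set(self.static.values())
        if wanted not in in_use:
            return wanted
        port = 1024
        while port in in_use:
            port += 1
        return port


def acl150_denies(pkt):
    """access-list 150 deny tcp host 192.168.1.17 eq 6877 any eq 6877
    The first 'eq 6877' is the SOURCE port, so an ephemeral-source client
    connection to remote port 6877 is not denied and is still overloaded."""
    return pkt.src_ip == "192.168.1.17" and pkt.src_port == 6877 and pkt.dst_port == 6877


def demo():
    nat = InsideSourceNat(OUTSIDE_IP, static={("192.168.1.1", 25): 25,
                                              ("192.168.1.17", 6877): 6877})
    r = {}
    # 1. Client on .17 connects TO remote port 6877 from a constructed ephemeral
    #    port. Static row keyed on source port 6877 misses; overload translates.
    client = Packet("192.168.1.17", 49152, REMOTE_IP, 6877)
    out, how = nat.outbound(client)
    r["client_out"] = (out.src_ip, out.src_port, how)
    r["acl150_denies_client"] = acl150_denies(client)
    # 2. The reply targets the overload port and lands on the ephemeral port
    #    the application really opened (what the thread saw in its logs).
    back, how = nat.inbound(Packet(REMOTE_IP, 6877, OUTSIDE_IP, out.src_port))
    r["reply_in"] = (back.dst_ip, back.dst_port, how)
    # 3. A second inside host picks the same ephemeral port: PAT must rewrite it.
    out2, how2 = nat.outbound(Packet("192.168.1.20", 49152, REMOTE_IP, 6877))
    r["second_host_out"] = (out2.src_port, how2)
    # 4. Unsolicited traffic to the published port is the case the static row is
    #    for: destination is translated to .17:6877.
    srv, how3 = nat.inbound(Packet(REMOTE_IP, 40000, OUTSIDE_IP, 6877))
    r["unsolicited_in"] = (srv.dst_ip, srv.dst_port, how3)
    # 5. Traffic sourced FROM .17:6877 (the server answering) keeps port 6877.
    out3, how4 = nat.outbound(Packet("192.168.1.17", 6877, REMOTE_IP, 40000))
    r["server_out"] = (out3.src_port, how4)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The takeaways for the question asked in the thread: a static inside-source PAT row pins a port the inside host listens on, not a port it connects to; a client's source port is ephemeral by design, and PAT keeps it when it is free on the outside address and rewrites it on collision (case 3). One caveat worth checking on a real box: had the deny line in list 150 actually matched, the packet would have been excluded from the overload rule and, with the static row also missing, would have left Ethernet0 untranslated with an RFC 1918 source. "show ip nat translations" on the router shows which row fired for a given session.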
 