NAT; few questions...

mpgioia
Here to help

NAT: port translation on a 1:1 NAT?

You can't do a port translation as well as an address translation with a "1:1 NAT"? "1:Many NAT" looks like it can do it? Or... a "Port forwarding" rule maybe looks like how to do it?

The OS/NAT engine (or its interface) seems limited...

Secondly...

Let me explain a use case.

I have three services.  One public IP for DNAT.  SMTP, RDP, HTTPS.

SMTP I need to be 1:1: inbound hits the public IP; when sourced outbound, it uses the same public IP.

RDP and HTTPS: inbound, I need them to hit the public IP referenced above.

But if outbound traffic is seen with a destination of RDP or HTTPS, I need it to traverse the standard SNAT/SPAT overload, not use the public IP set aside for DNATs ONLY.

How do I do that with this OS? 😕

PhilipDAth
Kind of a big deal

Outbound traffic that is not a 1:1 NAT will use the WAN interface IP address.

On the whole, you cannot achieve what you have asked for.

mpgioia
Here to help

@PhilipDAth wrote:

> Outbound traffic that is not a 1:1 NAT will use the WAN interface IP address.

^^ Yes, of course, that makes sense.

-----------------------------

But both can't be done, right? I can't do a port translation as well as an address translation on a 1:1 NAT. And I definitely can't do the second question, right?

As you said, on the 'whole', right?

PhilipDAth
Kind of a big deal

> I can't do a port translation as well as an address translation on a 1:1 NAT

You can do PAT on the WAN IP and 1:1 NAT on other IP addresses presented to the WAN interface.

No, you cannot say that traffic heading out that is HTTPS is to be source NATed to a specific IP address.

mpgioia
Here to help

Hang on...

I want DNAT to a specific INSIDE LAN IP for certain ports.

But then SNAT on that port, bound to the WAN IP, to be on the standard SNAT overload that everything gets accumulated in.

'Static 1:1' NAT means, whether it's INGRESS or EGRESS, for that port it'll use that different public IP, and not the OVERLOAD that everything else gets accumulated in.

I think I achieve what I want with 'Port Forwarding Rules' (specifically INGRESS only, right?), but then I notice you can't do ICMP with Port Forwarding... #facepalm... and you can't specify the public address, it just forwards from the WAN IP... #doublefacepalm...

The NAT state machine is such a commodity these days; is it the UX that's the limitation? Maybe with programmatic access you can leverage more flexibility?
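The three rule kinds the thread keeps circling (bidirectional 1:1 NAT, ingress-only port forwarding on the WAN IP, and the outbound PAT overload) can be written down as a small policy evaluator, which makes the answer above concrete: a host behind a 1:1 NAT sources every outbound flow from its dedicated public IP regardless of destination port, and a port-forwarded host only ever receives on the WAN IP, TCP/UDP only. This is an added illustration, not Meraki code or a statement of MX behaviour beyond what the posts say; the addresses (RFC 5737 and RFC 1918 ranges) and the inside hosts are constructed for the example.

```python
"""Toy model of the NAT semantics discussed in the thread (assumption, not a
device's actual implementation): bidirectional 1:1 NAT, ingress-only port
forwarding on the WAN IP, and outbound PAT overload on the WAN IP."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses, not from the thread.
WAN_IP = "203.0.113.1"     # WAN interface address: PAT overload source, port-forward target
DNAT_IP = "203.0.113.10"   # extra public IP set aside for a 1:1 NAT

# 1:1 NAT: public IP <-> inside host, every protocol and port, both directions.
ONE_TO_ONE: Dict[str, str] = {DNAT_IP: "10.0.0.25"}   # the SMTP host

# Port forwarding: ingress only, always on WAN_IP, TCP/UDP only
# (no ICMP, no choice of public address), keyed by (proto, dport).
PORT_FORWARDS: Dict[Tuple[str, int], str] = {
    ("tcp", 443): "10.0.0.30",    # the HTTPS host
    ("tcp", 3389): "10.0.0.31",   # the RDP host
}


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" (from the Internet) or "out" (from the LAN)
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def translate(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (matching rule, translated address).

    For ingress the address is the new destination; for egress it is the new
    source. ("drop", None) means no rule admits the packet."""
    if pkt.direction == "in":
        # 1:1 NAT is protocol-agnostic, so ICMP to the mapped public IP works.
        if pkt.dst in ONE_TO_ONE:
            return ("1:1", ONE_TO_ONE[pkt.dst])
        # Port forwarding exists only on the WAN IP and only for TCP/UDP.
        if pkt.dst == WAN_IP and pkt.proto in ("tcp", "udp") and pkt.dport is not None:
            inside = PORT_FORWARDS.get((pkt.proto, pkt.dport))
            if inside is not None:
                return ("port_forward", inside)
        return ("drop", None)

    # Egress: the reverse of a 1:1 mapping wins regardless of destination port,
    # so a 1:1 host can never fall through to the overload for HTTPS or RDP.
    for public, inside in ONE_TO_ONE.items():
        if pkt.src == inside:
            return ("1:1", public)
    # Everything else is PAT on the WAN interface address.
    return ("overload", WAN_IP)


def egress_source(inside_ip: str, dport: int, proto: str = "tcp") -> str:
    """Which public address the Internet sees for a LAN host's outbound flow."""
    # 198.51.100.7 is a constructed Internet peer.
    return translate(Packet("out", inside_ip, "198.51.100.7", proto, dport))[1]


if __name__ == "__main__":
    peer = "198.51.100.7"
    for p in (Packet("in", peer, DNAT_IP, "tcp", 25),
              Packet("in", peer, DNAT_IP, "icmp"),
              Packet("in", peer, WAN_IP, "tcp", 443),
              Packet("in", peer, WAN_IP, "icmp")):
        print(p, "->", translate(p))
    # The combination asked for in the thread: a 1:1 host sending HTTPS
    # still leaves from DNAT_IP, never from the overload.
    print("1:1 host HTTPS egress:", egress_source("10.0.0.25", 443))
    print("port-forwarded host egress:", egress_source("10.0.0.30", 443))
```

Running it shows the trade-off the replies describe: the SMTP host gets inbound on the dedicated public IP and sources outbound from it (including ICMP, since 1:1 is not port-scoped), while the RDP and HTTPS hosts only receive on the WAN IP, cannot be pinged through the forward, and leave via the overload on the WAN IP.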
