Static NAT
Static NAT entries rewrite traffic, either redirecting inbound traffic to a fixed host on an internal network or mapping outbound traffic to a fixed external address on the way out:
tnsr(config)# nat pool addresses <external address>
tnsr(config)# nat static mapping [(icmp|tcp|udp|any)]
local <local address> [(any|<local port>)]
external (<external address>|<external interface>) [(any|<external port>)]
[twice-nat] [out-to-in-only] [route-table <rt-tbl-name>]
There are two common use cases for static NAT in practice: Port Forwarding and 1:1 NAT.
Warning
Remember to add the address of the outside interface as a part of a NAT pool (NAT Pool Addresses) or the static NAT entry will fail to commit.
Warning
The out-to-in-only and twice-nat features require endpoint-dependent NAT mode. In TNSR 18.11 and later, this is the default mode.
The following commands set TNSR to endpoint-dependent NAT mode:
tnsr(config)# nat global-options nat44 enabled false
tnsr(config)# nat global-options nat44 endpoint-dependent true
tnsr(config)# nat global-options nat44 enabled true
The protocol, and the port numbers for protocols which use ports, may be omitted. When omitted, the value defaults to any.
Port Forwards
Port forwards redirect a port on an external NAT pool address to a port on a local host. A port forward is accomplished by specifying ports in the static NAT command:
tnsr(config)# nat pool addresses 203.0.113.2
tnsr(config)# nat static mapping tcp local 10.2.0.5 22 external 203.0.113.2 222
In the above example, a TCP connection to port 222 on 203.0.113.2 will be forwarded to port 22 on 10.2.0.5. The source address remains the same.
Note
To forward all TCP or UDP ports, use the keyword any instead of a specific port number.
1:1 NAT
1:1 NAT, also called One-to-One NAT or in some cases “Network Address Translation”, maps all protocols and ports of an external address to an internal address. This mapping works for inbound and outbound packets. To create a 1:1 mapping, make a static NAT entry which does not specify any protocol or ports:
tnsr(config)# nat pool addresses 203.0.113.3
tnsr(config)# nat static mapping local 10.2.0.5 external 203.0.113.3
Note
The protocol may also be specified as any in this case.
Twice NAT
Twice NAT changes both the source and destination address of inbound connection packets. This works similarly to a static NAT port forward, but requires an additional NAT address specification.
First, add the internal address for source translation:
tnsr(config)# nat pool addresses 10.2.0.2 twice-nat
Next, add the external address to which the client originally connects:
tnsr(config)# nat pool addresses 203.0.113.2
Finally, add the static mapping which sets up the destination translation:
tnsr(config)# nat static mapping tcp local 10.2.0.5 22 external 203.0.113.2 222 twice-nat
In the above example, a TCP connection to port 222 on 203.0.113.2 will be forwarded to port 22 on 10.2.0.5. When the packet leaves TNSR, the source is translated so the connection appears to originate from 10.2.0.2 using a random source port.
Warning
This feature requires endpoint-dependent NAT mode. In TNSR 18.11 and later, this is the default mode.
The following commands set TNSR to endpoint-dependent NAT mode:
tnsr(config)# nat global-options nat44 enabled false
tnsr(config)# nat global-options nat44 endpoint-dependent true
tnsr(config)# nat global-options nat44 enabled true
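The preconditions stated on this page (the external address of a static mapping must be a NAT pool address or the commit fails; twice-nat needs a pool address flagged twice-nat for source translation; twice-nat and out-to-in-only require endpoint-dependent mode) can be checked before a commit. The following is an added pre-commit linter written for this page, not TNSR's own tooling; it parses the command forms shown above from a constructed sample configuration with the tnsr(config)# prompt stripped, and the regular expressions only cover the syntax documented here.

```python
import re
from typing import List

# Constructed sample config (prompt stripped); 203.0.113.3 is deliberately
# left out of the NAT pool so the commit-failure check fires on it.
SAMPLE_CONFIG = """\
nat global-options nat44 endpoint-dependent true
nat global-options nat44 enabled true
nat pool addresses 203.0.113.2
nat pool addresses 10.2.0.2 twice-nat
nat static mapping tcp local 10.2.0.5 22 external 203.0.113.2 222
nat static mapping tcp local 10.2.0.5 22 external 203.0.113.2 222 twice-nat
nat static mapping local 10.2.0.6 external 203.0.113.3
"""

POOL_RE = re.compile(r"^nat pool addresses (\S+)(?P<twice> twice-nat)?$")
MAP_RE = re.compile(
    r"^nat static mapping(?: (?:icmp|tcp|udp|any))? local \S+(?: \S+)?"
    r" external (?P<ext>\S+)(?: \S+)?"
    r"(?P<flags>(?: (?:twice-nat|out-to-in-only|route-table \S+))*)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
EDM_RE = re.compile(r"^nat global-options nat44 endpoint-dependent (true|false)$")


def lint_nat_config(text: str) -> List[str]:
    """Return findings for static NAT preconditions; empty list means clean."""
    pool, twice_pool, mappings, findings = set(), set(), [], []
    endpoint_dependent = False
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := POOL_RE.match(line)):
            (twice_pool if m.group("twice") else pool).add(m.group(1))
        elif (m := EDM_RE.match(line)):
            endpoint_dependent = m.group(1) == "true"
        elif (m := MAP_RE.match(line)):
            mappings.append((line, m.group("ext"), m.group("flags").split()))
        elif line.startswith("nat static mapping"):
            findings.append(f"unparsed static mapping: {line}")
    for line, ext, flags in mappings:
        # Rule 1: an external *address* must be in the NAT pool or the commit fails
        # (an external interface name is accepted by the syntax and skipped here).
        if IPV4_RE.match(ext) and ext not in pool:
            findings.append(f"external {ext} is not in 'nat pool addresses': {line}")
        # Rule 2: twice-nat needs a pool address flagged twice-nat for the source rewrite.
        if "twice-nat" in flags and not twice_pool:
            findings.append(f"twice-nat mapping without a twice-nat pool address: {line}")
        # Rule 3: twice-nat and out-to-in-only require endpoint-dependent NAT mode.
        if {"twice-nat", "out-to-in-only"} & set(flags) and not endpoint_dependent:
            findings.append(f"endpoint-dependent mode not enabled but required by: {line}")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_nat_config(SAMPLE_CONFIG)) or "no findings")
```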