Static NAT

Static NAT entries alter traffic, redirecting it to a static host on an internal network, or mapping it to a static address on the way out:

tnsr(config)# nat pool addresses <external address>
tnsr(config)# nat static mapping [(icmp|tcp|udp|any)]
                  local <local address> [(any|<local port>)]
                  external (<external address>|<external interface>) [(any|<external port>)]
                  [twice-nat] [out-to-in-only] [route-table <rt-tbl-name>]

There are two common use cases for static NAT in practice: Port Forwarding and 1:1 NAT.

Warning

Remember to add the address of the outside interface as a part of a NAT pool (NAT Pool Addresses) or the static NAT entry will fail to commit.

Warning

The out-to-in-only and twice-nat features require endpoint-dependent NAT mode. In TNSR 18.11 and later, this is the default mode.

The following commands set TNSR to endpoint-dependent NAT mode:

tnsr(config)# nat global-options nat44 enabled false
tnsr(config)# nat global-options nat44 endpoint-dependent true
tnsr(config)# nat global-options nat44 enabled true

The protocol, and port numbers for protocols which use ports, may be omitted. When omitted, the value defaults to any.

Port Forwards

Port forwards redirect a port on an external NAT pool address to a port on a local host. A port forward is accomplished by specifying ports in the static NAT command:

tnsr(config)# nat pool addresses 203.0.113.2
tnsr(config)# nat static mapping tcp local 10.2.0.5 22 external 203.0.113.2 222

In the above example, a TCP connection to port 222 on 203.0.113.2 will be forwarded to port 22 on 10.2.0.5. The source address remains the same.

Note

To forward all TCP or UDP ports, use the keyword any instead of a specific port number.

1:1 NAT

1:1 NAT, also called One-to-One NAT or in some cases “Network Address Translation”, maps all protocols and ports of an external address to an internal address. This mapping works for inbound and outbound packets. To create a 1:1 mapping, make a static NAT entry which does not specify any protocol or ports:

tnsr(config)# nat pool addresses 203.0.113.3
tnsr(config)# nat static mapping local 10.2.0.5 external 203.0.113.3

Note

The protocol may also be specified as any in this case.

Twice NAT

Twice NAT changes both the source and destination address of inbound connection packets. This works similar to a static NAT port forward, but requires an additional NAT address specification.

First, add the internal address for source translation:

tnsr(config)# nat pool addresses 10.2.0.2 twice-nat

Next, add the external address to which the client originally connects:

tnsr(config)# nat pool addresses 203.0.113.2

Finally, add the static mapping which sets up the destination translation:

tnsr(config)# nat static mapping tcp local 10.2.0.5 22 external 203.0.113.2 222 twice-nat

In the above example, a TCP connection to port 222 on 203.0.113.2 will be forwarded to port 22 on 10.2.0.5. When the packet leaves TNSR, the source is translated so the connection appears to originate from 10.2.0.2 using a random source port.

Warning

This feature requires endpoint-dependent NAT mode. In TNSR 18.11 and later, this is the default mode.

The following commands set TNSR to endpoint-dependent NAT mode:

tnsr(config)# nat global-options nat44 enabled false
tnsr(config)# nat global-options nat44 endpoint-dependent true
tnsr(config)# nat global-options nat44 enabled true