Friday, August 26, 2011

Single Public IP NATing to Multiple Hosts


In my previous blog entry, Multiple Public IP NATing to Multiple Hosts, I described how you can use "one to one" NATing to allocate one public IP address per internal host. This is a great solution for those who have multiple public IPs, however, these usually come at an added monthly cost.

An alternative to this method would be to run your services on different port numbers. For example, if you have three web servers, you could run one on port 80, the next on port 8080 and the last one on port 8081. However, some System Administrators do not like forcing their applications to run on non-standard ports and some applications may not even offer you the option.

So how do we fix this issue you ask? Rather than do the port change on the application(s) themselves, you can simply do it on the router itself. This is a great solution because the applications themselves do not need to be changed and you've got a central point of configuration for all of the port changes. Also, should you decide to invest in additional IP addresses later on down the track, you can migrate the server(s) to their new IP address(es) by simply changing a few lines of configuration.

Using the diagram below, I'll describe how you can achieve this:




Using the "ip nat inside source static tcp/udp" command, we can map port 23 (telnet) on each of the LAN hosts (192.168.45.2, 192.168.45.3 and 192.168.45.4) to a different port on the single public IP (23, 2300 and 2301 respectively).

R1(config)#do sh run | inc ip nat inside source static
ip nat inside source static tcp 192.168.45.2 23 94.56.43.2 23 extendable
ip nat inside source static tcp 192.168.45.3 23 94.56.43.2 2300 extendable
ip nat inside source static tcp 192.168.45.4 23 94.56.43.2 2301 extendable


What this means is that if we try to telnet to:
  • 94.56.43.2 on port 23, we'll connect to 192.168.45.2
  • 94.56.43.2 on port 2300, we'll connect to 192.168.45.3
  • 94.56.43.2 on port 2301, we'll connect to 192.168.45.4
As mentioned above, the beauty of configuring the port changes on the internet router itself (R1) is that we don't need to force telnet to run on different ports on the LAN hosts (R2, R3 and R4).

Let's look at some examples. Here is R1's NAT table before any traffic has been sent: 

R1(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 94.56.43.2:23      192.168.45.2:23    ---                ---
tcp 94.56.43.2:2300    192.168.45.3:23    ---                ---
tcp 94.56.43.2:2301    192.168.45.4:23    ---                ---
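Two things are easy to get wrong with this setup: two hosts accidentally given the same public port (only one can ever be reached), and a static entry that never shows up in the translation table because the router was not configured the way you thought. The following Python is an added example (not from the post or from Cisco) that renders the static PAT lines from a mapping list, refuses duplicate public ports, and checks a constructed "show ip nat translations" dump for the expected static rows.

```python
import re
from collections import namedtuple
# (proto, inside host, service port on the host, port exposed on the public IP)
Mapping = namedtuple("Mapping", "proto inside_ip inside_port global_port")
PUBLIC_IP = "94.56.43.2"                       # R1's public address from the post
MAPPINGS = [Mapping("tcp", "192.168.45.2", 23, 23),
            Mapping("tcp", "192.168.45.3", 23, 2300),
            Mapping("tcp", "192.168.45.4", 23, 2301)]

# Constructed 'show ip nat translations' output in the same layout as R1's.
SAMPLE_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 94.56.43.2:23      192.168.45.2:23    203.43.94.1:42931  203.43.94.1:42931
tcp 94.56.43.2:23      192.168.45.2:23    ---                ---
tcp 94.56.43.2:2300    192.168.45.3:23    ---                ---
tcp 94.56.43.2:2301    192.168.45.4:23    ---                ---
"""

def build_static_nat(public_ip, mappings):
    """Render the static PAT lines; a (proto, public port) pair may be used once only,
    since a second host behind the same public port can never be reached."""
    owner, lines = {}, []
    for m in mappings:
        key = (m.proto, m.global_port)
        if key in owner:
            raise ValueError(f"{m.proto}/{m.global_port} already forwards to {owner[key]}")
        owner[key] = m.inside_ip
        lines.append(f"ip nat inside source static {m.proto} {m.inside_ip} "
                     f"{m.inside_port} {public_ip} {m.global_port} extendable")
    return lines

ROW = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)$")

def parse_static_entries(text):
    """Map (proto, public port) -> (inside ip, inside port) for rows with no outside
    address, i.e. the permanent static entries rather than live sessions."""
    static = {}
    for line in text.splitlines():
        row = ROW.match(line.strip())
        if row and row.group(6) == "---":
            proto, _gip, gport, lip, lport, _ol, _og = row.groups()
            static[(proto, int(gport))] = (lip, int(lport))
    return static

def missing_mappings(mappings, table_text):
    """Configured mappings that the router's translation table does not show."""
    present = parse_static_entries(table_text)
    return [m for m in mappings
            if present.get((m.proto, m.global_port)) != (m.inside_ip, m.inside_port)]
```

Feed the real "show ip nat translations" output into missing_mappings to confirm every forward is in place before testing from outside.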


Now I'll initiate some telnet sessions from R1 to 94.56.43.2 and its multiple ports. I'll start with port 23:

R5#telnet 94.56.43.2 23
Trying 94.56.43.2 ... Open


Now let's take a look at the NAT translation table: 

R1(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 94.56.43.2:23      192.168.45.2:23    203.43.94.1:42931  203.43.94.1:42931
tcp 94.56.43.2:23      192.168.45.2:23    ---                ---
tcp 94.56.43.2:2300    192.168.45.3:23    ---                ---
tcp 94.56.43.2:2301    192.168.45.4:23    ---                ---


Now I'll try ports 2300 and 2301: 

R5#telnet 94.56.43.2 2300
Trying 94.56.43.2, 2300 ... Open
R5#
R5#telnet 94.56.43.2 2301
Trying 94.56.43.2, 2301 ... Open


And now let's take another look at the NAT translation table: 

R1(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 94.56.43.2:23      192.168.45.2:23    ---                ---
tcp 94.56.43.2:2300    192.168.45.3:23    203.43.94.1:23292  203.43.94.1:23292
tcp 94.56.43.2:2300    192.168.45.3:23    ---                ---
tcp 94.56.43.2:2301    192.168.45.4:23    203.43.94.1:49225  203.43.94.1:49225
tcp 94.56.43.2:2301    192.168.45.4:23    ---                ---


As always, if you have any questions or have a topic that you would like me to discuss, please feel free to post a comment at the bottom of this blog entry, e-mail at myciscolabsblog@gmail.com, or drop me a message on Twitter (@OzNetNerd).

Note: This website is my personal blog. The opinions expressed in this blog are my own and not those of my employer.

8 comments:

  1. Hi!

    Can't get this to work, and I don't know why...

    This is my config:
    ip nat inside source list NAT interface Serial0/0/0 overload
    ip nat inside source static tcp 192.168.1.2 23 10.1.1.1 23 extendable

    When I try to use telnet from the outside to the address 10.1.1.1 (which is the outside interface in this case) it keeps telnetting to the router itself and not to 192.168.1.2.

    What am I doing wrong?

  2. Hi there.

    Have you put the "ip nat inside" and "ip nat outside" commands on the right interfaces?

    If you have, feel free to e-mail me your "show run" output ( myciscolabsblog@gmail.com ) and I'd be happy to take a look.

  3. No! And the funny thing is that I always forget it and it takes ages for me to figure out what's wrong!

    Thank you!

  4. hehe, not a problem at all, I'm glad I could help :)

  5. But I do have one question.
    The extendable keyword, what does it do?

    When I use:
    ip nat inside source static tcp 192.168.1.2 23 interface Serial0/0/0 23

    instead of:
    ip nat inside source static tcp 192.168.1.2 23 10.1.1.1 23 extendable

    It works as well as the other; is there a difference?

  6. In my blog post, the extendable keyword isn't actually required, though it doesn't hurt having it.

    For more information on the "extendable" keyword though, have a read of this page:

    http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html

  7. Is it possible to control it with multiple public IPs?
    Just like:
    94.56.43.2 on port 23, we'll connect to 192.168.45.2 port 23
    94.56.43.3 on port 2300, we'll connect to 192.168.45.3 port 23
    94.56.43.4 on port 2301, we'll connect to 192.168.45.4 port 23
    How to do this?

    1. Hi Kyle, yes, this most certainly can be done. A lot of people do a similar setup when they only have one public IP. For example:

      94.56.43.2 on port 23, we'll connect to 192.168.45.2 port 23
      94.56.43.2 on port 2300, we'll connect to 192.168.45.3 port 23
      94.56.43.2 on port 2301, we'll connect to 192.168.45.4 port 23

      This way they don't have to buy multiple public IP addresses.
