Access to a PAT-ed network questions.

does PAT-ed network can be accessed by a static route?
for example :
ip route 192.168.0.0/24 172.16.0.2. -> can it be done?
just wondering

because afaik, it uses ports to differentiate the connection right? well if it can be accessed by a static route - then the concept of PAT/ICS will fall down.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Drakonblayde

well, you can certainly define that all traffic being sent to a certain address will go follow a certain route, but there's no guarentee you're going to get a response. Most routers will drop packets that have addresses that fall in the RFC1918 address spaces.

PAT uses ports to differentiate the connections, yeah, but the ip address itself is being translated as well. The outside world will never see a packet coming from the private space behind the network, all they'll see is the ip address of the interface that's sending the packet outside of the internal network.

I suppose you could try source routing a packet to an ip behind the firewall, but any network administrator who allows that kind of traffic through his network needs to be shot and admitted to hell as it's chief damned soul for such a cardinal sin.

rossonieri#1

ok,
if the PAT-ed network has a public DHCP address from ISP - the ICS server will giving address like 192.168.0.0/16 to its network. and how can i differentiate which one of the host serving DNS, WWW, FTP etc.
well, if i use NAT with pool - i surely can point a specific IP to the service. but how about PAT??

tunerX

You use NAT overload with static translations to get this done.
DNS - 192.168.1.6
WWW - 192.168.1.7
FTP - 192.168.1.8
SMTP - 192.168.1.9

ip nat inside source list 7 interface serial 0 overload
ip nat inside source static tcp 192.168.1.6 53 80.19.125.2 53
ip nat inside source static udp 192.168.1.6 53 80.19.125.2 53
ip nat inside source static tcp 192.168.1.7 80 80.19.125.2 80
ip nat inside source static tcp 192.168.1.8 21 80.19.125.2 21
ip nat inside source static tcp 192.168.1.9 25 80.19.125.2 25

interface e 0
ip address 192.168.1.1 255.255.255.0
ip nat inside

interface s 0
ip address 80.19.125.2 255.255.255.252
ip nat outside

access-list 7 permit 192.168.1.0 0.0.0.255

ip route 0.0.0.0 0.0.0.0 80.19.125.2

tunerX

DrakonBlayde,

I got a port forwarding question either on the BSCI or the BCRAN (I cannot remember). I did get an overlapping question on the CCIE written. It would be a good idea to learn the different ways to forward and also how to use overlapping nat.

rossonieri#1

ok, and wow. thanks tunerX...

Drakonblayde

I guess I misunderstood the question then... Yeah, I know how to forward ports, I've got my services running on different boxes behind a single router with a single public IP address.

I thought he was asking if you could get past NAT/PAT with a static route, I assumed from the outside, and that's just not gonna work. I see what he's trying to do now, he's trying to hit different services from outside the firewall, to different machines inside, and you don't need a static route for that, just a public IP on the wan interface, and proper forwarding rules.

So the answer to his initial question is no