pzam
How to redirect outbound traffic via Cisco IOS?
Is there a way to redirect all OUTBOUND traffic addressed to a specific host to a different one via Cisco IOS?
For example, I want to be able to redirect all traffic addressed to 74.134.x.x to 68.114.x.x. The specific client in this case is a Windows box.
Will the clients be using the IP address or the hostname of the external service?
If you are using the hostname then you will be able to accomplish this with DNS (assuming that you have an internal DNS server) or by changing the hosts file. If you need to use the IP address then you will have to implement DNAT (https://supportforums.cisco.com/thread/223940). This scenario will probably be incompatible with your setup if you are using the IOS router to do NAT (PAT) to the internet.
ASKER
Unfortunately, the client is using an IP address; a FQDN is not an option.
The DNAT options that I have found in IOS all involve an outside global address of the Cisco as the destination. I need something that will redirect a remote global IP.
For example, I need this packet:
source 192.168.1.x port 10001 destination 74.134.x.x port 10001
Redirected/changed/fixed-up to:
source 192.168.1.x port 10001 destination 68.114.x.x port 10001
Will DNAT accomplish this and I just missed it?
Sorry, I don't have a lot of experience with DNAT; it looks like you would want to do this?
ip nat inside source static 74.134.x.x 10001 68.114.x.x
Then apply the ip nat inside (local lan) and ip nat outside (internet facing).
To make sure you could put a switch between your IOS router and the internet connection, then mirror the port to a computer running wireshark to check that the translation occurred.
Again I'm not 100% sure on the config, maybe someone else has more xp with DNAT.
ASKER
The only address option following IP NAT INSIDE SOURCE STATIC is defined as 'A.B.C.D Inside local IP address.' I have yet to find a command that takes a remote IP as an argument.
Just for SAG, I did try the entry you suggested. The router accepts the command, but it does not work. :)
ASKER CERTIFIED SOLUTION
Thanks Garry-G, any update on this pzam?
ASKER
Garry-G,
I originally thought that some variant of 'ip nat outside destination static' would be the command needed. After all, I was wanting to redirect one outside destination to another. Needless to say, I came to find that is not a command option in Version 15.0(1)M1.
I have since tried your version using the 'ip nat outside source static' syntax, but it does not work. The actual address options on that command are Outside Global, then Outside Local, which does not appear to allow two remote IPs.
Any other ideas?
Thanks.
Ah, the joys of new IOS versions ... tested that on a 12.4 box ... although, checking with a rather new 1941 15.0(1)M5, the command is accepted just fine ... in fact, I can't seem to find any mention of the "ip nat outside global" syntax ... are you certain you're in the right context?
try PBR (Policy Based Routing): http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcpolicy.html
PBR is useful for multiple outgoing LINKS, not changing destination addresses ...
ASKER
Garry-G,
I found the 'Outside Global' and 'Outside Local' definitions by using the help prompt. That is, typing in 'ip nat outside source static ?' produced:
A.B.C.D Outside global IP address
network Subnet translation
tcp Transmission Control Protocol
udp User Datagram Protocol
Then, typing 'ip nat outside source static 74.134.x.x ?' produced:
A.B.C.D Outside local IP address
Given the definitions provided, I don't think this will do what I want. Since I want to substitute one remote IP for another, both IPs would have to be a destination outside global.
Also, my router accepted the original command you suggested; it just didn't work as intended.
I wonder if there is something like a Tcl script that would accomplish this...?
SOLUTION
ASKER
Your last comment helped to resolve this issue. I was, indeed, getting mired in semantics. I looked up the address definitions on Cisco and found a very helpful explanation:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094837.shtml
In doing so, I found that the original command you suggested was correct - except that the IPs were reversed for my specific needs. That is, the correct syntax turned out to be:
ip nat outside source static [REDIRECTED_IP] [IP_TO_REDIRECT]
Thanks for your help!
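A complete configuration illustrating the accepted answer, added here as an example and not posted by anyone in the thread. It uses RFC 5737 documentation addresses in place of the thread's partially masked ones: 203.0.113.10 stands in for 74.134.x.x (the address the Windows client is hard-coded to send to) and 198.51.100.20 for 68.114.x.x (the host the traffic should actually reach). The interface names, the router's uplink address 192.0.2.1 and the next hop 192.0.2.2 are assumptions.

```cisco
! Interface roles: NAT only acts on packets that cross an inside/outside boundary.
interface GigabitEthernet0/0
 description LAN (192.168.1.0/24, the client lives here)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Internet uplink (addresses assumed for this example)
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 192.0.2.2
!
! Ordinary PAT for the LAN, as in the asker's existing setup; it coexists with the
! outside-source translation below (the router applies both to the same packet).
ip access-list standard LAN-HOSTS
 permit 192.168.1.0 0.0.0.255
ip nat inside source list LAN-HOSTS interface GigabitEthernet0/1 overload
!
! The fix from the thread: ip nat outside source static <outside global> <outside local>
!   outside global = the host that really exists   (68.114.x.x in the thread, 198.51.100.20 here)
!   outside local  = the address the client sends to (74.134.x.x in the thread, 203.0.113.10 here)
! Inside -> outside: routing happens first, then dst 203.0.113.10 is rewritten to 198.51.100.20.
! Outside -> inside: src 198.51.100.20 is rewritten back to 203.0.113.10 before routing, so the
! client sees replies from the address it expects. Ports are left untouched.
ip nat outside source static 198.51.100.20 203.0.113.10
!
! Narrower alternative if only the one service should be redirected (port 10001 -> 10001,
! matching the asker's requirement); use 'udp' instead of 'tcp' for a UDP service.
! ip nat outside source static tcp 198.51.100.20 10001 203.0.113.10 10001
!
! Verification from enable mode:
!   show ip nat translations   - lists the static entry plus a per-flow entry while the client talks
!   show ip nat statistics     - confirms which interfaces are inside/outside and hit counts
!   debug ip nat               - prints each translation as it happens (use briefly on a busy router)
```

Two practical caveats. First, the translation only fires if the packet for 203.0.113.10 is routed out the `ip nat outside` interface; with a plain default route that holds, but if a more specific route sends it elsewhere no NAT occurs (the `add-route` keyword on the static entry installs a host route for the outside local address if needed). Second, because this rewrite is invisible to the client, an `ip nat outside source static` line is also exactly what someone with enable access would add to quietly divert traffic, so it is worth including `show running-config | include ip nat outside source` in routine configuration audits.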