Source and destination NAT for accessing SSH internal device from internet

Publication Date:  2016-11-30
Issue Description

Set up NAT port translation so that an SSH session initiated from a host on the internet to a particular port on the AR160's outside interface is translated to a particular port/IP combination on the AR160's inside interface.

For example, an SSH session initiated from a host on the internet to port 64444 of the AR's external interface should be translated to port 22 and the internal IP address of the CE switch, using the following configuration on interface GE0/0/4:

interface GigabitEthernet0/0/4
 ip address 10.1.139.6 255.255.255.0
 nat server protocol tcp global current-interface 64444 inside 192.168.200.131 22

This works for normal devices, but there is a problem when using this method to access the internal switches' Meth interfaces. The NAT statement above only changes the destination of the packets, not the source, so the source remains the external IP address of the host. The switches don't have a route back to that external IP address, so they drop the traffic.

One possibility is to create a separate routing table for the Meth interface using a VPN, but this is not desired because of the large number of internal switches that need to be accessed.

What is needed is a configuration on the AR160 router that changes the source IP/port of the incoming packets.



Solution

For the switches' Meth interfaces to return packets to the host on the internet, source NAT is needed to translate the host's public IP into a private IP from the same subnet as the switch.

Configure NAT outbound on the internal AR interface so that the source address is changed when packets leave the router:

acl number 3000
 rule 5 permit ip source [Public IP of Host] 0    //0 is the wildcard mask, matching the single host address

interface Ethernet2/0/0
 nat outbound 3000    //Configure outbound NAT to translate the source IP address used when external users access the internal network, so that the internal network does not need to import routes of the external network.
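As an added illustration, not part of the original article, the following Python model walks one SSH packet through both translation stages on the AR160 and shows why the switch can only answer once the source is rewritten. The Ethernet2/0/0 address, the host's public IP and the translated source port are constructed values not given on the page.

```python
from ipaddress import ip_address, ip_network

# Values from the article: the GE0/0/4 address, the switch's Meth address and the ports.
ROUTER_OUTSIDE_IP = "10.1.139.6"
SWITCH_METH_IP = "192.168.200.131"
# Constructed values (not on the page): the AR's Ethernet2/0/0 address, assumed to sit in the
# switch's subnet, and the public IP of the host on the internet.
ROUTER_INSIDE_IP = "192.168.200.1"
HOST_PUBLIC_IP = "203.0.113.10"
# The Meth interface only knows its connected subnet; there is no route to the internet.
SWITCH_ROUTES = [ip_network("192.168.200.0/24")]

# "nat server protocol tcp global current-interface 64444 inside 192.168.200.131 22"
NAT_SERVER = {("tcp", ROUTER_OUTSIDE_IP, 64444): (SWITCH_METH_IP, 22)}
# "acl number 3000 / rule 5 permit ip source <Public IP of Host> 0"
ACL_3000 = [ip_network(HOST_PUBLIC_IP + "/32")]


def apply_nat_server(pkt):
    """Destination NAT on GE0/0/4: rewrite dst IP/port when the global port matches."""
    key = (pkt["proto"], pkt["dst"], pkt["dport"])
    if key in NAT_SERVER:
        pkt = dict(pkt, dst=NAT_SERVER[key][0], dport=NAT_SERVER[key][1])
    return pkt


def apply_nat_outbound(pkt):
    """Source NAT on Ethernet2/0/0 (no address pool, so the egress interface address is
    used): sources permitted by ACL 3000 are rewritten; the new source port is assumed."""
    if any(ip_address(pkt["src"]) in net for net in ACL_3000):
        pkt = dict(pkt, src=ROUTER_INSIDE_IP, sport=10240)
    return pkt


def switch_has_return_route(pkt):
    """The switch can only reply if the packet's source lies in a subnet it has a route to."""
    return any(ip_address(pkt["src"]) in net for net in SWITCH_ROUTES)


def forward(pkt, with_source_nat):
    """Walk a packet through the AR160; returns (packet as seen by the switch, replyable)."""
    pkt = apply_nat_server(pkt)
    if with_source_nat:
        pkt = apply_nat_outbound(pkt)
    return pkt, switch_has_return_route(pkt)


# Constructed SSH SYN from the internet host to port 64444 on the AR's outside interface.
SSH_SYN = {"proto": "tcp", "src": HOST_PUBLIC_IP, "sport": 51515,
           "dst": ROUTER_OUTSIDE_IP, "dport": 64444}

if __name__ == "__main__":
    for mode in (False, True):
        seen, ok = forward(SSH_SYN, mode)
        print("nat outbound" if mode else "nat server only", seen, "switch can reply:", ok)
```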


