NAT allows requests coming from the internal (local) network to go out to the external network, but it does not allow requests from the external network to come into the internal network. This behavior means that an external device cannot send a packet to a device on the internal network, and that a device on the internal network cannot operate as a server with regard to the external network.
To allow requests from the external network to reach internal network devices, you configure the vEdge router that sits at the edge of the internal network to be a NAT gateway that performs NAT port forwarding (also called port mapping). With such a configuration, the vEdge router sends all packets received on a particular port from an external network to a specific device on the internal (local) network.
Configure NAT Port Forwarding
To configure NAT port forwarding, define one or more port-forwarding rules to send packets received on a particular port from the external network to an internal server:
vEdge(config)# vpn 0
vEdge(config-vpn)# interface geslot/port
vEdge(config-interface)# nat
vEdge(config-nat)# port-forward port-start port-number1 port-end port-number2 proto (tcp | udp) private-vpn vpn-id private-ip-address ip-address
Use the port-start and port-end options to define the desired TCP or UDP port or range of ports. port-number1 must be less than or equal to port-number2. To apply port forwarding to a single port, specify the same port number for the starting and ending numbers. When applying port forwarding to a range of ports, the range includes the two port numbers that you specify—port-number1 and port-number2. Packets whose destination port matches the configured port or ports are forwarded to the internal server.
Each rule applies either to TCP or UDP traffic. To match the same ports for both TCP and UDP traffic, configure two rules.
For each rule, specify the private VPN in which the internal server resides and the IP address of the internal server. This VPN is one of the VPN identifiers in the overlay network.
You can create up to 128 rules.
Considerations for Configuring NAT Port Forwarding
By default, SSH access on a router interface is disabled. However, when you configure NAT port forwarding on an interface in VPN 0 that connects to the internet, NAT port forwarding can potentially be used to allow SSH access to a router from devices on the Internet. Because of this, it is strongly advised that you do not configure NAT port forwarding on such an interface. It is recommended that you use NAT port forwarding only between the router and a service-side VPN.
However, in a lab or proof-of-concept (POC) setting, you might want to configure NAT port forwarding on an interface in VPN 0. The following configuration snippet is an example of such a configuration, which enables NAT port forwarding in VPN 0, thus allowing access to the router through SSH:
system
 aaa
  auth-order local
interface ge0/0
 description Internet
 ip address 192.168.50.28/28
 nat
  no block-icmp-error
  respond-to-ping
  port-forward port-start 22 port-end 22 proto tcp private-vpn 0 private-ip-address 192.168.50.28
  !
 !
 tunnel-interface
  encapsulation ipsec
  color public-internet
 !
 no shutdown
!
This configuration creates a port-forwarding rule for TCP port 22, to accept SSH requests from external devices. As mentioned above, enabling SSH on an internet connection opens up access to the router. Other problems can also arise because of some parts of this configuration:
- respond-to-ping—This command allows the vEdge router to respond to ping requests that are sent from the external network. These ping requests bypass any NAT port-forwarding rules that you have configured. In this configuration, the external network is the Internet, so ping requests can come from anywhere. It is recommended that you do not configure the NAT interface to respond to ping requests. If you need to test reachability, configure this command temporarily and then remove it once the reachability testing is complete.
- private-vpn 0—The SSH requests are sent to the WAN transport VPN, VPN 0. A best practice is to forward external traffic to a service-side VPN, that is, to a VPN other than VPN 0 or VPN 512.
- private-ip-address 192.168.50.28 and ip address 192.168.50.28/28—The address of the internal server to which external traffic is being sent is the same as the IP address of the WAN interface. For the private IP address, a best practice is to specify the IP address of a service-side device. If you need to specify a private IP address for one of the interfaces on the vEdge router, do not use an address in the transport VPN (VPN 0). If you need to use an address in VPN 0, do not use an interface that is connected to the Internet.
- auth-order local—This configuration provides only for local authentication, using the credentials configured on the vEdge router itself. No RADIUS or TACACS server is used to verify the user's SSH login credentials. While this configuration normally does not expose the router to brute-force attacks, here, in the context of the rest of the configuration, it contributes to the router's vulnerability to attack.
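The rule constraints from the configuration section and the pitfalls listed above, expressed as a configuration check. This is an added example, not Cisco or Viptela code: it parses the one-line port-forward form shown in the CLI synopsis, embeds a reduced copy of the lab snippet as constructed sample input, and the names LAB_CONFIG, parse_rules and lint are chosen here.

```python
import re

MAX_RULES = 128            # per-router limit stated in the configuration section
TRANSPORT_VPNS = {0, 512}  # VPN 0 (WAN transport) and VPN 512 (management)
RULE_RE = re.compile(r"port-forward port-start (\d+) port-end (\d+) proto (tcp|udp) "
                     r"private-vpn (\d+) private-ip-address (\S+)")
ADDR_RE = re.compile(r"^\s*ip address (\S+)/\d+", re.M)

# Constructed sample: the page's lab snippet, reduced to the lines that matter here.
LAB_CONFIG = """
system
 aaa
  auth-order local
interface ge0/0
 ip address 192.168.50.28/28
 nat
  respond-to-ping
  port-forward port-start 22 port-end 22 proto tcp private-vpn 0 private-ip-address 192.168.50.28
"""


def parse_rules(config):
    # Each rule becomes a dict of its five parameters; a rule with a bad proto is not matched.
    return [{"start": int(s), "end": int(e), "proto": p, "vpn": int(v), "ip": ip}
            for s, e, p, v, ip in RULE_RE.findall(config)]


def lint(config):
    # Returns (severity, message) pairs for the problems discussed on this page.
    rules, findings = parse_rules(config), []
    wan_addrs = set(ADDR_RE.findall(config))  # addresses of interfaces in the snippet
    if len(rules) > MAX_RULES:
        findings.append(("error", f"{len(rules)} rules exceed the limit of {MAX_RULES}"))
    for r in rules:
        where = f"{r['proto']} {r['start']}-{r['end']} -> vpn {r['vpn']} {r['ip']}"
        if not 1 <= r["start"] <= r["end"] <= 65535:
            findings.append(("error", f"{where}: port-start must not exceed port-end"))
        if r["vpn"] in TRANSPORT_VPNS:
            findings.append(("warn", f"{where}: forward to a service-side VPN, not VPN {r['vpn']}"))
        if r["ip"] in wan_addrs:
            findings.append(("warn", f"{where}: private-ip-address is a router interface address"))
        if r["proto"] == "tcp" and r["start"] <= 22 <= r["end"] and r["vpn"] == 0:
            findings.append(("warn", f"{where}: exposes SSH to the transport side"))
    if re.search(r"^\s*respond-to-ping", config, re.M):
        findings.append(("warn", "respond-to-ping: pings bypass the port-forward rules"))
    if "auth-order local" in config and any(r["vpn"] == 0 for r in rules):
        findings.append(("warn", "auth-order local: only local credentials guard the exposed SSH"))
    return findings
```

Running lint(LAB_CONFIG) reports all five warnings from the bullet list; a rule that forwards to a service-side VPN and a service-side host reports nothing.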