NAT allows requests coming from the internal (local) network to reach the external network, but it does not allow requests from the external network to come into the internal network. This means that an external machine cannot send a packet to a device on the internal network, and that a device on the internal network cannot act as a server for the external network.
To allow requests from the external network to reach internal network devices, you configure the vEdge router that sits at the edge of the internal network to be a NAT gateway that performs NAT port forwarding (also called port mapping). With such a configuration, the vEdge router sends all packets received on a particular port from an external network to a specific device on the internal (local) network.
Configure NAT Port Forwarding
To configure NAT port forwarding, define one or more port-forwarding rules to send packets received on a particular port from the external network to an internal server:
vEdge(config)# vpn 0
vEdge(config-vpn)# interface ge<slot>/<port>
vEdge(config-interface)# nat
vEdge(config-nat)# port-forward port-start port-number1 port-end port-number2 proto (tcp | udp) private-vpn vpn-id private-ip-address ip-address
Use the port-start and port-end options to define the port or port range of interest. port-number1 must be less than or equal to port-number2. To apply port forwarding to a single port, specify the same port number for the starting and ending numbers. When applying port forwarding to a range of ports, the range includes the two port numbers that you specify—port-number1 and port-number2. Packets whose destination port matches the configured port or ports are forwarded to the internal server.
Each rule applies either to TCP or UDP traffic. To match the same ports for both TCP and UDP traffic, configure two rules.
For each rule, specify the private VPN in which the internal server resides and the IP address of the internal server. This VPN is one of the VPN identifiers in the overlay network.
You can create up to 128 rules.
Best Practices for Configuring NAT Port Forwarding
Configuring NAT port forwarding can, in some circumstances, make the vEdge router vulnerable to brute-force attacks. The following configuration snippet illustrates a case where the router could fall victim to an SSH brute-force attack:
system
 aaa
  auth-order local
interface ge0/0
 description Internet
 ip address 192.168.50.28/28
 nat
  no block-icmp-error
  respond-to-ping
  port-forward port-start 22 port-end 22 proto tcp private-vpn 0 private-ip-address 192.168.50.28
 !
 !
 tunnel-interface
  encapsulation ipsec
  color public-internet
 !
 no shutdown
!
This configuration creates a port-forwarding rule for TCP port 22, to accept SSH requests from external devices. By itself, this rule provides no opening for brute-force attacks. (As a side note, enabling SSH on a router interface that is connected to the internet is inherently unsafe.) However, problems can arise because of some of the other commands in this configuration:
- respond-to-ping—This command allows the vEdge router to respond to ping requests that are sent from the external network. These ping requests bypass any NAT port-forwarding rules that you have configured. In this configuration, the external network is the Internet, so ping requests can come from anywhere. It is recommended that you do not configure the NAT interface to respond to ping requests. If you need to test reachability, configure this command temporarily and then remove it once the reachability testing is complete.
- private-vpn 0—The SSH requests are sent to the WAN transport VPN, VPN 0. A best practice is to forward external traffic to a service-side VPN, that is, to a VPN other than VPN 0 or VPN 512.
- private-ip-address 192.168.50.28 and ip address 192.168.50.28/28—The address of the internal server to which external traffic is being sent is the same as the IP address of the WAN interface. For the private IP address, a best practice is to specify the IP address of a service-side device. If you need to specify a private IP address for one of the interfaces on the vEdge router, do not use an address in the transport VPN (VPN 0). If you need to use an address in VPN 0, do not use an interface that is connected to the Internet.
- auth-order local—This configuration provides only for local authentication, using the credentials configured on the vEdge router itself. No RADIUS or TACACS server is used to verify the user's SSH login credentials. While this configuration normally does not expose the router to brute-force attacks, here, in the context of the rest of the configuration, it contributes to the router's vulnerability to attack.
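As an added example that is not part of this Cisco documentation, the following Python audit reads a vEdge-style configuration and flags the four weaknesses listed above (respond-to-ping, a private-vpn of 0, a private-ip-address that equals the WAN interface address, and a local-only auth-order). The configuration text, the hardened variant, the service VPN 1 and the LAN host 10.1.1.10 are constructed assumptions, not values from the page.

```python
import re
from ipaddress import ip_interface

PF_RE = re.compile(r"port-forward port-start (\d+) port-end (\d+) proto (tcp|udp) "
                   r"private-vpn (\d+) private-ip-address (\S+)")

# Constructed sample (not from a live router): the weak snippet above, reduced to the lines that matter.
WEAK_CONFIG = """\
system
 aaa
  auth-order local
vpn 0
 interface ge0/0
  ip address 192.168.50.28/28
  nat
   respond-to-ping
   port-forward port-start 22 port-end 22 proto tcp private-vpn 0 private-ip-address 192.168.50.28
"""
# Hardened variant: RADIUS first, no ping response, forward into service VPN 1 to an assumed LAN host.
HARDENED_CONFIG = (WEAK_CONFIG.replace("auth-order local", "auth-order radius local")
                   .replace("   respond-to-ping\n", "")
                   .replace("private-vpn 0 private-ip-address 192.168.50.28",
                            "private-vpn 1 private-ip-address 10.1.1.10"))

def audit_port_forwarding(config: str) -> list[str]:
    """Return one finding per best-practice violation; an empty list means clean."""
    findings, wan_addrs, vpn, iface, local_only, rules = [], set(), None, None, False, 0
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vpn (\d+)", line):
            vpn = m.group(1)
        elif line.startswith("interface "):
            iface = line.split()[1]
        elif line.startswith("ip address ") and vpn == "0":
            wan_addrs.add(str(ip_interface(line.split()[2]).ip))  # transport (WAN) address
        elif line == "auth-order local":  # no RADIUS/TACACS anywhere in the order
            local_only = True
        elif line == "respond-to-ping":
            findings.append(f"{iface}: respond-to-ping answers external pings, bypassing port-forward rules")
        elif m := PF_RE.fullmatch(line):
            rules += 1
            start, end, proto, pvpn, server = m.groups()
            if pvpn == "0":
                findings.append(f"{iface}: {proto}/{start}-{end} is forwarded into transport VPN 0; use a service-side VPN")
            if server in wan_addrs:
                findings.append(f"{iface}: private-ip-address {server} is the WAN interface's own address")
    if rules and local_only:
        findings.append("auth-order local: exposed services rely on local credentials only")
    return findings
```

Running the audit on WEAK_CONFIG yields four findings, one per item in the list above; HARDENED_CONFIG yields none.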