NAT with static port forwarding

With NAT, the source IP address and the port of the host on the private side (inside) of the network are translated to an external IP address and port on the public side (outside) of the network. The IP address on the inside can be assigned to a raw socket IP host connected to an RS-232 serial interface or assigned to an IP interface associated with an Ethernet port.

Static port forwarding is configured on the CLI using the following parameters:

  • inside IP address

  • inside port

  • outside IP address

  • outside port

  • protocol

NAT with static port forwarding shows an example of a network with a 7705 SAR-Hm series node configured to use NAT with static port forwarding.

Figure 1. NAT with static port forwarding

In the scenario shown above, the "RTU" VPRN service is inside and the "SCADA" VPRN service is outside. The "RTU" VPRN contains two IP transport services, one for each connected device. For information about IP transport services, see IP transport services and also see "Serial Transport over Raw Sockets" in the 7705 SAR-Hm and SAR-Hmc Interface Configuration Guide.

NAT with static port forwarding shows specific values for the inside IP address and port and outside IP address and port. The cellular interface of the node is used as the network-facing interface to transport the outside VPRN traffic.

When a packet is sent from the SCADA master to the node over the LTE network, it will be carried within the outside "SCADA" VPRN service toward the node. The node will send the packet to the BB-ISA MDA to perform the required NAT function based on the configured NAT policy. NAT is applied to the packet as needed. The packet is then processed by the inside "RTU" VPRN service, destined to the corresponding IP transport service.

When a packet is sent from the RTU toward the SCADA master, the inside "RTU" VPRN service sends the packet to the BB-ISA MDA where the NAT policy translates the IP address and port to the outside IP address and port, The BB-ISA MDA then sends the packet to the outside "SCADA" VPRN service where it is routed over the cellular interface using the "SCADA" VPRN service.

The steps and CLI outputs below show the configuration of NAT with static port forwarding based on NAT with static port forwarding.

  1. Configure NAT on the BB-ISA MDA:

    config
         isa
            nat-group 1  
                  mda 1/6
    
  2. Configure the inside "RTU" VPRN (1) service for the inside static port forwarding NAT function:

    config
         service 
              vprn 1   
                 interface 'rtu1'
                     address 192.168.0.1/32
                     loopback 
                 interface 'rtu2'
                     address 192.168.0.2/32
                     loopback 
                 ip-transport 1/3/1
                     local-host ip-addr 192.168.0.1 port-num 2000 protocol udp
                     remote-host ip-addr 1.2.3.4 port-num 1000 protocol udp 
                 ip-transport 1/3/2
                     local-host ip-addr 192.168.0.2 port-num 2000 protocol udp
                     remote-host ip-addr 1.2.3.4 port-num 1000 protocol udp
        
        
    config
         service 
              vprn 1   
                 nat
                     inside 
                         destination-prefix 1.2.3.4/24   .  
                         nat-policy 'sar-hm-1'  
        
        
    config
         service 
               nat 
                    nat-policy 'sar-hm-1  
                         pool 'pool-name-1'  router 2  
                    port-forwarding  
                        lsn router 1 ip 192.168.0.1 protocol udp port 2000 outside-
                                      ip 10.0.0.1 outside-port 100 nat-policy "sar-hm-1"
                        lsn router 1 ip 192.168.0.2 protocol udp port 2000 outside-
                                      ip 10.0.0.1 outside-port 101 nat-policy "sar-hm-1"
    
  3. Configure the outside "SCADA" VPRN (2) service for the outside static port forwarding NAT function:

    service vprn 2  
         interface 'Outside_RTU' 
            address 10.0.0.1/32
            loopback
         nat
            outside
                   pool 'pool-name-1'nat-group 1 type large-scale 
                             address-range 10.0.0.1 10.0.0.1 create 
                             port-forwarding-range 30000  
                             port-reservations ports 1000