NAT with static port forwarding
With NAT, the source IP address and the port of the host on the private side (inside) of the network are translated to an external IP address and port on the public side (outside) of the network. The IP address on the inside can be assigned to a raw socket IP host connected to an RS-232 serial interface or assigned to an IP interface associated with an Ethernet port.
Static port forwarding is configured on the CLI using the following parameters:
inside IP address
inside port
outside IP address
outside port
protocol
The figure "NAT with static port forwarding" shows an example of a network with a 7705 SAR-Hm series node configured to use NAT with static port forwarding.
In the scenario shown above, the "RTU" VPRN service is inside and the "SCADA" VPRN service is outside. The "RTU" VPRN contains two IP transport services, one for each connected device. For information about IP transport services, see IP transport services and also see "Serial Transport over Raw Sockets" in the 7705 SAR-Hm and SAR-Hmc Interface Configuration Guide.
The figure "NAT with static port forwarding" shows specific values for the inside IP address and port and outside IP address and port. The cellular interface of the node is used as the network-facing interface to transport the outside VPRN traffic.
When a packet is sent from the SCADA master to the node over the LTE network, it will be carried within the outside "SCADA" VPRN service toward the node. The node will send the packet to the BB-ISA MDA to perform the required NAT function based on the configured NAT policy. NAT is applied to the packet as needed. The packet is then processed by the inside "RTU" VPRN service, destined to the corresponding IP transport service.
When a packet is sent from the RTU toward the SCADA master, the inside "RTU" VPRN service sends the packet to the BB-ISA MDA, where the NAT policy translates the IP address and port to the outside IP address and port. The BB-ISA MDA then sends the packet to the outside "SCADA" VPRN service, where it is routed over the cellular interface using the "SCADA" VPRN service.
The steps and CLI outputs below show the configuration of NAT with static port forwarding based on the figure "NAT with static port forwarding".
Configure NAT on the BB-ISA MDA:
config isa nat-group 1 mda 1/6
Configure the inside "RTU" VPRN (1) service for the inside static port forwarding NAT function:
config service vprn 1
    interface 'rtu1'
        address 192.168.0.1/32
        loopback
    interface 'rtu2'
        address 192.168.0.2/32
        loopback
    ip-transport 1/3/1
        local-host ip-addr 192.168.0.1 port-num 2000 protocol udp
        remote-host ip-addr 1.2.3.4 port-num 1000 protocol udp
    ip-transport 1/3/2
        local-host ip-addr 192.168.0.2 port-num 2000 protocol udp
        remote-host ip-addr 1.2.3.4 port-num 1000 protocol udp
config service vprn 1
    nat
        inside
            destination-prefix 1.2.3.4/24
            .
            nat-policy 'sar-hm-1'
config service nat
    nat-policy 'sar-hm-1'
        pool 'pool-name-1' router 2
    port-forwarding
        lsn router 1 ip 192.168.0.1 protocol udp port 2000 outside-ip 10.0.0.1 outside-port 100 nat-policy "sar-hm-1"
        lsn router 1 ip 192.168.0.2 protocol udp port 2000 outside-ip 10.0.0.1 outside-port 101 nat-policy "sar-hm-1"
Configure the outside "SCADA" VPRN (2) service for the outside static port forwarding NAT function:
service vprn 2
    interface 'Outside_RTU'
        address 10.0.0.1/32
        loopback
    nat
        outside
            pool 'pool-name-1' nat-group 1 type large-scale
                address-range 10.0.0.1 10.0.0.1 create
                port-forwarding-range 30000
                port-reservations ports 1000
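The following Python model is an added example, not Nokia code and not part of the original guide. It parses the two lsn port-forwarding entries from the inside NAT configuration above, checks that the static mappings are one-to-one and that each outside IP lies in the pool's address-range, and models the destination rewrite (SCADA to RTU) and source rewrite (RTU to SCADA) described earlier. The function names, the regular expression and the audit rules are assumptions made for this example; it runs offline and does not talk to a node.

```python
import re
from ipaddress import ip_address

# The two port-forwarding entries copied from the configuration on this page.
CONFIG = '''
lsn router 1 ip 192.168.0.1 protocol udp port 2000 outside-ip 10.0.0.1 outside-port 100 nat-policy "sar-hm-1"
lsn router 1 ip 192.168.0.2 protocol udp port 2000 outside-ip 10.0.0.1 outside-port 101 nat-policy "sar-hm-1"
'''
POOL_RANGE = ("10.0.0.1", "10.0.0.1")  # address-range of pool 'pool-name-1'

LSN_RE = re.compile(
    r"lsn router (?P<router>\d+) ip (?P<ip>\S+) protocol (?P<proto>tcp|udp) "
    r"port (?P<port>\d+) outside-ip (?P<oip>\S+) outside-port (?P<oport>\d+)")

def parse_rules(text):
    """Return a list of (inside, outside) endpoints, each (proto, ip, port)."""
    rules = []
    for m in LSN_RE.finditer(text):
        inside = (m["proto"], m["ip"], int(m["port"]))
        outside = (m["proto"], m["oip"], int(m["oport"]))
        rules.append((inside, outside))
    return rules

def audit(rules, pool_range=POOL_RANGE):
    """List findings: reused endpoints and outside IPs not in the pool range."""
    findings, seen_in, seen_out = [], set(), set()
    lo, hi = (ip_address(a) for a in pool_range)
    for inside, outside in rules:
        if outside in seen_out:
            findings.append(f"outside endpoint reused: {outside}")
        if inside in seen_in:
            findings.append(f"inside endpoint reused: {inside}")
        if not lo <= ip_address(outside[1]) <= hi:
            findings.append(f"outside IP not in pool range: {outside}")
        seen_in.add(inside)
        seen_out.add(outside)
    return findings

def translate_inbound(rules, proto, dst_ip, dst_port):
    """Outside -> inside: new destination, or None if no static mapping matches."""
    return {o: i for i, o in rules}.get((proto, dst_ip, dst_port))

def translate_outbound(rules, proto, src_ip, src_port):
    """Inside -> outside: new source, or None if no static mapping matches."""
    return {i: o for i, o in rules}.get((proto, src_ip, src_port))
```

Running audit() over the parsed entries before deployment gives a quick list of exactly which inside endpoints become reachable from the outside VPRN, and on which outside ports.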