Netgate Discussion Forum

NAT not Working as Expected

6 Posts 2 Posters 891 Views
  • J
    JamieGB
    last edited by Nov 26, 2021, 10:24 AM

    Hi,

    I'm trying to use static port NAT for a machine which is outside of the interface address. When I perform a packet capture, traffic is reaching my translated IP, but the reply traffic is going direct to the IP where the packets originated from.

    I've tried port forwarding - doesn't work. 1:1 NAT, Outbound NAT....I can't achieve the desired result.

    Any help much appreciated. I've followed the NAT guide but to no avail.

    Thanks.

    • V
      viragomann @JamieGB
      last edited by Nov 26, 2021, 12:01 PM

      @jamiegb said in NAT not Working as Expected:

      When I perform a packet capture, traffic is reaching my translated IP, but the reply traffic is going direct to the IP where the packets originated from.

      The reply is sent to the IP which the destination device sees as the source in the packet. If you want the device to reply to another IP, you can translate the source IP using an outbound NAT rule.

      • J
        JamieGB @viragomann
        last edited by Nov 26, 2021, 4:40 PM

        @viragomann Thanks for your reply. Does that mean I need 2 outbound NAT rules? Just the one rule doesn't seem to do the job?

        • V
          viragomann @JamieGB
          last edited by Nov 26, 2021, 4:51 PM

          @jamiegb said in NAT not Working as Expected:

          Does that mean I need 2 outbound NAT rules? Just the one rule doesn't seem to do the job?

          To be honest, I didn't really understand what you're trying to achieve here and what you've already done.

          I'm trying to use static port NAT for a machine which is outside of the interface address.

          A static source port? Is this needed for the application?

          Maybe you can give some more detailed information.

          • J
            JamieGB @viragomann
            last edited by JamieGB Nov 27, 2021, 1:19 PM Nov 27, 2021, 1:15 PM

            @viragomann Sorry should have been clearer about the requirements.

            I have a SIP server which has an IP address within the interface... let's call it telephony.

            My SIP server is very specific with where traffic is coming from - It performs some kind of IP firewalling.

            I have 8 SIP telephones. 4 of them are active during normal hours. These are in another country. Routing is fine I can reach the SIP server.

            However, the other 4 telephones have to take over out of hours. I am trying to get the SIP server to see the same IP address (or same 4 IP addresses) whether they're from the first set of phones, or the second.

            On the other hand, the SIP server can also initiate calls to the handsets, and the handsets also perform this IP firewalling.

            So, in short, the 2 sets of phones must target the same IPs for the SIP server, and the SIP server depending on the time of day must contact the same IPs.

            Outbound NAT works fine to get the SIP server to see the same addresses (I use CARPs with outbound NAT). However, the SIP server also needs to contact the phones for inbound calls, and the address which the telephone sees must be the same as that which it thinks is the SIP server.

            Hope that makes sense.

            EDIT: I've tried using port forwarding for the server -> handset communication, but this does not perform SNAT. The IP telephones only see the original SIP server address, which doesn't match their configuration, and reject the call.

            • J
              JamieGB @JamieGB
              last edited by Nov 27, 2021, 5:13 PM

              Arrrrrhhhhhh....

              Why didn't anyone tell me I could use both outbound NAT and port NAT using the same address?

              All my problems are solved!

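The fix reported in the last post, as an added example that is not part of the original thread and is not pfSense configuration: a small model of the firewall's translations showing why a port forward alone (destination rewrite only) fails the endpoints' IP filtering, and why pairing it with outbound NAT on the same virtual address passes in both directions for either phone set. All addresses and names are constructed assumptions.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst")

# Constructed addresses (private/documentation ranges), not from the thread.
SERVER_REAL = "10.10.0.5"   # SIP server's real address
SERVER_VIP = "192.0.2.5"    # address the phones are configured with for the server
PHONE_VIP = "192.0.2.50"    # address the server's IP filter allows and dials
PHONES = {"day": "198.51.100.20", "night": "203.0.113.20"}


def translate(pkt, active, outbound_nat=True):
    """Apply the firewall's translations to one packet.

    The port forward (DNAT) rewrites the destination; outbound NAT (SNAT)
    rewrites the source. Each side's virtual address is used for both.
    """
    phone = PHONES[active]
    if pkt.src == SERVER_REAL and pkt.dst == PHONE_VIP:   # server -> handset
        src = SERVER_VIP if outbound_nat else pkt.src
        return Packet(src, phone)
    if pkt.src == phone and pkt.dst == SERVER_VIP:        # handset -> server
        src = PHONE_VIP if outbound_nat else pkt.src
        return Packet(src, SERVER_REAL)
    return None  # no matching rule: packet is not forwarded


def accepted(pkt, expected_peer):
    """Endpoint IP filter: accept only traffic whose source is the configured peer."""
    return pkt is not None and pkt.src == expected_peer


def call_matrix(outbound_nat):
    """Return {(direction, active_set): accepted?} for both phone sets."""
    result = {}
    for active, phone in PHONES.items():
        to_phone = translate(Packet(SERVER_REAL, PHONE_VIP), active, outbound_nat)
        to_server = translate(Packet(phone, SERVER_VIP), active, outbound_nat)
        result[("server->phone", active)] = accepted(to_phone, SERVER_VIP)
        result[("phone->server", active)] = accepted(to_server, PHONE_VIP)
    return result


if __name__ == "__main__":
    for nat in (False, True):
        label = "port forward + outbound NAT" if nat else "port forward only"
        print(label, call_matrix(nat))
```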
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.