With NAT, the source IP address and the port of the host on the private side (inside) of the network are translated to an external IP address and port on the public side (outside) of the network. The IP address on the inside can be assigned to a raw socket IP host connected to an RS-232 serial interface or assigned to an IP interface associated with an Ethernet port.
Static port forwarding is configured on the CLI using the following parameters:
inside IP address
inside port
outside IP address
outside port
protocol
Figure: NAT with static port forwarding shows an example of a network with a 7705 SAR-Hm series node configured to use NAT with static port forwarding.
In the scenario shown above, the "RTU" VPRN service is inside and the "SCADA" VPRN service is outside. The "RTU" VPRN contains two IP transport services, one for each connected device. For information about IP transport services, see IP transport services and also see "Serial Transport over Raw Sockets" in the 7705 SAR-Hm and SAR-Hmc Interface Configuration Guide.
Figure: NAT with static port forwarding shows specific values for the inside IP address and port and outside IP address and port. The cellular interface of the node is used as the network-facing interface to transport the outside VPRN traffic.
When a packet is sent from the SCADA master to the node over the LTE network, it will be carried within the outside "SCADA" VPRN service toward the node. The node will send the packet to the BB-ISA MDA to perform the required NAT function based on the configured NAT policy. NAT is applied to the packet as needed. The packet is then processed by the inside "RTU" VPRN service, destined to the corresponding IP transport service.
When a packet is sent from the RTU toward the SCADA master, the inside "RTU" VPRN service sends the packet to the BB-ISA MDA, where the NAT policy translates the IP address and port to the outside IP address and port. The BB-ISA MDA then sends the packet to the outside "SCADA" VPRN service, where it is routed over the cellular interface using the "SCADA" VPRN service.
The steps and CLI outputs below show the configuration of NAT with static port forwarding based on Figure: NAT with static port forwarding.
Configure NAT on the BB-ISA MDA:
config
    isa
        nat-group 1
            mda 1/6
Configure the inside "RTU" VPRN (1) service for the inside static port forwarding NAT function:
config
    service
        vprn 1
            interface 'rtu1'
                address 192.168.0.1/32
                loopback
            interface 'rtu2'
                address 192.168.0.2/32
                loopback
            ip-transport 1/3/1
                local-host ip-addr 192.168.0.1 port-num 2000 protocol udp
                remote-host ip-addr 1.2.3.4 port-num 1000 protocol udp
            ip-transport 1/3/2
                local-host ip-addr 192.168.0.2 port-num 2000 protocol udp
                remote-host ip-addr 1.2.3.4 port-num 1000 protocol udp
config
    service
        vprn 1
            nat
                inside
                    destination-prefix 1.2.3.4/24
                    nat-policy 'sar-hm-1'
config
    service
        nat
            nat-policy 'sar-hm-1'
                pool 'pool-name-1' router 2
            port-forwarding
                lsn router 1 ip 192.168.0.1 protocol udp port 2000 outside-ip 10.0.0.1 outside-port 100 nat-policy "sar-hm-1"
                lsn router 1 ip 192.168.0.2 protocol udp port 2000 outside-ip 10.0.0.1 outside-port 101 nat-policy "sar-hm-1"
Configure the outside "SCADA" VPRN (2) service for the outside static port forwarding NAT function:
service vprn 2
    interface 'Outside_RTU'
        address 10.0.0.1/32
        loopback
    nat
        outside
            pool 'pool-name-1' nat-group 1 type large-scale
                address-range 10.0.0.1 10.0.0.1 create
                port-forwarding-range 30000
                port-reservations ports 1000
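The static mappings configured above can be modelled as a lookup table, which is useful when reviewing which inside hosts a configuration exposes. This is an added example, not part of the product documentation: it parses the two lsn entries from the page, translates in both directions, and flags any outside protocol/address/port tuple claimed by more than one inside host. The function names are hypothetical.

```python
import re
from collections import defaultdict

# The two static port-forwarding entries from the configuration above,
# with the wrapped "outside-ip" keyword rejoined onto one line.
CONFIG = '''
lsn router 1 ip 192.168.0.1 protocol udp port 2000 outside-ip 10.0.0.1 outside-port 100 nat-policy "sar-hm-1"
lsn router 1 ip 192.168.0.2 protocol udp port 2000 outside-ip 10.0.0.1 outside-port 101 nat-policy "sar-hm-1"
'''

LSN_RE = re.compile(
    r'lsn\s+router\s+(?P<router>\S+)\s+ip\s+(?P<in_ip>\S+)\s+'
    r'protocol\s+(?P<proto>tcp|udp)\s+port\s+(?P<in_port>\d+)\s+'
    r'outside-ip\s+(?P<out_ip>\S+)\s+outside-port\s+(?P<out_port>\d+)')

def parse_forwards(text):
    """Return one dict per lsn port-forwarding line found in text."""
    entries = []
    for m in LSN_RE.finditer(text):
        e = m.groupdict()
        e["in_port"], e["out_port"] = int(e["in_port"]), int(e["out_port"])
        entries.append(e)
    return entries

def find_conflicts(entries):
    """Outside (proto, ip, port) tuples claimed by more than one inside host."""
    seen = defaultdict(set)
    for e in entries:
        seen[(e["proto"], e["out_ip"], e["out_port"])].add((e["in_ip"], e["in_port"]))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def to_inside(entries, proto, dst_ip, dst_port):
    """Outside-to-inside: rewrite the destination; None means no static entry."""
    for e in entries:
        if (e["proto"], e["out_ip"], e["out_port"]) == (proto, dst_ip, dst_port):
            return e["in_ip"], e["in_port"]
    return None

def to_outside(entries, proto, src_ip, src_port):
    """Inside-to-outside: rewrite the source; None means no static entry."""
    for e in entries:
        if (e["proto"], e["in_ip"], e["in_port"]) == (proto, src_ip, src_port):
            return e["out_ip"], e["out_port"]
    return None

if __name__ == "__main__":
    fwd = parse_forwards(CONFIG)
    print(to_inside(fwd, "udp", "10.0.0.1", 100))   # entry for the first RTU
    print(to_inside(fwd, "udp", "10.0.0.1", 102))   # no static entry
    print(find_conflicts(fwd))
```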