Temporary 1:1 NAT

I don’t know if this is possible currently, or if this would be a feature request…

Cisco routers give you the option to do a “temporary” 1:1 NAT based on source address block. Basically you can assign a pool of IP addresses as the NAT translated addresses, and then when an internal source gets identified for NAT, it grabs an address from the pool and assigns it as a 1:1 NAT until a timeout is reached (e.g. an inactivity time of 60 seconds). The NAT address is then returned to the pool for reallocation.

The equivalent commands on the Cisco side are:

access-list 1 permit (Hosts to be Translated)
ip nat translation timeout 30 (or appropriate inactivity time)
ip nat pool StickyNat (Translated Address Pool)
ip nat inside source list 1 pool StickyNat

Please advise if this is currently doable and how to configure it, or if I should enter a feature request for this functionality (if even possible).

Thanks!

In your example that would still be overloading (Masquerading) on the Cisco router, as the keyword no-overload is not present, just with multiple addresses. With modern service inspection and proper firewall rules there isn’t much of a good reason to perform dynamic 1:1 translations, and 1:1s are best reserved for static service allocation. With VyOS you can accomplish the same through the NAT rules as shown:

vyos@vyos# set translation address 
Possible completions:
   <x.x.x.x>    NAT to the specified IP address
   <x.x.x.x>-<x.x.x.x>
                NAT to the specified IP range
   <x.x.x.x/x>  NAT to the specified network address. Host part of the address will remain unchanged
   masquerade   NAT to the primary address of outbound-interface
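As an added example (not part of the reply above), here is a complete VyOS source NAT rule using the range form of translation address to stand in for the Cisco access-list/pool pair from the question; eth0 as the outbound interface, 192.168.1.0/24 as the inside hosts and 203.0.113.10-203.0.113.20 as the pool are assumed placeholder values (VyOS 1.2/1.3 syntax).

```vyos
set nat source rule 100 description 'Cisco access-list 1 / pool StickyNat equivalent'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.1.0/24'
set nat source rule 100 translation address '203.0.113.10-203.0.113.20'
commit
save
```

As the reply notes, this spreads connections across the pool rather than pinning one inside host to one outside address, so services that need a fixed outside address should get their own static 1:1 rule instead.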
