Is this even possible? (Excluding Subnet from Global NAT)

Posted by Dylan on October 11, 2005, 9:28 pm
Hi there,

I'm using a static NAT (overload) to map a subnet of private addresses
to a single routable IP.

However, from the "outside" (from the PIX) I would like to be able to
ping/connect to the individual private addresses. The static routes are
there, but when I ping them, the ping is returned from the routable
IP, not the private one, so it fails.

eg ->

------------------------
203.203.203.1
Cisco PIX
203.203.204.1
-----------------------
        |
        |
        |
-----------------------
203.203.204.2
192.168.0.1 (secondary addr for wireless net)

Cisco 2610
----------------------




Pinging 192.168.0.1 (2610) from 203.203.204.1 (PIX) ->


ping intf2 192.168.205.1
624: ICMP echo request (len 32 id 9233 seq 0) 203.203.204.1 > 192.168.0.1
625: ICMP echo reply (len 32 id 9233 seq 0) 203.203.204.2 > 203.203.204.1   <--- coming back from global NAT, not 192.168.0.1
192.168.205.1 NO response received -- 1000ms





The PIX is straightforward routing, eg

route intf2 192.168.0.0 255.255.255.0 203.203.204.2 1


The 2610 NAT is like so - >


interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0 secondary
ip address 203.203.204.2 255.255.255.0
ip nat inside
ip policy route-map set-default
duplex auto
speed auto
no cdp enable
hold-queue 256 in

ip nat pool no-overload 203.203.204.2 203.203.204.2 prefix-length 24
ip nat inside source list 7 pool no-overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 <ip address of public gateway>
ip route 192.168.0.0 255.255.255.0 203.203.204.1

access-list 7 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
route-map set-default permit 10
match ip address 7
set ip next-hop 203.203.204.1




So is there a way to exclude the NAT for my PIX subnet? (I have even tried
setting up 192.168.0.3 on a PIX interface with static routes to and
from the 2610, but no luck there either.)

I need to be able to ping/monitor hosts in the 192.168.0.0 subnet but
also allow them all internet access with the NAT overload.

Apologies for the lack of detail; I'm no expert but fully appreciate any
advice on better ways to achieve this aim. The PIX and 2610 are about
40 km apart, so I am trying to find a way to monitor the 192.168.0.0 hosts
from the PIX end (my office) rather than installing servers on the
remote end.

Cheers,

Dylan.





Posted by on October 12, 2005, 12:13 am
Dylan wrote:
> Hi there,
>
> I'm using a static NAT (overload) to map a subnet of private addresses
> to a single routable IP.
>
> However, from the "outside" (from the PIX) I would like to be able to
> ping/connect to the individual private addresses. The static routes are
> there, but when I ping them, the ping is returned from the routable IP,
> not the private one, so it fails.
>
> eg ->
>
> ------------------------
> 203.203.203.1
> Cisco PIX
> 203.203.204.1
> -----------------------
> |
> |
> |
> -----------------------
> 203.203.204.2
> 192.168.0.1 (secondary addr for wireless net)
>
> Cisco 2610
> ----------------------
>
>
>
>
> Pinging 192.168.0.1 (2610) from 203.203.204.1 (PIX) ->
>
>
> ping intf2 192.168.205.1
> 624: ICMP echo request (len 32 id 9233 seq 0) 203.203.204.1 > 192.168.0.1
> 625: ICMP echo reply (len 32 id 9233 seq 0) 203.203.204.2 > 203.203.204.1   <--- coming back from global NAT, not 192.168.0.1
> 192.168.205.1 NO response received -- 1000ms
>

From what I understand, this is the expected behavior. That is, the
ping will fail. This is one of the shortcomings of NAT, that it prevents
simple kinds of network diagnostic tools like ping from working.

B Squared
\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/
If C++ is your hammer, everything looks like your thumb.


Posted by on October 12, 2005, 8:00 am
That is more or less how NAT works.
However you possibly could use static nats for certain
addresses/protocols.
A NAT does not need to cover ALL uses of a particular address.

Say you wanted to monitor 3 hosts using telnet (port 23) connections.

192.168.0.1
192.168.0.2
192.168.0.3

Outside address 1.1.1.1

choose 3 random ports 10123, 10223, 10323


You could then NAT as follows

1.1.1.1 10123 --> 192.168.0.1 23
1.1.1.1 10223 --> 192.168.0.2 23
1.1.1.1 10323 --> 192.168.0.3 23

I have not considered all possible implications/pitfalls; however, I think
that this could be configured on a router and maybe
on a PIX. (I have less PIX experience.)

Let us know if it works!!
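As an added configuration sketch (not Dylan's running config and not from either reply), the two ideas raised in this thread written out in Cisco IOS syntax: the per-host static port translations the reply above describes, and an extended access list that exempts the private subnet's traffic toward the PIX link from the overload translation, which is what the original question asks for. The ACL name NAT-INSIDE, the pool name PUBLIC-POOL and the FastEthernet0/1 outside interface are placeholders I assumed; 203.203.204.2 stands in for the reply's 1.1.1.1 because that is the routable address the original post already uses.

```cisco
! Added illustration, not the original poster's configuration.
! Assumed topology (from the thread): 192.168.0.0/24 is the private LAN,
! 203.203.204.0/24 is the link toward the PIX, 203.203.204.2 is the single
! routable address used for the overload. Names below are placeholders.
!
! --- 1. Exempt monitoring traffic toward the PIX side from the overload ---
! A standard ACL (like access-list 7 in the post) can only match the source.
! An extended ACL can also match the destination: a "deny" entry here means
! "do not translate", so replies from 192.168.0.x to the PIX link keep their
! private source address, while everything else from the subnet is still
! translated to 203.203.204.2.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.0.0 0.0.0.255 203.203.204.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
ip nat pool PUBLIC-POOL 203.203.204.2 203.203.204.2 prefix-length 24
ip nat inside source list NAT-INSIDE pool PUBLIC-POOL overload
!
! --- 2. Per-host static port redirects, as described in the reply above ---
! Outside port 10123 on 203.203.204.2 reaches 192.168.0.1 port 23, and so on.
! "extendable" allows several static entries to share one global address.
ip nat inside source static tcp 192.168.0.1 23 203.203.204.2 10123 extendable
ip nat inside source static tcp 192.168.0.2 23 203.203.204.2 10223 extendable
ip nat inside source static tcp 192.168.0.3 23 203.203.204.2 10323 extendable
!
! IOS only translates between an "ip nat inside" and an "ip nat outside"
! interface; the post shows only the inside side, so the outside interface
! below is an assumption about the rest of the router's config.
interface FastEthernet0/1
 description Toward PIX / internet (placeholder interface)
 ip nat outside
```

Approach 1 is the one that makes plain ping work, since the exemption is address based and covers ICMP as well as TCP/UDP; the static entries in approach 2 only carry the TCP port named in each line, so they give per-host reachability for a monitoring protocol but not for ping. If telnet is what gets exposed this way, it is a cleartext protocol, so the same mapping with port 22 and SSH on the hosts is the more usual choice; in either case `show ip nat translations` on the router is the quickest check that the expected entries exist and that reply traffic is no longer being rewritten.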

