NAT puzzle for the experts

I need to accomplish two different NATs, preferably within the config of a 2811 router. I'm hitting a brick wall, and if any experts want to take a crack at it, here is the "puzzle".

I am NATing my internal ranges to 12.31.44.65 before going over a T1 to a customer, who wants to only see us from this IP. He does not allow RFC 1918 addresses from customers, yet he uses some himself. We only need Telnet and FTP, so initiation from our side is okay. This part works fine.

The second requirement for *me* is that I have a conflict with 10.0.0.0/15 in my network, so I want to alias the entire block with 10.118.0.0/15 instead. I have used both of these NATs before successfully in different circumstances, but am at a loss on how to get them to work together when needed. I've tried loopbacks, NAT-on-a-stick and other such configs I've researched, to no avail.

If the destination IP is 10.0.0.0/15, I want my users to try to go to 10.118.0.0 and have it NAT to 10.0.0.0/15 *as well as* NAT their source to 12.31.44.65.

Can both be done at the same time?

(FYI, none of the pings work because the customer is not connected yet. That is irrelevant.)

** Here is the pertinent config: **

interface FastEthernet0/0
 description LAN
 ip address 172.26.13.12 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 description customer XYZ link
 ip address 100.100.100.2 255.255.255.252
 ip nat outside
!
router ospf 2
 router-id 172.26.13.12
 redistribute static subnets
 passive-interface Serial0/0/0
 network 172.26.13.0 0.0.0.255 area 2
!
ip route 10.118.0.0 255.254.0.0 100.100.100.1
ip route 10.146.0.0 255.255.0.0 100.100.100.1
!
ip nat pool XYZ_POOL 12.31.44.65 12.31.44.65 netmask 255.255.255.252
ip nat inside source route-map NONAT pool XYZ_POOL overload
ip nat outside source static network 10.0.0.0 10.118.0.0 /15
!
route-map NONAT permit 10
 description Match ACL for XYZ NAT
 match ip address 6
!
access-list 6 permit 172.26.13.0 0.0.0.255
access-list 6 permit 172.26.14.0 0.0.0.255
access-list 6 permit 10.118.0.0 0.1.255.255

(I know the route-map is not needed. I could just use a list.)

Here are some 'debug ip nat' results. The first one is okay and correctly NATs the source to 12.31.44.65. The second one does not do both NATs, not that I expect it to yet. I just don't know how to configure it correctly.

------------------------------------------------------------------------

XYZ_Router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.118.0.0         10.0.0.0

XYZ_Router#ping
Protocol [ip]:
Target IP address: 10.146.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.26.13.12
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.146.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.26.13.12

Nov 2 17:10:18.275 EST: NAT: s=172.26.13.12->12.31.44.65, d=10.146.1.1 [20].
Nov 2 17:10:20.275 EST: NAT: s=172.26.13.12->12.31.44.65, d=10.146.1.1 [21].
Nov 2 17:10:22.275 EST: NAT: s=172.26.13.12->12.31.44.65, d=10.146.1.1 [22].
Nov 2 17:10:24.275 EST: NAT: s=172.26.13.12->12.31.44.65, d=10.146.1.1 [23].
Nov 2 17:10:26.275 EST: NAT: s=172.26.13.12->12.31.44.65, d=10.146.1.1 [24].
Success rate is 0 percent (0/5)

XYZ_Router#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  ---                ---                10.118.0.0         10.0.0.0
icmp 12.31.44.65:6      172.26.13.12:6     10.146.1.1:6       10.146.1.1:6

------------------------------------------------------------------------

XYZ_Router#ping
Protocol [ip]:
Target IP address: 10.118.0.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.26.13.12
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.118.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.26.13.12

Nov 2 17:15:39.408 EST: NAT: s=172.26.13.12, d=10.118.0.1->10.0.0.1 [39].
Nov 2 17:15:41.408 EST: NAT: s=172.26.13.12, d=10.118.0.1->10.0.0.1 [40].
Nov 2 17:15:43.408 EST: NAT: s=172.26.13.12, d=10.118.0.1->10.0.0.1 [41].
Nov 2 17:15:45.408 EST: NAT: s=172.26.13.12, d=10.118.0.1->10.0.0.1 [42].
Nov 2 17:15:47.408 EST: NAT: s=172.26.13.12, d=10.118.0.1->10.0.0.1 [43].
Success rate is 0 percent (0/5)

XYZ_Router#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  ---                ---                10.118.0.1         10.0.0.1
---  ---                ---                10.118.0.0         10.0.0.0
icmp 172.26.13.12:8     172.26.13.12:8     10.118.0.1:8       10.0.0.1:8

Reply to
valnar
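As an added illustration, not part of valnar's post or of any Cisco document, here is a small Python model of the two translations the config above is meant to perform, using only the addresses from the posted config (the inside-global address 12.31.44.65, access-list 6, and the 10.0.0.0/15 to 10.118.0.0/15 static network mapping). It shows the packet the customer should see on the T1 when a LAN host sends to the aliased block, the reply path back, and a check that no RFC 1918 source leaves Serial0/0/0. The NAT table and port-allocation logic are assumptions that simplify IOS behaviour; the LAN host 172.26.13.50 is a constructed address.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Values taken from the posted config
INSIDE_GLOBAL = ip_address("12.31.44.65")            # ip nat pool XYZ_POOL ... overload
ACL_6 = [ip_network("172.26.13.0/24"),               # access-list 6: sources to translate
         ip_network("172.26.14.0/24"),
         ip_network("10.118.0.0/15")]
OUTSIDE_GLOBAL_NET = ip_network("10.0.0.0/15")       # customer's real block
OUTSIDE_LOCAL_NET = ip_network("10.118.0.0/15")      # alias our LAN hosts use for it
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    sport: int        # for ICMP: the echo identifier, as IOS shows it (12.31.44.65:6)
    dst: IPv4Address
    dport: int


def static_remap(addr, from_net, to_net):
    """'ip nat outside source static network': keep the host bits, swap the /15 prefix."""
    return ip_address(int(to_net.network_address) + (int(addr) - int(from_net.network_address)))


class Nat:
    """Simplified model of the router's NAT table (an assumption, not IOS's real structure)."""

    def __init__(self):
        self.pat = {}  # (proto, inside-global port) -> (inside local addr, inside local port)

    def _global_port(self, proto, local):
        for (p, gport), entry in self.pat.items():
            if p == proto and entry == local:
                return gport                   # existing translation is reused
        gport = local[1]                       # overload keeps the port if it is free
        while (proto, gport) in self.pat:
            gport += 1                         # otherwise take the next free one (assumption)
        self.pat[(proto, gport)] = local
        return gport

    def inside_to_outside(self, pkt):
        """LAN -> T1. Returns (packet as sent on Serial0/0/0, was the source translated?)."""
        src, sport, translated = pkt.src, pkt.sport, False
        if any(pkt.src in net for net in ACL_6):          # inside source, pool overload
            sport = self._global_port(pkt.proto, (pkt.src, pkt.sport))
            src, translated = INSIDE_GLOBAL, True
        dst = pkt.dst
        if dst in OUTSIDE_LOCAL_NET:                       # outside local -> outside global
            dst = static_remap(dst, OUTSIDE_LOCAL_NET, OUTSIDE_GLOBAL_NET)
        return Packet(pkt.proto, src, sport, dst, pkt.dport), translated

    def outside_to_inside(self, pkt):
        """T1 -> LAN. Returns the packet delivered on FastEthernet0/0, or None if dropped."""
        entry = self.pat.get((pkt.proto, pkt.dport))
        if pkt.dst != INSIDE_GLOBAL or entry is None:      # no matching translation
            return None
        src = pkt.src
        if src in OUTSIDE_GLOBAL_NET:                      # outside global -> outside local
            src = static_remap(src, OUTSIDE_GLOBAL_NET, OUTSIDE_LOCAL_NET)
        return Packet(pkt.proto, src, pkt.sport, entry[0], entry[1])


def customer_policy_ok(pkt):
    """The customer rejects RFC 1918 sources: check the packet as it leaves Serial0/0/0."""
    return not any(pkt.src in net for net in RFC1918)


def walk_through():
    """The thread's second ping, but from a LAN host (constructed: 172.26.13.50) to 10.118.0.1."""
    nat = Nat()
    echo = Packet("icmp", ip_address("172.26.13.50"), 6, ip_address("10.118.0.1"), 6)
    on_wire, _ = nat.inside_to_outside(echo)
    reply = Packet("icmp", on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport)
    return on_wire, nat.outside_to_inside(reply)


if __name__ == "__main__":
    out, back = walk_through()
    print(f"to customer:  s={out.src}:{out.sport} d={out.dst}:{out.dport} policy_ok={customer_policy_ok(out)}")
    print(f"reply on LAN: s={back.src}:{back.sport} d={back.dst}:{back.dport}")
```

Running it shows the customer receiving s=12.31.44.65 d=10.0.0.1 and the LAN host receiving the reply from 10.118.0.1, which is the "both translations at once" behaviour the question asks for. A source not covered by access-list 6 is left untranslated, so `customer_policy_ok` is the check to run on any new internal range before it is allowed onto the T1.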

All seems pretty reasonable.

Do you have a route to 10.0.0.1? Not sure if you need one but it does seem like a bit of an issue.

Another possibility may be that your ACL 6 needs to include 10.0.0.x

One last thing is that I would have a look with traffic sourced externally to the router to see if the "problem" is due to some issue with the test method.

The documents below suggest that your approach is correct.

You have probably seen these but mostly in case I want to go back to them:-

NAT Order of Operation

NAT in Overlapping Networks. This has an almost identical scenario to your own.

guide.

Finally you may need to consider these comments from the "Using NAT in Overlapping Networks" document:

!--- This line is necessary to make NAT work for return traffic.
!--- The router needs to have a route for the pool to the inside
!--- NAT interface so it knows that a translation is needed.

I haven't got my head round that yet.

Reply to
bod43

My config worked almost perfectly, with a couple of minor changes. Adding the static route to point to the inside wasn't one of them.

As it turns out, there is either a bug in IOS, or perhaps it was the way it was designed. If I source from the internal interface IP, it doesn't work right. When I went out on the network and tried it, both translations occurred! Weird.

I did not need to change any of my nat inside or nat outside statements.

I did remove the nonat route-map and just used a simple ACL, but that didn't matter either. I'll clean it up a bit.

Reply to
Robert

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.