NAT translation question for experts

I've got years of experience using NAT on Cisco IOS routers, but I have a need to do something out of the norm. Is it possible to use NAT in this manner?

I have a network in my company that already uses 10.100.x.x/16. I've built an Extranet to a company which has the same network. I would like to hit their hosts (usually we start the traffic - telnet and SSH) by having our PC's telnet to a 10.150.x.x range and have it correlate/NAT directly to their 10.100.x.x range. In other words, I want the destination IP address changed in the packets so that 10.150 to me looks like 10.100 to them.

Is this possible? Bob

Rob

Absolutely, just change the mask. You're used to one-to-one NATs with a /32 mask. Change the mask to a /16 and you'll get what you're after. 10.150.3.3 will be 10.100.3.3

Brian V

I'm not sure you understand. I don't want to change my source IP range (which is 172.26.x.x in this instance for this particular segment). I want to change the destination range.

Rob

Here is what I need:

My LAN segment is 172.26.12.0 /24

I have a 10.100.0.0 /16 elsewhere in my network (across a WAN, and it's in my OSPF routing table so it is "off limits")

I have a T1 to a company which we need to access - they also have 10.100.0.0 /16 addresses. We cannot access them directly because I would route the wrong way.

This other company does *not* have a problem with our internal 172.26.12.0 range. We can come from that. However, I cannot have my PC's look for their 10.100.x.x range because it'll route the wrong way. I would rather put in an alias network range and let my PC's try to hit 10.150.x.x, with that translating to 10.100.x.x once it gets past my router on their T1 (where I would prefer to do the NAT)

I've looked at ip nat inside, outside, destination, etc variants but am not sure which one, if any, will accomplish what I need. I don't want to NAT my own source IP's, I want to NAT their destination IP's.

-Bob

Rob

If you have "years of experience using NAT on Cisco IOS routers", why do you need to even ask this question? The problem you describe is exactly how NAT works.

Thrill5

What you need to do is have the other company configure a static translation from 10.150/16 to 10.100/16. Then on your router you route 10.150/16 through the Extranet to their router.

Barry Margolin

That's one way of doing it. I prefer to keep everything controlled in the local customer's environment rather than relying on another company's IT department.

To the OP. There is absolutely no difference to your years of NAT experience with the exception of it's reversed since you're trying to manipulate a destination network.

Ethernet (your local LAN): ip nat outside

Serial (customer with 10.100 net): ip nat inside

ip nat inside source static network 10.100.0.0 10.150.0.0 /16

Place a core route for 10.150/16 pointing to your T1 router and you're done. The other side obviously needs a route to your 172 network.

Brian V

That's what I missed - reversing the ip nat inside and outside statements on the interfaces. That just reinforces my need of a separate router. I'll give that a shot. Thanks.

-Bob

Rob

The only reason you would need a separate router is if the 2 different 10.100 nets are off of it. If that's the case, rather than buying new hardware you could have the end company (as Barry suggested) do the NAT.

Brian V

Doesn't he have the problem that his LAN would be considered "inside" with respect to the Internet, but "outside" when NATting to the other company? You can't have both "ip nat inside" and "ip nat outside" on the same interface, can you?

Barry Margolin

If he has a customer/partner/vendor/whatever p2p T1 coming in to his internet router then there are more problems than just NAT! You are correct that if it were his internet router it would be an issue, since the inside interface can't be both nat inside and nat outside.

Brian V

Looks like this may be what you are looking for:-

Use the normal ip nat inside ip nat outside on the interfaces


ip nat outside source static network 10.100.0.0 10.150.0.0/16

I may try for a play later today.

I would imagine that there is an equivalent ip nat inside dest form of the above

Bod43

Since I am using NAT, and backwards as you might say, I don't have a problem using a separate 2811 for this customer. We don't usually have IP conflicts like this. Switching the ip nat inside/outside statements would mess up my current vendor router.

-bob

Bob

Why would it be a big problem to have the partner T1 come into the same router that handles their Internet connection? With proper ACLs or NAT configurations you should be able to prevent them from using your router as a way to get to the Internet.

Barry Margolin

As mentioned I was interested in this and had a look:-

The guess that I made above seems to be the right thing.

Use the normal ip nat inside ip nat outside on the interfaces

ip nat outside source static network 10.100.0.0 10.150.0.0/16

10.100.0.0 on inside side 10.150.0.0 on outside side

I have verified that the translations get created irrespective of the direction of the initial traffic - expected for static NATs.

Good to go.

R2#sh ip nat tr
Pro  Inside global     Inside local      Outside local     Outside global
---  ---               ---               10.150.1.1        10.100.1.1
---  ---               ---               10.150.1.2        10.100.1.2
---  ---               ---               10.150.0.0        10.100.0.0
icmp 172.26.12.1:4     172.26.12.1:4     10.150.1.1:4      10.100.1.1:4
icmp 172.26.12.1:10    172.26.12.1:10    10.150.1.2:10     10.100.1.2:10
R2#

Dynamips to the fore:-)

A warning is that I have not read ANY documentation that describes "ip nat outside source static network"

I ASSUME that it will create correct 10.100.a.b 10.150.c.d mapping always, where a == c and b == d

You may need to exclude the 10.100.0.0 --> 10.150.0.0 traffic from any Internet NATs that you have configured.

Good luck.

Bod43
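
The configuration the thread converges on, collected in one place for a dedicated extranet router. This is an added example, not a configuration posted by any participant; the interface names and the EXTRANET-IN access list are assumptions.

```cisco
! Added example. Interface names and the ACL name are assumptions.
interface FastEthernet0/0
 description Local LAN side, 172.26.12.0/24 (source addresses untouched)
 ip nat inside
!
interface Serial0/0/0
 description T1 to the partner whose hosts really are 10.100.0.0/16
 ip nat outside
 ip access-group EXTRANET-IN in
!
! Partner's real range (outside global 10.100.0.0/16) is presented to the
! inside as the alias range (outside local 10.150.0.0/16). The host part
! of each address is carried over unchanged.
ip nat outside source static network 10.100.0.0 10.150.0.0 /16
!
! Inside-to-outside packets are routed first and translated afterwards,
! so the alias range itself needs a route out the T1. The rest of the
! network also needs a route for 10.150.0.0/16 pointing at this router.
ip route 10.150.0.0 255.255.0.0 Serial0/0/0
!
! Optional restriction (assumption): accept from the partner only return
! traffic for TCP sessions opened from our LAN. An inbound ACL on the
! outside interface is evaluated before NAT, so the partner's real
! 10.100 addresses are what it matches. This also drops ICMP and any
! routing protocol on the link; add permits for whatever else is needed.
ip access-list extended EXTRANET-IN
 permit tcp 10.100.0.0 0.0.255.255 172.26.12.0 0.0.0.255 established
 deny   ip any any log
```

Because the router's own 10.100.0.0/16 (learned via OSPF in the original question) never appears in this configuration, the alias range is the only way inside hosts reach the partner, which is what keeps the two overlapping networks apart.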

I tried this today too and it works fine. I just never used 'ip nat OUTSIDE' before. As you say, good to go.

-Bob

Bob
