topic Re: NAT to replace the source address in Routing and SD-WAN

NAT to replace the source address

DriverCiscoPL — Wed, 03 Feb 2021 11:27:00 GMT

Hello, I don't know how to make NAT for 192.168.0.0/24 network to replace the source address to the router address 172.23.120.5 for packets going to the network 10.10.21.100/32.

I have working configuration in VyOS system, but how to make it in Cisco 1921 router?

rule 01 {
    destination {
        address 10.10.21.100/32
    }
    outbound-interface any
    protocol all
    source {
        address 192.168.0.0/24
    }
    translation {
        address 172.23.120.5
    }
}

Re: NAT to replace the source address

balaji.bandi — Wed, 03 Feb 2021 11:44:19 GMT

Looik at good examples :

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13773-2.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr-i3.html#wp1284532593

Re: NAT to replace the source address

DriverCiscoPL — Wed, 03 Feb 2021 13:40:31 GMT

Should I set interface of the router address 172.23.120.5 to "ip nat enable" ?
and then

ip nat source static 192.168.0.0/24 172.23.120.5

Re: NAT to replace the source address

balaji.bandi — Wed, 03 Feb 2021 14:04:07 GMT

that should work, test and advise. if any issue.

Re: NAT to replace the source address

Georg Pauwen — Wed, 03 Feb 2021 18:07:05 GMT

Hello,

if you want the translation only to take place when the source is 192.168.0.0/24 and the destination 10.10.21.100/32, you need a configuration that looks like the one below. Keep in mind that any other destination address will not lead to a translation.

It doesn't matter whether the translated address 172.23.120.5 is actually configured on an interface (which means the NAT outside interface can have a different IP address).

interface GigabitEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
ip address 172.23.120.5 255.255.255.0
ip nat outside
!
ip nat pool DEST 172.23.120.5 172.23.120.5 netmask 255.255.255.0
ip nat inside source list 101 pool DEST overload
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 host 10.10.21.100

Re: NAT to replace the source address

paul driver — Thu, 04 Feb 2021 00:30:06 GMT

Hello
You dont state if that translation address is actually part of you router egress interface or you want to use that address specifically for that translation and then nat all other traffic to the routers interface

Example:
router wan interface =172.23.120.1

specific nat address =172.23.120.5 - this can be any routable address reachable via your wan rtr
access-list 100 permit ip 192.168.0 0 0.0.0.255 host 10.10.21.100

access-list 101 deny ip 192.160.0.0 0.0.0.255 host 10.10.21.100
access-list 101 permit ip 192.168.0.0 0.0.0.255 any

ip nat pool specific-nat 172.13.120.5 172.13.120.5 netmask 255.255.255.240

ip nat inside source list 100 pool specific-nat
ip nat inside source list 101 interface xx (wan interface)

Re: NAT to replace the source address

DriverCiscoPL — Thu, 04 Feb 2021 18:34:40 GMT

Thank you, it works, however I've noticed that I have a loop when I try to ping from any host behind GigabitEthernet0/1 to any host which is behind GigabitEthernet0/0

ping 192.168.0.30
PING 192.168.0.30 (192.168.0.30) 56(84) bytes of data.
64 bytes from 172.23.120.5: icmp_seq=1 ttl=127 time=1.97 ms
From 172.23.120.4: icmp_seq=2 Redirect Host(New nexthop: 172.23.120.5)
64 bytes from 172.23.120.5: icmp_seq=2 ttl=127 time=0.749 ms
64 bytes from 172.23.120.5: icmp_seq=3 ttl=127 time=0.544 ms
64 bytes from 172.23.120.5: icmp_seq=4 ttl=127 time=0.506 ms

traceroute 192.168.0.30
traceroute to 192.168.0.30 (192.168.0.30), 30 hops max, 40 byte packets
1 (172.23.120.5) 5.094 ms 5.342 ms 5.905 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 *

Re: NAT to replace the source address

Georg Pauwen — Thu, 04 Feb 2021 21:34:18 GMT

Hello,

it is not a loop. The traffic just gets stuck. The NAT only works when traffic is initiated from the inside.

Re: NAT to replace the source address

DriverCiscoPL — Thu, 04 Feb 2021 21:56:32 GMT

Hello,

What can I do to be able to initiate traffic from outside to inside?

Maybe route the packet with 172.23.120.5 to null0 ?

Re: NAT to replace the source address

paul driver — Thu, 04 Feb 2021 22:57:58 GMT

Hello
FYI - You shouldn’t be able to ping an ip address that resides on the nat inside network from a nat outside ip address?

The whole idea about nat it to “hide” an network meaning the outside network shouldn’t be aware of the inside lan subnet - hence why the lan is 99% non routable addressing.

If you want a particular outside host to reach a particular inside ip address then you need to perform static 1-1 nat/pat