topic Re: NAT Overlapping Networks in Network Security

NAT Overlapping Networks

phillipmoore1 — Mon, 11 Mar 2019 20:30:21 GMT

I know this subject is all over the place but I cannot find one that matches my scenario exactly. I have 3 (or more) networks all with the same subnet that need to access a central NAS. There is no external network here it is all standalone, but I figured I would put the NAS on the WAN of the outtermost router. I know I can do this with 4 cheap linksys routers.

My main questions are:

1) Can I do this with a single cisco device using NAT to replace all the routers in the dotted red area.

2) If so does anyone have a recomendation/model on a device?

Diagram is below:

Please forgive me if my terminology / diagrams are not exact, I am pretty new at this.

Re: NAT Overlapping Networks

Roman Rodichev — Fri, 06 May 2011 15:00:45 GMT

You could do this with any Cisco router running advanced IP services feature set, such as 1800, 1900, 2800, 2900, etc. Do your switches support trunking and vlans? You will probably need to connect switches together on separate VLANs and then have one trunk interface to your router. I say this because these routers will only have two (1841, 1900, 2800, 2901) or three ethernet interfaces (2911>). Otherwise you can get additional ethernet interfaces with HWIC-4ESW, HWIC-1FE, HWIC-2FE. Make sure it's supported by the router model you get.

The feature to use would be VRF NAT. You must use VRFs as IOS won't allow you to have the same IP subnet on more than one interface without VRFs. In your case you would put three 192.168.x.x/16 interfaces into individual VRFs and leave NAS interface in a global VRF. These interfaces don't necessary have to be physical interface, and could be subinterfaces with 802.1q encapsulation all running on a single physical interface as I mentioned in the first paragraph. The configuration would look like this:

ip vrf LAN1

rd 1:1

ip vrf LAN2

rd 2:2

ip vrf LAN3

rd 3:3

int fas0/0

no shut

int fas0/0.10

ip vrf forwarding LAN1

encapsulation dot1q 10

ip address 192.168.0.1 255.255.0.0

ip nat inside

int fas0/0.20

ip vrf forwarding LAN2

encapsulation dot1q 20

ip address 192.168.0.1 255.255.0.0

ip nat inside

int fas0/0.30

ip vrf forwarding LAN3

encapsulation dot1q 30

ip address 192.168.0.1 255.255.0.0

ip nat inside

int fas0/0.40 (or fas0/1)

ip address 192.130.0.1 255.255.0.0

ip nat outside

access-list 1 permit any

ip nat inside source list 1 interface fas0/0.40 vrf LAN1 overload

ip nat inside source list 1 interface fas0/0.40 vrf LAN2 overload

ip nat inside source list 1 interface fas0/0.40 vrf LAN3 overload

ip route vrf LAN1 0.0.0.0 0.0.0.0 fas0/0.40

ip route vrf LAN2 0.0.0.0 0.0.0.0 fas0/0.40

ip route vrf LAN3 0.0.0.0 0.0.0.0 fas0/0.40

Re: NAT Overlapping Networks

phillipmoore1 — Mon, 09 May 2011 12:15:23 GMT

Thank you, I actually have a 2811 with a NM-16ESW etherswitch module that adds 16 ports to it. I noticed the ones you posted were WAN interface cards not etherswitch modules, will that make a difference?

If not then I will give it a try and let you know.

Re: NAT Overlapping Networks

Roman Rodichev — Mon, 09 May 2011 13:25:43 GMT

Shouldn't make a difference. Instead of Fas0/0.x interfaces you will use VLANx interfaces.

Re: NAT Overlapping Networks

phillipmoore1 — Mon, 23 May 2011 19:50:25 GMT

Sorry it took so long to get back but I am trying it out now and it seems to be hanging up when trying to mount the nas to both networks. I do have one configuration line that looks important that I could not add in there. "encapsulation ..." I change the fas0/0.10 to VLAN10 . Should it be something like int VLAN10.10. Also I did change the picture a little by not putting hte nas on the fas0.0 interface I thought I would try to just use one of the FastEthernet ports, maybe that was wrong. Snippit of config is below

ip vrf LAN1

rd 1:1

ip vrf LAN2

rd 2:2

ip vrf LAN3

rd 3:3

interface FastEthernet1/0

description "THIS GOES TO THE NAS"
switchport access vlan 40
spanning-tree portfast
!

interface FastEthernet1/1
switchport access vlan 10
spanning-tree portfast
!

interface FastEthernet1/2
switchport access vlan 20
spanning-tree portfast

!
interface FastEthernet1/3
switchport access vlan 30
spanning-tree portfast
!

int VLAN10

ip vrf forwarding LAN1

encapsulation dot1q 10 <---------------This line failed to get added.

ip address 192.168.0.1 255.255.0.0

ip nat inside

int VLAN20

ip vrf forwarding LAN2

encapsulation dot1q 20 <---------------This line failed to get added.

ip address 192.168.0.1 255.255.0.0

ip nat inside

int VLAN30

ip vrf forwarding LAN3

encapsulation dot1q 30 <---------------This line failed to get added.

ip address 192.168.0.1 255.255.0.0

ip nat inside

ip nat inside source list 1 interface VLAN40 vrf LAN1 overload

ip nat inside source list 1 interface VLAN40 vrf LAN2 overload

ip nat inside source list 1 interface VLAN40 vrf LAN3 overload

ip route vrf LAN1 0.0.0.0 0.0.0.0 VLAN40 0.0.0.0

ip route vrf LAN2 0.0.0.0 0.0.0.0 VLAN40 0.0.0.0

ip route vrf LAN3 0.0.0.0 0.0.0.0 VLAN40 0.0.0.0

Re: NAT Overlapping Networks

Roman Rodichev — Mon, 23 May 2011 22:11:35 GMT

you don't need those commands because you are already using VLAN interfaces. VLAN number matches vlan number on the physical interface. You have switched interface card. If you used routed interfaces on the router, then you would use my config. You are ok.

In your configuration below, I don't see VLAN 40 interface, and how that connects physically.

Re: NAT Overlapping Networks

phillipmoore1 — Tue, 24 May 2011 17:29:13 GMT

I switched my NAS to be back on the external interface since that matched my initial diagram (I dont know if it matters). My full config is below: With this config I dont see where I map what address get nat'd to what, maybe it does not matter.

from system1 (192.168.110.20) I can ping my NAS (192.130.0.99) but when I try to map a drive using nfs I get RPC timeout. I them checked the nat translations and they do not look correct to me. see below.

show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 192.130.0.1:32835 192.168.110.20:32835 147.159.50.99:111 147.159.50.99:111
icmp 192.130.0.1:731 192.168.110.20:731 192.130.0.99:731 192.130.0.99:731
udp 192.130.0.1:32831 192.168.110.20:32831 192.130.0.99:111 192.130.0.99:111
udp 192.130.0.1:32832 192.168.110.20:32832 147.159.50.99:111 147.159.50.99:111
udp 192.130.0.1:32833 192.168.110.20:32833 192.130.0.99:111 192.130.0.99:111

Any Ideas?

config:

-------------------------------------------------------------------------------------------

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
ip vrf LAN1
rd 1:1
!
ip vrf LAN2
rd 2:2
!
ip vrf LAN3
rd 3:3
!
!
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
!
!
archive
log config
hidekeys
!
!
interface FastEthernet0/0
ip address 192.130.0.1 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
shutdown
!
interface FastEthernet1/1
switchport access vlan 10
!
interface FastEthernet1/2
switchport access vlan 20
!
interface FastEthernet1/3
switchport access vlan 30
!
interface FastEthernet1/4
shutdown
!
interface FastEthernet1/5
shutdown
!
interface FastEthernet1/6
shutdown
!
interface FastEthernet1/7
shutdown
!
interface FastEthernet1/8
shutdown
!
interface FastEthernet1/9
shutdown
!
interface FastEthernet1/10
shutdown
!
interface FastEthernet1/11
shutdown
!
interface FastEthernet1/12
shutdown
!
interface FastEthernet1/13
shutdown
!
interface FastEthernet1/14
shutdown
!
interface FastEthernet1/15
shutdown
!
interface Vlan1
no ip address
!
interface Vlan10
ip vrf forwarding LAN1
ip address 192.168.0.1 255.255.0.0
ip nat inside
ip virtual-reassembly
!
interface Vlan20
ip vrf forwarding LAN2
ip address 192.168.0.1 255.255.0.0
ip nat inside
ip virtual-reassembly
!
interface Vlan30
ip vrf forwarding LAN3
ip address 192.168.0.1 255.255.0.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route vrf LAN1 0.0.0.0 0.0.0.0 FastEthernet0/0 0.0.0.0
ip route vrf LAN2 0.0.0.0 0.0.0.0 FastEthernet0/0 0.0.0.0
ip route vrf LAN3 0.0.0.0 0.0.0.0 FastEthernet0/0 0.0.0.0
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0/0 vrf LAN1 overload
ip nat inside source list 1 interface FastEthernet0/0 vrf LAN2 overload
ip nat inside source list 1 interface FastEthernet0/0 vrf LAN3 overload
!
access-list 1 permit any
!
control-plane

!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end

Re: NAT Overlapping Networks

Roman Rodichev — Tue, 24 May 2011 19:56:11 GMT

Configuration looks good and translations look good. Traffic is getting translated to the outside IP on the Fas0/0 interface.

I don't think NFS supports NAT

Re: NAT Overlapping Networks

phillipmoore1 — Thu, 26 May 2011 14:37:50 GMT

Something is still wrong though if I try to connect to the web server on the NAS it works from one but not the other.

I turn on ip nat debugging and I see both networks are getting natted to the same ip address.

Ping from network 1

*May 26 14:32:17.663: NAT: s=192.168.110.20->192.130.0.1, d=192.130.0.99 [20599]
*May 26 14:32:17.663: NAT*: s=192.130.0.99, d=192.130.0.1->192.168.110.20 [60203]

Ping from network 2 (immediatly after)

*May 26 14:32:27.207: NAT: s=192.168.110.20->192.130.0.1, d=192.130.0.99 [35398]
*May 26 14:32:27.211: NAT*: s=192.130.0.99, d=192.130.0.1->192.168.110.20 [60204]

I would have thought network 1 would get natted to some address like 192.130.0.1 and network 2 would get nated to 192.130.0.2.

I tried to add something like the following:

ip nat pool mynat 192.130.0.1 192.130.0.254 netmask 255.255.255.0

ip nat inside source list 1 pool mynat

This didnt change anything am i missing something?

I also turn on ip debugging and I am seeing this: Note the encapsulation failed at the bottom.

---------------------------------------------------------------------------------------------------------------------------------------------

*May 26 12:58:39.917: IP: s=192.168.110.20 (Vlan20), d=147.159.50.99, len 84, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0,
fwdchk FALSE
*May 26 12:58:39.917: IP: s=192.168.110.20 (Vlan20), d=147.159.50.99, len 84, input feature, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE
, mtu 0, fwdchk FALSE
*May 26 12:58:39.917: IP: s=192.168.110.20 (Vlan20), d=147.159.50.99, len 84, input feature, Virtual Fragment Reassembly After IPSec Decryption(32), rtype 0, foru
s FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 26 12:58:39.917: IP: s=192.168.110.20 (Vlan20), d=147.159.50.99, len 84, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FA
LSE
*May 26 12:58:39.917: IP: tableid=2, s=192.168.110.20 (Vlan20), d=147.159.50.99 (FastEthernet0/0), routed via RIB
*May 26 12:58:39.921: IP: s=192.168.110.20 (Vlan20), d=147.159.50.99 (FastEthernet0/0), len 84, output feature, CCE Output Classification(5), rtype 1, forus FALSE
, sendself FALSE, mtu 0, fwdchk FALSE
*May 26 12:58:39.921: NAT: s=192.168.110.20->192.130.0.1, d=147.159.50.99 [9997]
*May 26 12:58:39.921: IP: s=192.130.0.1 (Vlan20), d=147.159.50.99 (FastEthernet0/0), len 84, output feature, Post-routing NAT Outside(17), rtype 1, forus FALSE, s
endself FALSE, mtu 0, fwdchk FALSE
*May 26 12:58:39.921: IP: s=192.130.0.1 (Vlan20), d=147.159.50.99 (FastEthernet0/0), len 84, output feature, Stateful Inspection(20), rtype 1, forus FALSE, sendse
lf FALSE, mtu 0, fwdchk FALSE
*May 26 12:58:39.921: IP: s=192.130.0.1 (Vlan20), d=147.159.50.99 (FastEthernet0/0), g=147.159.50.99, len 84, forward
*May 26 12:58:39.921: IP: s=192.130.0.1 (Vlan20), d=147.159.50.99 (FastEthernet0/0), len 84, encapsulation failed

---------------------------------------------------------------------------------------------------------------------------------------------

Re: NAT Overlapping Networks

phillipmoore1 — Thu, 26 May 2011 15:58:39 GMT

I got it working. Thanks so much for your help, I would not have gotten close without ya. It seems that I had to have each vlan nat'd to a pool instead of a diret interface. NOTE: This config file has to be tftp'd because the line "ip route vrf LAN1 0.0.0.0 0.0.0.0 FastEthernet0/0 0.0.0.0" gets saved as "ip route vrf LAN1 0.0.0.0 0.0.0.0 FastEthernet0/0" when you use config t but it needs the 0.0.0.0 on the end. I dont know if this is a bug in the IOS or not.

thanks

- Phillip

--------------------------------------------------------------------------------------------------------------------------------

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
ip vrf LAN1
rd 1:1
!
ip vrf LAN2
rd 2:2
!
ip vrf LAN3
rd 3:3
!
interface FastEthernet0/0
ip address 192.130.0.1 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
shutdown
!
interface FastEthernet1/1
switchport access vlan 10
!
interface FastEthernet1/2
switchport access vlan 20
!
interface FastEthernet1/3
switchport access vlan 30
!
!
interface Vlan1
no ip address
!
interface Vlan10
ip vrf forwarding LAN1
ip address 192.168.0.1 255.255.0.0
ip nat inside
ip virtual-reassembly
!
interface Vlan20
ip vrf forwarding LAN2
ip address 192.168.0.1 255.255.0.0
ip nat inside
ip virtual-reassembly
!
interface Vlan30
ip vrf forwarding LAN3
ip address 192.168.0.1 255.255.0.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route vrf LAN1 0.0.0.0 0.0.0.0 FastEthernet0/0 0.0.0.0
ip route vrf LAN2 0.0.0.0 0.0.0.0 FastEthernet0/0 0.0.0.0
ip route vrf LAN3 0.0.0.0 0.0.0.0 FastEthernet0/0 0.0.0.0
no ip http server
no ip http secure-server
!
!
ip nat pool net1 192.101.0.0 192.101.0.254 netmask 255.255.0.0
ip nat pool net2 192.102.0.0 192.102.0.254 netmask 255.255.0.0
ip nat pool net3 192.103.0.0 192.103.0.254 netmask 255.255.0.0
ip nat inside source list 1 pool net1 vrf LAN1 overload
ip nat inside source list 1 pool net2 vrf LAN2 overload
ip nat inside source list 1 pool net3 vrf LAN3 overload
!
access-list 1 permit any
!
control-plane
!
end

Re: NAT Overlapping Networks

phillipmoore1 — Thu, 26 May 2011 16:52:18 GMT

Well I rebooted the router and now it does not work. I copied the config before I rebooted but it all looks the same. I am not getting the errors I posted before but seems that I had something like a route or something that made it work....now I just need to figure out what.

Re: NAT Overlapping Networks

Roman Rodichev — Thu, 26 May 2011 17:12:23 GMT

Phillip,

you can certainly overload to an interface and don't need pools. You can have all three networks overload PAT to the same interface IP. If you look at the translation table, it shows vrf for each entry, so it knows how to untranslate the global port to a local port and which VRF to send that traffic back to. So that's not a problem for sure. By the way, in your configuraiton, you are PATing ONLY to the first IP in the pool because you are still using "overload" command, which means PAT (instead of NAT). If you remove overload command, then each client will get a new IP from the pool.

You might be having an issue with that static route. Static VRF routes that use to leak traffic from VRF interface to global interface indeed need both the interface and next-hop specified. Try specifying the next-hop as the IP of the outside interface. Let me know if that works.

Roman

Re: NAT Overlapping Networks

phillipmoore1 — Fri, 27 May 2011 03:04:49 GMT

Awesome!! That did it.

I changed my ip route lines to look like "ip route vrf LAN1 0.0.0.0 0.0.0.0 FastEthernet0/0 192.130.0.99"

I also removed the overlay option on the ip nat lines.

Rebooted the router and all works great. I really appreciate all the help. I cannot tell you how many times I was told this will not work with a single device. Thanks for sticking through it with me.

- Phillip