An IP NAT puzzle...

jwjacks
Level 1

I would like to replicate an existing NAT configuration of a Netscreen firewall with a Cisco router. At first I thought no problem! But it seems that my brain is cramping up a bit.

In a nutshell, I would like to have devices on two separate LANs share a target print server with the use of NATing.

So… we have one router with three interfaces…

Vlan100 for the trusted users (good guys) with address 1.1.1.1/24

Vlan800 for the un-trusted users (bad guys) with address 10.1.1.1/24

Vlan600 for the isolated print server with address 192.168.1.1/24

The print server will have address 192.168.1.10 and I would like to have two virtual addresses of 1.1.1.10 and 10.1.1.10 on the router to be NATed to the print server.

So if we TAG VLAN 600 as inside and the other two VLANS as outside I then would expect to have two inside global addresses (1.1.1.10 and 10.1.1.10) that would overload to the one inside local address of 192.168.1.10. My expectation is that the print server would NOT be able to initiate any connections.

The router would not let me place two static NATs to the same address. It would be nice to have a static overload option for me to do this. For the life of me I am having a hard time configuring this with the various dynamic NAT schemes. What would be the best way to get this done?

Thanks in advance!

JJ

10 Replies

attrgautam
Level 5

Can you try this? You can try ip nat outside with route maps like this:

ip nat outside source route-map test1 pool pool1

ip nat outside source route-map test2 pool pool2

where you can specify the source IPs in test1 and test2 using match address, and you can specify the IP to be NATed in the pool.

Do try this; it may work.

I tried the above methods with no luck. Understand that I am trying to change the destination address and not the source address as things flow toward the print server. The print server will not be able to initiate any connections.

A simple static map of...

ip nat inside source static 192.168.1.10 10.1.1.10

would work for the untrusted folks only. But I am unable to add another static for the trusted users.

So I am still perplexed.

Thanks

JJ

When you try to access the server, did you see any NAT translations? Could you please paste the config if possible? It may help.

Regards

Hey guys,

I am new to these concepts; please explain my doubts on this.

1) What would be the default gateways for the two LANs? Are you implementing this using secondary IP addressing?

2) Static NAT, according to textbooks, is a one-to-one mapping, so how is it possible to map it to two different IP addresses?

3) Is it possible for a NAT pool to have discontinuous IP addresses?

Thanks and regards

Hari

1) The default gateway for the LANs will be the IP on the VLAN interface.

2) You can map to different addresses using Route-maps.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ftnatrt.htm Refer to the site for more info.

3) It is not possible for a NAT pool to have discontinuous IPs, as you always specify starting and ending IPs.

HTH

The print server on VLAN 600 will use 192.168.1.1 as its default gateway. The users on VLAN 100 and 800 will NOT use this router as a default gateway. I am expecting the router to reply to an ARP for the virtual address being NAT'ed. The static NAT below does this for you. None of the NAT configurations with route-maps seem to do this. Perhaps I need to add static ARP entries with the 'alias' option to do this... I don't know.

The interface configuration...

!

interface Vlan100

description Good guys

ip address 1.1.1.1 255.255.255.0

ip nat outside

!

interface Vlan600

description The print server

ip address 192.168.1.1 255.255.255.0

ip nat inside

!

interface Vlan800

description Bad guys

ip address 10.1.1.1 255.255.255.0

ip nat outside

!

This static NAT works from the 'Bad guy' interface...

ip nat inside source static 192.168.1.10 10.1.1.10

I am unable to add another static MAP for the 'Good guys' such as...

ip nat inside source static 192.168.1.10 1.1.1.10

as this will return...

% 192.168.1.10 already mapped (192.168.1.10 -> 10.1.1.10)

Other stuff in the config that I have used in other NAT configurations...

!

ip nat pool PrintServer1 192.168.1.10 192.168.1.10 prefix-length 24

!

ip access-list standard badguys

permit 10.1.0.0 0.0.255.255

ip access-list standard goodguys

permit 1.1.0.0 0.0.255.255

!

access-list 1 permit 1.1.1.10

access-list 10 permit 10.1.1.10

!

route-map badguys-net permit 10

match ip address badguys

!

route-map goodguys-net permit 10

match ip address goodguys

!

I have tried many variations of using dynamic NAT with no luck.

Any help is appreciated.

Thanks

JJ
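Added example (editor's, not from the original thread or from anyone in it): the "% 192.168.1.10 already mapped" error above is IOS refusing an ambiguous static translation, and the keyword that permits ambiguous statics (same inside local address, different inside global addresses) is extendable. The interfaces, addresses and 192.168.1.10 are the poster's; the ACL names (TO-PRINT-GOOD, TO-PRINT-BAD, FROM-PRINT) and the assumed print ports (LPD 515, IPP 631, raw 9100) are illustrative, and the availability of extendable on the poster's IOS release is an assumption (check with "ip nat inside source static ?"). Two caveats a practitioner would want that the thread does not spell out: a static translation is bidirectional, so NAT alone does not stop the print server from initiating connections outward; the inbound ACL on Vlan600 enforces that policy. And a plain address translation exposes every port on 1.1.1.10 and 10.1.1.10, so the ACLs on the two outside interfaces restrict what reaches the server to the print protocols.

```cisco
! Added example, not the poster's config. Interfaces and addresses are
! from the thread; ACL names and the port list are assumptions.
! The "extendable" keyword is assumed to be available on this IOS release.
!
interface Vlan100
 description Good guys
 ip address 1.1.1.1 255.255.255.0
 ip access-group TO-PRINT-GOOD in
 ip nat outside
!
interface Vlan800
 description Bad guys
 ip address 10.1.1.1 255.255.255.0
 ip access-group TO-PRINT-BAD in
 ip nat outside
!
interface Vlan600
 description The print server
 ip address 192.168.1.1 255.255.255.0
 ip access-group FROM-PRINT in
 ip nat inside
!
! Two statics for one inside local address. Without "extendable" the second
! line fails with "% 192.168.1.10 already mapped". With it, IOS keeps both
! and creates full (address + port) entries per connection, so the server's
! replies go back out through whichever global address the client used.
ip nat inside source static 192.168.1.10 1.1.1.10 extendable
ip nat inside source static 192.168.1.10 10.1.1.10 extendable
!
! Outside interfaces: inbound ACLs are checked before NAT, so they match
! the global (virtual) address. Only print protocols reach the server.
ip access-list extended TO-PRINT-GOOD
 permit tcp 1.1.1.0 0.0.0.255 host 1.1.1.10 eq 515
 permit tcp 1.1.1.0 0.0.0.255 host 1.1.1.10 eq 631
 permit tcp 1.1.1.0 0.0.0.255 host 1.1.1.10 eq 9100
 permit icmp 1.1.1.0 0.0.0.255 host 1.1.1.10 echo
 deny   ip any any log
!
! Untrusted side gets an even shorter list (assumed: raw port 9100 only).
ip access-list extended TO-PRINT-BAD
 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.10 eq 9100
 deny   ip any any log
!
! Inside interface: static NAT is bidirectional, so only return traffic
! may leave Vlan600. The server cannot open new connections to either VLAN.
ip access-list extended FROM-PRINT
 permit tcp host 192.168.1.10 any established
 permit icmp host 192.168.1.10 any echo-reply
 deny   ip any any log
!
! Checks after a client prints:
!   show ip nat translations    - one static line per global address, plus
!                                 an extended entry for the active session
!   show ip arp                 - 1.1.1.10 and 10.1.1.10 appear as router
!                                 aliases, so clients' ARP gets answered
!   show access-lists           - deny counters show anything unexpected
```

The FROM-PRINT ACL relies on the TCP established keyword (ACK or RST set), which covers LPD, IPP and raw-port printing but would block UDP replies such as SNMP responses; if those are needed, add an explicit permit for them or use a stateful inspection feature rather than widening the ACL. Route-map statics, as in the document linked earlier in the thread, are an alternative when the global address must be chosen on the inside-to-outside path; here that path is blocked anyway, so the plain extendable pair is enough.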

I don't know if you have tried this, but please try this config and let me know if it works. If it doesn't, please show me the NAT translations when you access the printer.

The interface configuration...

!

interface Vlan100

description Good guys

ip address 1.1.1.1 255.255.255.0

ip nat inside

!

interface Vlan600

description The print server

ip address 192.168.1.1 255.255.255.0

ip nat outside

!

interface Vlan800

description Bad guys

ip address 10.1.1.1 255.255.255.0

ip nat inside

!

ip nat outside source route-map badguys-net pool PrintServer1

ip nat outside source route-map goodguys-net pool PrintServer2

ip nat pool PrintServer1 192.168.1.10 192.168.1.10 prefix-length 24

ip nat pool PrintServer2 192.168.1.50 192.168.1.60 prefix-length 24

!

ip access-list standard badguys

permit 10.1.0.0 0.0.255.255

ip access-list standard goodguys

permit 1.1.0.0 0.0.255.255

!

route-map badguys-net permit 10

match ip address badguys

!

route-map goodguys-net permit 10

match ip address goodguys

Regards

I did try this with no luck.

At first I did not see any translations at all. I had to manually add an ARP entry in the client to force the packet toward the router. I also changed the inside/outside settings to VLAN 100 & 800 set as outside and VLAN 600 set as inside.

I end up with a translation with inside local set to 192.168.1.10 and the outside global set to 10.1.1.100 (the client address). Looks like, in this case, I need the outside global set to 192.168.1.10 and the outside local set to 10.1.1.10.

Thanks

JJ

Pro  Inside global   Inside local    Outside local    Outside global
---  ---             ---             192.168.1.10     10.1.1.100

Oops, looks like I am wrong. Ideally I would like to have seen a translation in the outside local and global columns. The NAT outside should be on the bad/good guys VLAN, so I am surprised you don't have any matches in the NAT translation then.

Hi guys,

Just a little thought on this...

1) Rather than trying to create a NAT pool for the print server addresses, why not try creating a pool for the LAN addresses?

2) For this we need to change the IP addresses of the two VLANs (goodguys and badguys) into something which is contiguous, say from 10.10.10.1 to 10.10.10.20, and then segregate the two using a subnet mask (say a 5-bit one, which can give you eight hosts on each).

3) By doing this we can have a contiguous range of IP addresses, which can be used to create a NAT pool and make them inside global.

4) Make the print server VLAN the inside local.

You cannot have more than one IP address mapped statically. I feel the problem lies in the IP addressing part, which is preventing you from making a NAT pool.

Please correct me if I have made an error somewhere.

Regards

Hari.
