
nat problem

yi-chen
Level 1

When an inside server gets statically translated to an inside global address, can I use the global address to access the server from an inside host?

It seems not to work.

I wonder how Cisco NAT processes this.

Thanks

2 Replies

yi-chen
Level 1

Detailed configuration:

    interface Ethernet0
     ip address 192.168.1.8 255.255.255.224
     ip nat inside
    !
    interface Ethernet1
     ip address 172.16.5.225 255.255.255.0
     ip nat outside
    !
    ip nat inside source list 9 interface Ethernet1 overload
    ip nat inside source static tcp 192.168.1.11 23 interface Ethernet1 1500
    !
    access-list 9 permit 192.168.1.0 0.0.0.255

It will not work.

For NAT to work, a packet has to transit through both an inside and an outside interface. The only way to make it work is to use a loopback interface as NAT outside, policy route the traffic for your inside translated host out of that interface, and add a further NAT translation of the loopback.

Mechanics:

The TCP packet addressed to 172.16.5.225 port 1500 (which is the Eth1 address that translates to 192.168.1.11 port 23), when it comes in from Eth0 (route map matching source interface and destination IP), is routed to Loopback 1 and, since it goes out of an ip nat outside interface, is translated.

Then it comes back in from the same interface (it is a loopback) and, since it is still an ip nat outside interface, it can be translated to whatever we want.

Then standard routing applies.

You will need an IP plus image to support policy routing.

Ensure there is enough CPU to handle the forecasted level of traffic between the two natting interfaces at ethernet speed (eth0 and loopback), without affecting router performance.

Fabio Sardone
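
The rule described in the reply above, as an added example that is not part of the original thread and is not IOS code: a simplified Python model of the static port entry from the posted configuration, showing that the destination is rewritten only for packets arriving on an `ip nat outside` interface. The client addresses 192.168.1.20 and 172.16.5.10, the name `Loopback1`, and the `hairpin` flag standing in for the policy route are assumptions; source translation and return traffic are not modelled.

```python
from dataclasses import dataclass, replace

# NAT role of each interface; Loopback1 is the extra outside interface
# proposed in the reply (name assumed for this example).
ROLE = {"Ethernet0": "inside", "Ethernet1": "outside", "Loopback1": "outside"}
ROUTER_ADDRS = {"192.168.1.8", "172.16.5.225"}
# ip nat inside source static tcp 192.168.1.11 23 interface Ethernet1 1500
STATIC = {("172.16.5.225", 1500): ("192.168.1.11", 23)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def ingress_nat(pkt, ingress):
    """Rewrite the destination only for packets arriving on an outside interface."""
    hit = STATIC.get((pkt.dst, pkt.dport))
    if hit and ROLE[ingress] == "outside":
        return replace(pkt, dst=hit[0], dport=hit[1])
    return pkt


def route(pkt):
    """Toy routing table: the router's own addresses, the inside LAN, everything else."""
    if pkt.dst in ROUTER_ADDRS:
        return "router"
    return "Ethernet0" if pkt.dst.startswith("192.168.1.") else "Ethernet1"


def deliver(pkt, ingress, hairpin=False):
    """Return (packet, destination) after one trip through the modelled router."""
    if hairpin and ROLE[ingress] == "inside" and (pkt.dst, pkt.dport) in STATIC:
        # Policy route: sent out Loopback1, so the packet re-enters the
        # router on that same outside interface.
        ingress = "Loopback1"
    pkt = ingress_nat(pkt, ingress)
    return pkt, route(pkt)


if __name__ == "__main__":
    outside = Packet("172.16.5.10", "172.16.5.225", 1500)   # constructed
    inside = Packet("192.168.1.20", "172.16.5.225", 1500)   # constructed
    print(deliver(outside, "Ethernet1"))
    print(deliver(inside, "Ethernet0"))
    print(deliver(inside, "Ethernet0", hairpin=True))
```
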