1:1 Static NAT for overlapping private IP space

judu (Level 1)

I would like to implement 1:1 static NAT. I am using ISR1100 IOS-XE.

For background (in the attached image):

  • R2 is a third-party router (such as a customer or partner). It has a 192.168.1.0/24 network. It may or may not be connected to the internet (or other networks).
  • R1 is our router providing access to devices in the third-party 192.168.1.0/24 network.
  • R1 is connected to R2's 192.168.1.0/24 network (through the network switch).
  • R1 has an IP 192.168.1.50, but R2 remains the default gateway.
  • A static route is added on R2 to route traffic to us on R1's 192.168.1.50 interface.
  • R1 (our router) connects to a larger network (10.0.0.0/8) through VPN.
  • We can assume the address spaces of different instances of R2 (customer/partner router) overlap globally.

I can successfully ping both directions. 

I will allocate a CIDR block to each R1 instance within the 10.0.0.0/8 network, such as 10.0.0.0/24, making them globally unique and routable.

Due to R2 (customer/partner router) address space not being globally unique, I would like to implement 1:1 static NAT on R1 (our router). There would be between 1 and 3 hosts NAT'd. 

So if there were three hosts in 192.168.1.0/24, I would want to be able to access them using 10.0.0.0/8 addresses as follows:

  • 192.168.1.100 : 10.0.0.50 (this address is flexible; it can be within the 10.0.0.0/24 or a neighboring block)
  • 192.168.1.125 : 10.0.0.51
  • 192.168.1.126 : 10.0.0.52

I have tried the following to achieve 192.168.1.100 : 10.0.0.50. I marked the interface to R2 as ip nat outside and the interface the host 10.0.0.100 was in as ip nat inside. From the router, I could ping 10.0.0.50 after issuing this command, but I could not ping from the host 10.0.0.100 to 10.0.0.50.

    ip nat inside source static 192.168.1.100 10.0.0.50

 

I may put R1's interface to R2 in a separate VRF and use VASI. I am still trying to figure out the best path forward. Here are two links I was reading through about NAT between two different VRFs in IOS-XE.

https://community.cisco.com/t5/security-knowledge-base/nat-with-vrf-ios-vs-ios-xe/ta-p/3156555

https://www.cisco.com/en/US/docs/ios/ios_xe/sec_data_plane/configuration/guide/sec_vasi_vrf_aware_software_infrastructure_ps9587_TSD_Products_Configuration_Guide_Chapter.html

I am thankful for any advice on how to achieve this 1:1 static NAT as described.

Accepted Solution

judu (Level 1)

I have gotten this working! The following article was extremely useful.

https://wax-trax.medium.com/understanding-and-configuring-network-address-translation-nat-for-cisco-ccna-ccnp-and-ccie-7fef92fa654c

Case 12: Overlapping IP subnets (twice NAT)

This use case is most frequently seen during network mergers. Using NAT so that devices with overlapping subnets can achieve bidirectional communications can be very confusing. In the real world, this should be seen as a temporary fix until permanent IP subnets can be reassigned. To demonstrate this, I kept all of the names the same but changed the Remote subnet to 10.1.1.0/24 so it overlaps with Local. Additionally, all static routes from LR and ISP1 have been removed, so no routing is configured anywhere yet.

The previously mentioned static NAT definition remains in place (although modified to use the second NAT option in the image), performing a 1:1 mapping from 10.0.1.50 to 192.168.1.100. I will add additional 1:1 mappings as needed. I also tested out the network mapping, but I prefer the 1:1 for my use case. Both worked well.

    ip nat outside source static 192.168.1.100 10.0.1.50 add-route

A second NAT is necessary to translate the inside. I am using a pool of addresses (it can be much smaller). I intentionally chose not to use PAT overloading, as it is not necessary for my use case.

I found that you MUST use an extended access-list here. The standard one does not work. I will restrict this later.

This will map 10.0.0.100 to 10.0.3.1 (for example) so it can be routed back to R1.

    ip nat pool CUST 10.0.3.1 10.0.3.99 prefix-length 24

    ip access-list extended NAT
     10 permit ip any any
    !
    ip nat inside source list NAT pool CUST

R2's static route will be changed to match the CUST NAT pool:

    ip route 10.0.3.0 255.255.255.0 192.168.1.50
 

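To make the accepted solution's two translations and the add-route keyword concrete, here is an added simulation of R1 (example code written for this page, not the thread's or Cisco's). It models the IOS order of operations (inside-to-outside packets are routed first and translated second; outside-to-inside packets are translated first and routed second), which is why the outside source static entry needs add-route and why inside sources must be mapped into the CUST pool. Addresses are the ones from the thread; the interface names are assumed from the routing-table output posted in the update below, and the "no route" and "pool exhausted" outcomes are this model's simplification of what the router would do.

```python
"""Simulation of the twice-NAT setup from the accepted solution (added example,
not code from the thread or from Cisco).  Models the IOS order of operations:
inside->outside = route, then translate; outside->inside = translate, then route.
Addresses are the thread's; interface names are assumed from its routing table."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Router:
    def __init__(self):
        self.connected = {}      # network -> interface        ("C" routes)
        self.static = {}         # network -> next-hop address ("S" routes)
        self.outside_map = {}    # outside global -> outside local
        self.inside_map = {}     # inside local  -> inside global (dynamic)
        self.pool = []           # free inside-global addresses
        self.outside_iface = None

    # ---- configuration (mirrors the IOS commands in the thread) ----
    def interface(self, name, network, nat_outside=False):
        self.connected[ipaddress.ip_network(network)] = name
        if nat_outside:
            self.outside_iface = name

    def ip_nat_pool(self, first, last):
        lo, hi = (int(ipaddress.ip_address(a)) for a in (first, last))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]

    def ip_nat_outside_source_static(self, outside_global, outside_local, add_route=False):
        self.outside_map[outside_global] = outside_local
        if add_route:  # the /32 host route seen as "S 10.0.0.20/32 via 192.168.1.100"
            self.static[ipaddress.ip_network(outside_local + "/32")] = outside_global

    # ---- routing ----
    def _connected_iface(self, addr):
        ip = ipaddress.ip_address(addr)
        return next((i for n, i in self.connected.items() if ip in n), None)

    def route(self, dst):
        """Longest-prefix match over connected and static routes; None = no route."""
        ip = ipaddress.ip_address(dst)
        best = (-1, None)
        for net, iface in self.connected.items():
            if ip in net and net.prefixlen > best[0]:
                best = (net.prefixlen, iface)
        for net, nh in self.static.items():
            if ip in net and net.prefixlen > best[0] and self._connected_iface(nh):
                best = (net.prefixlen, self._connected_iface(nh))
        return best[1]

    # ---- forwarding ----
    def inside_to_outside(self, pkt):
        """Route, then translate.  Returns (packet, egress) or (None, reason)."""
        egress = self.route(pkt.dst)
        if egress is None:
            return None, "no route"          # dropped before NAT is consulted
        if egress != self.outside_iface:
            return pkt, egress               # inside-to-inside, left untouched
        # destination: outside local -> outside global
        dst = next((g for g, l in self.outside_map.items() if l == pkt.dst), pkt.dst)
        # source: inside local -> inside global, taken from the pool on first use
        src = self.inside_map.get(pkt.src)
        if src is None:
            if not self.pool:
                return None, "pool exhausted"
            src = self.inside_map[pkt.src] = self.pool.pop(0)
        return Packet(src, dst), egress

    def outside_to_inside(self, pkt):
        """Translate, then route.  Returns (packet, egress) or (None, reason)."""
        src = self.outside_map.get(pkt.src, pkt.src)
        dst = next((l for l, g in self.inside_map.items() if g == pkt.dst), None)
        if dst is None:
            return None, "no translation"
        return Packet(src, dst), self.route(dst)

    def translations(self):
        """Rows shaped like 'show ip nat translations': (IG, IL, OL, OG)."""
        rows = [("---", "---", ol, og) for og, ol in self.outside_map.items()]
        rows += [(ig, il, "---", "---") for il, ig in self.inside_map.items()]
        return rows


# R2's only route toward R1: ip route 10.0.3.0 255.255.255.0 192.168.1.50
R2_ROUTE_VIA_R1 = ipaddress.ip_network("10.0.3.0/24")


def build_r1(add_route=True):
    r1 = Router()
    r1.interface("GigabitEthernet0/0", "10.0.0.0/24")
    r1.interface("GigabitEthernet0/2", "10.20.20.0/24")
    r1.interface("GigabitEthernet0/1", "192.168.1.0/24", nat_outside=True)
    r1.ip_nat_pool("10.0.3.1", "10.0.3.99")                    # ip nat pool CUST ...
    r1.ip_nat_outside_source_static("192.168.1.100", "10.0.1.50", add_route)
    return r1


def demo(add_route=True):
    """Host 10.20.20.100 reaches the partner host through its mapped address 10.0.1.50."""
    r1 = build_r1(add_route)
    fwd, egress = r1.inside_to_outside(Packet("10.20.20.100", "10.0.1.50"))
    if fwd is None:
        return {"forward": None, "reason": egress}
    reply = Packet(fwd.dst, fwd.src)             # what the partner host sends back
    back, ingress = r1.outside_to_inside(reply)
    return {"forward": fwd, "egress": egress,
            "r2_routes_reply_to_r1": ipaddress.ip_address(reply.dst) in R2_ROUTE_VIA_R1,
            "reply": back, "reply_egress": ingress, "table": r1.translations()}


if __name__ == "__main__":
    print("without add-route:", demo(add_route=False))
    print("with add-route:   ", demo(add_route=True))
```

Running demo(add_route=False) stops at "no route": the packet to 10.0.1.50 is dropped before NAT because routing happens first, matching the thread's "Gateway of last resort is not set" table. With add-route the packet leaves Gi0/1 as 10.0.3.1 -> 192.168.1.100, R2 can return 192.168.1.100 -> 10.0.3.1 over its single 10.0.3.0/24 route, and R1 untranslates it to 10.0.1.50 -> 10.20.20.100. Security-wise, the model also shows why the permit ip any any ACL deserves the tightening the poster plans: every inside host that routes toward Gi0/1 silently consumes a pool address and becomes reachable from the partner side for the lifetime of that entry.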

6 Replies

judu (Level 1)

Update: I have made some progress.

By adding add-route to the static NAT definition, traffic flows correctly from 10.0.0.100 to 192.168.1.100 using 10.0.0.20.

    ip nat outside source static 192.168.1.100 10.0.0.20 add-route

    R1#show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    --- ---                ---                10.0.0.20          192.168.1.100
    icmp 10.0.0.100:20     10.0.0.100:20      10.0.0.20:20       192.168.1.100:20
    tcp 10.0.0.100:53100   10.0.0.100:53100   10.0.0.20:22       192.168.1.100:22

    Gateway of last resort is not set

          10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
    C        10.0.0.0/24 is directly connected, GigabitEthernet0/0
    L        10.0.0.1/32 is directly connected, GigabitEthernet0/0
    S        10.0.0.20/32 [1/0] via 192.168.1.100
    C        10.20.20.0/24 is directly connected, GigabitEthernet0/2
    L        10.20.20.1/32 is directly connected, GigabitEthernet0/2
          192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.1.0/24 is directly connected, GigabitEthernet0/1
    L        192.168.1.50/32 is directly connected, GigabitEthernet0/1

Packet capture on the wire from Host-10.0.0.100 <-> R1-10.0.0.1:

    Frame 1: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
    Ethernet II, Src: RealtekU_00:4c:31 (52:54:00:00:4c:31), Dst: RealtekU_1a:9b:b1 (52:54:00:1a:9b:b1)
    Internet Protocol Version 4, Src: 10.0.0.101, Dst: 10.0.0.20
    Internet Control Message Protocol

Packet capture on the wire from R1-192.168.1.50 <-> R2-192.168.1.1:

    Frame 1: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
    Ethernet II, Src: RealtekU_1c:2a:aa (52:54:00:1c:2a:aa), Dst: RealtekU_05:82:6c (52:54:00:05:82:6c)
    Internet Protocol Version 4, Src: 10.0.0.101, Dst: 192.168.1.100
    Internet Control Message Protocol

The destination address has been translated from 10.0.0.20 to 192.168.1.100.

Now I just need to figure out how to translate the source address to enable other 10.0.0.0/8 networks to communicate over the NAT link. In this packet capture on the wire from Host-10.20.20.100 <-> R1-10.20.20.1, the host is pinging 10.0.0.20:

    Frame 2: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
    Ethernet II, Src: RealtekU_0c:73:b9 (52:54:00:0c:73:b9), Dst: RealtekU_18:78:e5 (52:54:00:18:78:e5)
    Internet Protocol Version 4, Src: 10.20.20.100, Dst: 10.0.0.20
    Internet Control Message Protocol

In the packet capture on the wire from R1-192.168.1.50 <-> R2-192.168.1.1, the source 10.20.20.100 needs to be translated in order for the reply packet to be routable back to R1:

    Frame 8: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
    Ethernet II, Src: RealtekU_1c:2a:aa (52:54:00:1c:2a:aa), Dst: RealtekU_05:82:6c (52:54:00:05:82:6c)
    Internet Protocol Version 4, Src: 10.20.20.100, Dst: 192.168.1.100
    Internet Control Message Protocol

Same link I shared.

Glad your issue is solved.

Have a nice day.

MHM

I appreciate your assistance; however, these links are not the same.

 

It is the same, but you are missing this part, I think.
IP NAT INSIDE and IP NAT OUTSIDE is the trick here. You are smart and faster than me, so you got the solution at the same time I shared the link.
What is important here is that the issue is solved.

Screenshot (38).png