Solved: Re: 6 IPS to public address in Cisco Packet Tracer

aradionovs · ‎06-05-2022

Hi there,

I am trying to implement a network topology in Cisco packet tracer.

I am using 2811 Cisco routers with GLC-LH-SMD ports for a fiver connection.

I have got 6 connections from router to other routers across network.

I want to translate all these IP addresses to one IP address, but for some reason it doesn't work.

I have connected 192.168.2.128/30, 192.168.2.132/30, 192.168.2.136/30, 192.168.2.140/30, 192.168.2.144/30, 192.168.2.148/30 networks and want to translate to one public ip - 180.33.78.45/24.

Other network has the same topology, but public ip - 180.33.78.44/24. My idea is to achieve that I can send prom one pc in network 1, get the ip translated, received this on the receiver side, and the received IP translate again to private.

Any thoughts how to achieve this?
Thank you

Flavio Miranda · ‎06-05-2022

Hi

Exactly how you are trying to do I dont believe it is possible. If I understood right, you have the same range of networks on the right and on the left. Then you might think that you may trasnlate do 1 ip address, send to the other side, and then get the response back.

But here we have the first problem. When you try to reach the other side, you are actually not going to the other side as you have the same network. There´s no reason to the router send the packet to the other side if it knows that network already on the same side.

About convert many address it not a problem as you can use an Access List with a broader mask. For example, you have

192.168.1.0, 192.168.2.0, 192.168.3.0

then on the access list you can use 192.168.0.0 255.255.0.0

The problem is, as mentioned, the router has no reason to send the packet to the other side.

What real companies do in this situation is to use an "representative" ip range. For example, you have 192.168.1.10 on the left side and you have 192.168.1.10 on the right side. But, you need them both to communicate.

Then, you use a different IP address that will represent on side.

In my file, I choose 172.16.1.10. Which means, when the left side ping 172.16.1.10, it is actually ping 192.168.1.10 on the right side.

This way I can trick the router and convince him to send my packet to the other side. Then, the NAT take place and the packet hits the destination which is my goal.

If you test, from my file, on the machine PC8(8), you can ping the other side:

C:\>ping 172.16.1.10




Pinging 172.16.1.10 with 32 bytes of data:




Reply from 172.16.1.10: bytes=32 time=10ms TTL=123

Reply from 172.16.1.10: bytes=32 time=10ms TTL=123

Reply from 172.16.1.10: bytes=32 time=7ms TTL=123

Reply from 172.16.1.10: bytes=32 time=10ms TTL=123




Ping statistics for 172.16.1.10:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 7ms, Maximum = 10ms, Average = 9ms




And you can check that the NAT worked:




Router#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

icmp 172.16.1.10:36 192.168.2.116:36 172.16.1.10:36 172.16.1.10:36

icmp 172.16.1.10:37 192.168.2.116:37 172.16.1.10:37 172.16.1.10:37

This IP 172.16.1.10 represent some IP address on the other side. On this case 192.168.1.116.

Where does I defined it?

On the

ip nat pool

I can do overload, which means, I dont care who is going to answer as long as it answer, or I can do a static map and match each 172.168.1.x to some 192.168.1.x on the other side.

I really hope you understood my explanation but if you dont, please, just ask.

View solution in original post

Flavio Miranda · ‎06-05-2022

Thats correct. You can represent many networks by playing with mask bits. As long as they are in the same range like 192.x.x.x.

View solution in original post

MHM Cisco World · ‎06-05-2022

with respect to Mr.@Flavio Miranda mention
you can do that in this way

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13774-3.html

View solution in original post

Flavio Miranda · ‎06-05-2022

Hi

Looks like possible but would be nice to see the topology

Can you share the PacketTracer file?

Zip it first.

aradionovs · ‎06-05-2022

Dear Flavio

Thanks for replying.

I have attached a zipped topology.

I am trying to solve this for so long, and I can't for some reason.

Thank you

Flavio Miranda · ‎06-05-2022

Hi

Exactly how you are trying to do I dont believe it is possible. If I understood right, you have the same range of networks on the right and on the left. Then you might think that you may trasnlate do 1 ip address, send to the other side, and then get the response back.

But here we have the first problem. When you try to reach the other side, you are actually not going to the other side as you have the same network. There´s no reason to the router send the packet to the other side if it knows that network already on the same side.

About convert many address it not a problem as you can use an Access List with a broader mask. For example, you have

192.168.1.0, 192.168.2.0, 192.168.3.0

then on the access list you can use 192.168.0.0 255.255.0.0

The problem is, as mentioned, the router has no reason to send the packet to the other side.

What real companies do in this situation is to use an "representative" ip range. For example, you have 192.168.1.10 on the left side and you have 192.168.1.10 on the right side. But, you need them both to communicate.

Then, you use a different IP address that will represent on side.

In my file, I choose 172.16.1.10. Which means, when the left side ping 172.16.1.10, it is actually ping 192.168.1.10 on the right side.

This way I can trick the router and convince him to send my packet to the other side. Then, the NAT take place and the packet hits the destination which is my goal.

If you test, from my file, on the machine PC8(8), you can ping the other side:

C:\>ping 172.16.1.10




Pinging 172.16.1.10 with 32 bytes of data:




Reply from 172.16.1.10: bytes=32 time=10ms TTL=123

Reply from 172.16.1.10: bytes=32 time=10ms TTL=123

Reply from 172.16.1.10: bytes=32 time=7ms TTL=123

Reply from 172.16.1.10: bytes=32 time=10ms TTL=123




Ping statistics for 172.16.1.10:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 7ms, Maximum = 10ms, Average = 9ms




And you can check that the NAT worked:




Router#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

icmp 172.16.1.10:36 192.168.2.116:36 172.16.1.10:36 172.16.1.10:36

icmp 172.16.1.10:37 192.168.2.116:37 172.16.1.10:37 172.16.1.10:37

This IP 172.16.1.10 represent some IP address on the other side. On this case 192.168.1.116.

Where does I defined it?

On the

ip nat pool

I can do overload, which means, I dont care who is going to answer as long as it answer, or I can do a static map and match each 172.168.1.x to some 192.168.1.x on the other side.

I really hope you understood my explanation but if you dont, please, just ask.

aradionovs · ‎06-05-2022

Dear Flavio

I got your point.

Thanks a lot this saved my life.

I was just really not understanding why its not working.

Also, in terms of access list, I can put 192.168.0.0 0.0.255.255 and all addresses, even 192.168.2.17/28 will be translated to the public IP?

Flavio Miranda · ‎06-05-2022

Thats correct. You can represent many networks by playing with mask bits. As long as they are in the same range like 192.x.x.x.

MHM Cisco World · ‎06-05-2022

you need
IP NAT INSDIE in each interface with private IP
IP NAT OUTSIDE in interface with public IP

MHM Cisco World · ‎06-05-2022

with respect to Mr.@Flavio Miranda mention
you can do that in this way

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13774-3.html

aradionovs · ‎06-05-2022

Great, thanks a lot!

MHM Cisco World · ‎06-05-2022

You are So So welcome friend