ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

ciscomoderator (Community Manager)

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco experts Aamer Akhter and Kevin Eckhardt Network Address Translation (NAT), which is designed for IP address simplification and conservation. NAT enables private IP networks that use unregistered IP addresses to connect to the Internet. Aamer Akhter is currently leading a team for testing Layer 3 VPNs and related technologies in a cross-Cisco effort. He is CCIE number 4543. Kevin Eckhardt has six years of experience working with IS-IS, OSPF, and BGP routing protocol performance and scalability, and is currently working as a technical marketing engineer in the areas of IP Routing and IP Services.

 

Remember to use the rating system to let Aamer and Kevin know if you have received an adequate response.

 

Aamer and Kevin might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 3, 2006. Visit this forum often to view responses to your questions and the questions of other community members.


Hi Aksher,

In PIX you have to configure the global and nat commands for NAT on the PIX firewall...

Here you have examples:

(config)# global (outside) 1 192.168.1.128-192.168.1.254

(config)# nat (inside) 1 10.1.0.0 255.255.0.0

Here the inside private addresses in 10.1.0.0 255.255.0.0 are translated to the global addresses specified by the global command....

here is the link for more reference: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/examples.htm

Rate this post if it helps.

regards

Devang

Hello Mr. Akhter,

It requires a CCO login, so please give some other link to access the resources...

regards

Devang

But my question was different. Please note the nat (outside) and static (outside,inside) case....

Aksher,

These commands would be used to translate an outside source address to a different address on the inside network.

One reason to do this would be to allow certain outside hosts to be reached using addresses that are internal to your network. If configured with the "dns" keyword, then when an inside user performs a look-up for a domain name whose IP matches the translation, the DNS reply would be modified to provide an internal IP to reach that host.

Another reason to translate outside source addresses would be if your network contains IP addresses which overlap with those of another network. You would want to translate the addresses of the outside hosts so they don't get confused with inside hosts that have the same address. In this case you would also want to create a translation for your inside hosts when destined for the outside network.

Kevin
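The two cases Kevin describes, written out as PIX 6.2+/ASA 7.x commands. This is an added example and not part of the thread; the addresses (partner host 203.0.113.50 seen from inside as 10.1.99.50, an overlapping 10.1.1.0/24 on both sides, pools 192.168.10.0/24 and 192.168.20.0/24) are assumptions.

```cisco
! Added example, not from the thread. All addresses are assumed.
!
! Case 1: reach the outside host 203.0.113.50 by an internal address.
! static (real_ifc,mapped_ifc) mapped_ip real_ip: the real host lives on
! outside and is presented to inside as 10.1.99.50. "dns" also rewrites
! A-record answers of 203.0.113.50 that traverse the firewall to 10.1.99.50,
! so inside resolvers hand clients the internal address.
static (outside,inside) 10.1.99.50 203.0.113.50 netmask 255.255.255.255 dns
!
! Case 2: overlapping networks. Both our inside and the partner's outside
! network use 10.1.1.0/24, so each direction gets its own translation.
!
! Outside NAT: the partner's 10.1.1.0/24 appears to inside hosts as 192.168.20.x.
nat (outside) 2 10.1.1.0 255.255.255.0 outside
global (inside) 2 192.168.20.1-192.168.20.254
!
! Inside NAT: our 10.1.1.0/24 appears to the partner as 192.168.10.x.
nat (inside) 2 10.1.1.0 255.255.255.0
global (outside) 2 192.168.10.1-192.168.10.254
```

Inside hosts talk to 192.168.20.x and never see the partner's real 10.1.1.x addresses, so the overlap is hidden on both sides; "show xlate" lists the resulting translations once traffic has flowed.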

iamnarenreddy (Level 1)

Hi, we are using a Cisco 2600 series router in my network. We have 2 ISPs; both ISPs' serials are connected to S0 and S1, and the router has only one FastEthernet (FE0). Here is the problem: on S0 one ISP is already configured; recently we configured a second ISP on the FastEthernet, to which we had already assigned one public IP. We configured the second ISP on S1, and the default gateway is the first ISP's public IP. That FastEthernet goes to one switch, and from the switch we distribute the network into two parts, one for VoIP and another for data. While we are accessing the network, the Internet is very slow and sometimes the trace goes to the other ISP. Can you please help me with how to create an ACL for this, so that we can have better quality?

Please give me the reply ASAP.

narenreddy,

Please note that this is the NAT forum.

If the question is about NAT, can you please provide a diagram or a better description? From what I understand you have something like below:

2600->FE0->ISP2

2600->Serial0->ISP1

2600->Serial1->ISP2

2600->FE1->switch-voip,data

default gateway is ISP1

And you are seeing bad voice quality...

kevintang (Level 1)

Hello Aamer,

I had an FTP NAT issue and need your help.

Here is my situation

10.x.x.9(Passive_FTP_server)---outside-----ROUTER-----Inside-----172.10.10.1(FTP_Client)

172.20.20.1<------------------------------------>|

10.x.x.9 is the passive FTP server and connects to the NAT router's outside interface.

172.10.10.1 is the FTP client and connects to the NAT router's inside interface.

172.20.20.1 is the outside global NAT IP address for 10.9.9.9.

So the FTP client will think the FTP server IP address is 172.20.20.1. The FTP client tries to connect to 172.20.20.1, and the router then forwards the connection request to the FTP server 10.x.x.9.

My problem is that when the passive FTP server receives the connection request on port 21, the server will open port 3021 and send the ACK information back to the FTP client to let the FTP client connect on port 3021. Using a sniffer we found out that the ACK information from the server has its own IP address 10.9.9.9 in it, so the FTP client will try to connect to 10.x.x.9 on port 3021. But the FTP client cannot directly access the server 10.x.x.9; it should go through the NAT IP address 172.x.x.1.

I have found this information on web site.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e76.shtml

http://slacksite.com/other/ftp.html

But my situation is different from the Cisco doc: my FTP server is on the outside of the NAT interface. I have other traffic through this NAT router, so I cannot change around the NAT interfaces.

Is there any other fix or solution from Cisco for my situation?

Hi Kevin,

It seems like the router is not translating the return data from the FTP server to the client from 10.9.9.9:3021 to 172.20.20.1:3021.

I'm assuming that you are running IOS, but which version?

There seem to be a few bugs that match your problem, namely:

CSCds15078 FTP,TFTP,RSH,RCP fail when NAT overload mode configured

Regards,
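For reference, here is how the translation in kevintang's topology (server on the outside, reached from inside as 172.20.20.1) is expressed in IOS, as an added example that is not the poster's configuration. The interface names and the router's own addresses (172.10.10.254 inside, 10.9.9.1 outside) are assumed; the comments spell out what the FTP ALG has to rewrite in the server's 227 reply for passive mode to work through this translation.

```cisco
! Added example, not the poster's configuration. Interface names and the
! router's own addresses are assumed; host addresses are from the post.
interface FastEthernet0/0
 description inside, FTP client 172.10.10.1
 ip address 172.10.10.254 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description outside, toward passive FTP server 10.9.9.9
 ip address 10.9.9.1 255.255.255.0
 ip nat outside
!
! Outside source translation: packets from 10.9.9.9 arriving on the outside
! interface get source 172.20.20.1; packets from inside to 172.20.20.1 get
! destination 10.9.9.9. add-route installs a host route for 172.20.20.1 so
! the client's packets are routed out the outside interface.
ip nat outside source static 10.9.9.9 172.20.20.1 add-route
!
! The control channel (port 21) is translated by the entry above. For passive
! mode the server answers with its real address in the payload, e.g.
!   227 Entering Passive Mode (10,9,9,9,11,205)   (port 3021 = 11*256 + 205)
! and the FTP ALG must rewrite that to (172,20,20,1,11,205) so the client
! opens the data connection to 172.20.20.1:3021, which the translation above
! then maps back to 10.9.9.9:3021. A client connecting to 10.9.9.9:3021 after
! reading an unrewritten reply is the symptom described in the post.
!
! To check what the router is actually translating:
! show ip nat translations verbose
! debug ip nat detailed
```

If the 227 reply leaves the router with the 10.9.9.9 literal intact, the ALG is not being applied to this translation, which is the "return data not being translated" case Aamer refers to; the IOS version and the bug he lists are the next things to check.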

Here's a tough scenario I'm facing.

I am using PAT (outside interface). Some internal IPs are also statically NATted.

I have an ASA5520 at my company where I allow users to VPN in through the ASA5520. I have split-tunneling enabled so users do not waste company bandwidth when they are connecting from home. My company also has a data center located at another location. The data center's firewall only allows access from my company's network block, for example 111.222.222.128/27. Now if my users VPN into my company with split-tunneling enabled, they cannot access the data center because their home ISP IP is coming up instead of the company outside interface IP (which is allowed by the data center firewall).

I need to allow users accessing VPN from home to be allowed to connect to the data center.

What can I do about this problem? Is there another way I can configure the ASA5520 or VPN?

cisconoobie,

Here is the topology as I understand it:

[Datacenter]--ASA5520--Internet--[homeVPN]

And the problem is that the data center will only accept users from 111.222.222.128/27.

It seems like what you want to do is to reserve a portion of the 111.222.222.128/27 for the home users and do source NAT/PAT on the traffic coming from the homeVPN and going to the datacenter. The NAT/PAT should be done to the reserved range within the 111.222.222.128/27.

Hope I understood the problem properly

Regards,

Actually it's DataCenter - Internet - ASA5520 - Internet - HomeVPN

So company internal users that SSH into the data center have no problem accessing it, because the data center firewall allows the company's public IP net block, while users not on the company's public net block are not permitted to access the data center via SSH.

Hmm, then how would I do this?

Once a user is connected through the VPN, is there a way to make SSH traffic look like it's coming from the outside interface of the ASA5520 (so the data center accepts it) rather than the user's ISP IP (which the data center does not accept)?

And all other traffic being split-tunneled?

Hi cisconoobie,

So where I am getting confused is the IP addressing on the home VPN. A user inside the VPN generally will have addressing that is separate from what his local ISP is giving him. The only exception to this that I can think of is SSL VPNs.

So if the user is hitting the data-center with the ISP's addresses, they are not using the VPN server.

Or perhaps I'm getting confused by the VPN term...

OK yes, the ASA5520 is issuing an internal network IP to the user that is VPNing in.

But I guess because split-tunneling is enabled, when a user goes to any website, the site records their ISP IP and not the public VPN ASA5520 IP.
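One way to get the outcome discussed in this exchange on an ASA running 7.x-era code, as an added example that is neither cisconoobie's configuration nor Aamer's: put the data center prefix in the split-tunnel list so clients send that traffic through the tunnel, allow the ASA to send decrypted traffic back out the interface it arrived on, and PAT the VPN pool to the outside interface address, which sits inside the block the data center accepts. Everything else stays split-tunneled to the home ISP. The addresses (VPN pool 192.168.50.0/24, data center 198.51.100.0/24, outside interface 111.222.222.130) and the names VPN-POOL, SPLIT-TUNNEL and REMOTE-USERS are assumptions.

```cisco
! Added example, not from the thread. Addresses and names are assumed.
!
! Address pool handed to remote-access clients.
ip local pool VPN-POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
!
! Let traffic that arrives on the outside interface (decrypted VPN traffic)
! be sent out the same interface again toward the data center ("hairpinning").
same-security-traffic permit intra-interface
!
! PAT the VPN pool to the outside interface address (111.222.222.130 here,
! inside the 111.222.222.128/27 block the data center firewall permits) when
! it leaves through outside. Traffic from inside hosts already uses the
! existing nat (inside)/global (outside) PAT.
nat (outside) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface
!
! Split tunnel: only the corporate network and the data center prefix go
! through the tunnel; all other destinations leave via the user's home ISP.
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT-TUNNEL standard permit 198.51.100.0 255.255.255.0
!
group-policy REMOTE-USERS internal
group-policy REMOTE-USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
```

With this, an SSH session from a VPN client to a data center host arrives there from 111.222.222.130, so the data center's existing source filter keeps working without being opened to home ISP addresses; the data center host's logs will show all VPN users sharing that one address, which is the usual trade-off of PAT.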
