10-20-2006 10:54 AM - edited 03-03-2019 02:25 PM
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco experts Aamer Akhter and Kevin Eckhardt Network Address Translation (NAT), which is designed for IP address simplification and conservation. NAT enables private IP networks that use unregistered IP addresses to connect to the Internet. Aamer Akhter is currently leading a team for testing Layer 3 VPNs and related technologies in a cross-Cisco effort. He is CCIE number 4543. Kevin Eckhardt has six years of experience working with IS-IS, OSPF, and BGP routing protocol performance and scalability. He is currently working as a technical marketing engineer in the areas of IP Routing and IP Services.
Remember to use the rating system to let Aamer and Kevin know if you have received an adequate response.
Aamer and Kevin might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 3, 2006. Visit this forum often to view responses to your questions and the questions of other community members.
10-27-2006 09:10 AM
Hi Aksher,
In PIX you have to configure both the global and nat commands for the PIX NAT firewall...
Here is an example:
(config)# global (outside) 1 192.168.1.128-192.168.1.254
(config)# nat (inside) 1 10.1.0.0 255.255.0.0
Here the inside private addresses in 10.1.0.0/16 are translated to the global addresses specified by the global command....
here is the link for more reference: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/examples.htm
rate this post if it helps
regards
Devang
10-27-2006 12:07 PM
Thanks Devang!
Aksher,
Also look at:
10-28-2006 01:53 AM
Hello Mr. Akhter,
It requires a CCO login, so please give some other link to access the resources...
regards
Devang
10-28-2006 05:07 AM
You are welcome to register for cco at:
http://tools.cisco.com/RPF/register/register.do
Benefits of registration:
http://www.cisco.com/en/US/applicat/cdcrgstr/applications_overview.html
10-30-2006 12:07 PM
But my question was different. Please note the nat (outside) and static (outside,inside) case....
10-31-2006 02:21 PM
Aksher,
These commands would be used to translate an outside source address to a different address on the inside network.
One reason to do this would be to allow certain outside hosts to be reached using addresses that are internal to your network. If configured with the "dns" keyword, then when an inside user performs a look-up for a domain name whose IP matches the translation, the DNS reply would be modified to provide an internal IP to reach that host.
Another reason to translate outside source addresses would be if your network contains IP addresses which overlap with those of another network. You would want to translate the addresses of the outside hosts so they don't get confused with inside hosts that have the same address. In this case you would also want to create a translation for your inside hosts when destined for the outside network.
Kevin
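The two cases Kevin describes (outside hosts reached by internal addresses, with the DNS reply rewritten, and two networks whose address space overlaps) written out in PIX 6.3-style syntax. This is an added example, not configuration from the thread or from Cisco's documentation; the interface names, the shared 10.1.1.0/24 range, and the mapped ranges 192.168.100.0/24 and 192.168.200.0/24 are assumed for illustration.

```cisco
! Added example (not from the thread): PIX 6.3-style outside NAT for a partner
! network and an inside network that both use 10.1.1.0/24. All addresses and
! names are assumed.
!
! Outside (partner) hosts 10.1.1.0/24 are presented to inside users as
! 192.168.100.0/24. The "dns" keyword also rewrites A-record answers that pass
! through the firewall, so an inside lookup of a partner host whose real
! address is 10.1.1.5 returns 192.168.100.5, and the client connects to the
! mapped address instead of an address that collides with the local subnet.
static (outside,inside) 192.168.100.0 10.1.1.0 netmask 255.255.255.0 dns
!
! Inside hosts 10.1.1.0/24 are presented to the partner as 192.168.200.0/24,
! so the partner never sees an address that overlaps with its own subnet.
static (inside,outside) 192.168.200.0 10.1.1.0 netmask 255.255.255.0
!
! Inbound ACL on the outside interface: the source is the partner's real
! address, the destination is the mapped address the partner actually uses
! (pre-8.3 ACLs match the mapped destination).
access-list outside_in permit tcp 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0 eq 22
access-group outside_in in interface outside
!
! Inside routers must send 192.168.100.0/24 to the PIX inside interface,
! otherwise the mapped addresses are unreachable.
```

After applying it, `show xlate` should list the static entries in both directions. The DNS rewrite only happens if DNS inspection is enabled (`fixup protocol dns` on PIX 6.x, `inspect dns` in the policy map on 7.x), because the dns keyword relies on that inspection to edit the A record. On ASA 8.3 and later the static/nat/global commands are replaced by object NAT and the mapped/real argument order shown here no longer applies.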
10-27-2006 11:09 AM
Hi, we are using a Cisco 2600 series router in my network. We have two ISPs; both ISPs' serials are connected to S0 and S1, and the router has only one FastEthernet0. The problem: on S0 one ISP is already configured, and recently we configured the second ISP on the FastEthernet, where we had already assigned one public IP. We configured the second ISP on S1, and the default gateway is the first ISP's public IP. That FastEthernet goes to one switch, and from the switch we are distributing the network into two parts, one for VoIP and another for data. While we are accessing the network the Internet is very slow and sometimes the trace goes to the other ISP. Can you please help me create an ACL for this so that we can have better quality?
Please give me the reply ASAP.
10-27-2006 12:14 PM
narenreddy,
Please note that this is the NAT forum.
If the question is about NAT, can you please provide a diagram or a better description? From what I understand you have something like below:
2600->FE0->ISP2
2600->Serial0->ISP1
2600->Serial1->ISP2
2600->FE1->switch-voip,data
default gateway is ISP1
And you are seeing bad voice quality...
10-28-2006 12:59 AM
Hello, Aamer
I have an FTP NAT issue and need your help.
Here is my situation:
10.x.x.9(Passive_FTP_server)---outside-----ROUTER-----Inside-----172.10.10.1(FTP_Client)
172.20.20.1<------------------------------------>|
10.x.x.9 is the passive FTP server and connects to the NAT router's outside interface.
172.10.10.1 is the FTP client and connects to the NAT router's inside interface.
172.20.20.1 is the outside global NAT IP address for 10.9.9.9,
so the FTP client thinks the FTP server's IP address is 172.20.20.1. The FTP client tries to connect to 172.20.20.1, and the router then forwards the
connection request to the FTP server 10.x.x.9.
My problem is that when the passive FTP server receives the connection request on port 21, the server opens port 3021 and
sends the ACK information back to the FTP client, telling the FTP client to connect on port 3021. Using a sniffer we found out that the ACK information
from the server contains its own IP address 10.9.9.9, so the FTP client tries to connect to 10.x.x.9 on port 3021. But the FTP client cannot
directly access the server 10.x.x.9; it has to go through the NAT IP address 172.x.x.1.
I have found this information on these web pages:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e76.shtml
http://slacksite.com/other/ftp.html
But my situation is different from the Cisco doc: my FTP server is on the outside of the NAT interface. I have other traffic through this
NAT router, so I cannot swap the NAT interfaces around.
Is there any other fix from Cisco for my situation?
10-28-2006 05:22 AM
Hi Kevin,
It seems like the router is not translating the return data from the FTP server to the client from 10.9.9.9:3021 to 172.20.20.1:3021.
I'm assuming that you are running IOS, but which version?
There seem to be a few bugs that match your problem, namely:
CSCds15078 FTP,TFTP,RSH,RCP fail when NAT overload mode configured
Regards,
10-28-2006 06:57 AM
Here's a tough scenario I'm facing.
I am using PAT (outside interface). Some internal IPs are also statically NATed.
I have an ASA5520 at my company, where I allow users to VPN in through the ASA5520. I have split tunneling enabled so users do not waste company bandwidth when they are connecting from home. My company also has a data center located at another location. The data center's firewall only allows access from my company's network block, e.g. 111.222.222.128/27. Now if my users VPN into my company with split tunneling enabled, they cannot access the data center because their home ISP IP is coming up instead of the company outside interface IP (which is allowed by the data center firewall).
I need to allow users accessing the VPN from home to connect to the data center.
What can I do about this problem? Is there another way I can configure the ASA5520 or the VPN?
10-28-2006 07:32 AM
cisconoobie,
Here is the topology as I understand it:
[Datacenter]--ASA5520--Internet--[homeVPN]
And the problem is that the data center will only accept users from 111.222.222.128/27.
It seems like what you want to do is to reserve a portion of the 111.222.222.128/27 for the home users and do source NAT/PAT on the traffic coming from the homeVPN and going to the datacenter. The NAT/PAT should be done to the reserved range within the 111.222.222.128/27.
Hope I understood the problem properly
Regards,
10-28-2006 03:57 PM
Actually it's DataCenter - Internet - ASA5520 - Internet - HomeVPN
So company internal users that SSH into the data center have no problem accessing it, because the data center firewall allows the company's public IP net block, while users not on the company's public net block are not permitted to access the data center via SSH.
Hmm, then how would I do this?
Once a user is connected through the VPN, is there a way to make SSH traffic look like it's coming from the outside interface of the ASA5520 (so the data center accepts it) rather than the user's ISP IP (which the data center does not accept)?
And all other traffic being split-tunneled?
10-31-2006 10:46 AM
Hi cisconoobie,
So where I am getting confused is the IP addressing on the home VPN. A user inside the VPN generally will have addressing that is separate from what his local ISP is giving him. The only exception to this that I can think of is SSL VPNs.
So if the user is hitting the data center with the ISP's addresses, they are not using the VPN server.
Or perhaps I'm getting confused by the VPN term...
10-31-2006 11:33 AM
OK yes, the ASA5520 is issuing an internal network IP to the user that is VPNing in.
But I guess because split tunneling is enabled, when a user goes to any website, the site records their ISP IP and not the public VPN ASA5520 IP.
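The configuration that gives cisconoobie what the thread asks for: data-center traffic from VPN clients leaves the ASA from its own outside address (inside the 111.222.222.128/27 block the data center permits), while everything else stays split-tunneled. This is an added example in ASA 7.x-style syntax, not configuration from the thread or from Cisco; the group-policy and pool names, the VPN pool 192.168.50.0/24, and the data-center prefix 203.0.113.0/24 are assumed.

```cisco
! Added example (not from the thread): ASA 7.x-style hairpin NAT for remote-
! access VPN clients. Names, the pool 192.168.50.0/24 and the data-center
! prefix 203.0.113.0/24 are assumed.
!
! 1. Client traffic arrives on "outside" (inside the VPN tunnel) and must leave
!    on "outside" again; the ASA drops that unless intra-interface traffic is
!    permitted.
same-security-traffic permit intra-interface
!
! 2. Only the data-center prefix goes through the tunnel. Everything else is
!    still sent straight to the user's ISP, which is why the data center saw the
!    home ISP address when the prefix was missing from this list.
access-list SPLIT-TUNNEL standard permit 203.0.113.0 255.255.255.0
!
! 3. Addresses handed to VPN clients.
ip local pool VPN-POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
!
group-policy HOMEVPN internal
group-policy HOMEVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 address-pools value VPN-POOL
!
! 4. PAT the VPN pool to the outside interface address on the way back out.
!    The data center then sees the company's own public address, which is in
!    its permitted 111.222.222.128/27 block, instead of the client's ISP address.
nat (outside) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface
```

Verify with `show xlate` while a connected client has an SSH session open to the data center: the 192.168.50.x address should show a PAT entry to the outside interface address. Two failure modes are worth checking separately: without the intra-interface permit the hairpinned packets are dropped, and without the prefix in the split-tunnel list the client never sends them through the tunnel at all. On 8.3 and later the `nat`/`global` pair becomes a network object for the pool with `nat (outside,outside) dynamic interface`.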