ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Network Address Translation (NAT), which is designed for IP address simplification and conservation, with Cisco experts Aamer Akhter and Kevin Eckhardt. NAT enables private IP networks that use unregistered IP addresses to connect to the Internet. Aamer Akhter is currently leading a team for testing Layer 3 VPNs and related technologies in a cross-Cisco effort. He is CCIE number 4543. Kevin Eckhardt has six years of experience working with IS-IS, OSPF, and BGP routing protocol performance and scalability. He is currently working as a technical marketing engineer in the areas of IP Routing and IP Services.

 

Remember to use the rating system to let Aamer and Kevin know if you have received an adequate response.

 

Aamer and Kevin might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 3, 2006. Visit this forum often to view responses to your questions and the questions of other community members.

92 Replies

m.reay
Level 1

Hi Aamer. I have asked this question in the VPN/Security forum but didn't receive any response - so I wondered if you could help.

I have a customer who has a lan-to-lan vpn between a Concentrator 3000 and a Checkpoint firewall.

Packets entering the concentrator to be sent across the VPN are natted.

Most protocols seem to work fine apart from the netbios protocols UDP 137 and 138. These are sent through the tunnel but do not get natted.

I know Netbios embeds IP addresses inside of the packets, and that the ASA has an application inspection (fixup) which can handle this.

Is this a problem with the way the concentrator performs natting? Would you expect to see error messages regarding this in the concentrator logs?

Thanks in advance

Mick

Hi m.reay,

I believe that you are absolutely correct. This is a feature limitation of the VPN Concentrator 3000, where its implementation of NAT does not support NetBIOS.

I don't see an easy solution out of this, as you are probably using the 3000 on the public net, hence the need for NAT. Otherwise you could possibly move the NAT service to another device and only do IPsec tunneling on the VPN 3000.

You may want to contact your cisco representative and look at ASA or IOS based options.

Thanks for the reply Aamer. This doesn't have anything to do with being connected to the Internet, as the actual packets are transported across the Internet inside of IPSEC.

The packets being natted are the original clear packets before they get encrypted - as in Lan-to-Lan where both LANNs are using the same private address range.

Does this still apply?

Thanks.

m. Reay,

If the address range you are NATing to can sit behind the VPN 3000, in other words if the 3000 (after decryption of return traffic) can send the still-NATted traffic to a node inside, then you should be able to move the NAT function to another device inside.

Regards,

joe.morrison
Level 1

Hi,

I am trying to make multiple sites act as one large broadcast domain. I have tried to set up Mobile IP, but I have about 40% packet loss. I would like to pass a 802.1q trunk through a IPSec VPN. Is this possible?

Joe,

Please note that this is the NAT forum.

There is only one solution for connecting multiple (more than 2) sites in a broadcast domain over multiple L3 hops, and that is currently VPLS, which requires MPLS. MPLS and IPsec do not work together well.

There are a couple solutions:

1) Setup a full mesh of GRE tunnels between the sites, run MPLS-VPLS inside the GRE. Let IPsec encrypt the GRE.

2) Setup a full mesh of L2TPv3 tunnels in raw mode between all your sites. Let IPsec encrypt the L2tpv3. You may have to burn a few ports (one for each site) on the L2TPv3 hosts and acquire a switch to frontend.

Regards,

examples20001
Level 1

Hi,

Is it possible to assign IP addresses from the same segment (172.17.8.0/24) to both interfaces (inside, outside)? NATting is not used on this router.

The router is used as a firewall to filter out traffic according to the ACL and just forward the traffic to the ISP router.

Is this setup possible? If possible what is the draw back on this setup and will I face any problem in future?

If not possible, how can it be implemented another way while using the same segment IP addresses?

Attached diagram with more details.

Examples,

Keep in mind this is the NAT forum.

IOS does not allow the same subnet to exist in the same routing context on the same router. You may use VRFs to do the IP addressing as you've described, but will have to use static routes in the VRF to get the traffic to 'jump' over the VRF boundaries.

Regards,

Thank you very much for the details.

Can you please give some links which explains your details and with some configuration details.

MauricioB
Level 1

Is it possible to NAT and/or route-map across networks?

i.e. our ISP will send us 70.1.1.1 to our router; we then need to take this 70.1.1.1 and NAT it to 10.1.1.10. The only thing is, when 70.1.1.1 comes in it is connected to the 192.168.x.x network. The 10.x.x.x network is at some other remote location connected using a GRE VPN tunnel. All routers are connected using EIGRP and are routing properly. Is NAT'ing across networks possible (if needed with route-maps)?

Hello my friends,

I don't have a specific Q., just i need your comments and feedback about the following:

I have a customer who (since there is no technical availability for L.L or F.R links) has an ADSL connection with a Cisco 877W router with a fixed IP address on the outside interface ("only 1 IP"), and I placed a Cisco ASA5510 behind this router with a private IP address on the ASA's outside interface, since there is no way to have another real IP.

My point: the Cisco router is doing the NAT ("PAT") and the ASA is doing static NAT ONLY for the management and CSC IPs. Is this the best design?

Thanks in advance

Abd Alqader

a.hajhamad,

Based on what features you are trying to achieve, you may not have a choice. If the feature set you are trying to use exists on the ASA, but your WAN connection is ADSL, you don't have much of a choice.

There is no requirement for the ASA to have a real IP. Just be aware that for any servers that are sitting behind the ASA you will need to create static NAT/PAT bindings on both the 877 as well as the ASA.

Regards,

aa
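The "static bindings on both" that Aamer describes, written out as an added example (not part of the thread and not the customer's configuration), for a single HTTPS server published through the chain of two NAT devices. Every address and interface name here is an assumption: the 877 terminates ADSL on Dialer0 holding the one public IP, its LAN is 192.168.1.0/24, the ASA outside interface is 192.168.1.2, and the server sits at 10.0.0.5 behind the ASA.

```cisco
! --- Cisco 877 (IOS): first translation, public:443 -> ASA outside:443 ---
! Dialer0 carries the single public address, so the static entry is bound
! to the interface rather than to a literal IP.
interface Dialer0
 ip nat outside
!
interface Vlan1
 ip nat inside
!
! Port-level static PAT: only TCP/443 is forwarded, everything else on the
! public address is still handled by the 877's own overload PAT rule.
ip nat inside source static tcp 192.168.1.2 443 interface Dialer0 443
!
! --- Cisco ASA 5510 (7.x / 8.0 syntax): second translation ---
! The ASA outside address is private (192.168.1.2), which is fine: the 877
! already delivered the packet to it. "interface" is required because the
! global address is the outside interface's own IP.
static (inside,outside) tcp interface 443 10.0.0.5 443 netmask 255.255.255.255
!
! Pre-8.3 ASA access-lists reference the translated (outside) address.
! Permit only the published port; inbound traffic is denied by default.
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.2 eq 443
access-group OUTSIDE_IN in interface outside
```

Each published service needs both lines, one on the 877 and one on the ASA, and the ASA access-list entry. On the 877, `show ip nat translations` should show the static entry for port 443; on the ASA, `show xlate` shows the second half of the chain.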

MauricioB,

I'm not sure I understand the question. Could you possibly draw the design that you are asking about?

Mauricio,

I'm not sure I completely understand the scenario you are describing, so please correct me if needed. As Aamer suggested a network diagram would be helpful.

My guess:

The ISP is sending traffic destined to the address 70.1.1.1 to the outside interface of your router. The router translates the destination to 10.1.1.10 for the internal network. The 10.x.x.x network is not directly connected to the router but is reachable from there via a GRE tunnel which originates from the router.

If this is a correct interpretation of the network, then yes this is possible.

The provider interface would be configured with "ip nat outside".

Both the 192.168.x.x interface and the tunnel interface would be configured as "ip nat inside".

"ip nat inside source static 10.1.1.10 70.1.1.1" will configure the described translation.

Kevin

main site

interface Tunnel0
 bandwidth 1000
 ip address 192.168.209.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 delay 1000
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile Profile1
!
interface FastEthernet0/0
 ip address 192.168.109.30 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 no ip mroute-cache
 duplex full
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 ip address 70.2.2.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
router eigrp 100
 network 192.168.109.0
 network 192.168.209.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 70.2.2.1
!
!
no ip http server
no ip http secure-server
ip nat pool hq 70.2.2.2 70.2.2.2 netmask 255.255.255.0
ip nat inside source route-map nonat pool hq overload
!
logging trap debugging
access-list 100 deny ip 192.168.109.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.109.0 0.0.0.255 any
no cdp run

This is where I was thinking I should put the change:

interface FastEthernet0/1
 ip address 70.2.2.3 255.255.255.0 secondary

I tried what you have but it didn't work, maybe I typed it out wrong. Can you edit my config and re-post, so I can try that? Thanks
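The changes Kevin described, applied to the hub configuration posted above, as an added example (not Kevin's reply and not a configuration from the thread). It assumes, as the thread states, that the ISP routes 70.1.1.1 to this router's FastEthernet0/1 (70.2.2.2) and that 10.1.1.10 is reachable through Tunnel0 via EIGRP. The posted excerpt references `route-map nonat` without showing its definition; the definition below is an assumption that it simply matches access-list 100.

```cisco
! 1. Tunnel0 is the path to the 10.x.x.x site, so it must be a NAT inside
!    interface. Without this, packets leaving through the tunnel never cross
!    an inside->outside boundary and the static entry is never applied.
interface Tunnel0
 ip nat inside
!
! 2. Unchanged from the posted config: LAN stays inside, ISP link stays outside.
interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
!
! 3. The static translation: inside local 10.1.1.10 <-> inside global 70.1.1.1.
!    Keyword order is "inside source static". 70.1.1.1 is outside the
!    70.2.2.0/24 link subnet, so it does not need to exist on any interface;
!    outside->inside packets are translated before routing, then forwarded
!    toward 10.1.1.10 through Tunnel0. A secondary address 70.2.2.3 on
!    FastEthernet0/1 is therefore not needed for this to work.
ip nat inside source static 10.1.1.10 70.1.1.1
!
! 4. Existing overload PAT for the LAN, kept as posted. ACL 100 denies
!    192.168.109.0/24 -> 10.0.0.0/8, so LAN-to-spoke traffic across the tunnel
!    is not PATed. Because the rule only matches sources in 192.168.109.0/24,
!    spoke traffic entering via Tunnel0 is not PATed either.
route-map nonat permit 10
 match ip address 100
!
ip nat pool hq 70.2.2.2 70.2.2.2 netmask 255.255.255.0
ip nat inside source route-map nonat pool hq overload
```

To verify, `show ip nat translations` should list the static entry (`--- 70.1.1.1 10.1.1.10 ---`) as soon as it is configured, and `debug ip nat` while sending traffic to 70.1.1.1 shows the destination being rewritten to 10.1.1.10; if the debug shows nothing, the ISP is not routing 70.1.1.1 to the router, which is a routing problem rather than a NAT one.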
