Bi-Directional NAT (two way nat) question

Clutchels
Level 1

Hi Gents

 

I realise I can't have "ip nat inside" and "ip nat outside" on the same interface, so I will try to explain my situation below.

I have a router c1841 which has, amongst other things, a public interface for internet (FastEthernet0/0.60) and a private network which gets access to the internet (FastEthernet0/1.35) .. pretty simple, right? And then a Tunnel interface to another device, which needs access to something on the private network.

My config is as follows.

!
interface FastEthernet0/0.60
 description Trunk to Internet
 encapsulation dot1Q 60
 ip address 200.200.200.164 255.255.255.248
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/1.35
 description some internal network
 encapsulation dot1Q 35
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Tunnel1
 ip address 10.255.255.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! tunnel source is another interface on this router
 tunnel source 192.168.2.11
 ! tunnel destination is another device which needs access to 10.10.10.0/24
 tunnel destination 192.168.2.92
!
ip nat pool outnat 200.200.200.164 200.200.200.164 netmask 255.255.255.248
ip nat inside source list acl_nat interface FastEthernet0/0.60 overload
!
ip route 10.10.10.0 255.255.255.0 192.168.1.50
!
ip access-list standard acl_nat
 permit x.x.x.x 0.0.255.255
!

Ok, because I can't route it, and I don't have access to the private network, how could I NAT everything coming from the tunnel IP (10.255.255.2) to have a source address of 192.168.1.1? The idea is 10.255.255.2 must be able to access 10.10.10.0/24, which is behind a router on the private LAN with an IP of 192.168.1.50. Normally I would say "ip nat outside" on FastEthernet0/1.35, but you can't have both "ip nat outside" and "ip nat inside" on the same interface.

I could easily do this on a Linux router, but I can't for the life of me figure out how to do this on Cisco.

At the moment I can ping everything on 10.10.10.0/24 from this upstream router, but I need to access it remotely via the GRE Tunnel1 interface.

Please, any advice will be appreciated.


9 Replies

Jon Marshall
Hall of Fame

The reason you can't work it out is because it is a limitation of IOS, i.e. you cannot overload going from outside to inside, or at least not that I am aware of.

You could with an ASA firewall but not IOS.

However, what you can do is dynamic NAT outside to inside using a NAT pool, but that means you need an IP for every IP that could come via the tunnel.

What you could do is use a spare IP subnet as the NAT pool and then you simply advertise that NAT pool to the 192.168.1.50 router, i.e. it just needs to know how to get back to the pool.

From memory you may need to add a route for the IP subnet via the tunnel interface, because IOS does a route lookup before a NAT translation from inside to outside, so you would have to make sure the traffic was routed to the tunnel and then it would be translated back to the correct IP.

You would obviously need "ip nat outside" on your tunnel interface as well.

All of the above has been done from memory, i.e. I haven't used that type of NAT for a while, so it may need testing.

If I get the chance later I'll run a quick test.

But firstly, how many IPs are coming in via the tunnel, and could you use a spare IP subnet for them?

Jon

Hi Jon

Thanks for the quick reply. Ok, I hear you on the limitation, that's what I was afraid of.

Ok, on the tunnel I have only one IP coming in, 10.255.255.2, so only this IP needs to access the 10.10.10.0/24 network beyond the FastEthernet0/1.35 (192.168.1.50) router.

One problem I have is I'm not allowed to touch 192.168.1.50, so I can't add any routes back to this upstream router. Which is why I wanted to NAT the connections going to it .. which makes it a bit of a tricky one .. *sigh*

Clutchy.

Do you have a spare IP in the 192.168.1.x range?

Jon

Hi Jon

I do yes, 192.168.1.2 is free actually.

C.

Can you just clarify, i.e. you say only 10.255.255.2 needs access to the 10.10.10.x network, but that is the tunnel IP address, which seems unlikely unless you are doing NAT on the other end.

Are you?

Jon

Correct sir, it's being NAT'ed on the other end, so everything will appear as 10.255.255.2.

Clutchy.

Okay then as it is a one to one mapping we can use a static so try this -

1) add "ip nat outside" to your tunnel interface on the router

2) add this line -

"ip nat outside source static 10.255.255.2 192.168.1.2 add-route"

Note the "add-route" option is needed. IOS does a route lookup before a translation from inside to outside.

So what happens without it is the return traffic gets to the router and a route lookup is done and the router sees the 192.168.1.2 IP as part of the directly connected interface IP subnet so it never forwards it to the tunnel interface.

The "add-route" keyword tells IOS to put a host specific route into the IP routing table for 192.168.1.2 pointing to the other end of the tunnel.

If you don't have that option things may get tricky :-)

Jon
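To make the two steps in Jon's reply concrete, the following is an added example (not the thread's own configuration) showing the relevant parts of the c1841 config once both changes are applied, using the addresses from the original post. The input ACL on Tunnel1 is my own addition and an assumption about what the poster wants to allow; it is not something Jon or the poster described, and can be left out if the tunnel peer needs wider access.

```ios
! Added example, not the thread's own config: the c1841 after Jon's two steps.
!
interface FastEthernet0/1.35
 description some internal network
 encapsulation dot1Q 35
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Tunnel1
 ip address 10.255.255.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Step 1: the tunnel becomes a NAT outside interface
 ip nat outside
 ! Assumed addition (not from the thread): only let the tunnel peer reach the
 ! 10.10.10.0/24 network it needs, plus the tunnel endpoint itself. The input
 ! ACL is evaluated before outside-to-inside NAT, so it sees the pre-NAT
 ! source 10.255.255.2, not 192.168.1.2.
 ip access-group TUN1_IN in
 tunnel source 192.168.2.11
 tunnel destination 192.168.2.92
!
ip access-list extended TUN1_IN
 permit ip host 10.255.255.2 10.10.10.0 0.0.0.255
 permit ip host 10.255.255.2 host 10.255.255.1
 deny   ip any any
!
! Step 2: one-to-one mapping of the tunnel peer to the spare inside address.
! Forward direction (outside -> inside): a packet from 10.255.255.2 arriving on
! Tunnel1 is translated first (source becomes 192.168.1.2) and then routed via
! the static route below to 192.168.1.50.
! Return direction (inside -> outside): IOS routes BEFORE it translates, so
! without add-route a reply to 192.168.1.2 matches the connected subnet on
! FastEthernet0/1.35 and is ARPed for there instead of going into the tunnel.
! add-route installs a host route 192.168.1.2/32 -> 10.255.255.2 so the reply
! is sent out Tunnel1 and only then has its destination translated back.
ip nat outside source static 10.255.255.2 192.168.1.2 add-route
!
ip route 10.10.10.0 255.255.255.0 192.168.1.50
!
```

To confirm the behaviour, "show ip route 192.168.1.2" should list a host route pointing at 10.255.255.2 (the add-route entry), and "show ip nat translations" should show the static outside entry once traffic flows; exact output is not reproduced here. Note that the existing "ip nat inside source list acl_nat ... overload" rule still applies to inside-to-outside traffic leaving any outside interface, which now includes Tunnel1, so the acl_nat list should only match the hosts that are meant to be translated towards the internet.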

Brilliant :) thank you so much, that did the trick!

I actually got it to work in another messy way too. What I did was create 192.168.1.2 on my "other device" as a second IP on the tunnel, then on this upstream router I did "ip route 192.168.1.2 255.255.255.255 tunnel1"

and then I added some policy routing and SNAT on the "other linux device" to make the traffic look like it's coming from 192.168.1.2 ...

BUT, your way is much simpler ;) Thank you for the awesome help sir! Now I can sleep well..

No problem, glad you got it working.

Jon