Cisco IOS NAT OUT-IN

uni1389
Level 1

Hi, 

Am trying to NAT from OUTSIDE to Inside (with the red line), but unfortunately it is not working properly. At the same time, from Inside to Outside (with the green line) it is working fine. The configuration is mentioned below, and thanks for your assistance.

[Attached image: uni1389_0-1723755814221.png, topology diagram]

ISP01#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.202.200.100:61294 10.10.13.200:61294 192.168.2.100:61294 192.168.2.100:61294
icmp 202.202.200.100:61806 10.10.13.200:61806 192.168.2.100:61806 192.168.2.100:61806
icmp 202.202.200.100:62318 10.10.13.200:62318 192.168.2.100:62318 192.168.2.100:62318
icmp 202.202.200.100:62830 10.10.13.200:62830 192.168.2.100:62830 192.168.2.100:62830
--- 202.202.200.100 10.10.13.200 --- ---

 ISP01#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.202.200.100:6767 10.10.13.200:6767 192.168.2.100:6767 192.168.2.100:6767
icmp 202.202.200.100:7279 10.10.13.200:7279 192.168.2.100:7279 192.168.2.100:7279
icmp 202.202.200.100:7791 10.10.13.200:7791 192.168.2.100:7791 192.168.2.100:7791
icmp 202.202.200.100:61294 10.10.13.200:61294 192.168.2.100:61294 192.168.2.100:61294
icmp 202.202.200.100:61806 10.10.13.200:61806 192.168.2.100:61806 192.168.2.100:61806
icmp 202.202.200.100:62318 10.10.13.200:62318 192.168.2.100:62318 192.168.2.100:62318
icmp 202.202.200.100:62830 10.10.13.200:62830 192.168.2.100:62830 192.168.2.100:62830
--- 202.202.200.100 10.10.13.200 --- ---

ISP01#show running-config | sec ip nat
ip nat inside
ip nat outside
ip nat pool POOL28-13 202.202.200.100 202.202.200.150 netmask 255.255.255.0
ip nat pool POOLOUT 202.202.200.50 202.202.200.100 netmask 255.255.255.0
ip nat inside source list 1 pool POOL28-13


ISP01#show running-config | sec access
access-list 1 permit 10.10.28.0 0.0.0.255 log
access-list 1 permit 10.10.13.0 0.0.0.255 log 

 

ISP01#show ip int br

Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 20.20.20.2 YES NVRAM up up
GigabitEthernet0/1 202.202.200.2 YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM down down
GigabitEthernet0/3 unassigned YES NVRAM down down
Loopback0 10.10.100.5 YES NVRAM up up
NVI0 20.20.20.2 YES unset up up

 


ISP01#show running-config

interface Loopback0
ip address 10.10.100.5 255.255.255.255
!
interface GigabitEthernet0/0
ip address 20.20.20.2 255.255.255.252
ip nat inside

interface GigabitEthernet0/1
ip address 202.202.200.2 255.255.255.0
ip nat outside

router ospf 1
router-id 10.10.100.5
network 0.0.0.0 255.255.255.255 area 0
!
ip nat pool POOL28-13 202.202.200.100 202.202.200.150 netmask 255.255.255.0
ip nat pool POOLOUT 202.202.200.50 202.202.200.100 netmask 255.255.255.0
ip nat inside source list 1 pool POOL28-13
ip nat outside source list ACLOUT pool POOLOUT add-route
!
ip access-list standard ACLOUT
permit 202.202.200.0 0.0.0.255 log

access-list 1 permit 10.10.28.0 0.0.0.255 log
access-list 1 permit 10.10.13.0 0.0.0.255 log
!

--------------------------------------------------------------------------

VPC2-100 NOT WORKING From OUTSIDE-INSIDE

VPCS> show

NAME IP/MASK GATEWAY GATEWAY
VPCS1 192.168.2.100/24 192.168.2.1
fe80::250:79ff:fe66:681c/64

VPCS> ping 10.10.13.200

10.10.13.200 icmp_seq=1 timeout
10.10.13.200 icmp_seq=2 timeout
10.10.13.200 icmp_seq=3 timeout

--------------------------------------------------------------------------

VPC13-200  WORKING From INSIDE-OUTSIDE

VPCS> show

NAME IP/MASK GATEWAY GATEWAY
VPCS1 10.10.13.200/24 10.10.13.1
fe80::250:79ff:fe66:6821/64

VPCS> ping 192.168.2.100

84 bytes from 192.168.2.100 icmp_seq=1 ttl=60 time=7.621 ms
84 bytes from 192.168.2.100 icmp_seq=2 ttl=60 time=4.970 ms
84 bytes from 192.168.2.100 icmp_seq=3 ttl=60 time=4.098 ms
84 bytes from 192.168.2.100 icmp_seq=4 ttl=60 time=3.770 ms
^C

 

--------------------------------------------------------------------------

 


You use dynamic NAT, which is unidirectional.
You need static NAT, which is bidirectional:
ip nat inside source static <real IP> <mapped IP>

MHM

By this I can do one-to-one static mapping, not multiple IPs. Right?

Yes friend, one-to-one is the only NAT that is bidirectional.

Note: one-to-one can be IP to IP or port to port. In the case of port to port you can use many internal IPs mapped to one IP, but using the L4 port. Just want to clarify this point.

MHM

Hello


@MHM Cisco World wrote:

one to one is only NAT that it bidirectional 


This is incorrect; as I have said, NAT reversible can be used.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Friend, I follow your statement and hope you share a lab using reversible: a pool of IPs to a list of IPs, and how the router maps this IP to this IP.

Anyway maybe I am wrong 

But that's what I know.

MHM

Hello
Not completed a lab for a while, but here you go as requested. See attached.



Kind Regards
Paul

Friend, the ping from out to in is allowed for a short time; during this time the mapped-to-real IP entry appears in the NAT table.

What you did is ping from in to out, so the NAT router adds an entry, and then the ping from out to in succeeds since there is an entry.

Try instead pinging directly from out to in without first pinging from in to out.

The ping will fail, for sure.

He needs a static entry in the NAT table, and this needs static NAT, IP to IP or port to port.

MHM

Hello


@MHM Cisco World wrote:

Try instead ping directly from out to in without first ping from in to out.


That is not a feature of NAT reversible; it requires an initiation from the internal host first, to create the 1-to-1 mapping, but thereafter the extendable mappings are not required. The other way is indeed multiple static mappings, but then you'll need a lot of static map statements, plus you'll have no control over traffic initiation.



Kind Regards
Paul
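To make the two positions above concrete (MHM's "allowed for a short time while the entry is in the table" and Paul's "reversible needs the inside host to initiate, after which the 1-to-1 entry stays until the table is cleared"), and the static NAT point from the first reply, here is a small Python model of a NAT translation table. It is an added example written for this page, not Cisco code and not either poster's lab. It reuses the addresses from the OP's show output (10.10.13.200, POOL28-13, 192.168.2.100) and assumes a simplified table: a 1-to-1 address entry plus per-flow extended entries, no overload, and timeouts modelled as explicit calls rather than seconds. The one rule it takes from real `ip nat inside source` behaviour is that outside-initiated packets are matched on the inside global address they are addressed to.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Addresses come from the thread's show output; the router model is a
# constructed simplification of the behaviour the two posts describe,
# not Cisco code, and it ignores overload/PAT and timers in seconds.
INSIDE_HOST = "10.10.13.200"
OUTSIDE_HOST = "192.168.2.100"
POOL = [str(ip_address("202.202.200.100") + i) for i in range(51)]   # POOL28-13: .100-.150
ACL1 = [ip_network("10.10.28.0/24"), ip_network("10.10.13.0/24")]    # access-list 1


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ident: int            # ICMP identifier / L4 port: what an extended entry keys on


@dataclass
class NatEntry:
    inside_local: str
    inside_global: str
    ident: Optional[int]  # None = the 1:1 entry ("--- 202.202.200.100 10.10.13.200 --- ---")


class NatRouter:
    """`ip nat inside source list 1 pool POOL28-13`, with or without `reversible`,
    plus optional `ip nat inside source static` mappings (assumed model)."""

    def __init__(self, reversible: bool = False) -> None:
        self.reversible = reversible
        self.static: dict[str, str] = {}   # inside_local -> inside_global, permanent
        self.table: list[NatEntry] = []    # dynamic entries
        self.free_pool = list(POOL)

    def add_static(self, inside_local: str, inside_global: str) -> None:
        self.static[inside_local] = inside_global

    def _one_to_one(self, **key: str) -> Optional[NatEntry]:
        for e in self.table:
            if e.ident is None and all(getattr(e, k) == v for k, v in key.items()):
                return e
        return None

    def inside_to_outside(self, pkt: Packet) -> Optional[Packet]:
        """Inside-initiated packet: translate the source to an inside global address."""
        if pkt.src in self.static:
            return Packet(self.static[pkt.src], pkt.dst, pkt.ident)
        entry = self._one_to_one(inside_local=pkt.src)
        if entry is None:
            if not any(ip_address(pkt.src) in net for net in ACL1) or not self.free_pool:
                return None            # not permitted by list 1, or pool exhausted
            entry = NatEntry(pkt.src, self.free_pool.pop(0), None)
            self.table.append(entry)   # the 1:1 entry
        self.table.append(NatEntry(pkt.src, entry.inside_global, pkt.ident))  # extended entry
        return Packet(entry.inside_global, pkt.dst, pkt.ident)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on the outside interface, matched on the inside GLOBAL address
        it is sent to; a packet addressed to the inside local address is never a candidate.
        None means no translation (in the thread's lab, the ping that times out)."""
        for local, glob in self.static.items():
            if glob == pkt.dst:
                return Packet(pkt.src, local, pkt.ident)           # static: always bidirectional
        for e in self.table:
            if e.ident == pkt.ident and e.inside_global == pkt.dst:
                return Packet(pkt.src, e.inside_local, pkt.ident)  # return traffic of a live flow
        one = self._one_to_one(inside_global=pkt.dst)
        if one is not None and self.reversible:
            return Packet(pkt.src, one.inside_local, pkt.ident)    # reversible: 1:1 entry reused
        return None

    def expire_flows(self) -> None:
        """Translation timeout: extended entries age out, the 1:1 entry stays."""
        self.table = [e for e in self.table if e.ident is None]

    def clear_translations(self) -> None:
        """`clear ip nat translation *`: dynamic entries gone, pool addresses released."""
        self.free_pool = [e.inside_global for e in self.table if e.ident is None] + self.free_pool
        self.table = []


def outside_in_ok(router: NatRouter, dst: str = POOL[0], ident: int = 9999) -> bool:
    """An outside-initiated ping (fresh identifier) to the first pool address."""
    return router.outside_to_inside(Packet(OUTSIDE_HOST, dst, ident)) is not None


def run_dynamic_scenario(reversible: bool) -> dict[str, object]:
    r = NatRouter(reversible=reversible)
    res: dict[str, object] = {}
    res["cold_outside_in"] = outside_in_ok(r)                 # nothing in the table yet
    out = r.inside_to_outside(Packet(INSIDE_HOST, OUTSIDE_HOST, 6767))
    res["inside_out_translated_to"] = out.src if out else None
    res["reply_to_live_flow"] = outside_in_ok(r, ident=6767)  # same ident: return traffic
    res["new_flow_outside_in"] = outside_in_ok(r)             # fresh ident while entries live
    r.expire_flows()
    res["outside_in_after_timeout"] = outside_in_ok(r)
    r.clear_translations()
    res["outside_in_after_clear"] = outside_in_ok(r)
    return res


def run_static_scenario() -> dict[str, bool]:
    r = NatRouter()
    r.add_static(INSIDE_HOST, POOL[0])
    return {
        "to_inside_global": outside_in_ok(r),                  # works with no prior inside traffic
        "to_inside_local": outside_in_ok(r, dst=INSIDE_HOST),  # never translated
    }


if __name__ == "__main__":
    for name, res in (("dynamic", run_dynamic_scenario(False)),
                      ("reversible", run_dynamic_scenario(True)),
                      ("static", run_static_scenario())):
        print(name, res)
```

Running it shows the three tables side by side: plain dynamic NAT only answers outside-in traffic that belongs to a flow the inside host already opened, `reversible` keeps answering on the 1:1 entry after the flow times out but not after a clear, and the static mapping answers cold. The last line of the static scenario is also worth noticing for the OP's test, since the outside VPC pings the inside local address rather than the inside global one.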

To update you, there is another Cisco solution for one-to-many NAT access from outside; check the link below.

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/200608-Server-Load-Balancing-Using-Dynamic-NAT.html

MHM

Hello


@MHM Cisco World wrote:

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/200608-Server-Load-Balancing-Using-Dynamic-NAT.html

This is DNAT, which isn't applicable to the OP's request. DNAT can be used, for example, when you have an internal server cluster which you would like to load-balance using a single inside global IP address.



Kind Regards
Paul

Hello
You can reverse the NAT connection on dynamic NAT to create the 1-to-1 mapping required so external hosts have the ability to connect back inside even when the extended NAT states expire. However, please note that the 1-to-1 mapping will only be valid until the NAT table is manually cleared; then initiation by the inside host is required again to re-create those NAT entries.

no ip nat pool POOLOUT 202.202.200.50 202.202.200.100 netmask 255.255.255.0
no ip nat outside source list ACLOUT pool POOLOUT add-route
ip nat inside source list 1 pool POOL28-13 reversible



Kind Regards
Paul

I have edited the config with the reversible option (now shown below), but it is still not working.

 

ISP01#show running-config | sec ip nat
ip nat inside
ip nat outside
ip nat pool POOL28-13 202.202.200.100 202.202.200.150 netmask 255.255.255.0
ip nat inside source list 1 pool POOL28-13
ISP01#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ISP01(config)#do show run | sec acce
ISP01(config)#do show run | sec acce
ip access-list standard ACLOUT
permit 202.202.200.0 0.0.0.255 log
access-list 1 permit 10.10.28.0 0.0.0.255 log
access-list 1 permit 10.10.13.0 0.0.0.255 log
access-list 1 permit 10.10.22.0 0.0.0.255 log
ISP01(config)#end

Hello
You probably need to change the nat statement to use a route-map for the reversible to be appended correctly.

Example:
conf t

no ip nat inside source list 1 pool POOL28-13

route-map NAT permit 10
 match ip address 1
 match interface GigabitEthernet0/1
!
! GigabitEthernet0/1 is the outside interface in the posted config
ip nat inside source route-map NAT pool POOL28-13 reversible



Kind Regards
Paul