Solved: Re: Complex NAT setup

Hampy · ‎11-18-2019

Hi Guys,

So I have a requirement where I need to setup a fairly complicated NAT config, and at the same time dealing with 2 or 3 other companies that are connecting different parts of the network and limiting my testing possibilities. It's going to be difficult to explain what we are doing and have it understood so I'll have a go:

The situation is that we have a group of hosts that belong to and are on the network of "CompanyA" and these need to make a connection to hosts that belong to and are on the network of "CompanyC". We are in the middle so we are "CompanyB", and we are in control of a single Cisco IOS router that is connected to a standard broadband ADSL connection on one side, and the network of CompanyA on the other side. On this router we have setup and tested an IPSEC VPN connection to CompanyC. However what we have been requested to do is to do a NAT translation so that everything from CompanyC to CompanyA appears to come from a single source IP address. In addition to that, it's a requirement that we provide a range of 58 addresses, that are not used on CompanyA's network the the hosts on CompanyA's network will connect to and the connections will be translated to the "real" ip's on CompanyC's network. This is because CompanyA and CompanyC have conflicting IP addresses.

Wondering if anyone has done this config before and how they did it?

Best Wishes

paul driver · ‎11-20-2019

Hello

@Hampy wrote:
Ok so say I have my PC on 192.168.0.10, and my router is on 192.168.0.1.(and it has an internet connection and a NAT rule to translate the local IP to the public IP)
Say I do:
ip nat outside source static 8.8.8.8 10.1.1.1

If I ping 10.1.1.1 it should actually ping to 8.8.8.8 correct?

So what is the process there and would you need a route for 10.1.1.1?

If you were to manually put a route what would it say?

Then you can do of 1/2 things.

ip route 10.1.1.1 255.255.255.255 x.x.x.x (lan interface or ip)
or
ip nat outside source static 8.8.8.8 10.1.1.1 add-route

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

Georg Pauwen · ‎11-18-2019

Hello,

I think the trick here is to use the IP address of the VPN tunnel as the outside NAT address. So basically your tunnel is the NAT outside. If possible, post the full running configuration of your Cisco router...

paul driver · ‎11-19-2019

Hello

@Hampy wrote:
However what we have been requested to do is to do a NAT translation so that everything from CompanyC to CompanyA appears to come from a single source IP address. In addition to that, it's a requirement that we provide a range of 58 addresses, that are not used on CompanyA's network the the hosts on CompanyA's network will connect to and the connections will be translated to the "real" ip's on CompanyC's network

Not sure understand the above comment, can you clarify, Also post a diagram of your topology if applicable.

Would it be something like this
company A<10.x.x.x>< rtr B>1.1.1.x.ipsec><rtrc C>10.x.x.x

FYI - you can indeed apply NAT to external address so when you ping a internal address is it is actually Natted to the external ip

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hampy · ‎11-19-2019

Hi Guys,

Thanks for your help. I think I have it sorted out. I just had to strengthen my understanding of the commands and how the NAT inside/outside system works. Still waiting on the inside host company to complete a successful test and they might have a firewall rule issue, but from the router itself all my tests are working.

Without boring you with the whole config, all I needed was for all connections from the inside to the subnets on the other side of the VPN, to be translated to one source address. So that was just a nat "pool" for the source address, an access list and "ip nat inside source list nat-list pool nat-pool overload"

With the other requirement of having a local address that is the target/destination, that will then get translated to the real destination address before going over the VPN, that was just:

ip nat outside source static <real destination> <fake destination>

I also needed to be careful to ensure that no other nat rules were touching that traffic by excluding it from any of the other natting on the router like the external internet NAT, but it all appears to be working from my end.

Cheers

paul driver · ‎11-20-2019

Hello

glad to hear you sorted it-

regards the static D-NAT not sure you are aware you can either add the specific routes for the translation or you could just use the “add-route” command which personally I think it much better way of of getting the D-Nat route appended.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hampy · ‎11-20-2019

Hi Paul,

Thanks very much for your help. You have lost me with that one, however. Can you clarify what that does?

I didn't have to create any extra routes for this to work?

Cheers

paul driver · ‎11-20-2019

Hello
When you nat from an outside domain to an inside, Network translation happens first then a routing lookup after that.
In this case you are statically translating an outside ip into an inside ip ( on your lan segment) so that any internal host on your lan can ping a specific internal ip and that would relate to the static destination nat statement you’ve created.

Now lets say this translated ip is a spare ip on your internal lan segment or even a totally a different subnet you’ve decided to use specifically for NAT and you wish for your lan hosts to able to reach it, Then the nat router after translation will need to perform a route lookup for it, now depending on how you have routing setup, (let’s say statically) you would need to add a static host route for that natted ip so route lookup is successful or as stated, You could let nat do this for you with the "add-route" feature.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hampy · ‎11-20-2019

Thanks Paul for your patience while I understand this. Ok so say I have my PC on 192.168.0.10, and my router is on 192.168.0.1.(and it has an internet connection and a NAT rule to translate the local IP to the public IP).

Say I do:

ip nat outside source static 8.8.8.8 10.1.1.1

If I ping 10.1.1.1 it should actually ping to 8.8.8.8 correct?

So what is the process there and would you need a route for 10.1.1.1?

If you were to manually put a route what would it say?

paul driver · ‎11-20-2019

Hello

@Hampy wrote:
Ok so say I have my PC on 192.168.0.10, and my router is on 192.168.0.1.(and it has an internet connection and a NAT rule to translate the local IP to the public IP)
Say I do:
ip nat outside source static 8.8.8.8 10.1.1.1

If I ping 10.1.1.1 it should actually ping to 8.8.8.8 correct?

So what is the process there and would you need a route for 10.1.1.1?

If you were to manually put a route what would it say?

Then you can do of 1/2 things.

ip route 10.1.1.1 255.255.255.255 x.x.x.x (lan interface or ip)
or
ip nat outside source static 8.8.8.8 10.1.1.1 add-route

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul