06-02-2010 05:15 AM - edited 03-04-2019 08:39 AM
Hey,
I'm trying to figure out how I can NAT the destination (DNAT?).
The idea is not to route the public ranges in the network, but to use only private ranges, this beside.
In this setup, the idea is that when the PC 192.168.0.10 goes to 192.168.0.18, it arrives at 172.18.18.18.
What's the best way to do this? Thanks !!!
06-02-2010 05:38 AM
Assuming that you have the following configured currently:
On the router interface 192.168.0.1 --> ip nat inside
On the router interface 172.18.18.1 --> ip nat outside
Then you would need to configure the following:
ip nat outside source static 172.18.18.18 192.168.0.18
Hope that helps.
06-02-2010 05:49 AM
Hey,
Tried this, but it isn't working. :$
I think it's because the router isn't listening on this IP (192.168.0.18).
I've added it as a standby IP, so now it's listening. But it's also answering directly. So it's not being NATed or forwarded (?).
06-02-2010 05:50 AM
Please make sure that proxy arp is enabled on the router interface (192.168.0.1).
06-02-2010 05:58 AM
Shouldn't this be on by default? :$
I've issued the command (ip proxy-arp) on the interface VLAN2, which is 192.168.0.1, but it doesn't change a lot...
I've got debugging on for 'ip nat' and 'ip icmp', but there are no entries when I try to ping 192.168.0.18 from the workstation.
06-02-2010 06:01 AM
What is the ARP entry on your PC for 192.168.0.18?
Also, please share the output of "show ip nat translation"
06-02-2010 11:06 PM
See reply below....
06-02-2010 03:25 PM
I am slightly confused about what you want, but you mean something different than
ip route 0.0.0.0 0.0.0.0 172.18.18.18
?
Do you want to not allow LAN users to access each other?
06-02-2010 11:15 PM
The idea is that the router is listening on an IP (in this case 192.168.0.18), and translates it to/as 172.18.18.18.
This way, I don't need to have the 172.18.18.0 network known in the 192.168.0.0 network.
The idea is that the client PCs can only use 192.168.0.0 addresses.
So if they want to reach 172.18.18.18, they need to go to 192.168.18.18.
Maybe a bit of history?
Some companies don't allow public IP ranges (in our example 172.18.18.0) in their network (must go by proxy or whatever).
And this way, we can solve the issue of communicating with an external server without the need to advertise the public ranges in our network. Just a kind of virtual IP on the router; it translates it to the internet and that's it...
The router here isn't necessarily the internet/core router. So a default route on the client isn't the solution. :$
06-03-2010 12:24 PM
Oh.
I guess for some reason I missed the "NAT" part.
Thank you for the explanation. Always love new information.
06-03-2010 12:22 AM
Okay,
Just did a complete 'rebuild' of my setup, and now the ping is answering once I've got the NAT in there (without a standby).
But I see that the NAT itself isn't done.
Ping from the router to the server
TestA#ping 172.18.18.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.18.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/28 ms
The NAT table on the router
TestA#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                192.168.0.18       172.18.18.18
The configuration of the interface
interface Vlan1
 ip address 172.18.18.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
interface Vlan2
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
The debugging on the router
TestA#sh debugging
Generic IP:
ICMP packet debugging is on
IP NAT debugging is on
A ping from the client towards 192.168.0.18 results in:
TestA#
Jun 3 09:10:17.376 CEDT: ICMP: echo reply sent, src 192.168.0.18, dst 192.168.0.10
Jun 3 09:10:17.380 CEDT: ICMP: echo reply sent, src 192.168.0.18, dst 192.168.0.10
Jun 3 09:10:17.384 CEDT: ICMP: echo reply sent, src 192.168.0.18, dst 192.168.0.10
Jun 3 09:10:17.384 CEDT: ICMP: echo reply sent, src 192.168.0.18, dst 192.168.0.10
Jun 3 09:10:17.388 CEDT: ICMP: echo reply sent, src 192.168.0.18, dst 192.168.0.10
But as you can see in the debug, no natting is performed. :$
06-03-2010 01:19 AM
Okay, found it.
I needed to add a route for the 192.168.0.18 towards the other network.
So once I've added
ip route 192.168.0.18 255.255.255.255 vlan 1
And now it works...
Or if you see issues why not to do this....
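
The pieces of this thread put together, as an added example that is not part of any post above. It uses the addresses and VLAN interfaces posted in the thread; the add-route variant in the comments is an IOS option that nobody in the thread used.

```cisco
! Added example, not from the thread. Addresses and VLAN interfaces are the
! ones posted above.
interface Vlan1
 ip address 172.18.18.1 255.255.255.0
 ip nat outside
!
interface Vlan2
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
! Present the server 172.18.18.18 (outside global) to inside hosts as
! 192.168.0.18 (outside local).
ip nat outside source static 172.18.18.18 192.168.0.18
!
! Inside-to-outside traffic is routed first and translated afterwards.
! 192.168.0.18 falls inside the connected Vlan2 subnet, so without a more
! specific route the router treats it as inside-side traffic and, as the
! debug output above shows, answers the ping itself with no translation.
! The host route sends the packet toward the NAT outside interface, where
! the destination is rewritten to 172.18.18.18.
ip route 192.168.0.18 255.255.255.255 Vlan1
!
! Alternative to the manual static route: let NAT install the host route
! for the outside local address itself.
! ip nat outside source static 172.18.18.18 192.168.0.18 add-route
!
! Checks from exec mode:
!   show ip route 192.168.0.18     (host route should point at Vlan1)
!   show ip nat translations       (static entry, plus dynamic entries
!                                   once traffic flows)
!   debug ip nat                   (translation lines should appear for
!                                   pings from 192.168.0.10)
```

The static entry only hides the 172.18.18.0 addressing from inside hosts; it does not restrict what they can reach, so any filtering still has to come from an access list on the interfaces.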