Destination NAT

Brononius
Level 1

Hey,

I'm trying to figure out how I can NAT the destination (DNAT?).

The idea is not to route the public ranges in the network, but to use only private ranges, this aside.

In this setup, the idea is that when the PC 192.168.0.10 goes to 192.168.0.18, it arrives at 172.18.18.18.

What's the best way to do this? Thanks !!!

[Image: forum.jpg]


Jennifer Halim
Cisco Employee

Assuming that you have the following configured currently:

On the router interface 192.168.0.1 --> ip nat inside

On the router interface 172.18.18.1 --> ip nat outside

Then you would need to configure the following:

ip nat outside source static 172.18.18.18 192.168.0.18

Hope that helps.

Hey,

Tried this, but it isn't working. :$

I think it's because the router isn't listening on this IP (192.168.0.18).

I've added it as a standby IP, so now it's listening. But it's also answering directly. So it's not being NATed or forwarded (?).

Please make sure that proxy arp is enabled on the router interface (192.168.0.1).

Shouldn't this be on by default? :$

I've issued the command (ip proxy-arp) on the interface VLAN2, which is 192.168.0.1, but it doesn't change a lot...

I've got debugging on 'ip nat' and 'ip icmp'. But no entries when I try to ping 192.168.0.18 from the workstation.

What is the ARP entry on your PC for 192.168.0.18?

Also, please share the output of "show ip nat translation"

See reply below....

Nathan Cole
Level 1

I am slightly confused about what you want, but you mean something different than

ip route 0.0.0.0 0.0.0.0 172.18.18.18

?

Do you want to not allow LAN users to access each other?

The idea is that the router is listening on an IP (in this case 192.168.0.18), and translates it to/as 172.18.18.18.

This way, I don't need to have the 172.18.18.0 network known in the 192.168.0.0 network.

The idea is that the client PCs can only use 192.168.0.0 addresses.

So if they want to reach 172.18.18.18, they need to go to 192.168.18.18.

Maybe a bit of history?

Some companies don't allow public IP ranges (in our example 172.18.18.0) in their network (must go by proxy or whatever).

And this way, we can solve the issue of communicating with an external server without the need to advertise the public ranges in our network. Just a kind of virtual IP on the router, it translates it to the internet and that's it...

The router here isn't necessarily the internet/core router. So a default route on the client isn't the solution. :$

Oh. 

I guess for some reason I missed the "NAT" part. 

Thank you for the explanation. Always love new information.

Brononius
Level 1

Okay,

Just did a complete 'rebuild' of my setup, and now the ping is answering once I've got the NAT in there (without a standby).

But I see that the NAT itself isn't done.

Ping from the router to the server

TestA#ping 172.18.18.18

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.18.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/28 ms

The NAT table on the router

TestA#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                192.168.0.18       172.18.18.18

The configuration of the interface

interface Vlan1
 ip address 172.18.18.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly

interface Vlan2
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly

The debugging on the router

TestA#sh debugging 
Generic IP:
  ICMP packet debugging is on
  IP NAT debugging is on

A ping from the client towards 192.168.0.18 results in:

TestA#
Jun  3 09:10:17.376 CEDT: ICMP: echo reply sent, src 192.168.0.18, dst 192.168.0.10
Jun  3 09:10:17.380 CEDT: ICMP: echo reply sent, src 192.168.0.18, dst 192.168.0.10
Jun  3 09:10:17.384 CEDT: ICMP: echo reply sent, src 192.168.0.18, dst 192.168.0.10
Jun  3 09:10:17.384 CEDT: ICMP: echo reply sent, src 192.168.0.18, dst 192.168.0.10
Jun  3 09:10:17.388 CEDT: ICMP: echo reply sent, src 192.168.0.18, dst 192.168.0.10

But as you can see in the debug, no natting is performed. :$

Okay, found it.

I needed to add a route for the 192.168.0.18 towards the other network.

So once I've added

ip route 192.168.0.18 255.255.255.255 vlan 1

And now it works...

Or if you see issues why not to do this....
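
Why the host route in the last post makes the translation happen, as an added example that is not part of the original thread: a simplified Python model (an assumption, not IOS internals) of inside-to-outside handling, where the route lookup runs on the untranslated destination and NAT is applied afterwards. Interface names and addresses come from the posts; the function and constant names are hypothetical.

```python
import ipaddress

# Values taken from the thread; the forwarding model itself is a simplification.
NAT_OUTSIDE_STATIC = {  # outside local -> outside global
    ipaddress.ip_address("192.168.0.18"): ipaddress.ip_address("172.18.18.18"),
}
NAT_ROLE = {"Vlan1": "outside", "Vlan2": "inside"}
CONNECTED = [
    (ipaddress.ip_network("172.18.18.0/24"), "Vlan1"),
    (ipaddress.ip_network("192.168.0.0/24"), "Vlan2"),
]
# ip route 192.168.0.18 255.255.255.255 vlan 1
HOST_ROUTE = (ipaddress.ip_network("192.168.0.18/32"), "Vlan1")


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    matches = [(net.prefixlen, ifname) for net, ifname in routes if dst in net]
    return max(matches)[1] if matches else None


def forward(routes, ingress, dst):
    """Model a packet entering `ingress` addressed to `dst`.

    Returns (egress interface, destination after NAT, translated?).
    Routing is decided first, on the untranslated destination; the
    outside-source entry only rewrites packets going inside -> outside.
    """
    dst = ipaddress.ip_address(dst)
    egress = lookup(routes, dst)
    crosses = NAT_ROLE.get(ingress) == "inside" and NAT_ROLE.get(egress) == "outside"
    if crosses and dst in NAT_OUTSIDE_STATIC:
        return egress, str(NAT_OUTSIDE_STATIC[dst]), True
    return egress, str(dst), False


def compare():
    """Same packet from 192.168.0.10, without and with the /32 route."""
    before = forward(CONNECTED, "Vlan2", "192.168.0.18")
    after = forward(CONNECTED + [HOST_ROUTE], "Vlan2", "192.168.0.18")
    return before, after


if __name__ == "__main__":
    for label, result in zip(("without host route", "with host route"), compare()):
        print(f"{label}: egress={result[0]} dst={result[1]} translated={result[2]}")
```

Without the /32 route the destination matches the connected 192.168.0.0/24 on Vlan2, so the packet never crosses from inside to outside and the static entry is never consulted, which matches the debug output showing only ICMP replies and no NAT lines.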
