Dynamic NAT routing with multiple internal private address ranges

bakerjw

Good day, all. I am still very fresh when it comes to Cisco routers and how some things are accomplished so please forgive my ignorance.

We have a recently acquired Cisco C1111 router that we are using to route between multiple private range subnets managed as VLANs. This is done to isolate test traffic to each subnet. e.g.

  • VLAN 100 - 192.168.0.0/24
  • VLAN 101 - 192.168.1.0/24
  • VLAN 102 - 192.168.2.0/24

Up until recently we have been running fine with this configuration using a CBS350 to perform layer 3 routing and handling SMTP relay duties. With the Cisco C1111 router, we are up and running at the same point. All is well.

With the addition of some new product concepts, we now need a way to treat our formerly isolated network as a NAT network and attach it to a single corporate maintained network. e.g.

123.123.123.0/24

Test devices on our subnets will need to establish a connection to a server on the corporate network. e.g.

123.123.123.25

The plan is to use port GigabitEthernet0/0/0 as the outside interface to the corporate side of things.

In the Cisco 1100 Series Software Configuration Guide, there is not any content regarding configuring NAT, nor have I been able to find anything on using the web interface. I have gotten the hang of the CLI so that is not a problem.

This article by Cisco seems to be pointing down the right track and I added some comments to see if I am heading down the right track.
https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html?dtid=osscdc000283#toc-hId--711044286

interface ethernet 0 <-- I am using VLANs, so would I add "ip nat inside" to each of the VLAN interfaces?
  ip address 10.10.10.1 255.255.255.0
  ip nat inside
!--- Defines Ethernet 0 with an IP address and as a NAT inside interface.

interface ethernet 1 <-- Same as above
  ip address 10.10.20.1 255.255.255.0
  ip nat inside
!--- Defines Ethernet 1 with an IP address and as a NAT inside interface.

interface serial 0 <-- In my case, I would be using interface GigabitEthernet0/0/0
  ip address 172.16.10.64 255.255.255.0
  ip nat outside
!--- Defines serial 0 with an IP address and as a NAT outside interface.

ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24 <-- Are address pools necessary? Would I have to set up a pool of an unused subnet? e.g. 192.168.252.0 192.168.252.254 prefix 24
!--- Defines a NAT pool named no-overload with a range of addresses
!--- 172.16.10.1 - 172.16.10.63.

ip nat inside source list 7 pool no-overload
!--- Indicates that any packets received on the inside interface that
!--- are permitted by access-list 7 has
!--- the source address translated to an address out of the
!--- NAT pool "no-overload".

Since I am using VLANs, would I be adding IP addresses for all VLANs? e.g. 192.168.0.0 0.0.0.254
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31

As always, any advice or guidance is extremely appreciated. Very much appreciated.


Hello


@bakerjw wrote:
“Up until recently we have been running fine with this configuration using a CBS350 to perform layer 3 routing and handling SMTP relay duties. With the Cisco, C1111 router, we are up and running at the same point. All is well.”

So is the router now performing the inter-VLAN routing for the LAN (router on a stick) and not the L3 switch?



@bakerjw wrote:
“With the addition of some new product concepts, we now need a way to treat our formerly isolated network as a NAT network and attach it to a single corporate maintained network. e.g.
123.123.123.0/24
Test devices on our subnets will need to establish a connection to a server on the corporate network. e.g.
123.123.123.25

The plan is to use port
GigabitEthernet0/0/0
as the outside interface to the corporate side of things”


Based on your OP you are on the right track to implement dynamic NAT, so in this case you will require a NAT pool for your inside-global addressing. This relates to any routable address range that your router is advertising (172.16.10.0/26) and will translate into, thus hiding all or some of your LAN subnets from the corporate network. I suggest appending overload, given that the number of LAN users is much greater than your NAT pool range; this will allow the router to reuse the NAT pool from the beginning.

What you do not mention is how you are routing externally: is this simply static, or dynamic via IGP/EGP?
Do you have any vpns or certain internal users that do not or cannot be network translated?
If this is so then it will need to be accommodated when you apply the NAT statements.


Example 1 = Dynamic NAT with static routing
ip access-list extended 100
permit ip 10.10.10.0 0.0.0.31 any
permit ip 10.10.20.0 0.0.0.31 any

ip nat pool CORP 172.16.10.2 172.16.10.62 prefix-length 26
ip nat inside source list 100 pool CORP

int gig0/0/0
ip address 172.16.10.1 255.255.255.192
ip nat outside

int x/x
no shut

int x/x.10
encapsulation dot1q 10
ip nat inside

int x/x.20
encapsulation dot1q 20
ip nat inside

ip route 0.0.0.0 0.0.0.0 gig0/0/0 172.16.10.66



Example 2 = Allocating dynamic and static NAT
ip access-list extended 100
deny ip host 10.10.10.10 any
deny ip host 10.10.20.20 any
permit ip 10.10.10.0 0.0.0.31 any
permit ip 10.10.20.0 0.0.0.31 any

ip nat pool CORP 172.16.10.1 172.16.10.60 prefix-length 26
ip nat inside source list 100 pool CORP
! specific host - to host
ip nat inside source static 10.10.10.10 172.16.10.61
! specific host - to host
ip nat inside source static 10.10.20.20 172.16.10.62

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Many thanks for the response, Paul.

In response to your first question, our new C1111-8p is now doing all of our inter-VLAN routing and our primary CBS350 switch is back to simple layer 2 switching.

We run a somewhat unique isolated test environment consisting almost exclusively of industrial automation devices. These devices are VERY heavy on layer 2 traffic and our isolated network environment isolates each test subnet while allowing TCP and UDP communications across all of our subnets. We have recently encountered a need for some devices to be able to connect to resources on a corporate managed firewalled network, hence the new router.

As for users, the number of systems accessing the corporate firewalled network will be very small. i.e. perhaps a couple of dozen devices checking in to management servers. I have 1 static IP address to work with (example 123.123.123.25 on our corporate firewalled network). All traffic has to enter the corporate world on that 1 IP address and we cannot expose any router or bridge packets. If that occurs, the corporate edge switches will kill the port.

I am learning a lot but I will have to plead ignorance at this point. When I think of NAT routing, I am more familiar with consumer solutions where the WAN port has a single IP Address and typically there is a single LAN subnet on the inside. If multiple subnets are configured to access our corporate network, will each need an IP address on the corporate network? The pool thing is where things get fuzzy.

Many thanks for the help and guidance.


Hello


@bakerjw wrote:

If multiple subnets are configured to access our corporate network, will each need an IP address on the corporate network? The pool thing is where things get fuzzy.



You can also configure NAT pooling with "match-host"; this will allow each inside host to be translated to an outside equivalent, thus providing a 1-to-1 NAT translation, but it will require the same amount of inside/outside IP addressing.

example:


ip access-list extended 100
permit ip 10.10.10.0 0.0.0.255 any
ip nat pool CORP 172.16.10.1 172.16.10.254 prefix-length 24 type match-host
ip nat inside source list 100 pool CORP



@bakerjw wrote:

I have 1 static IP address to work with (example 123.123.123.25 on our corporate firewalled network). All traffic has to enter the corporate world on that 1 IP address and we cannot expose any router or bridge packets. 


This will then require a static PAT statement (port address translation), and depending on whether you are using IOS or IOS-XE software, NAT will perform its translation differently. The former (IOS) uses a symmetric translation, so you could possibly encounter UDP connection issues due to the way an internal IP/port is mapped to an external IP/port: if/when that same host sends a packet to a different destination, a different mapping is created, so any external host can only return UDP traffic if it had initially received a UDP packet in the first place. In IOS-XE the translation is not symmetric, thus the same IP/port mapping(s) are kept across multiple destinations.


ip access-list extended 100
permit ip 10.10.10.0 0.0.0.31 any
permit ip 10.10.20.0 0.0.0.31 any
ip nat pool CORP 123.123.123.25 123.123.123.25 prefix-length 24
ip nat inside source list 100 pool CORP overload
! IOS software ONLY
ip nat service enable-sym-port

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
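To make the symmetric versus non-symmetric mapping difference described above concrete, here is an added Python model of a UDP overload (PAT) table; it is not Cisco code and not from anyone in this thread. It uses the thread's own outside address and server address, with constructed inside ports and a constructed second and third corporate host, and it assumes that in non-symmetric mode any corporate host may send to an open external port, which is a simplification of the real filtering behaviour.

```python
from dataclasses import dataclass, field

OUTSIDE_IP = "123.123.123.27"   # the single inside-global address, as in the poster's final config


@dataclass
class PatTable:
    """Minimal model of NAT overload (PAT) for UDP in one of two mapping styles."""
    symmetric: bool                 # True: new mapping per destination; False: one mapping per inside socket
    next_port: int = 1024           # constructed port allocator, not how IOS actually picks ports
    mappings: dict = field(default_factory=dict)   # mapping key -> external port
    allowed: dict = field(default_factory=dict)    # (external port, remote endpoint or None) -> inside socket

    def outbound(self, src, dst):
        """Translate inside socket `src` sending to corporate endpoint `dst`; returns (OUTSIDE_IP, port)."""
        key = (src, dst) if self.symmetric else src
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        # record who may send back to this external port: only `dst` when symmetric, anyone otherwise
        self.allowed[(port, dst if self.symmetric else None)] = src
        return OUTSIDE_IP, port

    def inbound(self, remote, port):
        """Packet from corporate endpoint `remote` to OUTSIDE_IP:port; inside socket, or None if dropped."""
        return self.allowed.get((port, remote if self.symmetric else None))


def run(symmetric):
    """Same packet sequence in both modes so the difference is visible (endpoints constructed)."""
    pat = PatTable(symmetric)
    host = ("192.168.9.10", 40000)                             # one test device on the poster's Vlan109
    _, p1 = pat.outbound(host, ("123.123.123.25", 5000))       # the management server from the thread
    _, p2 = pat.outbound(host, ("123.123.123.26", 5000))       # a second server, same inside socket
    stray = pat.inbound(("123.123.123.30", 5000), p1)          # a corporate host that was never contacted
    return {"same_port": p1 == p2,
            "uncontacted_host_reaches_inside": stray is not None,
            "second_server_reply_ok": pat.inbound(("123.123.123.26", 5000), p2) == host}
```

In symmetric mode the second destination gets its own external port and the uncontacted host is dropped; in the other mode one port serves every destination, which is what keeps multi-server UDP working but also means any corporate host that learns the port can reach the inside socket.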

bakerjw

Work gets in the way of some projects, hence the delay in responding. Busy week on many other projects so I am trying to pick back up where I was at last time. So, here is what got me mostly running... Enough to make my things run properly...

We are running enough to meet our needs. If you are ever in N.E. Tennessee, I owe you a cold one.


Access to the corporate world
!
interface GigabitEthernet0/0/0
ip address 123.123.123.27 255.255.255.0
ip nat outside
negotiation auto
spanning-tree portfast disable
!

One of my VLAN subnets.
!
interface Vlan109
ip address 192.168.9.1 255.255.255.0
ip helper-address 192.168.0.3
ip nat inside
!

Your example code modified a bit.
ip nat pool NAT_Pool 123.123.123.27 123.123.123.27 prefix-length 24
ip nat inside source list NAT_Access pool NAT_Pool overload
!
!
ip access-list extended NAT_Access
10 permit ip 192.168.6.0 0.0.0.255 any
20 permit ip 192.168.7.0 0.0.0.255 any
30 permit ip 192.168.9.0 0.0.0.255 any
40 permit ip 192.168.100.0 0.0.0.255 any
50 permit ip 192.168.101.0 0.0.0.255 any
60 permit ip 192.168.104.0 0.0.0.255 any
70 permit ip 192.168.105.0 0.0.0.255 any
!
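As an added sanity check (not part of the poster's config and not a Cisco tool), the Python below parses an IOS-style snippet modelled on the config above and reports the three things this thread turned on: every SVI marked ip nat inside must be covered by the NAT access list, the pool must sit on the outside interface's subnet, and a one-address pool needs overload. The sample config and its extra Vlan110 are constructed, and wildcard masks are assumed to be contiguous.

```python
import ipaddress
import re
# Constructed sample modelled on the config posted above (Vlan110 added so the check flags something); wildcards assumed contiguous.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0/0
 ip address 123.123.123.27 255.255.255.0
 ip nat outside
interface Vlan109
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
interface Vlan110
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
ip nat pool NAT_Pool 123.123.123.27 123.123.123.27 prefix-length 24
ip nat inside source list NAT_Access pool NAT_Pool overload
ip access-list extended NAT_Access
 30 permit ip 192.168.9.0 0.0.0.255 any
"""

def parse(config):
    ifaces, acls, pool, rule, cur = {}, {}, None, None, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces[m[1]] = {"nat": None, "net": None}
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"ip nat (inside|outside)$", line):
            cur["nat"] = m[1]
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+) prefix-length", line):
            pool = {"name": m[1], "lo": ipaddress.ip_address(m[2]), "hi": ipaddress.ip_address(m[3])}
        elif m := re.match(r"ip nat inside source list (\S+) pool (\S+)( overload)?", line):
            rule = {"acl": m[1], "overload": bool(m[3])}
        elif m := re.match(r"ip access-list extended (\S+)", line):
            cur = acls[m[1]] = []
        elif m := re.match(r"(?:\d+ )?permit ip (\S+) (\S+) any", line):
            cur.append(ipaddress.ip_network((m[1], 32 - int(ipaddress.ip_address(m[2])).bit_length()), strict=False))
    return ifaces, pool, rule, acls

def check(config):
    ifaces, pool, rule, acls = parse(config)
    findings = []
    outside = next(i["net"].network for i in ifaces.values() if i["nat"] == "outside")
    if pool["lo"] not in outside or pool["hi"] not in outside:
        findings.append(f"pool {pool['name']} lies outside the 'ip nat outside' subnet {outside}")
    if pool["lo"] == pool["hi"] and not rule["overload"]:
        findings.append("one-address pool without 'overload': only one inside host can translate at a time")
    for name, i in ifaces.items():
        if i["nat"] == "inside" and not any(i["net"].network.subnet_of(n) for n in acls[rule["acl"]]):
            findings.append(f"{name} {i['net'].network} is 'ip nat inside' but not permitted by {rule['acl']}")
    return findings
```

check() returns an empty list for a clean config; on the sample it flags only Vlan110, whose subnet is missing from NAT_Access even though the interface is marked inside.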