Dynamic Source And Destination NAT at the same time.

Hi all,

 

I'm at the NAT chapter on my Cisco prep and I have the following question.

Is it possible to do dynamic source and destination NAT at the same time? If so, then how?

 

More specifically what I'm trying to achieve.

[Figure: topology.png]

The router R2 from the figure above is the one that is supposed to be performing NAT. Router R1 with the loopback 192.168.10.1 is on the inside, and router J1 (it's a Juniper vMX :) ) is on the outside.

 

What I'm trying to do is change both the source and destination address at the same time, at R2, when pinging from R1 to J1. For some reason, this does not seem to work. Am I missing a configuration knob, or is this just not possible? I'm not excluding the latter option, given that a dynamic mapping of both the source and destination address will mean very inconsistent flows, especially if the translation timer is very low.

 

The relevant configuration on R2.

 

interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly

 

interface FastEthernet2/0
 ip address 100.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly

 

ip route 101.1.1.0 255.255.255.248 100.1.1.2
ip route 192.168.10.0 255.255.255.248 10.1.1.1

 

ip nat pool nat-pool-in 50.1.1.1 50.1.1.254 prefix-length 24
ip nat pool nat-pool-out 172.16.10.1 172.16.10.254 prefix-length 24
ip nat inside source list nat-list-in pool nat-pool-in
ip nat outside source list nat-outside-list pool nat-pool-out
!
ip access-list extended nat-list-in
permit ip 10.1.1.0 0.0.0.3 any
permit ip 192.168.10.0 0.0.0.7 any
ip access-list extended nat-outside-list
permit ip 101.1.1.0 0.0.0.7 any
permit ip 100.1.1.0 0.0.0.255 any
!

 

The nat-list-in access list defines the I.L address space, and the nat-pool-in defines the I.G address space.

The nat-list-out access list defines the O.L address space, and the nat-pool-out defines the O.G address space.

 

When I ping 172.16.10.x from 192.168.10.x, I want the S.A. to be changed dynamically from 192.168.10.x to an address from the 50.1.1.0/24 network, while the D.A. should be changed from 172.16.10.x to 101.1.1.x. Both translations should be done in a single step, at R2.

 

R1 has a route in the FIB for 172.16.10.0/24 and J1 has a route for the destination 50.1.1.0/24, both pointing to their respective next hops at R2.

 

Regards,

Ciprian Chira

4 Replies

tobyarnett (Level 1)

chira.cipri@gmail.com

 

This is absolutely possible. This is actually a fairly common type of setup when going from a corporate network towards a client network. The objective is that your client network will only see a provided IP or range of IP's. What you will want to do is create a loopback interface on your R2 router. The subnet used in that loopback will become your NAT range. That NAT range is used by R1 and any other traffic in R1 to target networks behind J1. 

 

For example, if 172.16.10.251 is a host within J1's network, you can then map that IP to 50.1.1.251 with a NAT. You would then use a route-map in your NAT statements to specify that any traffic coming from 192.168.10.0/24 bound for 172.16.10.0/24 will be NAT'd to the inside interface of your NAT router (inside being J2 and outside being R1).

 

All that J2 will see is the Fa2/0 interface IP on R2. Your hosts in R1 will target the 50.1.1.x IP instead of the 172.16.10.x IP. This should give you what you're looking for I believe. You may have to tweak the IP's if I didn't fully understand your topography. 

 

Here is a config example you can reference:

 

Router - R2

interface Loopback10
 description for Host to Host NAT Pool
 ip address 50.1.1.1 255.255.255.0
!
interface FastEthernet1/0
 description Towards R1
 ip address 10.1.1.1 255.255.255.252
 ip nat outside
!
interface FastEthernet2/0
 description Towards J1
 ip address 10.2.1.1 255.255.255.252
 ip nat inside
!
ip route 50.1.1.0 255.255.255.0 10.2.1.2 name NAT-Range-to-Client
ip route 50.1.1.251 255.255.255.255 10.2.1.2 name Host1-1
ip route 50.1.1.252 255.255.255.255 10.2.1.2 name Host1-2
!
ip nat inside source route-map rm-NAT interface FastEthernet2/0 overload
ip nat outside source static 192.168.10.251 50.1.1.251
ip nat outside source static 192.168.10.252 50.1.1.252
!
ip access-list extended acl-NAT-Overload
 permit ip 10.0.0.0 0.127.255.255 172.16.10.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
 deny   ip any any
!
route-map rm-NAT permit 10
 match ip address acl-NAT-Overload
!
-Toby


Please don't forget to rate any helpful post.

_____________________________________
There are no great limits to growth because there are no limits of human intelligence, imagination, and wonder.
- Ronald Reagan
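The behaviour the original poster reports (source rewritten, destination untouched when the ping is started from R1) and the difference a static outside-source entry makes can be modelled with a small translation-table simulation. This is an added example written for this thread; it is not Cisco IOS code and not the configuration of either participant. It assumes the IOS semantics that `ip nat inside source` entries are created by inside-to-outside packets and `ip nat outside source` entries by outside-to-inside packets, with the reverse direction only consulting entries that already exist. The pools and access lists are the original poster's R2 configuration; the hosts 192.168.10.1, 101.1.1.2 and the 172.16.10.x targets are constructed sample endpoints.

```python
# Toy model of IOS-style NAT table semantics for the thread above.
# Constructed for illustration; not Cisco IOS code.
# Model assumptions (stated as assumptions, not verified against IOS source):
#   * 'ip nat inside source' entries map inside-local (IL) <-> inside-global (IG).
#     Dynamic entries are created by packets going inside -> outside; the
#     reverse direction only uses entries that already exist.
#   * 'ip nat outside source' entries map outside-global (OG) <-> outside-local (OL).
#     Dynamic entries are created by packets going outside -> inside; the
#     reverse direction only uses entries that already exist.
#   * Static entries are present before any traffic flows.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NatTable:
    inside_acl: list            # networks whose hosts are inside-local
    inside_pool: list           # free inside-global addresses (nat-pool-in)
    outside_acl: list           # networks whose hosts are outside-global
    outside_pool: list          # free outside-local addresses (nat-pool-out)
    il_to_ig: dict = field(default_factory=dict)
    og_to_ol: dict = field(default_factory=dict)

    def add_static_outside(self, og, ol):
        """Model of 'ip nat outside source static OG OL'."""
        self.og_to_ol[og] = ol

    @staticmethod
    def _matches(addr, acl):
        return any(ipaddress.ip_address(addr) in net for net in acl)

    def inside_to_outside(self, src, dst):
        """Translate a packet leaving the inside interface towards the outside."""
        # Source IL -> IG: allocate a dynamic entry when the ACL permits it.
        if src not in self.il_to_ig and self._matches(src, self.inside_acl) and self.inside_pool:
            self.il_to_ig[src] = self.inside_pool.pop(0)
        new_src = self.il_to_ig.get(src, src)
        # Destination OL -> OG: only an entry created earlier (static, or by
        # outside-initiated traffic) can be used here; otherwise left as-is.
        ol_to_og = {ol: og for og, ol in self.og_to_ol.items()}
        new_dst = ol_to_og.get(dst, dst)
        return new_src, new_dst

    def outside_to_inside(self, src, dst):
        """Translate a packet arriving on the outside interface towards the inside."""
        # Source OG -> OL: allocate a dynamic entry when the ACL permits it.
        if src not in self.og_to_ol and self._matches(src, self.outside_acl) and self.outside_pool:
            self.og_to_ol[src] = self.outside_pool.pop(0)
        new_src = self.og_to_ol.get(src, src)
        # Destination IG -> IL: only existing entries.
        ig_to_il = {ig: il for il, ig in self.il_to_ig.items()}
        new_dst = ig_to_il.get(dst, dst)
        return new_src, new_dst


def r2_table():
    """The original poster's R2 pools and access lists expressed in the model."""
    return NatTable(
        inside_acl=[ipaddress.ip_network("10.1.1.0/30"), ipaddress.ip_network("192.168.10.0/29")],
        inside_pool=[f"50.1.1.{i}" for i in range(1, 255)],
        outside_acl=[ipaddress.ip_network("101.1.1.0/29"), ipaddress.ip_network("100.1.1.0/24")],
        outside_pool=[f"172.16.10.{i}" for i in range(1, 255)],
    )


def scenario_dynamic_both_directions():
    """Ping from R1 first: the source is translated, the destination is not,
    because no outside-source entry exists yet. Once J1 initiates a flow, the
    outside entry exists and a later inside-initiated packet gets both rewritten."""
    t = r2_table()
    first = t.inside_to_outside("192.168.10.1", "172.16.10.5")   # destination untouched
    reply = t.outside_to_inside("101.1.1.2", "50.1.1.1")         # creates the OG->OL entry
    later = t.inside_to_outside("192.168.10.1", "172.16.10.1")   # both addresses rewritten
    return first, reply, later


def scenario_static_outside_entry():
    """With a static outside-source entry configured up front (the approach in
    tobyarnett's reply), an inside-initiated ping has both addresses rewritten at once."""
    t = r2_table()
    t.add_static_outside("101.1.1.2", "172.16.10.2")
    return t.inside_to_outside("192.168.10.1", "172.16.10.2")


if __name__ == "__main__":
    print(scenario_dynamic_both_directions())
    print(scenario_static_outside_entry())
```

The model shows why the two configurations behave differently: a dynamic `outside source` entry is only ever allocated by traffic arriving from the outside, so the first inside-initiated ping has nothing to rewrite its destination with, whereas a static entry is available from the start.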

Hello,

 

Thank you for your response, I'll try the config in the lab. From what I can see, you're using dynamic NAT in the inside -> outside direction, but static mappings for outside -> inside, and that's not what I'm looking for.

Is it possible to have dynamic mappings in both directions at the same time?

 

Regards,

Ciprian Chira

I am sure there is a way to architect it like that. It just requires more complex configurations. The static NAT can be changed to do a NAT pool so that you are mapping SubnetA/24 to the SubnetB/24 as a dynamic 1-to-1. To have this done in both directions I would probably split that NAT table up to different devices. i.e. use J2 to dynamic NAT towards R1, and R2 to dynamic NAT towards J1.

 

Trying to do that on the same router would make the NAT tables (and the configurations) confusing to read if you were another engineer working through the configs while troubleshooting. Think of it as if you had a complex problem going: how difficult would it be to troubleshoot if you had thousands of lines of translations from many IP's in both directions? The job to write the original configs, have others maintain it, and then troubleshoot is certainly not something I would ever put into an actual production network.

 

However, for the purpose of education setting it up in a lab is good to do just to work it out.

-Toby



Deepak Kumar (VIP Alumni)

Hi,

Change some interface commands as below:

 

interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.252
 ip nat enable
 ip virtual-reassembly

 

interface FastEthernet2/0
 ip address 100.1.1.1 255.255.255.0
 ip nat enable
 ip virtual-reassembly

 

Regards,

Deepak Kumar
