915 Views | 0 Helpful | 6 Replies

how to accomplish this nat task?

rmiles
Level 1

Ok, here's what I need to do. There is a site with internet access from any given ISP. A node or possibly nodes at this site need to connect to my main site via VPN, and it needs to be site-to-site, not client access. Due to overlap issues I need the node or nodes to NAT when traversing the VPN connection. These nodes also need to access the internet through their standard internet connection. So, they need to PAT to the outside interface when accessing the internet, and then they need to static NAT to another address for VPN traffic. With TAC's help I was able to do this on a PIX 501; however, it requires policy NAT, which renders the PDM unusable. Because these remote devices need to be managed by their low-end site admins, it really needs a GUI. So, I am now trying to accomplish this task on a router such as an 850, 870, or 1800 running SDM.

Can anyone assist with getting this to work? And yes, I did open a TAC case, but it's been sitting for hours and no one has taken ownership of it. I have had luck with finding help on these boards in the past so I figured I would give it a shot.

Thanks all!

6 Replies

kumarapalani
Level 1

Hi,

If I understood right, what you want is to do NAT based on the destination address; if that's the case, try using a route-map with your NAT.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

HTH
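A worked example of the route-map approach for the original question, added here as an editor's illustration and not a configuration posted in the thread. Every address, interface name and the VPN peer are assumed: the remote LAN 192.168.1.0/24 overlaps with a network at the main site, so each remote node is presented to the main site as a 172.16.50.x address over the tunnel, while everything else from the LAN is PATed to the outside interface. The crypto ACL is written against the translated addresses because on IOS the inside-to-outside NAT step runs before IPsec on the outbound path.

```ios
! Added example (editor's illustration, not a post from the thread).
! Assumed addressing:
!   FastEthernet0  ISP side, 198.51.100.2/30, default gateway 198.51.100.1
!   FastEthernet1  remote LAN 192.168.1.0/24 (overlaps with the main site)
!   172.16.50.0/24 addresses the main site sees for the remote nodes
!   10.0.0.0/8     main-site networks reachable through the tunnel
!   203.0.113.1    main-site VPN peer
interface FastEthernet0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map VPN
!
interface FastEthernet1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Which flows count as VPN traffic: remote LAN -> main-site networks
ip access-list extended TO-MAIN-SITE
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! Everything else from the LAN is Internet traffic. The deny line matters:
! if main-site destinations matched here they would be PATed to the outside
! address, never match the crypto ACL, and leave the router unencrypted.
ip access-list extended TO-INTERNET
 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NAT-VPN permit 10
 match ip address TO-MAIN-SITE
!
route-map NAT-INTERNET permit 10
 match ip address TO-INTERNET
!
! One static translation per node, applied only when the route-map matches,
! so 192.168.1.10 is 172.16.50.10 inside the tunnel and nowhere else.
ip nat inside source static 192.168.1.10 172.16.50.10 route-map NAT-VPN
ip nat inside source static 192.168.1.11 172.16.50.11 route-map NAT-VPN
!
! PAT to the outside interface for Internet-bound traffic
ip nat inside source route-map NAT-INTERNET interface FastEthernet0 overload
!
! Crypto ACL matches the translated (post-NAT) source addresses
ip access-list extended VPN-TRAFFIC
 permit ip 172.16.50.0 0.0.0.255 10.0.0.0 0.255.255.255
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key CHANGE-ME-PSK address 203.0.113.1
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TRAFFIC
```

To check it, open a connection from 192.168.1.10 to a main-site host and one to an Internet host, then look at `show ip nat translations`: the tunnel flow should show 172.16.50.10 as the inside global address and the Internet flow 198.51.100.2 with a port, and `show crypto ipsec sa` should show the encrypt counters for the VPN-TRAFFIC flow increasing. The main site's crypto ACL and routing must refer to 172.16.50.0/24, not to the real 192.168.1.0/24, and the pre-shared key above is a placeholder to be replaced.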

Hello,

Our problem is quite similar to this one. What we want to achieve is to redirect the HTTP traffic to one IP address. Here is our configuration (abbreviated):

interface FastEthernet0/0
 ip address 192.168.253.3 255.255.255.240 secondary
 ip address 10.10.10.124 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no cdp enable
!
interface Ethernet1/0
 ip address 10.17.1.1 255.255.240.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip policy route-map dnat
 duplex full
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.2
no ip http server
no ip http secure-server
!
ip nat pool slb-srv 192.168.253.1 192.168.253.1 prefix-length 28 type rotary
ip nat inside source list internet-clients interface FastEthernet0/0 overload
ip nat inside destination list web pool slb-srv
!
ip access-list extended internet-clients
 deny   tcp any any eq www
 permit ip 10.17.0.0 0.0.15.255 any
ip access-list extended web
 permit tcp any any eq www
!
no cdp run
!
end

As you can see, we want all the traffic from the ACL internet-clients to be SNAT-ed to interface FE 0/0 and all the http traffic to be DNAT-ed to ip address 192.168.253.1.

As you can imagine this didn't work for us. What we see is that it simply doesn't NAT the http packets at all. ICMP and other traffic is OK (we can ping any site), but not http, we are not able to open any site.

Would greatly appreciate any help,

Dardan

Hi,

Could you help me with a network drawing showing the interfaces and IP addresses? I am not sure I understand your NAT requirements and IP addressing correctly.

Here you go.

Thanks

Hi,

Though the following config won't be the best one, it should still help you get going.

I just happened to look into your config and I see you are changing your destination IP address; I wonder if that's a place where you want to look again.

Should you still have issues, please get the output for

sh ip nat translations

sh ip nat translations tcp

and also a debug output while trying to ping any external web server.

Thank you

HTH

**************************************************

interface FastEthernet0/0
 ip nat outside
!
interface FastEthernet0/1
 ip nat inside
!
ip nat pool internet 66.1.1.1 66.1.1.1 prefix-length 28
ip nat pool intranet 10.3.100.200 10.3.100.207 prefix-length 28
ip nat inside source route-map http pool internet overload
ip nat inside source route-map traffic pool intranet
!
route-map http permit 10
 match ip address HTTP
!
route-map traffic permit 10
 match ip address all-traffic
!
ip access-list extended HTTP
 permit tcp any any eq www
!
ip access-list extended all-traffic
 deny   tcp any any eq www
 permit ip host 10.0.0.200 204.1.1.1 0.0.0.255

****************************************************

Please find attached a drawing where we tried to explain what we want to achieve.

Thanks in advance,

Dardan
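An added example for Dardan's HTTP redirect, written by the editor and not posted in the thread. The `ip nat inside destination ... type rotary` line in the posted configuration is the IOS TCP load-distribution feature: it rewrites the destination of connections that arrive from the outside for the pool's virtual address, so it never touches HTTP connections leaving the inside, and the `deny tcp any any eq www` in internet-clients then leaves those connections untranslated. Policy routing on Ethernet1/0 (the interface already carries `ip policy route-map dnat`) forwards the HTTP flows to 192.168.253.1 without rewriting the destination IP, which is enough when that device is a transparent proxy or load balancer. The addresses and ACL names are the ones from Dardan's configuration; the route-map body and the transparent-proxy assumption are the editor's.

```ios
! Added example (editor's illustration, not a post from the thread).
! Addresses and ACL names come from the configuration Dardan posted; the
! route-map body and the assumption that 192.168.253.1 accepts packets
! addressed to arbitrary web servers (transparent proxy) are the editor's.
!
! The rotary-pool rule only acts on outside-to-inside connections, so it
! is removed rather than left in place.
no ip nat inside destination list web pool slb-srv
no ip nat pool slb-srv 192.168.253.1 192.168.253.1 prefix-length 28 type rotary
!
! HTTP from the inside LAN, excluding HTTP aimed at the proxy itself
ip access-list extended web
 deny   tcp any host 192.168.253.1 eq www
 permit tcp 10.17.0.0 0.0.15.255 any eq www
!
! Policy routing: applied inbound on the LAN interface, it sends matching
! packets to the proxy on the FastEthernet0/0 secondary subnet. Packets
! that match no clause follow the routing table as before and are PATed by
! the internet-clients rule.
route-map dnat permit 10
 match ip address web
 set ip next-hop 192.168.253.1
!
interface Ethernet1/0
 ip policy route-map dnat
!
! Port-80 flows keep their 10.17.x source (internet-clients denies www),
! so the proxy needs a route back to 10.17.0.0/20 via 192.168.253.3 and
! its own path to the Internet for the onward connection.
```

`show route-map dnat` shows the policy-match packet counters, and a short `debug ip policy` on a lab box shows each redirected packet and its new next hop. If 192.168.253.1 is not transparent and needs packets addressed to itself, policy routing alone will not do it; in that case the interception has to happen on the proxy side (for example with WCCP, `ip wccp web-cache`, when the proxy supports it), because the inside-source NAT rules here rewrite source addresses only.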
