cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1521
Views
0
Helpful
17
Replies

how to source NAT outside interface to outside interface?

JamesS4
Level 1
Level 1

Hi, looking for assistance on an issue.

 

Our Cisco ISR router has three active interfaces -- one inside interface (local LAN), one outside interface to Internet, and one outside interface that is point to point connection to a colocated site.

 

The colocated site only accepts traffic from one subnet, let's say 10.10.10.x.  

 

So on our local network everything is either on 10.10.10.x. or we NAT overload anything else to be on this network.

 

The issue is, we need to have a connection from the Internet get to a server at the colocation via our local site.

 

The destination NAT is not an issue: ip nat inside source static tcp [colocation server IP] 1111 [our Internet static IP] 1111 extendable

 

But trying to determine how to source NAT so that the public IP coming from the Internet is translated to a 10.10.10.x address.

 

I have tried: ip nat inside source list [ACL that permits the public IP] pool [10.10.10.x address pool] overload

 

Also tried: ip nat outside source list [ACL that permits the public IP] pool [10.10.10.x address pool]

 

But admittedly I don't really know the distinction.  At any rate, neither works.  Looking at the NAT translations, shows the Outside local and Outside global source IP is unchanged.  If my understanding is correct, I think I need to get the Outside local IP to be a 10.10.10.x address.

 

Happy to provide any further info.

 

Thanks!

17 Replies 17

Deepak Kumar
VIP Alumni
VIP Alumni

Hi,

Really, I didn't get your question. Please attach a network diagram.

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Basic diagram is attached.  text in RED is what I am having difficulties with.  thank you!

Hello

If i understood correctly then only what you need to do it enable nat on all three interfaces of the onsite router.

 

example:
int gig0/0
description WAN
ip address 12.12.12.1 255.255.255.252

ip nat outside

int gig0/1
description LAN
ip address 10.10.9.1 255.255.255.0
ip nat  inside

int gig0/2
description collocation
ip address 10.10.10.1 255.255.255.0
ip nat inside

access-list 1 permit 10.10.9.0 0.0.0.255
access-list 1 permit host 10.10.10.100  <---collocation host to access internet

ip nat inside source-list 1 interface gig0/0
ip nat inside source static tcp 10.10.10.100 80 12.12.12.1 80 extendable  <--for outside access to collocation host 10.10.10.100 via http port 80

ip route 0.0.0.0 0.0.0.0 gig0/0 12.12.12.2


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul, thank you for the response.  This only addresses half of the issue, which is to make the 10.10.10.x host accessible via the public IP address.  The issue is also that INCOMING connection from the Internet in needs to also get NATed to 10.10.10.x network.  I think I have solved it with this line 

 

ip nat outside source static [public address from internet] 10.10.10.2

 

so now, NAT translation looks like it should:

 

Pro  Inside global         Inside local          Outside local         Outside global

tcp  12.12.12.1:30001  10.10.10.100:1111    10.10.10.2:1111    [public address from internet] :56604

 

But now, the only issue is incomplete ARP

 

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.10.10.2 0 Incomplete ARPA

 

I am trying to resolve this now..

Hello


@JamesS4 wrote:

Hi Paul, thank you for the response.  This only addresses half of the issue, which is to make the 10.10.10.x host accessible via the public IP address.  The issue is also that INCOMING connection from the Internet in needs to also get NATed to 10.10.10.x network.


ip nat inside source static tcp 10.10.10.100 80 12.12.12.1 80 extendable

This is why i added the above PAT statement as an example but are saying you wish to for a specific outside global address to be seen as a collocation address?





Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

yes, the outside global address must be NATed to 10.10.10.x address.  

 

The colocation endpoint (which I have no control over) only passes traffic to the 10.10.10.x network

 

I also would like to reiterate that Gi0/2 is an outside interface as well, not inside, which cannot be changed either.

Hello


@JamesS4 wrote:

Pro  Inside global         Inside local          Outside local         Outside global

tcp  12.12.12.1:30001  10.10.10.100:1111    10.10.10.2:1111    [public address from internet] :56604

 

But now, the only issue is incomplete ARP

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.10.10.2 0 Incomplete ARPA



The possible reason is the nat router now does not have a valid route for 10.10.10.2 ( i am assuming 10.10.2 is a spare ip address in this subnet and not a specific live host?)

Either the below should work:-

ip nat outside source static [external public address from internet] 10.10.10.2 add-route
or
ip route 10.10.10.2 255.255.255.255 (your own public ip)


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you for your continued assistance.

 

You are correct that 10.10.10.2 is a spare unallocated IP I selected.

 

I did try both of your suggestions (actually prior to your response).  The 'add-route' option does not appear to have any impact.

 

The routing statement causes 10.10.10.2 to disappear from the ARP table altogether.  It doesn't show incomplete -- it just does not appear in the table at all.

 

If I remove 'ip route 10.10.10.2 255.255.255.255 (your own public ip)' then I see the incomplete entry again.

 

Any other ideas?  I feel like I am so close  =/

Hello

Okay maybe we’re missing someone fundermental so can you post the confitif your nat router please - 

 

by by the way I had a typo rregard the static route it needed to be pointed to your external public interface not ip -as it needs to be seen as a more specific connected route 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Here is all the relevant config, sanitized.  The line in bold appears to have been added by the 'add-route' option FYI, not a specific requirement of ours in any way.  Thank you!!

 


interface GigabitEthernet0/0

description WAN
ip address [our public ip] 255.255.255.248
ip nat outside

!

interface GigabitEthernet0/1

description LAN
ip address 10.10.10.1 255.255.255.192
ip nat inside
!
interface GigabitEthernet0/2

description colo
ip address 192.168.1.117 255.255.255.252
ip nat outside
!

ip route 0.0.0.0 0.0.0.0 [our public IP next hop]
ip route 10.10.10.0 255.255.255.0 [our public IP next hop]
ip route 192.168.2.0 255.255.255.240 192.168.1.118
!
ip nat inside source static tcp 192.168.2.10 1111 [our public ip] 1111 extendable
ip nat inside source static tcp 10.10.10.2 15914 [our public ip] 15914 extendable
ip nat outside source static [external public IP] 10.10.10.2 add-route
!

Hello

 

1) remove “add route” from the static nat statement added earlier 

2) no ip route 10.10.10.0 255.255.255,0 public ip 

Ip route 10.10.10.2 255.255.255.255 gig0/0

 

3) int gig0/2

ip nat inside

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

this I sent to you is oversimplified a bit.  I cannot change int gi0/2 to be 'ip nat inside'.

 

The reason is we currently have other VLANs that also need to access the colo, and again those addresses need to be translated to 10.10.10.x  So we do have some inside to outside NATing already occurring on the gi0/2 interface and cannot change it to be inside.  hence the  original question, how to source NAT from outside interface (WAN) to outside interface (colo).

 

I'll try the rest of what you've suggested...

 

EDIT***

 

I've tried as you've outlined, but I suspect designating gi0/2 as inside interface is the critical missing piece here.  It still does not work, and there is Incomplete ARP entry for 10.10.10.x.

 

Is there any way to accomplish without changing the interface to inside? 

So I took the whole P2P and outside interface to outside interface issue out of the equation.

 

I did this by setting up an open port on our inside network and just focusing on the public to private source NAT.  This is what does not work.  So now we have only traffic going in and out of GI0/0.  The source IP NAT for inbound traffic is what is breaking this.   

 

I opened a new, simplified thread here:

 

https://community.cisco.com/t5/routing/how-to-source-nat-from-public-to-private-ip/m-p/3777898#M307419

Hello

Opening a new thread probably will mean you need to explain your topology again what your trying to accomplish,


The assumption until your last post was that you had two internal interfaces and one external but it seems its the other away around, and you want to source NAT from outside interface (WAN) to another outside interface (colo).internally, 

 

Is this still the case or has this now changed?

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: