12-23-2010 04:09 PM - edited 03-04-2019 10:53 AM
Here is my situation:
I have an intranet that I connect to on the 152.x.x.x network.
(It is a public address range, but it is not routed to the Internet).
A router that I do not control is used to access this intranet, with an IP address of 152.73.41.45
(not the actual IP range)
I placed a router on the intranet to be able to host servers on the 152.0.0.x intranet. I have a couple of web servers that I publish to the 152.x.x.x network, through an ASA which has an inside IP address of 172.22.0.2. There are one-to-one NAT statements that translate from the 152.x.x.x to the 172.21.12.x network.
Here is what I need to do:
On my VPN 3000 there is a site to site IP sec VPN that connects me to a 192.168.60.x network.
I need the users on the 152.x.x.x network to access a web server that is on the 192.168.60.x network.
I do have an available IP address (152.73.41.156) that I can use, but I don’t know how to do this on the router.
I tried the IP nat inside source, but I couldn’t get it to work.
This router has the following Interfaces:
VLAN 22
interface FastEthernet0/0
ip address 172.22.0.5 255.255.255.0
ip nat inside
duplex auto
speed auto
VLAN 152
interface FastEthernet0/1
ip address 152.73.41.147 255.255.255.240
ip access-group 101 in
ip nat outside
duplex auto
speed auto
no cdp enable
This is the route on this router to the 192.168.x.x network
ip route 192.168.0.0 255.255.0.0 172.22.0.13
The ASA, although I don't think it has anything to do with this situation, is as follows:
ASA 5520
VLAN 152
interface GigabitEthernet0/2.152
vlan 162
nameif IntraNet
security-level 10
ip address 152.73.41.146 255.255.255.240
VLAN 22
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.22.0.2 255.255.255.0
VLAN 21
interface GigabitEthernet0/2.9
vlan 9
nameif DMZ
security-level 40
ip address 172.21.12.1 255.255.255.0
The final piece is a VPN 3000 concentrator. This concentrator has 3 interfaces:
Private 172.22.0.13
Public (public Ip address to the Internet)
External 152.73.41.152
What do I need to do to allow users on the 152.x.x.x intranet to access a web server which is on the 192.168.x.x network (over an IP Sec VPN) using an IP address of 152.73.41.156?
Thank you all for your help.
01-02-2011 09:44 PM
What do I need to do to allow users on the 152.x.x.x intranet to access a web server which is on the 192.168.x.x network (over an IP Sec VPN) using an IP address of 152.73.41.156?
Create a NAT pool with 152.73.41.156.
Create a route-map allowing the traffic flow from 152.x.x.x to 192.168.x.x
Create a Dynamic NAT overload with the above defined route-map.
HTH,
Mani
01-03-2011 06:59 AM
I entered these commands, but it still doesn't work.
Would you please review these and tell me if they are correct?
Thank you.
ip nat pool Case 152.73.41.156 152.73.41.156 netmask 255.255.255.240
ip nat inside source static 192.168.60.80 152.73.41.156
access-list 25 permit 156.0.0.0 0.255.255.255
route-map Traffic-to-Case permit 10
match ip address 25
set ip next-hop 172.22.0.13
interface FastEthernet0/0
ip address 172.22.0.5 255.255.255.0
ip nat inside
ip policy route-map Case
duplex auto
speed auto
access-list 60 permit 162.0.0.0 0.255.255.255
ip nat inside source list 60 pool case overload
Thank you for your help.
01-03-2011 08:52 AM
I think I was not clear enough in my previous post to explain the purpose of the route-map in this scenario. What I meant was policy-based NAT, where the route-map will just check whether the traffic stream matches the defined condition, to go ahead with NAT or not.
I just noticed this in the config of the router. Could you confirm the following:
VLAN 22
interface FastEthernet0/0
ip address 172.22.0.5 255.255.255.0
ip nat inside
duplex auto
speed auto
VLAN 152
interface FastEthernet0/1
ip address 152.73.41.147 255.255.255.240
ip access-group 101 in
ip nat outside
duplex auto
speed auto
no cdp enable
1. Traffic flow would be from the 152.x.x.x to the 192.168.x.x network. In that case, is the traffic direction from the NAT outside to the NAT inside interface? If so, ip nat inside source will not work.
2. And we want all the users from the 152.x.x.x network to take the IP 152.73.41.156 when they try to reach the server in the 192.168 network? If that is the case, the static rule "ip nat inside source static 192.168.60.80 152.73.41.156" needs to be removed, as it is not one-to-one.
Now, coming to the NAT with route-map, it would look like this :
access-list 125 permit 156.0.0.0 0.255.255.255 192.168.60.x
route-map NAT-Case permit 10
match ip address 125
ip nat pool Case 152.73.41.156 152.73.41.156 netmask 255.255.255.240
ip nat inside source route-map NAT-Case pool Case overload
However, for the above to work, traffic should be from the NAT inside to the NAT outside interface. What I mean is that the VLAN 152 interface with the 152 IP range should be an ip nat inside interface, and the exit interface towards the remote 192.168 network should be ip nat outside.
I know the above can be a little confusing, because the traffic direction is important in dynamic NAT for the translations to occur.
HTH,
Mani
01-03-2011 09:20 AM
So,
Is there a way to do this, while keeping the current nat config:
VLAN 22
interface FastEthernet0/0
ip address 172.22.0.5 255.255.255.0
ip nat inside
duplex auto
speed auto
VLAN 152
interface FastEthernet0/1
ip address 152.73.41.147 255.255.255.240
ip access-group 101 in
ip nat outside
duplex auto
speed auto
no cdp enable
The reason I need to keep it that way is that I need users from the 172.x.x and 192.x.x to access the 152 network.
I have a spare router I can use, and configure it with a 152.73.41.156 address. Would this be the way to go about this?
Thank you for your help.
01-03-2011 07:09 PM
We could have used outside source NAT, where the source IP address of packets from OUT to IN would be translated. The problem here is that in outside source NAT we do not have the option of overload. NAT overloading has always traditionally been used for IN to OUT.
How many users are there in 152.x.x.x that should take 152.73.41.156 as the source? If it is just one, we can go for a simple one-to-one outside source NAT as follows:
ip nat outside source static 152.x.x.x 152.73.41.156. This would translate the source when packets go from out to in, but only for the single user specified in the NAT rule.
Yeah, putting another router and making this IP 152.73.41.156 a part of IP NAT OUTSIDE would help, but I would ask you to think about whether placing a router just for this purpose would be worth it or not.
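To make the direction point from the two replies above concrete (inside source NAT only translating inside-to-outside traffic, and outside source static NAT translating a single outside host), here is an added Python model of those IOS NAT rules; it is not part of the thread and not Cisco code. It assumes the poster's interface roles (Fa0/0 inside, Fa0/1 outside), a constructed intranet client 152.73.41.20, and a 152.0.0.0/8 match range.

```python
from ipaddress import ip_address, ip_network

# Address spaces behind each NAT role on the poster's router (from the thread):
# Fa0/0 (ip nat inside) reaches 172.22.0.0/24 and, via 172.22.0.13, 192.168.0.0/16;
# Fa0/1 (ip nat outside) sits on the 152.73.41.144/28 intranet segment.
INSIDE_NETS = [ip_network("172.22.0.0/24"), ip_network("192.168.0.0/16")]
MATCH_NET = ip_network("152.0.0.0/8")   # assumption: what the route-map ACL would match
POOL_IP = "152.73.41.156"               # the spare intranet address from the thread
WEB_SERVER = "192.168.60.80"            # server behind the site-to-site VPN
USER = "152.73.41.20"                   # constructed intranet client, not from the thread

def direction(src, dst):
    """Classify a packet as in->out, out->in or none by the NAT side of each address."""
    src_in = any(ip_address(src) in n for n in INSIDE_NETS)
    dst_in = any(ip_address(dst) in n for n in INSIDE_NETS)
    if src_in and not dst_in:
        return "in->out"
    if dst_in and not src_in:
        return "out->in"
    return "none"

def nat_inside_source_overload(src, dst, match_net=MATCH_NET, pool_ip=POOL_IP):
    """Model of 'ip nat inside source route-map ... pool ... overload'.
    Only packets travelling inside->outside get their source rewritten, so a
    152.x.x.x client talking to 192.168.60.x (outside->inside) is never translated."""
    if direction(src, dst) == "in->out" and ip_address(src) in match_net:
        return pool_ip, dst
    return src, dst

def nat_outside_source_static(src, dst, outside_global, outside_local=POOL_IP):
    """Model of 'ip nat outside source static <outside_global> <outside_local>'.
    Rewrites the source of ONE outside host on packets travelling outside->inside;
    any other outside host passes through with its real address."""
    if direction(src, dst) == "out->in" and src == outside_global:
        return outside_local, dst
    return src, dst

def demo():
    """Run the three cases discussed in the thread and return the translated tuples."""
    return {
        # The poster's approach: never fires, because the flow is outside->inside.
        "inside_source": nat_inside_source_overload(USER, WEB_SERVER),
        # Mani's one-to-one alternative: fires for the single listed host...
        "outside_static_listed": nat_outside_source_static(USER, WEB_SERVER, USER),
        # ...but a second intranet client is left untranslated (no overload for outside source).
        "outside_static_other": nat_outside_source_static("152.73.41.21", WEB_SERVER, USER),
    }

if __name__ == "__main__":
    for name, (src, dst) in demo().items():
        print(f"{name:22s} src={src:15s} dst={dst}")
```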