NAT a remote IP address

william-espana, Level 1

Here is my situation:

I have an intranet that I connect to on the 152.x.x.x network.
(It is a public address range, but it is not routed to the Internet.)
A router that I do not control is used to access this intranet, with an IP address of 152.73.41.45
(not the actual IP range).

I placed a router on the intranet to be able to host servers on the 152.0.0.x intranet. I have a couple of web servers that I publish to the 152.x.x.x network, through an ASA which has an inside IP address of 172.22.0.2. There are one-to-one NAT statements that translate from the 152.x.x.x to the 172.21.12.x network.

Here is what I need to do:

On my VPN 3000 there is a site-to-site IPsec VPN that connects me to a 192.168.60.x network.

I need the users on the 152.x.x.x network to access a web server that is on the 192.168.60.x network.

I do have an available IP address (152.73.41.156) that I can use, but I don’t know how to do this on the router.

I tried ip nat inside source, but I couldn't get it to work.

This router has the following interfaces:

VLAN 22
interface FastEthernet0/0
 ip address 172.22.0.5 255.255.255.0
 ip nat inside
 duplex auto
 speed auto

VLAN 152
interface FastEthernet0/1
 ip address 152.73.41.147 255.255.255.240
 ip access-group 101 in
 ip nat outside
 duplex auto
 speed auto
 no cdp enable

This is the route on this router to the 192.168.x.x network

ip route 192.168.0.0 255.255.0.0 172.22.0.13

The ASA, although I don't think it has anything to do with this situation, is as follows:

ASA 5520

VLAN 152
interface GigabitEthernet0/2.152
 vlan 162
 nameif IntraNet
 security-level 10
 ip address 152.73.41.146 255.255.255.240

VLAN 22
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.22.0.2 255.255.255.0

VLAN 21
interface GigabitEthernet0/2.9
 vlan 9
 nameif DMZ
 security-level 40
 ip address 172.21.12.1 255.255.255.0

The final piece is a VPN 3000 concentrator. This concentrator has 3 interfaces:

Private: 172.22.0.13
Public: (public IP address to the Internet)
External: 152.73.41.152

What do I need to do to allow users on the 152.x.x.x intranet to access a web server which is on the 192.168.x.x network (over an IPsec VPN) using an IP address of 152.73.41.156?

Thank you all for your help.

5 Replies

Mani Ganesan, Level 4

What do I need to do to allow users on the 152.x.x.x intranet to access a web server which is on the 192.168.x.x network (over an IPsec VPN) using an IP address of 152.73.41.156?

Create a NAT pool with 152.73.41.156.

Create a route-map allowing the traffic flow from 152.x.x.x to 192.168.x.x.

Create a dynamic NAT overload with the above-defined route-map.

HTH,

Mani

I entered these commands, but it still doesn't work.

Would you please review these and tell me if they are correct.

Thank you.

ip nat pool Case 152.73.41.156 152.73.41.156 netmask 255.255.255.240
ip nat inside source static 192.168.60.80 152.73.41.156

access-list 25 permit 156.0.0.0 0.255.255.255

route-map Traffic-to-Case permit 10
 match ip address 25
 set ip next-hop 172.22.0.13

interface FastEthernet0/0
 ip address 172.22.0.5 255.255.255.0
 ip nat inside
 ip policy route-map Case
 duplex auto
 speed auto

access-list 60 permit 162.0.0.0 0.255.255.255
ip nat inside source list 60 pool case overload

Thank you for your help.

I think I was not clear enough in my previous post in explaining the purpose of the route-map in this scenario. What I meant was policy-based NAT, where the route-map will just check whether the traffic stream matches the defined condition, to decide whether to go ahead with NAT or not.

I just noticed this in the config of the router. Could you confirm the following:

VLAN 22
interface FastEthernet0/0
 ip address 172.22.0.5 255.255.255.0
 ip nat inside
 duplex auto
 speed auto

VLAN 152
interface FastEthernet0/1
 ip address 152.73.41.147 255.255.255.240
 ip access-group 101 in
 ip nat outside
 duplex auto
 speed auto
 no cdp enable


1. The traffic flow would be from the 152.x.x.x network to the 192.168.x.x network. In that case, is the traffic direction from the NAT outside interface to the NAT inside interface? If so, ip nat inside source will not work.


2. And do we want all the users from the 152.x.x.x network to take the IP 152.73.41.156 when they try to reach the server in the 192.168 network? If that is the case, the static rule "ip nat inside source static 192.168.60.80 152.73.41.156" needs to be removed, as it is not one-to-one.

Now, coming to the NAT with route-map, it would look like this:

! Source range assumed to be the 152.0.0.0/8 intranet from the question
! (the line as originally posted read 156.0.0.0); destination is the
! 192.168.60.0/24 network the web server sits on.
access-list 125 permit ip 152.0.0.0 0.255.255.255 192.168.60.0 0.0.0.255

route-map NAT-Case permit 10
 match ip address 125

ip nat pool Case 152.73.41.156 152.73.41.156 netmask 255.255.255.240

! Pool name is case-sensitive, so it must match the "ip nat pool" line.
ip nat inside source route-map NAT-Case pool Case overload

However, for the above to work, traffic should flow from the NAT inside interface to the NAT outside interface. What I mean is that the VLAN 152 interface with the 152 IP range should be an ip nat inside interface, and the exit interface towards the remote 192.168 network should be ip nat outside.

I know the above can be a little confusing, because the traffic direction is important in dynamic NAT for the translations to occur.

HTH,

Mani

So,

Is there a way to do this while keeping the current NAT config:

VLAN 22
interface FastEthernet0/0
 ip address 172.22.0.5 255.255.255.0
 ip nat inside
 duplex auto
 speed auto

VLAN 152
interface FastEthernet0/1
 ip address 152.73.41.147 255.255.255.240
 ip access-group 101 in
 ip nat outside
 duplex auto
 speed auto
 no cdp enable

The reason I need to keep it that way is that I need users from the 172.x.x.x and 192.x.x.x networks to access the 152 network.

I have a spare router I can use, and configure it with a 152.73.41.156 address.  Would this be the way to go about this?

Thank you for your help.

We could have used outside source NAT, where the source IP address of packets from OUT to IN would be translated. The problem here is that with outside source NAT we do not have the option of overload. NAT overloading has always traditionally been used for IN to OUT.


How many users are there in 152.x.x.x that should take 152.73.41.156 as the source? If it is just one, we can go for a simple one-to-one outside source NAT as follows:


ip nat outside source static 152.x.x.x 152.73.41.156

This would translate the source when packets go from out to in, but only for the single user specified in the NAT rule.

Yeah, putting in another router and making this IP 152.73.41.156 a part of IP NAT OUTSIDE would help, but I would ask you to think about whether placing a router just for this purpose would be worth it or not.
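Putting the final suggestion together on the router from the question, as an added example that is not part of the thread: the inside/outside roles stay exactly as posted, so the existing inside-source NAT for the 172 and 192 networks is untouched, and a single 152 user is translated with an outside-source static entry. The user address 152.73.41.150 is an assumed placeholder (the thread never names the user); the interface addresses, ACL number, web server 192.168.60.80 and the 192.168.0.0/16 route are taken from the posted configuration. The access-list 101 entry is also an assumption, since the thread never shows that ACL.

```cisco
! Added example, not from the thread. Goal: one user on the 152 intranet
! reaches the web server behind the VPN 3000 with source 152.73.41.156,
! without swapping the router's NAT inside/outside roles.
! 152.73.41.150 is an assumed placeholder for that user's real address.
!
interface FastEthernet0/0
 description VLAN 22, towards VPN 3000 private interface 172.22.0.13
 ip address 172.22.0.5 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description VLAN 152, intranet
 ip address 152.73.41.147 255.255.255.240
 ip access-group 101 in
 ip nat outside
!
! Outside-source translation. A packet entering Fa0/1 (NAT outside) from
! 152.73.41.150 has its SOURCE rewritten to 152.73.41.156 before routing,
! then leaves Fa0/0 towards the concentrator. The reply that enters Fa0/0
! (NAT inside) with DESTINATION 152.73.41.156 is routed first and then has
! its destination rewritten back to 152.73.41.150. "add-route" installs a
! host route for 152.73.41.156 via Fa0/1 so that routing step always lands
! on the NAT outside interface. One static line is needed per user: there
! is no overload option for outside-source NAT, as noted above.
ip nat outside source static 152.73.41.150 152.73.41.156 add-route
!
! Existing route towards the VPN 3000; unchanged.
ip route 192.168.0.0 255.255.0.0 172.22.0.13
!
! The inbound ACL on Fa0/1 is evaluated before the outside->inside
! translation, so it must permit the user's ORIGINAL source address.
! Assumed entry; it has to sit above any deny in 101 that would match first.
access-list 101 permit tcp host 152.73.41.150 host 192.168.60.80 eq www
!
! Verification once the user opens the site:
!   show ip nat translations   (expect an entry with outside global
!                               152.73.41.150 and outside local 152.73.41.156)
!   show ip nat statistics     (hit counter on the outside-source entry grows)
!   debug ip nat               (shows s=152.73.41.150->152.73.41.156 for
!                               packets towards 192.168.60.80; disable after use)
```

Two things to check on the concentrator side before blaming the router. First, the reply from 192.168.60.80 is addressed to 152.73.41.156, so the LAN-to-LAN network lists (and the far end's crypto selectors) must include that address for the return packet to enter the tunnel at all. Second, the reply must come back into the router on Fa0/0, because the destination is only untranslated on the inside-to-outside path; if the concentrator's External interface (152.73.41.152) shares the 152.73.41.144/28 subnet with Fa0/1 (its mask is not given in the thread), the concentrator will hand the reply straight onto that segment instead of to 172.22.0.5, and the translation never completes. A host route for 152.73.41.156 via 172.22.0.5 on the concentrator, or moving the translated address out of that subnet, avoids that.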
