10-07-2013 12:23 AM - edited 03-04-2019 09:14 PM
Dear all,
I have an issue to ask you about: I would like to translate an address to another address, as below:
I have 3 routers; please see the attached file.
Router1 connects to router2 by a VPN connection (local loop), and router3 allows only IP addresses 192.168.10.1 and 2 to pass through.
So I mean that router3 blocks everything and allows only 192.168.10.1-2. So if my LAN 192.168.0.10 wants to access LAN 192.168.50.10, router 3 will block it because router 3 allows only 192.168.168.10.1 and 2.
How can we translate from 192.168.0.10 to 192.168.10.2?
best Regards,
Rechard
10-07-2013 01:12 AM
Hi Rechard,
What about enabling NAT on Router2? I don't know how big your LAN is, so I am gonna write this only for that one host(?) you mentioned. Change it according to your situation/subnetting.
Router2(config)#ip nat inside source list 1 interface [interfaceToRouter3] overload
Router2(config)#access-list 1 permit 192.168.0.10 0.0.0.0
Don't forget to put commands ip nat inside and ip nat outside on the appropriate interfaces on Router2.
ip nat inside on R2 to R1
ip nat outside on R2 to R3
Best regards,
Jan
10-07-2013 01:41 AM
Dear Jan,
How can we know that 192.168.0.10 translates to 192.168.10.2?
I worry that router 3 will block it; if it cannot translate to 192.168.10.2, that means it is blocked.
Let me explain: on router 3 they don't allow us to change anything, so they allow a PC to connect to Router 3 with 192.168.10.10 and GW 192.168.10.2. But with the extended network (2 routers with a VPN connection), I want 192.168.0.10 to be translated to 192.168.10.2; router 3 doesn't care about 192.168.0.10, but it cares about IP 192.168.10.2 to allow traffic outside.
Do you have any advice on this?
Best Regards,
Rechard
10-07-2013 02:42 AM
Hi Rechard,
router 3 will block it because router 3 allows only 192.168.168.10.1 and 2
That's why I suggested to translate the 192.168.0.10 address to the interface with address 192.168.10.1, because you have no control of .2
This can be achieved as I said earlier. That way, only 192.168.0.10 will be translated to 192.168.10.1 and therefore R3 should allow it, right?
OR you can create static nat mapping. If this is what you are looking for, check this link:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html
Best regards,
Jan
10-07-2013 03:35 AM
This can be achieved by PAT.
As per your packet flow, it will traverse the VPN and reach R2, where it will be decrypted. Then you need translation so that the 192.168.0.0/24 subnet gets translated to 192.168.10.1. It can't be translated to 192.168.10.2 because NAT is configurable on R2 and 10.2 belongs to R3.
Now the question is how we can translate the packet.
Here is the solution:
VPN====(f0/1)R2(f0/0)---------R3- ----------Destination
Int f0/1
IP Nat inside
Int f0/0
IP Nat outside
IP access-list exte 121
Permit IP 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
IP Nat inside source list 121 interface f0/1 overload
Run the command
"Show IP Nat translations" to see/check the translation table
Sent from Cisco Technical Support Android App
10-07-2013 03:55 AM
Hi Guarav,
That's what I suggested in my post.
One more thing:
VPN====(f0/1)R2(f0/0)---------R3- ----------Destination
IP Nat inside source list 121 interface f0/1 overload
If you put it like this, I think that there should be f0/0 instead of f0/1.
Best regards,
Jan
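The R2 configuration discussed in the posts above, consolidated with the overload pointing at the R3-facing interface. This is an added example, not part of any post in the thread; it assumes the interface roles from the diagram (f0/1 toward R1/VPN, f0/0 toward R3) and that f0/0 holds 192.168.10.1.

```cisco
! R2 - added example, assumptions as stated above
interface FastEthernet0/1
 ! side where 192.168.0.0/24 traffic arrives (from R1 / VPN)
 ip nat inside
!
interface FastEthernet0/0
 ! side facing R3; assumed to carry 192.168.10.1
 ip nat outside
!
ip access-list extended 121
 ! only LAN-to-192.168.50.0/24 traffic is translated
 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
!
! PAT to the address of the OUTSIDE interface, so R3 sees source 192.168.10.1
ip nat inside source list 121 interface FastEthernet0/0 overload
!
! Checks (privileged EXEC), run while 192.168.0.10 is sending traffic to 192.168.50.10:
!   show ip nat translations  - expect inside local 192.168.0.10, inside global 192.168.10.1
!   show ip nat statistics    - lists the inside/outside interfaces and hit/miss counters
!   debug ip nat              - logs each translation as it is created
```

A dynamic entry is only created when a packet matching list 121 enters an `ip nat inside` interface and leaves through an `ip nat outside` interface, so an empty translation table means either the traffic is not reaching R2 or it is not taking that path.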
10-07-2013 08:06 PM
Dear all,
NAT still does not work.
I tried show ip nat tra, but nothing comes up.
One more thing: on R3 we cannot add any routing or other subnetting; they route only IP 192.168.10.1-2.
Do you have any idea on this?
For troubleshooting I skipped configuring the VPN and just did routing from Router 1 to Router 2, to make sure we can translate from 192.168.0.10 to 192.168.10.2.
How can I troubleshoot this?
Best Regards,
rechard
10-08-2013 06:53 PM
Dear all,
Do you have any advice?
Best Regards,
rechard
10-09-2013 02:52 AM
Hi Rechard,
Do you think it would be possible to post sanitized configuration files for routers R1, R2 and maybe R3 as well? I just don't know where the problem could be, and it is really hard to troubleshoot without any direct information.
I tried show ip nat tra, but nothing comes up.
Well, NAT is definitely not working. Are you sure that the packets from the LAN reach R2? Have you tried to do a traceroute from some PC on the LAN?
Best regards,
Jan