NAT CE Router MPLS network

Brian Smith
Level 1

Hi All,

Our MPLS network consists of 15 remote offices. We are adding another office to our MPLS network, but it has the same LAN subnet (192.168.1.0/24) as one of our other remote offices. Is there any way to configure NAT on the router so it uses a different subnet? If so, how would that be configured?

8 Replies 8

Jon Marshall
Hall of Fame

Brian

LAN -> fa0/0 router fa0/1 -> MPLS

int fa0/0
 ip nat inside
int fa0/1
 ip nat outside
ip nat inside source static network 192.168.1.0 192.168.5.0 mask 255.255.255.0

would NAT the internal addresses of 192.168.1.x to 192.168.5.x.

Couple of points -

1) I have used a static network NAT, but you could use a NAT pool. Which one to use depends on whether you will only be initiating connections from the new office, in which case you could use a NAT pool, or whether you will also be initiating connections to the new office, in which case you need a static NAT.

2) Obviously you will need to advertise the Natted subnet into the MPLS cloud ie. 192.168.5.x from the above example.

Jon

Thanks for the e-mail Jon,

I'll need to use static nat since the connections will be initiating to the new office. I only need to get to 2 servers at this remote office.  Any issues with the config below?

int fa0/0
 ip nat inside
int fa0/1
 ip nat outside
ip nat inside source static network 192.168.1.0 192.168.5.0 mask 255.255.255.0
ip nat inside source static 192.168.1.4 192.168.5.4
ip nat inside source static 192.168.1.5 192.168.5.5
router bgp 1
 network 192.168.5.0

Brian

You shouldn't need both entries ie.

ip nat inside source static network 192.168.1.0 192.168.5.0 mask 255.255.255.0
ip nat inside source static 192.168.1.4 192.168.5.4
ip nat inside source static 192.168.1.5 192.168.5.5

you only need -

ip nat inside source static network 192.168.1.0 192.168.5.0 mask 255.255.255.0

and that would also include the other 2.

If however you want to restrict what can be accessed from the main site you could -

1) have the 2 specific statements as above

ip nat inside source static 192.168.1.4 192.168.5.4
ip nat inside source static 192.168.1.5 192.168.5.5

2) have a NAT pool for the other addresses in the new office. I'm assuming the new office needs to make outbound connections ??

With the above you couldn't initiate a connection to any 192.168.5.x address (other than .4 and .5) from any other site, but all the clients could still get out from the new office. Obviously if you do that, make sure you exclude 192.168.5.4/5 from the NAT pool.

Jon
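The restricted design Jon describes above (two static entries plus a NAT pool for the remaining hosts), written out as an added example that is not part of the original thread. The pool name OFFICE-POOL, ACL number 10, the use of overload and the Null0 route are assumptions; the interfaces, addresses and BGP AS number come from the posts.

```cisco
! Added example, not from the thread. OFFICE-POOL and ACL 10 are assumed names.
interface FastEthernet0/0
 description Office LAN 192.168.1.0/24
 ip nat inside
!
interface FastEthernet0/1
 description Link towards the MPLS provider
 ip nat outside
!
! One-to-one entries: only these two servers accept connections
! initiated from other sites (as 192.168.5.4 and 192.168.5.5).
ip nat inside source static 192.168.1.4 192.168.5.4
ip nat inside source static 192.168.1.5 192.168.5.5
!
! Dynamic pool for every other host. It starts at .6, so it can never
! hand out the two addresses reserved for the static entries.
ip nat pool OFFICE-POOL 192.168.5.6 192.168.5.254 netmask 255.255.255.0
!
! Hosts eligible for the pool: the LAN minus the two static servers.
access-list 10 deny   host 192.168.1.4
access-list 10 deny   host 192.168.1.5
access-list 10 permit 192.168.1.0 0.0.0.255
!
! overload (assumed) lets hosts share pool addresses via port translation.
ip nat inside source list 10 pool OFFICE-POOL overload
!
! A BGP network statement is only advertised when an exactly matching
! route is in the routing table. The NAT range is not attached to any
! interface, so anchor it with a static route to Null0. Inbound packets
! that match a NAT entry are translated before the routing lookup and
! never hit this route; packets to unmapped 192.168.5.x addresses do,
! and are dropped.
ip route 192.168.5.0 255.255.255.0 Null0
!
router bgp 1
 network 192.168.5.0 mask 255.255.255.0
```

After applying it, `show ip nat translations` should list the two static entries immediately, and `show ip route 192.168.5.0` should show the Null0 route that lets BGP advertise the prefix.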

Ok...so if I only use the config for nat below. How from my main site do I access a server from the remote office? If I want to RDP to a server that is on the Remote LAN (192.168.1.3), I'm assuming I need more than just this config? Bear with me, I'm not very good at understanding NAT configs.

ip nat inside source static network 192.168.1.0 192.168.5.0 mask 255.255.255.0

Brian

That statement should do it because it is static NAT. Each host should map to its equivalent natted address, e.g.

192.168.1.1 -> 192.168.5.1
192.168.1.2 -> 192.168.5.2
192.168.1.3 -> 192.168.5.3
etc.

This is in contrast to a NAT pool, which is dynamic (not static) NAT, and this means you can only connect in to out and not out to in.

Jon

Brian

Quick follow up to previous post. There can be issues using a source static network statement depending on IOS so if you do hit an issue then simply use the 2 specific NAT statements that you want to use for the servers you need to connect to and then create a NAT pool for the other IPs.

Jon

Thanks for the explanation and your help.

Brian

Apologies, there was a syntax error in that command, it should be -

ip nat inside source static network 192.168.1.0 192.168.5.0 /24

Jon
