1930 Views | 2 Helpful | 20 Replies

NAT configuration for servers which act as both initiator & Responder

Aaida
Level 1

Hi,

I have the scenario below.

1. I have one internal server a.a.a.a which has the NATed IP b.b.b.b.

2. The internal server is connecting to the outside server c.c.c.c over an IPsec VPN.

3. The outside server c.c.c.c will also initiate traffic to the inside server's NAT IP b.b.b.b, which means initiation happens from both sides. Please note that I am not talking about the reverse traffic of the same session.

Now my question is whether I need to put in two NAT rules, one to translate inbound traffic and the other to translate outbound traffic. Is that required, or will one NAT rule serve the purpose?

20 Replies

Hi

If b.b.b.b is the NATed IP for a.a.a.a, this means that server c.c.c.c can call b.b.b.b and talk to a.a.a.a directly. I don't see the need for two NATs.

Sheraz.Salim
VIP Alumni

@Flavio Miranda said there is no need for two NAT rules.

But here are my thoughts: you will need outbound NAT. This rule is needed to translate the source IP address of the internal server (a.a.a.a) to the NAT IP address (b.b.b.b) when it initiates traffic to the outside server (c.c.c.c) over the IPsec VPN. This ensures that the outside server sees the traffic coming from the NAT IP. You will also need inbound NAT: as the outside server (c.c.c.c) initiates traffic to the internal server's NAT IP (b.b.b.b), you need an inbound NAT rule to translate the destination IP address from the NATed IP (b.b.b.b) to the internal server's IP (a.a.a.a). This allows the internal server to receive traffic initiated by the outside server.

By configuring both outbound and inbound NAT rules, you ensure that bidirectional communication is established correctly between the internal server and the outside server over the IPsec VPN.

please do not forget to rate.

@Sheraz.Salim this is what I was looking for. So two NAT rules are required: one to translate the inbound packet and the other to translate the outbound packet, as both sides initiate individually.

If b.b.b.b is the NATed IP address for a.a.a.a and this IP (b.b.b.b) can reach IP c.c.c.c, why can c.c.c.c not initiate traffic to b.b.b.b directly?

We are not calling an internal IP address a.a.a.a here from outside; we are calling a NATed IP address b.b.b.b which, theoretically, should be "visible" to c.c.c.c.

@Flavio Miranda 

Apologies for any confusion caused. You are correct that if the NATed IP address b.b.b.b is reachable by the outside server c.c.c.c, it should be possible for c.c.c.c to initiate traffic directly to b.b.b.b.

In the scenario, where outbound NAT translates the source IP address of the internal server (a.a.a.a) to the NAT IP address (b.b.b.b) and inbound NAT translates the destination IP address from the NATed IP (b.b.b.b) to the internal server's IP (a.a.a.a), bidirectional communication is established over the IPsec VPN.

However, if there is a need for c.c.c.c to directly initiate traffic to b.b.b.b without going through the IPsec VPN, additional network configurations may be required. These configurations could involve routing, firewall rules, or other settings to allow direct communication between c.c.c.c and b.b.b.b.

please do not forget to rate.

No apologies needed @Sheraz.Salim, I am also trying to understand.

Thank you so much everyone. I will try with one NAT rule. Most probably this should work according to the above conversation.

If I understood right, it should. But nothing is better than giving it a try.

Try it, mate. It will clear it out.

please do not forget to rate.

Do you have a router or a FW?

Router sir

From my view, why do you want NATing from a.a.a.a to b.b.b.b? A VPN is used to connect private networks over a public one.
NATing to the interface that you configure crypto under does not work. If you want c.c.c.c to connect to b.b.b.b only and not to the subnet of a.a.a.a, then you need to configure a LO with b.b.b.b and do a route-map and ip nat enable on the LO, which is a long story.
Can you elaborate more on why you need it?
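Added illustration for the two points discussed above (Sheraz.Salim's outbound/inbound NAT question and MHM's note about NAT and the crypto interface). This is not configuration from the thread or from any participant; it is a constructed IOS example for a classic-NAT router such as the ASR 1000, with the placeholder addresses 10.1.1.10 (for a.a.a.a), 192.0.2.10 (for b.b.b.b) and 203.0.113.5 (for c.c.c.c), and assumed interface names and map names. It shows that a single static NAT entry already translates both directions, and the order-of-operations caveat that applies when the translated traffic also goes through an IPsec tunnel. MHM's loopback/route-map variant with `ip nat enable` is not shown.

```cisco
! One static entry covers both directions of initiation:
!  - a.a.a.a -> c.c.c.c : source 10.1.1.10 is rewritten to 192.0.2.10 on the way out
!  - c.c.c.c -> b.b.b.b : destination 192.0.2.10 is rewritten to 10.1.1.10 on the way in
! No second "inbound" rule is needed; the entry is created once and used by both.
ip nat inside source static 10.1.1.10 192.0.2.10
!
interface GigabitEthernet0/0/0
 description inside LAN holding the real server (placeholder for a.a.a.a)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1
 description outside / VPN-facing interface (assumed name)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map VPN-MAP
!
! Caveat when NAT and IPsec share the router: IOS translates inside->outside
! traffic before it is encrypted, so the crypto ACL (and the peer's mirror ACL)
! must match the translated address 192.0.2.10, not the real address 10.1.1.10.
! If the ACL still references 10.1.1.10, outbound traffic is never classified as
! interesting and the tunnel is not brought up for it.
ip access-list extended VPN-INTERESTING
 permit ip host 192.0.2.10 host 203.0.113.5
!
! Checks after sending traffic from each side (not configuration, run in exec mode):
! show ip nat translations     ! expect one static entry, hit by both directions
! show ip nat statistics       ! hit counters increase for both inbound and outbound
! show crypto ipsec sa         ! encaps/decaps counters confirm the tunnel carries it
```

A dynamic or overload (PAT) rule would not give the same result: it only creates translations for sessions started from the inside, so the c.c.c.c -> b.b.b.b direction depends on the static entry above.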

@MHM Cisco World It's the ASR-1000 series router.

please do not forget to rate.

I see his label but I need to be sure