
NAT for no default gateway device

Mario Lessard
Level 1

Hi,

I have a device that I can't add a default gateway to, but I want a service from this computer from another network. So I think I have to use NAT. What I did is this:

 

int tunnel2
 ip add 10.1.1.2 255.255.255.0
 ip nat outside

int gi0/1
 ip add 10.1.2.1 255.255.255.0
 ip nat inside

ip nat inside source static tcp 10.1.2.100 6010 10.1.1.2 6010 extendable

 

So, in the client computer from WAN, I use 10.1.1.2:6010 to communicate with 10.1.2.100:6010.

 

In this case, the device 10.1.2.100 is supposed to answer to 10.1.2.1 (int gi0/1), and then, with no gateway on this device, it is supposed to work?

 

Let me know if I'm completely wrong.

 

Thank you

15 Replies

Jon Marshall
Hall of Fame

No that won't work because with your configuration you are translating the destination IP not the source IP.

Do you need to present 10.1.2.100 as 10.1.1.2 to the client on the WAN or does the client on the WAN know how to get to 10.1.2.100 anyway ?

What you really want is to translate the client IP address not the device with no default gateway.

So can you answer the following -

1) do you need to translate the destination IP ie. 10.1.2.100 or can the client on the WAN just route to that IP

2) how many clients need access to the device ?

3) were the "ip nat inside" and "ip nat outside" commands already there or did you add them ie. can they be flipped around.

Jon

Here is my topology; I hope it makes it easier to understand what I want to do. All IPs are fake.

 

Thank you

It doesn't look like you need to translate 10.1.2.100 because the clients can get to 10.1.2.1 anyway.

So what you need to do is translate the source IPs of the clients.

The problem is you already have "ip nat inside" and "ip nat outside" setup because of internet access and you can't change these and you cannot overload from outside to inside which is a limitation of IOS.

So are those the only clients that need access ie. the ones shown in your diagram ?

If so do you have two spare IPs from the 10.1.2.x IP subnet ?

They must be spare IPs ie. you cannot use the router's 10.1.2.1 IP address.

Jon

edited - ignore this.

Jon

Hi,

 

wouldn't enabling proxy arp on the router LAN ports fix the issue?

 

Best regards,

Milan

 

Milan

That's a good point.

I was assuming it wouldn't fix the issue because it is usually enabled by default and most people don't turn it off and because I have had similar posts where the end device without a default gateway will not send any arp requests at all.

Still worth checking though before messing around with NAT.

Jon

I have spare IPs on 10.1.2.x. It's not a problem. I'm not sure I understand enabling proxy ARP. If I understand, the best solution could be to use another device and install it on 10.2.1.X and do what Cisco can't do because the NAT feature is already used for the wrong side.

Please confirm this statement. I'm not sure that proxy ARP could be my best solution.

 

Thank you

If you have spare IPs the router can do what you want.

In terms of proxy arp some devices without a default gateway will send an arp for every IP address and the router can respond with its own MAC address.

This is fine if your device does send arps without a default gateway but some devices don't in which case proxy arp isn't going to help.

If you want to see whether or not it would then do a "sh ip int gi0/1" on your router.

If it says proxy arp is enabled but you still can't connect then it looks like your device does not send arps.

If it doesn't can you answer the questions I asked in my other posts ie.

how many clients need access to this device, is it just the ones shown in your diagram ?

If so you need a spare IP per client.

If you have that like I say we should be able to get it to work on the router.

Jon

I will have 4 clients in total. But I have 4 spares IPs anyways. 

 

Proxy ARP is enabled.

When you say " you still can't connect" do you mean a ping? Because yes, from local router I could ping 10.1.2.100. 

Based on this information, could you tell me what I could do, with virtual IPs I suppose, in the router?

 

Thank you

No, I meant can you connect from a remote client ?

If not then you have the spare IPs anyway.

Do you need to know which client is connecting to the device ?

Basically you can do static NAT where a client IP is mapped to one of your spare IPs and it will always be the same IP.

Or you can use a NAT pool where the client will randomly be assigned one of the spare IPs from a pool.

Do you care which one it is ?

Jon

For sure I can't. That's the reason of this post. 

 

I can't from Remote client but locally I could. Just from local router. The server 10.1.2.100 has no gateway. 

 

Let me know if it is still possible?

Okay, just wanted to check.

So last question before the configuration.

Do the spare 10.1.2.x IPs go up in order or are they just random IPs from the same IP subnet ?

If they do go up in order see my last post about whether you want to use statics or a NAT pool.

If they are just random then we will use statics.

Jon

It's random IPs on the same subnet.

But I already have NAT inside and outside configured on the port. So, could I use static NAT? If yes, could you send me an example?

 

Thank you

You need to use this command -

"ip nat outside source static <client IP> <spare 10.1.2.x IP> add-route"

you need one of those lines for each client IP mapped to a spare IP.

Note the "add-route" keyword is important and needed.

This will translate client IPs but it doesn't translate the 10.1.2.100 IP so the clients should connect to that IP.

If you want we can translate this as well using a different command but there may not be a need for it.

Jon
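
Added example, not part of the original thread or any poster's configuration: a small Python check that shows why translating the client's source address fixes the problem, validates each spare address against the rules stated above (inside the 10.1.2.x subnet, not the router's 10.1.2.1), and emits one "ip nat outside source static ... add-route" line per client. The /24 mask, router IP and device IP are from the thread; the client addresses and spare IPs are constructed samples, and the model assumes a device that simply cannot reply to sources outside its own subnet.

```python
import ipaddress

# Values from the thread: inside LAN on gi0/1, router address, gateway-less device.
INSIDE_NET = ipaddress.ip_network("10.1.2.0/24")
ROUTER_IP = ipaddress.ip_address("10.1.2.1")
DEVICE_IP = ipaddress.ip_address("10.1.2.100")


def device_can_reply(src_ip):
    """Assumed model: a host with no default gateway only answers on-link sources."""
    return ipaddress.ip_address(src_ip) in INSIDE_NET


def build_outside_nat(mappings):
    """Validate client -> spare-IP pairs and return one IOS line per client."""
    lines, used = [], set()
    for client, spare in mappings.items():
        c, s = ipaddress.ip_address(client), ipaddress.ip_address(spare)
        if c in INSIDE_NET:
            raise ValueError(f"{c} is already on-link, no translation needed")
        if s not in INSIDE_NET:
            raise ValueError(f"{s} is not in {INSIDE_NET}")
        if s in (ROUTER_IP, DEVICE_IP, INSIDE_NET.network_address,
                 INSIDE_NET.broadcast_address):
            raise ValueError(f"{s} is not a spare address")
        if s in used:
            raise ValueError(f"{s} is mapped to more than one client")
        used.add(s)
        lines.append(f"ip nat outside source static {c} {s} add-route")
    return lines


# Constructed sample: four remote clients (documentation range) and four
# non-consecutive spare addresses; neither set comes from the thread.
SAMPLE = {
    "192.0.2.11": "10.1.2.37",
    "192.0.2.12": "10.1.2.58",
    "192.0.2.13": "10.1.2.141",
    "192.0.2.14": "10.1.2.203",
}

if __name__ == "__main__":
    for client, spare in SAMPLE.items():
        print(f"{client}: reply before NAT={device_can_reply(client)}, "
              f"after NAT={device_can_reply(spare)}")
    print("\n".join(build_outside_nat(SAMPLE)))
```

Each static mapping lets any host that can reach the router as that client address reach the device, so the set of mapped clients is effectively the device's access list unless an ACL is also applied.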