
NAT help

pmarques
Level 1

Hi Community, 

I'm trying to set up NAT for the following scenario with no success so far.

nat_issue.png

I need machine 10.5.2.33 to communicate with 189.23.0.85 and vice versa.

Only RT1 "knows" how to reach both sides. 

I almost managed to have this working with the following configuration on RT1 but still not entirely functional. And that's why I need help sorting this one out. 

NOTE: I'm using TCP port 445 for testing purposes between these Windows machines.

RT1 relevant config:

 

interface FastEthernet0/0
ip address 10.17.8.100 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1
ip address 192.168.138.86 255.255.255.252
ip nat outside
ip virtual-reassembly
!
ip nat inside source list NAT_OUT interface GigabitEthernet2.138 overload
ip nat inside source static tcp 10.5.2.33 445 192.168.138.86 2000 extendable

!

ip route 10.5.2.0 255.255.255.0 10.17.8.254
ip route 192.168.0.0 255.255.255.0 192.168.138.85
!
ip access-list standard NAT_OUT
permit 10.5.2.0 0.0.0.255
permit 10.17.8.0 0.0.0.255 

 

Hope the info provided is enough. 

Thanks in advance,

Pedro

 


Hi

Please correct me, but the diagram does not have the same IP addressing. Also, in your configuration you have configured ip nat outside under the interface FastEthernet0/1, but your NAT statement is using a subinterface.

You could use: show ip nat translations or debug ip nat <acl>, where the ACL could check the specific host.




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<
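The mismatch pointed out in the reply above (an overload statement naming an interface that is not the one carrying ip nat outside) can be checked mechanically. This is an added example, not part of the original thread: the function names are hypothetical, the sample is a constructed copy of RT1's NAT-relevant lines from the question, and abbreviated names such as fa0/1 are assumed to match by prefix of the interface type.

```python
import re

# Constructed sample: RT1's NAT-relevant lines as posted in the question.
RT1_CONFIG = """\
interface FastEthernet0/0
ip nat inside
!
interface FastEthernet0/1
ip nat outside
!
ip nat inside source list NAT_OUT interface GigabitEthernet2.138 overload
"""

def parse_interfaces(config):
    """Map each interface name to its NAT role: 'inside', 'outside' or None."""
    roles, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            current = m.group(1)
            roles[current] = None
        elif line == "!":
            current = None
        elif current and (m := re.fullmatch(r"ip nat (inside|outside)", line)):
            roles[current] = m.group(1)
    return roles

def split_name(name):
    """Split 'FastEthernet0/1' into ('fastethernet', '0/1')."""
    m = re.fullmatch(r"([A-Za-z-]*)(.*)", name)
    return m.group(1).lower(), m.group(2)

def resolve(name, roles):
    """Match a full or abbreviated name (fa0/1) to exactly one configured interface."""
    kind, unit = split_name(name)
    hits = [n for n in roles
            if split_name(n)[0].startswith(kind) and split_name(n)[1] == unit]
    return hits[0] if len(hits) == 1 else None

def check_overload(config):
    """Return findings for 'ip nat inside source list ... interface X overload'."""
    roles, findings = parse_interfaces(config), []
    for ifname in re.findall(
            r"^\s*ip nat inside source list \S+ interface (\S+) overload", config, re.M):
        target = resolve(ifname, roles)
        if target is None:
            findings.append(f"{ifname}: not defined in this config")
        elif roles[target] != "outside":
            findings.append(f"{target}: used for overload but not 'ip nat outside'")
    return findings
```

Calling check_overload(RT1_CONFIG) returns one finding for GigabitEthernet2.138; with the interface corrected to FastEthernet0/1 it returns an empty list.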

Hi Julio
Thanks for the prompt reply. It is indeed a typo. It should be:
ip nat inside source list NAT_OUT interface FastEthernet0/1 overload
I will collect both outputs and share.
Thanks

Hi Julio,

Here's the output from both show ip nat translations and debug ip nat. The following outputs are the result of a telnet 189.23.0.85 445 from 10.5.2.33. If I try to telnet to 10.17.8.100 445 from the same machine, nothing happens.

 

RT1#show ip nat tra
RT1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 189.23.138.86:445  10.5.2.33:445      ---                ---
 
RT1#debug ip nat
*Aug 31 13:13:07.639: NAT*: s=10.5.2.33->189.23.138.86, d=189.23.0.85 [461]
*Aug 31 13:13:07.639: NAT*: s=189.23.0.85, d=189.23.138.86->10.5.2.33 [612]
*Aug 31 13:13:07.639: NAT*: s=10.5.2.33->189.23.138.86, d=189.23.0.85 [462]
*Aug 31 13:13:28.411: NAT*: s=10.5.2.33->189.23.138.86, d=189.23.0.85 [467]
*Aug 31 13:13:28.635: NAT*: s=189.23.0.85, d=189.23.138.86->10.5.2.33 [626]
*Aug 31 13:13:37.643: NAT*: s=189.23.0.85, d=189.23.138.86->10.5.2.33 [627]

Hello
The example I provided should work; however, you are now showing addressing not shown in any of your OP and files.

Your outside interface is
interface FastEthernet0/1
ip address 192.168.138.86 255.255.255.252
ip nat outside

So with this new information, are you double NATting somewhere? If so, you will need to static NAT on that device also.

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello

R3
ip route 0.0.0.0 0.0.0.0 fa0/0 10.17.8.100

R1
ip access-list standard NAT_OUT
deny host 10.5.2.33  <--remove this if you wish this host to initiate 445 connection to r2's host
permit 10.5.2.0 0.0.0.255
permit 10.17.8.0 0.0.0.255

ip nat inside source list NAT_OUT interface fa0/1 overload
ip nat inside source static tcp 10.5.2.33 445 192.168.138.86 445

res
Paul

