NAT multiple identical subnets from a single catalyst

danielknueven
Level 1

I have multiple standalone networks on the same IP subnet 192.168.0.0/24. Now I need to tie them all together and I can’t change the existing addresses. What I’d like to do is assign a different public facing subnet to each standalone network and use NAT to map between them. So 10.0.0.0/24 would map to 192.168.0.0/24 on interface G0/1, 10.0.1.0/24 would map to 192.168.0.0/24 on interface G0/2, 10.0.2.0/24 would map to 192.168.0.0/24 on interface G0/3, etc. Interface G0/0 would be the public facing interface. All the hosts on the standalone networks point to 192.168.0.1 for their gateway.

Is it possible to do this on a single catalyst or router? Assigning 192.168.0.1 on multiple interfaces on a single piece of gear doesn’t seem realistic. My fallback would be to use a smaller router for each standalone network and tie them all together. If I could get away with a single larger piece of gear, that would be my preference.

Any help would be much appreciated.

Thanks,

-Daniel


Marwan ALshawi
VIP Alumni

Hi Daniel

You can do it on a single device, but as long as the subnets overlap you will need to use VRF lite.

In this case, keep the outside interface in the global routing table, while the overlapped interfaces can be put in different VRFs.

And by using NATed VRF you can NAT each subnet per VRF to a different global IP.

Hope this helps.

if helpful Rate

Thanks for the tip on VRF marwanshawi. That seems to be exactly what I need to use. It’s not supported on my 3560-E catalyst, but it is supported on my 2911 router. I’ve been trying to make it work and I’m getting the packets correctly one way, but not the other. Here's my (abridged) config:

ip vrf net1
!
ip vrf net2
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip vrf forwarding net1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip vrf forwarding net2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip nat inside source static network 192.168.1.0 10.0.1.0 /24 vrf net1
ip nat inside source static network 192.168.1.0 10.0.2.0 /24 vrf net2
!

So, I have laptop A on 10.0.0.20 hooked to interface g0/0 and laptop B on 192.168.1.20 hooked to interface g0/1. When I ping 10.0.1.20 from laptop A, I see the ICMP packet on laptop B with the NATed addresses looking correct (src=10.0.0.20 dst=192.168.1.20). When laptop B tries to respond (src=192.168.1.20 dst=10.0.0.20) it gets an ICMP destination unreachable response from the router (192.168.1.1). When I dump the routing table for vrf net1 I get:

     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.0/24 is directly connected, GigabitEthernet0/1
L       192.168.1.1/32 is directly connected, GigabitEthernet0/1

When I dump the global routing table I get:

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.0.0.0/24 is directly connected, GigabitEthernet0/0
L       10.0.0.1/32 is directly connected, GigabitEthernet0/0

This leaves me with a few questions.

  1. When a packet destined for 10.0.1.20 comes in on g0/0, how is it getting to the vrf net1? Is the NAT rule somehow routing it?
  2. Why aren’t packets destined for 10.0.0.20 on g0/1 getting to the global routing table and out port g0/0?

Thanks,

-Daniel
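
Added example, not part of the thread or any poster's configuration: a small Python model of the two lookups asked about above, built from the posted NAT rules and routing tables. It assumes the IOS NAT order of operations (outside-to-inside translates before routing, inside-to-outside routes before translating) and that a VRF-tagged static entry hands the translated packet to that VRF; the net2 table and all function names are assumptions.

```python
import ipaddress as ip

# Static network NAT rules from the posted config: (inside local, inside global, vrf)
NAT_RULES = [
    (ip.ip_network("192.168.1.0/24"), ip.ip_network("10.0.1.0/24"), "net1"),
    (ip.ip_network("192.168.1.0/24"), ip.ip_network("10.0.2.0/24"), "net2"),
]
# Connected routes per table; global and net1 come from the posted output,
# net2 is assumed to mirror net1 on GigabitEthernet0/2.
ROUTES = {
    "global": {ip.ip_network("10.0.0.0/24"): "GigabitEthernet0/0"},
    "net1": {ip.ip_network("192.168.1.0/24"): "GigabitEthernet0/1"},
    "net2": {ip.ip_network("192.168.1.0/24"): "GigabitEthernet0/2"},
}

def remap(addr, src_net, dst_net):
    """Swap the network prefix and keep the host bits (static network NAT)."""
    offset = int(addr) - int(src_net.network_address)
    return ip.ip_address(int(dst_net.network_address) + offset)

def lookup(table, dst):
    """Longest-prefix match in one routing table; None means no route."""
    hits = [n for n in ROUTES[table] if dst in n]
    return ROUTES[table][max(hits, key=lambda n: n.prefixlen)] if hits else None

def outside_to_inside(dst):
    """Packet arriving on g0/0: translate first, then route in the rule's VRF."""
    dst = ip.ip_address(dst)
    for local, glob, vrf in NAT_RULES:
        if dst in glob:
            inside = remap(dst, glob, local)
            return vrf, str(inside), lookup(vrf, inside)
    return "global", str(dst), lookup("global", dst)

def inside_to_outside(vrf, dst):
    """Packet arriving on a VRF interface: route in that VRF first; NAT runs only if a route exists."""
    egress = lookup(vrf, ip.ip_address(dst))
    return egress if egress else "ICMP destination unreachable"
```

In this model the reply from laptop B fails at the route lookup in net1, before NAT is consulted, which matches the unreachable message seen on laptop B.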
