04-23-2010 01:59 PM - edited 03-04-2019 08:15 AM
Hi Guys,
Quick question. Does anyone know how to NAT BOTH the source and destination IP address on a router? I've been through several articles and it looks like this functionality is reserved for the ASA firewall but was looking for confirmation.
Need to configure a router for an Extranet with overlapping IP space. So source IP NAT is needed to hide the partner's IP space and destination NAT is needed to access the database IP on our network as that IP overlaps as well.
Hoping someone has some very creative advice
04-23-2010 02:35 PM
I'm trying to think ;-)
ip nat inside source static 1.1.1.1 2.2.2.2
ip nat outside source static 3.3.3.3 4.4.4.4
In the above example,
when host 1.1.1.1 wants to access 3.3.3.3 in reality what's going to happen is that
host 1.1.1.1 is translated to 2.2.2.2 and the destination IP 3.3.3.3 to 4.4.4.4
In this way the real IP addresses of the communication are 1.1.1.1 and 3.3.3.3
But the communication flows between 2.2.2.2 and 4.4.4.4
I have not tried this, but I'm just thinking it can be done. I might be wrong. Is this the configuration you have looked up?
Federico.
04-23-2010 02:03 PM
Hi,
On a router normally you NAT the source address.
This is done with the command: ip nat inside source....
If you want to translate the destination address, you can do so with the command: ip nat outside source....
In both options you can reference an ACL or a route-map.
Federico.
04-23-2010 02:15 PM
Thanks Federico,
Unfortunately what I'm trying to do is a little more complex. I need to translate both the source and destination IPs in the same packet.
ip nat inside source static and ip nat outside will do only one of those at a time.
Incidentally, ip nat inside source static and ip nat outside perform very similar functions, as both will take traffic initiated on the outside interface and translate the destination IP to the inside destination address, but only ip nat inside source static will allow traffic initiated on the inside of the network to be source natted out.
To better explain, here is an article I've been referencing. It is a cisco authored doc but comes from another web site:
http://www.firewall.cx/downloads/articles/sample%20config%20using%20ip%20nat.pdf
So if anyone knows how I can nat both the source and destination IPs of the same packet, that would be very helpful.
Thanks!
Dave
04-23-2010 02:19 PM
Ok, I see...
What is the option you mentioned on the ASA to translate both the source and destination addresses on the same packet?
Federico.
04-23-2010 02:24 PM
well....the option is not to use the ASA, lol!
I know firewalls in general have this capability. Checkpoint certainly does and I'm confident the ASA has the ability too but there is no firewall in the network path for this connectivity so I'm trying to find out if it can be done on a router.
04-23-2010 02:36 PM
Federico
On an ASA
static (inside,outside) 195.177.10.10 192.168.5.1 netmask 255.255.255.255
static (outside,inside) 10.228.53.6 212.22.10.10 netmask 255.255.255.255
so a packet sent from the inside of 192.168.5.1 to destination of 10.228.53.6 would get its source translated to 195.177.10.10 and its destination translated to 212.22.10.10
however I don't think this is possible on IOS. I have a feeling you can use a NAT pool for outside addresses but it's been a while since I did it.
Jon
04-23-2010 02:44 PM
Jon,
That's what I was thinking on a router:
ip nat inside source static 1.1.1.1 2.2.2.2
ip nat outside source static 3.3.3.3 4.4.4.4
But I don't know if it's going to work.
Federico.
04-23-2010 03:08 PM
Dave
I'll lab this up tomorrow but from memory it's a real bear to get working.
One thought. Do you have more than one router in the path? If so you could do
(ip nat inside fa0/0) R1 (fa0/1 ip nat outside) <---> (ip nat outside fa0/0) R2 (fa0/1 ip nat inside)
then translate the source addresses on R1 and the destination addresses on R2
Jon
04-24-2010 05:23 AM
Thanks Jon! Keep me posted
Federico,
ip nat outside source static and ip nat inside source static will both nat the Destination IP address when packets are sourced from the network behind the Outside interface. The only difference between the two commands is that when packets are sourced from the network behind the Inside interface, 'ip nat inside source static' will nat the Source IP address and 'ip nat outside source static' will not.
Neither command will NAT BOTH the source and destination IP address of the packet that flows from outside to inside.
Check out the link to the doc I sent. It explains the two well.
Thanks!
Dave
04-25-2010 12:10 PM
Federico,
Please ignore my last post. I must have been having a senior moment.
I have tried to use 'ip nat inside source static' to translate packets originating on the outside network destined for inside. Destination IP is correctly being natted.
I then added 'ip nat outside source static' to translate the source IP of packets originating from the outside network and have had limited success. I can see in a sniffer trace that both source IP and destination IP are being NATted but the router for some reason for return traffic is not NATting the Destination IP back to the original IP. I've isolated the issue to be with the 'ip nat outside source static' command as when I only have that configured I'm getting the same issue.
I'll continue to test and let you guys know.
Thanks again!
Dave
04-25-2010 04:12 PM
Ok, I managed to get this working in a friends lab.
I used two lines of configuration:
ip nat inside source static
ip nat outside source static
Having both of those lines in the configuration did in fact translate both the SA and DA of packets. Very cool!
The snag that I was running into was that when the SA of traffic originating on the Outside interface was an IP on the same network as the interface (i.e. on the NAT router ip 1.1.1.3 was used and the 'ip nat outside' interface had an ip of 1.1.1.1), return packets would not be forwarded from the NAT router over the outside interface and on to the destination. But when I made the SA address one on a network beyond the local network to the NAT router, it worked.
Thanks again guys! Your help is much appreciated!!
Dave
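As an added illustration (not code from this thread, from Cisco, or from any poster), here is a small Python model of how the two static entries Federico proposed rewrite a packet in each direction, and how Jon's two-router alternative (source translated on R1, destination on R2) arrives at the same addresses on the wire. The model follows the IOS argument order, `ip nat inside source static <inside-local> <inside-global>` and `ip nat outside source static <outside-global> <outside-local>`, so the inside host sends to the partner's outside-local address 4.4.4.4 and the router puts 3.3.3.3 on the wire. The `Packet` and `NatRouter` names are the model's own; the addresses are the ones used in the thread, and the router roles are taken from Jon's sketch.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the two fields static NAT rewrites."""
    src: str
    dst: str


class NatRouter:
    """Hypothetical model of a router running IOS static NAT.

    add_inside_source_static(L, G)  models 'ip nat inside source static L G'
    add_outside_source_static(G, L) models 'ip nat outside source static G L'
    Each static entry is applied in both directions, as IOS does.
    """

    def __init__(self):
        self.inside_source = {}   # inside-local  -> inside-global
        self.outside_source = {}  # outside-global -> outside-local

    def add_inside_source_static(self, inside_local, inside_global):
        self.inside_source[inside_local] = inside_global

    def add_outside_source_static(self, outside_global, outside_local):
        self.outside_source[outside_global] = outside_local

    def inside_to_outside(self, pkt):
        """Packet entering the 'ip nat inside' interface, leaving 'ip nat outside'."""
        # SA: inside-local -> inside-global (the inside source entry)
        src = self.inside_source.get(pkt.src, pkt.src)
        # DA: outside-local -> outside-global (the outside source entry, reversed)
        local_to_global = {l: g for g, l in self.outside_source.items()}
        dst = local_to_global.get(pkt.dst, pkt.dst)
        return Packet(src, dst)

    def outside_to_inside(self, pkt):
        """Packet entering the 'ip nat outside' interface, leaving 'ip nat inside'."""
        # SA: outside-global -> outside-local (the outside source entry)
        src = self.outside_source.get(pkt.src, pkt.src)
        # DA: inside-global -> inside-local (the inside source entry, reversed)
        global_to_local = {g: l for l, g in self.inside_source.items()}
        dst = global_to_local.get(pkt.dst, pkt.dst)
        return Packet(src, dst)


def single_router_round_trip():
    """Federico's two entries on one router: both SA and DA are rewritten."""
    r = NatRouter()
    r.add_inside_source_static("1.1.1.1", "2.2.2.2")   # our host is hidden as 2.2.2.2
    r.add_outside_source_static("3.3.3.3", "4.4.4.4")  # partner host appears to us as 4.4.4.4
    request = Packet("1.1.1.1", "4.4.4.4")              # inside host uses the outside-local address
    on_wire = r.inside_to_outside(request)              # what the partner actually sees
    reply = Packet(on_wire.dst, on_wire.src)            # partner answers the global addresses
    reply_inside = r.outside_to_inside(reply)           # what our host receives
    return on_wire, reply_inside


def two_router_round_trip():
    """Jon's alternative: R1 rewrites our source, R2 rewrites the partner's address."""
    r1 = NatRouter()                                    # inside = our LAN, outside = link to R2
    r1.add_inside_source_static("1.1.1.1", "2.2.2.2")
    r2 = NatRouter()                                    # outside = link to R1, inside = partner side
    r2.add_inside_source_static("3.3.3.3", "4.4.4.4")   # partner's real address is R2's inside-local
    request = Packet("1.1.1.1", "4.4.4.4")
    link = r1.inside_to_outside(request)                # (2.2.2.2, 4.4.4.4) between R1 and R2
    on_wire = r2.outside_to_inside(link)                # (2.2.2.2, 3.3.3.3) toward the partner
    reply = Packet(on_wire.dst, on_wire.src)
    link_back = r2.inside_to_outside(reply)             # (4.4.4.4, 2.2.2.2)
    reply_inside = r1.outside_to_inside(link_back)      # (4.4.4.4, 1.1.1.1)
    return on_wire, reply_inside


def reply_matches_request(request, reply_inside):
    """The property Dave was checking in his sniffer trace: the reply must
    arrive with the original source as its destination and with the address
    our host used as its source."""
    return reply_inside.dst == request.src and reply_inside.src == request.dst


if __name__ == "__main__":
    req = Packet("1.1.1.1", "4.4.4.4")
    for name, fn in (("one router", single_router_round_trip),
                     ("two routers", two_router_round_trip)):
        wire, back = fn()
        print(f"{name}: on wire {wire.src}->{wire.dst}, "
              f"reply arrives {back.src}->{back.dst}, "
              f"symmetric={reply_matches_request(req, back)}")
```

Both designs put 2.2.2.2 -> 3.3.3.3 on the partner-facing wire and deliver the reply to our host as 4.4.4.4 -> 1.1.1.1. The model only covers address rewriting; on a real IOS router the return half also depends on routing, because the router must have a route for the outside-local address (4.4.4.4 here) before it can forward and translate the reply. The `add-route` keyword on `ip nat outside source static` installs that host route, which is worth checking when the return path behaves the way Dave described.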
04-25-2010 04:31 PM
Dave,
I am very glad that it worked and thank you much for letting us know.
Great feedback.
Federico.