NAT outside problem

tprochazka
Level 1

Hi all,

Currently I face a problem with outside NAT translation and I'm not sure how to solve it.

I've got an 881 router

int vlan1

ip address 10.10.10.1 255.255.255.0

ip nat inside

int vlan 2

ip address 20.20.20.1 255.255.255.0

ip nat inside

int fa0/0

ip address 1.1.1.1 255.255.255.252

ip nat outside

and remote server 100.100.100.25 routed to interface fa0/0.

So the problem is that hosts from Vlan 1 and Vlan 2 want to communicate with this server, but they cannot route, which means that I have to "give" them some IP from their range as a fake address of this server and translate it.

So I did

ip nat outside source static 100.100.100.25 10.10.10.7 (for Vlan 1)

ip nat outside source static 100.100.100.25 20.20.20.7 (for Vlan 2)

but I get

% 100.100.100.25 already mapped (10.10.10.7 -> 100.100.100.25)

Does somebody know how to solve this issue? As far as I understand, the router doesn't allow this translation, because if the communication were started from outside (the initial packet coming from the server side), the router wouldn't know how to translate its source address...

Thanks in advance for some solution.


paolo bevilacqua
Hall of Fame

100.100.100.25 is a server on the internet? Sorry, I don't understand the problem.

Jon Marshall
Hall of Fame

Your error message is because you have mapped 100.100.100.25 to 10.10.10.7. You can't then map it to 20.20.20.7 also as the router wouldn't know which address to use.

But why do you need to do this? Surely vlan 1 and vlan 2 clients send all their traffic for remote destinations to the router on their respective vlan interfaces. So why do you need to NAT? All the router needs is a default route pointing out to the internet, i.e.

ip route 0.0.0.0 0.0.0.0 <ISP next-hop>

So if a client on vlan 1 sends traffic to 100.100.100.25 it will go to the vlan 1 interface on the router. The router will then forward the packet to the ISP next-hop.

You will however need to NAT the client addresses, i.e. something like this should be in your config -

access-list 101 permit ip 10.10.10.0 0.0.0.255 any

access-list 101 permit ip 20.20.20.0 0.0.0.255 any

ip nat inside source list 101 interface fa0/0 overload

Edit - you shouldn't, but if you get issues with NAT between the 2 networks, change ACL 101 to -

access-list 101 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255

access-list 101 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 101 permit ip 10.10.10.0 0.0.0.255 any

access-list 101 permit ip 20.20.20.0 0.0.0.255 any

Jon
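
Added example, not part of the replies above and not Cisco code: a small Python model of how the two versions of ACL 101 select traffic for `ip nat inside source list 101`, using first-match evaluation, wildcard masks and the implicit deny. The function names and the sample host addresses (10.10.10.5, 20.20.20.9, 192.168.1.1) are constructed for illustration, and only the `ip SRC WILDCARD DST WILDCARD | any` entry form used in this thread is parsed.

```python
import ipaddress

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC WILDCARD (DST WILDCARD | any)'."""
    tok = line.split()
    action, rest = tok[2], tok[4:]
    fields = []
    while rest:
        if rest[0] == "any":
            fields.append((0, 0xFFFFFFFF))  # every bit is "don't care"
            rest = rest[1:]
        else:
            fields.append((int(ipaddress.IPv4Address(rest[0])),
                           int(ipaddress.IPv4Address(rest[1]))))
            rest = rest[2:]
    return action, fields[0], fields[1]

def wildcard_match(addr, base, wildcard):
    # Wildcard bits set to 1 are ignored; all other bits must equal the base.
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def nat_eligible(acl_lines, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl_lines:
        action, s, d = parse_ace(line)
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action == "permit"
    return False

# ACL 101 as first suggested in the reply
ACL_SIMPLE = [
    "access-list 101 permit ip 10.10.10.0 0.0.0.255 any",
    "access-list 101 permit ip 20.20.20.0 0.0.0.255 any",
]
# ACL 101 from the "Edit": inter-VLAN traffic is excluded before the permits
ACL_WITH_DENIES = [
    "access-list 101 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255",
    "access-list 101 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255",
] + ACL_SIMPLE

if __name__ == "__main__":
    flows = [("10.10.10.5", "100.100.100.25"), ("10.10.10.5", "20.20.20.9"),
             ("192.168.1.1", "100.100.100.25")]  # constructed sample flows
    for src, dst in flows:
        print(src, "->", dst, "simple:", nat_eligible(ACL_SIMPLE, src, dst),
              "with denies:", nat_eligible(ACL_WITH_DENIES, src, dst))
```

The order matters: placing the deny entries after the permits would leave them unreachable, because the `permit ... any` lines already match inter-VLAN destinations.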
