NAT scenario where two companies hide from each other

darkbeer
Level 1

Hi all,

I need some help to create the following NAT scenario on a Cisco 29xx router.

Two companies should hide from each other because they have overlapping networks. There should be a "demarcation" subnet that each company can route to (see picture). The router is managed by us (the customer).

1.) We (customer) should hide all our networks behind the IP address 6.6.6.1, so the service provider should see our packets coming from 6.6.6.1.

2.) Since we (customer) cannot route to service provider host 3.3.3.10 directly, we want to address target IP 5.5.5.10 to get to service provider host 3.3.3.10; in other words, SP host 3.3.3.10 should be visible as 5.5.5.10 for us.

3.) The service provider host should be able to address printers (our real address 1.1.1.20), but should address the printer as 6.6.6.20.

So we would like those two demarcation subnets, 5.5.5.0/24 and 6.6.6.0/24, to communicate.

Both networks should know only about the demarcation subnets (except our final CPE router, which has eth1 in the SP network 2.2.2.0/24).

I tried a lot of setups in my lab, mixing inside/outside definitions, but I must say that I am confused now, and I'm not getting this to work.

Can someone please provide me with a sample code snippet and show me the right direction?

Thanks in advance!

7 Replies

andrew.prince
Level 10

You just need a simple network NAT. You could make it almost bulletproof using policy-based NAT.

However, there is a question: who will be NATting the SP 3.3.3.x, them or you?

Hi Andrew,

Thanks for your answer. I'm not sure a simple network NAT will do the job. This is only a simplified example. The customer network is a large company network with lots of subnets. Only the SP host is a single host that we have to address.

The NAT is done by us (customer side) and should be configured only on the router in my picture.

Multiple clients should hide behind an address the SP can accept, and the SP host should be visible under an address that we (customer) can live with. The SP also must address static printers on the customer side.

All of these translations should happen on that single (customer) router in my picture.

From your diagram:

1) Hiding 1.1.1.0/24 behind 6.6.6.1 is not an issue.

2) Since the SP is behind a "firewall", I would presume they would/should NAT 3.3.3.10 to 5.5.5.10; if not, this can be done on your router.

3) Your printer just needs a static NAT translation.

If the diagram is the simple one, then you need to attach the complicated one. As every NAT solution is specific to the requirement, there is no "one NAT fits all" solution in my opinion.

I agree.

Just imagine a larger customer network on the left side of my picture, using 10.0.0.0/8 address space, having clients and printers in various different subnets. That's all, basically. The right side is correct and consists only of the small SP network.

I agree. Hiding 1.1.1.0/24 or other source networks behind 6.6.6.1 or behind the ETH1 address of our router is no issue.

Assuming I will configure NAT INSIDE on the left customer side and NAT OUTSIDE on the right SP side...

1) Hiding the customer network could be done with an "ip nat inside source list blabla interface eth1 overload"

(or with a small NAT pool 6.6.6.0/24, or whatever)

3) Printers will be covered with a static NAT translation: "ip nat inside source static 1.1.1.20 6.6.6.20", for example...

BUT: how do I configure it so that the customers on the left side address the SP host destination on the right side with an address different from the SP host's real address (3.3.3.10), because the customer cannot route to 3.3.3.10 (overlapping networks)?

How do I combine all these features on that router?

OK, using your diagram I would configure the router something like this:

int fa 0/0
 description *** LAN ***
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
!
int fa 0/1
 description *** WAN ***
 ip address 2.2.2.1 255.255.255.0
 ip nat outside
!
! 1) hide the customer LAN (acl 1) behind one demarcation address; a
!    single-address pool needs "overload" (PAT), otherwise only one
!    inside host at a time can hold a translation
ip nat pool SP 6.6.6.2 6.6.6.2 prefix-length 30
ip nat inside source list 1 pool SP overload
!
! 3) static translation so the SP can reach the printer as 6.6.6.20
ip nat inside source static 1.1.1.20 6.6.6.20
!
! 2) SP host presented to the customer under a demarcation address;
!    "add-route" installs a host route for the outside local address
!    (5.5.5.2) via the outside interface so inside hosts can reach it
!    (sample addresses here differ from the 3.3.3.10 / 5.5.5.10 of the question)
ip nat outside source static 3.3.3.3 5.5.5.2 add-route
!
access-list 1 permit 1.1.1.0 0.0.0.255
!
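The three translations the thread settles on (dynamic PAT for the LAN, a static inside-source entry for the printer, and a static outside-source entry with add-route for the SP host) are modelled below as an added packet-level example. It is not part of the original thread and is not Cisco code; it uses the addresses from the question (LAN hidden behind 6.6.6.1, SP host 3.3.3.10 shown to the customer as 5.5.5.10, printer 1.1.1.20 shown to the SP as 6.6.6.20) rather than the sample addresses in the snippet above, and it assumes, for the overlap, that the customer also uses 3.3.3.0/24 internally. The PAT table is simplified to be keyed on the inside source only. It reproduces the IOS order of operations (inside-to-outside: route then translate; outside-to-inside: translate then route), which is why add-route is needed for 5.5.5.10, and shows the return path, the printer reachable from the SP, and unsolicited inbound traffic to the PAT address being dropped.

```python
"""Packet-level model of the customer-side NAT discussed in this thread.

Added example, not from the original post or from Cisco.  Addresses follow the
question (6.6.6.1 / 3.3.3.10 -> 5.5.5.10 / 1.1.1.20 -> 6.6.6.20); the routing table
and the overlap (customer also uses 3.3.3.0/24 internally) are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class NatRouter:
    """Two-interface router: 'inside' faces the customer, 'outside' faces the SP."""

    def __init__(self):
        # Assumed routing table.  3.3.3.0/24 is also a customer subnet, which is the
        # overlap that makes the SP host unreachable by its real address from inside.
        self.routes = {
            ipaddress.ip_network("1.1.1.0/24"): "inside",
            ipaddress.ip_network("3.3.3.0/24"): "inside",
            ipaddress.ip_network("2.2.2.0/24"): "outside",
        }
        # ip nat inside source static 1.1.1.20 6.6.6.20
        self.inside_static = {"1.1.1.20": "6.6.6.20"}
        # ip nat inside source list 1 pool SP overload  (acl 1 = 1.1.1.0/24, pool = 6.6.6.1)
        self.inside_acl = ipaddress.ip_network("1.1.1.0/24")
        self.pat_addr = "6.6.6.1"
        self.pat = {}      # (inside_local, local_port) -> global_port  (simplified key)
        self.pat_rev = {}  # global_port -> (inside_local, local_port)
        # ip nat outside source static 3.3.3.10 5.5.5.10 add-route
        self.outside_static = {"3.3.3.10": "5.5.5.10"}  # outside global -> outside local
        for local in self.outside_static.values():
            # add-route: host route for the outside local address via the outside interface
            self.routes[ipaddress.ip_network(local + "/32")] = "outside"

    def egress(self, dst):
        """Longest-prefix-match lookup; returns the egress interface or None."""
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def inside_to_outside(self, pkt):
        """Inside host -> SP.  IOS routes first, then translates, so the lookup uses
        the untranslated destination (5.5.5.10), which only exists thanks to add-route."""
        if self.egress(pkt.dst) != "outside":
            return None  # e.g. 3.3.3.10 sent directly: routed to the internal 3.3.3.0/24, never to the SP
        # destination: outside local -> outside global
        dst = next((g for g, l in self.outside_static.items() if l == pkt.dst), pkt.dst)
        # source: static entry wins, then dynamic PAT for acl-matched hosts
        if pkt.src in self.inside_static:
            return Packet(self.inside_static[pkt.src], dst, pkt.sport, pkt.dport)
        if ipaddress.ip_address(pkt.src) in self.inside_acl:
            key = (pkt.src, pkt.sport)
            if key not in self.pat:
                gport = pkt.sport  # keep the original port when it is free (as IOS does)
                while gport in self.pat_rev:
                    gport += 1
                self.pat[key] = gport
                self.pat_rev[gport] = key
            return Packet(self.pat_addr, dst, self.pat[key], pkt.dport)
        return Packet(pkt.src, dst, pkt.sport, pkt.dport)  # not in acl: source untouched

    def outside_to_inside(self, pkt):
        """SP -> inside host.  IOS translates first, then routes."""
        src = self.outside_static.get(pkt.src, pkt.src)  # outside global -> outside local
        static_rev = {g: l for l, g in self.inside_static.items()}
        if pkt.dst in static_rev:
            dst, dport = static_rev[pkt.dst], pkt.dport          # printer: always reachable
        elif pkt.dst == self.pat_addr and pkt.dport in self.pat_rev:
            dst, dport = self.pat_rev[pkt.dport]                 # reply to an existing PAT flow
        else:
            return None  # no translation entry: unsolicited traffic to the PAT address is dropped
        if self.egress(dst) != "inside":
            return None
        return Packet(src, dst, pkt.sport, dport)


if __name__ == "__main__":
    r = NatRouter()
    out = r.inside_to_outside(Packet("1.1.1.50", "5.5.5.10", 40000, 80))
    print("LAN host -> SP :", out)
    print("SP reply       :", r.outside_to_inside(Packet("3.3.3.10", out.src, 80, out.sport)))
    print("SP -> printer  :", r.outside_to_inside(Packet("3.3.3.10", "6.6.6.20", 50000, 9100)))
    print("SP -> 6.6.6.1  :", r.outside_to_inside(Packet("3.3.3.10", "6.6.6.1", 50000, 22)))
```

The inside hosts only ever see 5.5.5.10 and the SP only ever sees 6.6.6.x, which is the "both sides know only the demarcation subnets" goal from the question; the dropped unsolicited packet to 6.6.6.1 is the usual PAT side effect, so anything the SP must initiate towards the customer (the printers) needs its own static entry.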

Thank you very much, Andrew,

that worked for me. I have tested it in my lab and it really worked.

Thanks again.

No problem, glad to help.
