Solved: Re: NAT to replace the source address

DriverCiscoPL · ‎02-03-2021

Hello, I don't know how to make NAT for 192.168.0.0/24 network to replace the source address to the router address 172.23.120.5 for packets going to the network 10.10.21.100/32.

I have working configuration in VyOS system, but how to make it in Cisco 1921 router?

rule 01 {
    destination {
        address 10.10.21.100/32
    }
    outbound-interface any
    protocol all
    source {
        address 192.168.0.0/24
    }
    translation {
        address 172.23.120.5
    }
}

Georg Pauwen · ‎02-03-2021

Hello,

if you want the translation only to take place when the source is 192.168.0.0/24 and the destination 10.10.21.100/32, you need a configuration that looks like the one below. Keep in mind that any other destination address will not lead to a translation.

It doesn't matter whether the translated address 172.23.120.5 is actually configured on an interface (which means the NAT outside interface can have a different IP address).

interface GigabitEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
ip address 172.23.120.5 255.255.255.0
ip nat outside
!
ip nat pool DEST 172.23.120.5 172.23.120.5 netmask 255.255.255.0
ip nat inside source list 101 pool DEST overload
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 host 10.10.21.100

View solution in original post

balaji.bandi · ‎02-03-2021

Looik at good examples :

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13773-2.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr-i3.html#wp1284532593

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

DriverCiscoPL · ‎02-03-2021

Should I set interface of the router address 172.23.120.5 to "ip nat enable" ?
and then

ip nat source static 192.168.0.0/24 172.23.120.5

?

balaji.bandi · ‎02-03-2021

that should work, test and advise. if any issue.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Georg Pauwen · ‎02-03-2021

Hello,

if you want the translation only to take place when the source is 192.168.0.0/24 and the destination 10.10.21.100/32, you need a configuration that looks like the one below. Keep in mind that any other destination address will not lead to a translation.

It doesn't matter whether the translated address 172.23.120.5 is actually configured on an interface (which means the NAT outside interface can have a different IP address).

interface GigabitEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
ip address 172.23.120.5 255.255.255.0
ip nat outside
!
ip nat pool DEST 172.23.120.5 172.23.120.5 netmask 255.255.255.0
ip nat inside source list 101 pool DEST overload
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 host 10.10.21.100

DriverCiscoPL · ‎02-04-2021

Thank you, it works, however I've noticed that I have a loop when I try to ping from any host behind GigabitEthernet0/1 to any host which is behind GigabitEthernet0/0

ping 192.168.0.30
PING 192.168.0.30 (192.168.0.30) 56(84) bytes of data.
64 bytes from 172.23.120.5: icmp_seq=1 ttl=127 time=1.97 ms
From 172.23.120.4: icmp_seq=2 Redirect Host(New nexthop: 172.23.120.5)
64 bytes from 172.23.120.5: icmp_seq=2 ttl=127 time=0.749 ms
64 bytes from 172.23.120.5: icmp_seq=3 ttl=127 time=0.544 ms
64 bytes from 172.23.120.5: icmp_seq=4 ttl=127 time=0.506 ms

traceroute 192.168.0.30
traceroute to 192.168.0.30 (192.168.0.30), 30 hops max, 40 byte packets
1 (172.23.120.5) 5.094 ms 5.342 ms 5.905 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 *

Georg Pauwen · ‎02-04-2021

Hello,

it is not a loop. The traffic just gets stuck. The NAT only works when traffic is initiated from the inside.

DriverCiscoPL · ‎02-04-2021

Hello,

What can I do to be able to initiate traffic from outside to inside?

Maybe route the packet with 172.23.120.5 to null0 ?

paul driver · ‎02-04-2021

Hello
FYI - You shouldn’t be able to ping an ip address that resides on the nat inside network from a nat outside ip address?

The whole idea about nat it to “hide” an network meaning the outside network shouldn’t be aware of the inside lan subnet - hence why the lan is 99% non routable addressing.

If you want a particular outside host to reach a particular inside ip address then you need to perform static 1-1 nat/pat

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

paul driver · ‎02-03-2021

Hello
You dont state if that translation address is actually part of you router egress interface or you want to use that address specifically for that translation and then nat all other traffic to the routers interface

Example:
router wan interface =172.23.120.1

specific nat address =172.23.120.5 - this can be any routable address reachable via your wan rtr
access-list 100 permit ip 192.168.0 0 0.0.0.255 host 10.10.21.100

access-list 101 deny ip 192.160.0.0 0.0.0.255 host 10.10.21.100
access-list 101 permit ip 192.168.0.0 0.0.0.255 any

ip nat pool specific-nat 172.13.120.5 172.13.120.5 netmask 255.255.255.240

ip nat inside source list 100 pool specific-nat
ip nat inside source list 101 interface xx (wan interface)

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul