1258 Views | 2 Helpful | 11 Replies

NAT Translation - source/destination

JohnyCisco
Level 1

Hi, I have a problem with configuring and correctly understanding NAT.

What I have in my environment:

- I have a test subnet, where all test servers are stored; they have IPs from subnet 172.23.107.0/24

- I also have a production subnet (vlan 412), where all production servers are stored; they have IPs from subnet 172.23.82.0/24

- users are in the segment "smiley face"; let's take one IP address - 192.168.10.5/32

The router at the top will perform NAT. I want to create a new VLAN 512 with the same addresses as in production (vlan 412). This way, the users that want to access the test environment will be directed to the Top router, it will translate these addresses to the production addresses and transfer them in the new vlan 512 (separate from the production vlan) to the servers.

That way, if someone wants to access production servers, they will be transferred directly to the servers from the switch, and if they want to access test servers, they will go to the Top router and then to the switch, and the servers.

Is it possible to do this?

I imagine it to look like this:

User (192.168.10.5) wants to access TestSRV_1 (172.23.107.131). So it goes to the top router, which translates the address from 172.23.107.131 to 172.23.82.34 and pushes it to the switch in vlan 512; the switch grabs this and pushes it in vlan 512 to the server. The frame keeps the source address 192.168.10.5.

The other way round, from TestSRV_1 (172.23.82.34) to the User (192.168.10.5), it goes to the top router, the source address is translated from 172.23.82.34 to 172.23.107.131, and it goes back to the switch, and then to the user.

I am trying to test it in my environment. I have a Cisco router (R1) and a switch (S1).

S1 and R1 are connected with 2 trunks, one with vlan 412 and the second with vlan 512. To S1 there are 2 PCs connected with access ports.

This is my config on R1:

R1#show run brief
Building configuration...

hostname R1
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
! not used at the moment
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
! not used at the moment
interface GigabitEthernet0/0/0.412
encapsulation dot1Q 412
ip nat inside
!
! not used at the moment
interface GigabitEthernet0/0/0.512
encapsulation dot1Q 512
!
interface GigabitEthernet0/1/0
switchport trunk allowed vlan 412,512
switchport mode dynamic desirable
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
switchport trunk allowed vlan 412
switchport mode trunk
!
interface GigabitEthernet0/1/3
switchport trunk allowed vlan 512
switchport mode trunk
!
interface Vlan1
no ip address
!
interface Vlan412
ip address 10.10.10.254 255.255.255.0
ip nat inside
!
interface Vlan512
ip address 10.10.20.254 255.255.255.0
ip nat outside
!
ip forward-protocol nd
ip http server
ip http secure-server
ip nat inside source static 10.10.10.1 10.10.20.1
ip route 0.0.0.0 0.0.0.0 192.168.126.1
ip ssh version 2
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 4
session-timeout 480
login local
transport input ssh
!
end

Right now, if I ping from PC1 (vlan 412 / 10.10.10.1) to PC2 (vlan 512 / 10.10.20.10), it shows that the source of the pings is 10.10.20.1. So if I assume that PC1 is a server, then it looks ok. But the other way round, it shows their original addresses.

How can I reconfigure it so that it works as I mentioned at the beginning? I probably need destination NAT from user to server and source NAT from server to user.

I know it can be confusing, so feel free to ask any questions, I will try to reply asap.

 


11 Replies

balaji.bandi
Hall of Fame

First of all, what is the use case? Why do you want to NAT? Any reason?

Second, you can do PBR based on the destination when it reaches the gateway?

Where is the gateway for the 192.168.10.x/24 network? (On the picture you have a typo, correct it when you get a chance: 192.168.105/33 is wrong.)

I take it the switch acts as Layer 2 and the server gateway is also on the router? Is this correct?

The config you posted is a test lab? You are trying to simulate?

 

BB


"First of all, what is the use case? Why do you want to NAT? Any reason?"

I have production and test servers. I would like to be able to just copy the production servers to some new environment within a new vlan (512), and then, without changing their IP addresses, just leave them there. This router I configure with NAT will translate these new test servers from production IPs to test IPs. This way I can delete and make a new test environment every day, without reconfiguration of the servers.

"Second, you can do PBR based on the destination when it reaches the gateway?"

Please explain further what exactly you mean by that.

"Where is the gateway for the 192.168.10.x/24 network? (On the picture you have a typo, correct it when you get a chance: 192.168.105/33 is wrong.)"

In my simulation it is on the top router; in reality I have no clue, I have no access to the network devices that are on the left (smiley face). But do I really need it? I mean, right now in production it works: there are 2 vlans, one for the test env and one for the prod env, there is no top router, both traffic flows are forwarded to the switch. I just want to route test traffic to the top router (that will be added) and then back to the switch with the new vlan; the switch will have only 1 way for these vlans (test and new) so it will push it that way. Or am I totally wrong and it won't work like that?

"I take it the switch acts as Layer 2 and the server gateway is also on the router? Is this correct?"

It acts as a simple L2 switch; the gateway is further on the left side of the network, not visible on the scheme. There is a main router, but I won't be able to access it, it is managed by someone else.

"The config you posted is a test lab? You are trying to simulate?"

Yes, exactly, I try to simulate how it is going to look in production.

Hi

I wouldn't say it is not possible, but if I understood it correctly, not the way you want. I will comment on this:

"That way, if someone wants to access production servers, will be transfered directly to the servers from the switch and if he wants to access test servers, he will go to Top router and then to switch, and servers."

Not exactly. If users and servers (test or production doesn't matter) are in different networks, they will have to pass through the gateway, which in your case seems to be the router.

The only way for the first half of your statement to be true is if the users and production servers are on the same network segment. If they were in the same segment, you don't need a gateway and users can reach the servers directly just using ARP resolution.

But the problem does not stop here. Let's look at what you said: "...This way, the users that want to access the test environment will be directed to the Top router, ..."

If you want to access two different environments with the same IP addressing by using NAT, you need to call a different IP in order to differentiate both Production and Test. You cannot call the same IP address and expect to get into one environment or the other.

If users are calling an IP in a different network, they will always be sent to the gateway.

Source routing will not help either, as the source will always be the same.

It is not clear what you are trying to achieve with this setup, but maybe we can help you to find a solution if you try to explain.

 

 

The gateway is a router that is on the far left side of the network; I do not know exactly what it looks like there. But traffic from user to test server is directed to the switch on the scheme, so I want to leave it as it is and just delete the actual test vlan from the trunk that is set right now from switch to the server and add this vlan to the trunk to my new router; that way the switch will transfer this traffic only to my router, isn't it? If yes, then a user that tries to access a test server will be directed there, the test server IP will be translated to the production server IP, and then it will be transferred with the new vlan (512) to the switch; the switch will also have only 1 possible way for that vlan to the servers.

So basically, I thought about pushing the same IP addresses but with different vlans. Users, prod servers and test servers would be in separate vlans.

Hi

"But traffic from user to test server is directed to the switch on the scheme,"

then they are on the same network.

"i want to leave it as it is and just delete the actual test vlan from the trunk that is set right now from switch to the server and add this vlan to the trunk to my new router, that way the switch will transfer this traffic only to my router, isnt it?"

So, if I understood correctly, you want to have two routers connected to the switch, each one using a trunk with different vlans?

But in which vlan will the users be?

"If yes, then user that try to access test server will be directed there, test server ip will be translated to production server ip, and then will be transfered with new vlan (512) to switch, switch will also have only 1 possible way, for than vlan to the servers."

This part is a bit confusing. It would be great if you could make some kind of diagram showing the flow. Will your diagram look like this?

(attached diagram: nat.JPG)

Please see the attached diagram: the one on the left is the actual one, and the one on the right is the one I would like to prepare, with the added router with NAT configured and some vlans added/removed in the trunks.

I do not know exactly what the network looks like under the left router; I assume it looks similar to what is shown in the diagram.

Hi,

 Can you edit this diagram and add where the Production server is and put the IP addressing you want to use?

Configuring dynamic NAT with route-maps - Cisco Community

This is the solution, I think, for your case.

It may solve my problems, I will read about this solution and get back to you with the info if I was able to use it in my scenario

JohnyCisco (Accepted Solution)
Level 1

I did manage to make it work. I have used static NAT. I only need it for these few addresses.

Please find a solution below:

interface GigabitEthernet0/0/0
ip address 192.168.126.175 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/1/0
switchport trunk allowed vlan 412,512
switchport mode trunk
!
interface GigabitEthernet0/1/1
switchport access vlan 410
switchport mode access
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Vlan1
no ip address
!
interface Vlan410
ip address 172.23.44.22 255.255.255.224
!
interface Vlan412
ip address 172.23.107.129 255.255.255.224
ip nat outside
!
interface Vlan512
ip address 172.23.44.33 255.255.255.224
ip nat inside
!
ip default-gateway 172.23.107.129
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static 172.23.44.34 172.23.107.131
ip nat inside source static 172.23.44.35 172.23.107.132
ip nat inside source static 172.23.44.36 172.23.107.133
ip nat inside source static 172.23.44.38 172.23.107.135
ip nat inside source static 172.23.44.39 172.23.107.136
ip nat inside source static 172.23.44.40 172.23.107.137
ip nat inside source static 172.23.44.56 172.23.107.154
ip nat inside source static 172.23.44.59 172.23.107.155
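The question in the first post was whether one needs "destination NAT from user to server and source NAT from server to user". A single `ip nat inside source static` line already does both, which is why the accepted configuration works. The following Python model was added for this thread to make that visible; it is not Cisco code and not the poster's configuration. It reproduces only the address-rewriting rule of a static inside-source translation (source rewritten for packets arriving on an `ip nat inside` interface, destination rewritten for packets arriving on an `ip nat outside` interface); routing between the interfaces is assumed, not modelled. It is loaded with the mappings from the accepted solution above and from the first lab config, so the "reverse ping shows original addresses" observation from the first post can be reproduced too.

```python
"""Model of how Cisco IOS 'ip nat inside source static LOCAL GLOBAL' rewrites addresses.

Illustrative code added for this thread; it is not Cisco code and not the poster's
configuration. Only the address-rewriting rule is modelled:
  * packet arriving on an 'ip nat inside' interface  -> SOURCE rewritten local -> global
  * packet arriving on an 'ip nat outside' interface -> DESTINATION rewritten global -> local
Routing between the interfaces is assumed, not modelled.
"""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source IP as the sending host wrote it
    dst: str      # destination IP
    ingress: str  # interface the packet arrives on, e.g. "Vlan412"


class StaticNat:
    """Bidirectional table built from 'ip nat inside source static' lines."""

    def __init__(self, inside: Iterable[str], outside: Iterable[str]) -> None:
        self.inside = set(inside)    # interfaces configured 'ip nat inside'
        self.outside = set(outside)  # interfaces configured 'ip nat outside'
        self.local_to_global: Dict[str, str] = {}
        self.global_to_local: Dict[str, str] = {}

    def add_static(self, inside_local: str, inside_global: str) -> None:
        # One configuration line installs both directions of the mapping.
        self.local_to_global[inside_local] = inside_global
        self.global_to_local[inside_global] = inside_local

    def translate(self, pkt: Packet) -> Packet:
        if pkt.ingress in self.inside:
            # inside -> outside: source NAT only; the destination is untouched.
            return replace(pkt, src=self.local_to_global.get(pkt.src, pkt.src))
        if pkt.ingress in self.outside:
            # outside -> inside: destination NAT only; the source is untouched.
            # A destination that is not an inside-global address is left alone.
            return replace(pkt, dst=self.global_to_local.get(pkt.dst, pkt.dst))
        return pkt  # interface not part of NAT: no rewrite


def accepted_solution() -> StaticNat:
    """Table from the accepted-solution config: Vlan512 inside, Vlan412 outside."""
    nat = StaticNat(inside=["Vlan512"], outside=["Vlan412"])
    for local, glob in [
        ("172.23.44.34", "172.23.107.131"), ("172.23.44.35", "172.23.107.132"),
        ("172.23.44.36", "172.23.107.133"), ("172.23.44.38", "172.23.107.135"),
        ("172.23.44.39", "172.23.107.136"), ("172.23.44.40", "172.23.107.137"),
        ("172.23.44.56", "172.23.107.154"), ("172.23.44.59", "172.23.107.155"),
    ]:
        nat.add_static(local, glob)
    return nat


def first_lab() -> StaticNat:
    """Table from the first lab config: Vlan412 inside, Vlan512 outside."""
    nat = StaticNat(inside=["Vlan412"], outside=["Vlan512"])
    nat.add_static("10.10.10.1", "10.10.20.1")
    return nat


def trace(nat: StaticNat, src: str, dst: str, ingress: str) -> Tuple[str, str]:
    """Return (src, dst) as they leave the router for a packet arriving on `ingress`."""
    out = nat.translate(Packet(src=src, dst=dst, ingress=ingress))
    return out.src, out.dst


if __name__ == "__main__":
    nat = accepted_solution()
    # user -> test address: destination rewritten, user's own source address kept
    print(trace(nat, "192.168.10.5", "172.23.107.131", "Vlan412"))
    # server reply: only the source is rewritten back to the test address
    print(trace(nat, "172.23.44.34", "192.168.10.5", "Vlan512"))
    lab = first_lab()
    # PC2 pinging PC1's real address from the outside side: no table hit, no rewrite
    print(trace(lab, "10.10.20.10", "10.10.10.1", "Vlan512"))
```

Running it shows that the accepted configuration does exactly what the first post asked for: the user-to-server packet has only its destination rewritten (172.23.107.131 to 172.23.44.34) and keeps 192.168.10.5 as source, and the reply has only its source rewritten. In the first lab, PC2 pinging 10.10.10.1 matched no inside-global entry, so nothing was rewritten; pinging 10.10.20.1 instead would have been translated to PC1. Two practical notes: the inside-global addresses in the accepted config lie inside the Vlan412 subnet (172.23.107.128/27), which is what lets the router answer ARP for them on that VLAN; and a 1:1 static translation is not a filter, so anything that can reach Vlan412 can reach the mapped servers unless an ACL restricts it.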

 

Hello
If I understand this,
you have two lots of servers (412 & Test) with the same IP addressing.

So, to avoid having to keep changing those TEST srvs' IP addressing, you want to segregate them from the production vlan 412 srvs?

If so, the simplest solution would be to put the TEST srvs in a VRF; this way you do not need to NAT anything and they will be completely isolated from the production vlan 412 users.



Kind Regards
Paul