NAT with inbound PAT on Private WAN

Hi

I have a private WAN. We would like to do directed outbound NATing on our CPE to the internet, but would like to keep LAN-to-LAN networks fully accessible on their private-to-private addresses.

One site (SITE A) has a server hosting several services to the internet, which the other private site (SITE B) needs direct private LAN access to. Let's say this is a web server.

I have setup NAT on site A as follows (example only):

interface GigabitEthernet0/0
ip address 192.168.24.4 255.255.255.0
ip nat outside
!
interface GigabitEthernet1/0
ip address 192.168.45.4 255.255.255.0
ip nat inside
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.45.5 80 192.168.24.4 80 

!
ip access-list extended NAT
deny ip 192.168.45.0 0.0.0.255 host 3.3.3.3
permit ip 192.168.45.0 0.0.0.255 any

3.3.3.3 is an IP in the SITE B private LAN that needs access to the web server on the web server's private IP address, 192.168.45.5.

When it tries to access the web server we get this in the NAT translation table, even though the ACL denies this:

Pro   Inside global      Inside local       Outside local      Outside global
tcp   192.168.24.4:80    192.168.45.5:80    3.3.3.3:29159      3.3.3.3:29159
tcp   192.168.24.4:80    192.168.45.5:80    ---                ---

Basically it's NATing return traffic! I don't understand. Can anyone help?

Thanks



Philip D'Ath
VIP Alumni

How are the Internet and Private WAN circuits delivered?  Are they actually two separate circuits?  If not, how does traffic actually get to the WAN and Internet?

Hi Philip Thanks for your response.  Good to see another Kiwi in the ranks :)

My explanation is a little vague. I have a third router in between acting as the hub. This provides the internet connectivity. We had NAT running on this initially, but due to some commercial/technical reasons we now need to put NAT on the CPE directly instead, towards the internet, with the default route to the HUB. The hub now has NO NAT on it, if that makes sense. The spokes used to have direct access to the private network in between without NAT fine, as expected, but now that there is NAT on the CPE, services at the head office have stopped working for the other spoke, as these have NAT entries for access to these services from the internet (if that makes sense)?

Does that help? 

Hi Brad, if possible can you show us the network diagram? Why don't you try something like the below, so the rest will be denied by default...

ip access-list extended NAT
 permit ip xx.xx.0.0 0.0.255.255 any

 

regards

Hi Brad.

I'm thinking there are two ways.  The hard way, and the really hard way.

Let's try the hard way first. So the hub has a point-to-point link to site A, and another point-to-point link to site B. Correct?

Can you convert these links to using /30 public IP addresses?  This would allow the CPE to do NAT to its local public IP address, except when routing to another private IP address.

This is my preferred option, as it makes the hub look like a service provider.

The next option: can you convert the two point-to-point links to a shared medium, like a VPLS circuit? Then the two sites' routers can talk directly to each other without going through the hub. They would only go through the hub to get to the Internet.

The next option.  Is it possible to run dual links between the hub and spokes, such as using VLAN tags?  Then you could tag a packet as either being "internal" or "external".

The next option.  Throw away what is there, and start with a clean slate and design.

The really hard way would be to use route-maps on all three routers, and NAT in and out of different address spaces based on the intention.

Hi Philip

"Can you convert these links to using /30 public IP addresses?  This would allow the CPE to do NAT to its local public IP address, except when routing to another private IP address.

This is my preferred option, as it makes the hub look like a service provider"

This is actually what I am doing (except for the /30 bit; I have just changed that in my lab). I am trying to get the CPE to route between the CPE private networks. This works, and if I ping from the remote site to the head site I get a response. This is with the head site having NAT applied to the external public address as follows:

ip nat inside source list NAT interface GigabitEthernet0/0 overload
!
ip access-list extended NAT
 deny ip 192.168.45.0 0.0.0.255 host 3.3.3.3
 permit ip 192.168.45.0 0.0.0.255 any
!

G0/0 is the external Public interface with the "public" address 192.168.24.1.  192.168.45.0/24 is the head site private LAN.  3.3.3.3 is a host in the private LAN of the remote site.

So I can ping from 3.3.3.3 all the way through to 192.168.45.5. When I do, I get the following in the NAT translation table on R4, the head office site that's doing the NATing (see attached diagram):

Pro    Inside global       Inside local      Outside local    Outside global
icmp   192.168.24.1:1024   192.168.45.5:9    3.3.3.3:9        3.3.3.3:1024

Basically, even though the rule has a deny for this traffic, there is still a NAT entry created, BUT I can ping, and this works fine. I have a problem when I have a publicly accessible web server, or RDP server, with an inbound NAT on the head-end router that also needs to be accessed by a host on the remote LAN. The remote LAN host 3.3.3.3 can't connect to the service on the private address of the server if that inbound static NAT exists. See below:

I add:

ip nat inside source static tcp 192.168.45.5 80 interface GigabitEthernet0/0 80

and after trying to connect on port 80 I get the following and cant connect:

R4#
*Mar 11 16:31:48.368: %IPNAT-6-NAT_CREATED: Created tcp 192.168.45.5:80 192.168.24.1:80 3.3.3.3:13780 3.3.3.3:13780
R4#sh ip nat trans
Pro   Inside global      Inside local       Outside local      Outside global
tcp   192.168.24.1:80    192.168.45.5:80    3.3.3.3:13780      3.3.3.3:13780
tcp   192.168.24.1:80    192.168.45.5:80    ---                ---
R4#

But I can still ping, because there is no INBOUND NAT for this ICMP traffic. This is what I don't get. How can I avoid this from happening?

I don't want to create a VPLS circuit, as this needs to be a template and easily supportable, although yes, this would be great.

I'm thinking the really hard way with route-maps, but I'm not quite sure of the exact config. I'll have a look around at the config, but any hints would be appreciated. I was sure the deny in the ACL would sort this, so I don't know why this doesn't work.

You need to change this:

ip nat inside source static tcp 192.168.45.5 80 interface GigabitEthernet0/0 80

To something more like the below. Play with access-list 104. What this is saying is: only perform the NAT port forward if access-list 104 matches, so notch out the cases you don't want it to match.

access-list 104 deny ip 192.168.45.0 0.0.0.255 192.168.24.0 0.0.0.255
access-list 104 permit ip any any

route-map no-nat permit 1
  match ip address 104

ip nat inside source static tcp 192.168.45.5 80 <ip on gig0/0> 80 route-map no-nat reversible extendable
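A complete head-end (R4) configuration that puts the route-map on the static entry, as an added worked example rather than the thread's own config. It uses the lab addresses given above (Gi0/0 192.168.24.1 as the "public" side, 192.168.45.0/24 as the head-office LAN, 192.168.45.5 as the web server, 3.3.3.3 as the remote private host); the ACL and route-map names are assumptions, and the deny line would be extended to every remote private prefix in a real deployment.

```cisco
! Added example (not from the thread). Addresses follow the lab described
! above; the names PRIVATE-WAN-NO-NAT and NAT-TO-INTERNET are assumptions.
! Add one deny line per remote private prefix (the thread only names 3.3.3.3).
ip access-list extended PRIVATE-WAN-NO-NAT
 deny   ip 192.168.45.0 0.0.0.255 host 3.3.3.3
 permit ip 192.168.45.0 0.0.0.255 any
!
route-map NAT-TO-INTERNET permit 10
 match ip address PRIVATE-WAN-NO-NAT
!
! Dynamic PAT for outbound sessions. The ACL deny is honoured here because a
! "source list" rule consults the list for every new inside-to-outside session.
ip nat inside source list PRIVATE-WAN-NO-NAT interface GigabitEthernet0/0 overload
!
! Static port forward for the web server. Without a route-map this entry is
! unconditional: when 192.168.45.5:80 replies to 3.3.3.3, the reply's source
! matches the entry and is rewritten to 192.168.24.1:80, which is the
! "NATing return traffic" seen in the translation table above. With the
! route-map attached, the reply to 3.3.3.3 hits the deny and is left alone.
! "reversible" keeps internet-initiated connections to 192.168.24.1:80
! working once a route-map is present; "extendable" is kept from the
! accepted answer.
ip nat inside source static tcp 192.168.45.5 80 192.168.24.1 80 extendable route-map NAT-TO-INTERNET reversible
!
interface GigabitEthernet0/0
 ip address 192.168.24.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet1/0
 ip address 192.168.45.4 255.255.255.0
 ip nat inside
```

After replacing the static entry, run `clear ip nat translation *` before retesting, otherwise the stale tcp 192.168.24.1:80 entries for 3.3.3.3 keep matching. A connection from 3.3.3.3 to 192.168.45.5:80 should then create no entry in `show ip nat translations`, while a client on the internet connecting to 192.168.24.1:80 still does. Note that a deny in a NAT ACL only exempts traffic from translation; it does not filter it, so restricting which remote-LAN hosts may reach 192.168.45.5 still needs an interface ACL.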

Hi Jon / Philip

I'll test the route map on site tonight and let you know. Early tests using the lab are looking really good, so I'm stoked.

Cheers.

Perhaps you missed it but I posted the answer above a while back. 

You need to use a route map with your static NAT statement.

Jon

Actually, I should add, I don't want to tunnel either, through GRE / VPN. This adds a licensing cost and also some configuration anomalies to the network. I will do this if it's an absolute last resort and there are no other options.

Jon Marshall
Hall of Fame

That won't work because the static NAT will always match.

You need to use a route map referencing your NAT acl and then include that route map in the static NAT statement.

Jon
