Natting a server

Wes Smith
Level 1

I've a NAT problem that is confounding me.

Today .. in our lab I have a video server that sits on subnet 10.16.42.91/26 

This subnet is run by a L3 switch with L3 routing back to the rest of the network.

I need to test this server over an emulated WAN access to validate branch office performance.

The WAN emulator is all set up and works fine.

Now I'd like to extend this slow access outside the lab, so that anyone can test the slow path from their desk.

To do this I've added a 2nd router between the video server subnet and the rest of the network.

I'd like to NAT the 10.16.42.91  address to 10.16.44.91, 

Such that .. anyone referencing 10.16.44.91 goes via the slow path, and anyone using 10.16.42.91 goes via the GigE

The NATing router is an 881 running 15.3

It would need to do hide-nat so  return traffic would flow via the NAT router

I've tried several nat configs, but remain confounded.

Diagram below .. would appreciate any suggestion 

Thanks in advance

Nat1.png

2 Accepted Solutions

Jon Marshall
Hall of Fame

Wes

You need two things -

1) for the return traffic to go back to the 881 you need to NAT overload all the user IPs to the 10.16.42.x interface IP on the 881. You have the inside facing the users which makes it a lot easier so -

access-list 101 permit ip 10.0.0.0 0.0.0.255 host 10.16.44.91

ip nat inside source list 101 interface <interface> overload  <- where <interface> is the one facing the server.

Note I'm not entirely sure of the exact order of processing in terms of the two NAT statements, so in the ACL above where you have the host 10.16.44.91 you might need to change it to the real IP of the server. Try the above first.

2) a NAT for the server -

ip nat outside source static 10.16.42.91 10.16.44.91 netmask 255.255.255.255

Edit - I'm assuming you have already assigned "ip nat inside" to the interface on the 881 facing the users and "ip nat outside" on the interface facing the server.

Jon

Hi Wes,

Also to add to Jon's post, you may need to add a static route on the 881 that routes 10.16.44.91 out of the interface facing the server. Something like

ip route 10.16.44.91 255.255.255.255 <interface>   - or -  ip route 10.16.44.91 255.255.255.255 10.16.42.91

This is required as inside to outside NAT needs to make a routing decision first before packets will be translated

Will

Good spot. For some reason I always forget the route when doing that particular NAT

Jon

Thanks Guys

I didn't think to combine the interface hide-nat along with the static source nat.

The NAT ACL had to be the inside IP vs the actual server IP

Works like a charm now

ip nat inside source list 102 interface FastEthernet4 overload        << hide-nat behind the router outside addr

ip nat outside source static 10.16.42.95 10.16.226.95 extendable add-route        << static nats per host

ip nat outside source static 10.16.42.94 10.16.226.94 extendable add-route

access-list 102 permit ip any host 10.16.226.95                    <<<<  had to be the inside address

access-list 102 permit ip any host 10.16.226.94 
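The packet flow the thread arrives at, as an added example (a simplified model, not code from any poster and not a full account of IOS NAT processing): it encodes the routing-before-NAT point from Will's reply and the finding that ACL 102 must match the inside (alias) address. The 881 outside address 10.16.42.65, the client 10.20.1.50 and the ports are constructed values.

```python
# Simplified model of the 881's NAT handling as described in the thread.
from ipaddress import ip_address as ip

OUTSIDE_IF_IP = ip("10.16.42.65")  # assumed FastEthernet4 address (constructed)
# ip nat outside source static <real> <alias> extendable add-route
STATIC = {ip("10.16.226.95"): ip("10.16.42.95"),   # alias -> real server
          ip("10.16.226.94"): ip("10.16.42.94")}


class Nat881:
    def __init__(self, acl=STATIC.keys(), routes=STATIC.keys()):
        self.acl = set(acl)        # access-list 102: permit ip any host <alias>
        self.routes = set(routes)  # host routes toward the server (add-route)
        self.pat = {}              # overload table: port -> (client, client port)
        self.next_port = 1024

    def inside_to_outside(self, src, sport, dst, dport):
        """Client -> server; returns the packet leaving FastEthernet4, or None."""
        if dst not in self.routes:
            return None            # routed before NAT: no route out, no translation
        if dst in self.acl:        # ACL is checked against the pre-NAT destination
            port, self.next_port = self.next_port, self.next_port + 1
            self.pat[port] = (src, sport)
            src, sport = OUTSIDE_IF_IP, port   # hide-NAT behind the 881
        return (src, sport, STATIC.get(dst, dst), dport)

    def outside_to_inside(self, src, sport, dst, dport):
        """Server reply; translated first, then routed back to the client."""
        if dst != OUTSIDE_IF_IP or dport not in self.pat:
            return None            # reply was not addressed to the 881
        client, cport = self.pat[dport]
        alias = {real: a for a, real in STATIC.items()}.get(src, src)
        return (alias, sport, client, cport)


def demo():
    client = ip("10.20.1.50")      # constructed desk PC address
    good = Nat881()
    fwd = good.inside_to_outside(client, 40000, ip("10.16.226.95"), 554)
    rev = good.outside_to_inside(fwd[2], fwd[3], fwd[0], fwd[1])
    # ACL written against the real server IP: source is never hidden, so the
    # server would answer the client directly over the GigE path.
    wrong_acl = Nat881(acl=[ip("10.16.42.95")])
    leak = wrong_acl.inside_to_outside(client, 40000, ip("10.16.226.95"), 554)
    return fwd, rev, leak


if __name__ == "__main__":
    for name, pkt in zip(("forward", "return", "wrong ACL"), demo()):
        print(name, tuple(str(f) for f in pkt))
```

In the "wrong ACL" case the packet reaches the server with the client's own source address, which is why the return traffic would bypass the 881 and the slow path.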
