Need help with NAT

ja raju
Level 1

Hi guys,

Need some help on how to perform NAT on Router A (shown in the attached diagram).

I have a VPN tunnel between two sites, and I need to access a device in 172.16.1.x from the 172.24.103.x segment. The problem is I have another 172.16.1.x on the LAN. So I'd like to configure static NAT on Router A, let's say 192.168.145.50 -> 172.16.1.50.

I configured this on Router A but it's not working:

ip nat inside source static 192.168.145.54 172.16.2.54
ip nat inside source static 172.16.2.54 192.168.145.54

How can I make this work?

Thanks in advance.

7 Replies

Laurent Aubert
Cisco Employee

Hi,

Did you try to configure the NAT on the FW? I think it makes more sense from a design perspective.

Thanks,

Laurent.

Thanks Laurent.

I do not have access to that firewall. Is it not possible to make the NAT work from Router A?

Yes it should work.

Can you post the config of Router A?

Thanks,

Laurent.

Hi Laurent,

This is the config on the router:

version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
no logging console
enable secret 5
!
no aaa new-model
!
!
!
clock timezone WST 8
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
username admin privilege 15 secret 5
!
redundancy
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key address
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN-TUNNEL 10 ipsec-isakmp
set peer
set transform-set ESP-3DES-SHA
set pfs group1
match address ACL-VPN
!
!
!
!
!
interface GigabitEthernet0/0
description Interface facing Internal network -- Inside
ip address 192.168.145.5 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description Interface facing Internet -- Outside
ip address 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN-TUNNEL
!
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source static 172.16.1.54 192.168.145.54
ip nat inside source static 192.168.145.54 172.16.1.54
ip route 0.0.0.0 0.0.0.0
ip route 172.16.0.0 255.240.0.0 192.168.145.1
ip route 172.24.103.0 255.255.255.0
!
ip access-list extended ACL-VPN
permit ip 192.168.145.0 0.0.0.255 172.24.103.0 0.0.0.255
permit ip 172.24.103.0 0.0.0.255 192.168.145.0 0.0.0.255
!
logging trap debugging
logging facility local5
!
no cdp run

!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 15 0
logging synchronous
line aux 0
exec-timeout 15 0
no exec
line vty 0 4
exec-timeout 30 0
logging synchronous
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

Hi,

Could you please remove the following NAT entry which is not needed:

no ip nat inside source static 192.168.145.54 172.16.1.54

When you are sending some traffic from 172.16.1.54 to 172.64.103.x, run a debug ip nat on the router to see if the translation really occurs. If it does, then check that those packets are properly encrypted.

Thanks,

Laurent.
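To show why the single static entry is enough and why ACL-VPN must match the translated address, here is an added Python model of Router A's NAT and crypto-map check (example code written for this page, not from the thread or from IOS). It uses the static entry and ACL-VPN from the posted config and assumes the IOS order of operations in which inside-to-outside NAT runs before the crypto map is evaluated and decryption runs before outside-to-inside NAT; the sample packets are constructed.

```python
import ipaddress
from typing import List, NamedTuple, Tuple


class StaticNat(NamedTuple):
    inside_local: str   # real address on the LAN side of Router A
    inside_global: str  # address seen across the tunnel


# Taken from the posted config: one static entry for the overlapping host,
# and ACL-VPN (192.168.145.0/24 <-> 172.24.103.0/24) as the crypto ACL.
NAT_TABLE = [StaticNat("172.16.1.54", "192.168.145.54")]
CRYPTO_ACL = [("192.168.145.0/24", "172.24.103.0/24")]


def translate(src: str, dst: str, direction: str,
              table: List[StaticNat] = NAT_TABLE) -> Tuple[str, str]:
    """Model 'ip nat inside source static L G': one entry serves both directions.
    inside->outside rewrites the source (local -> global);
    outside->inside rewrites the destination (global -> local)."""
    for e in table:
        if direction == "inside->outside" and src == e.inside_local:
            return e.inside_global, dst
        if direction == "outside->inside" and dst == e.inside_global:
            return src, e.inside_local
    return src, dst  # no matching entry: packet passes untranslated


def crypto_acl_permits(src: str, dst: str, acl=CRYPTO_ACL) -> bool:
    """The crypto map's 'match address' sees the packet after inside->outside
    NAT, so the ACL has to match the inside global address, not the real one."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in acl)


def outbound_is_encrypted(src: str, dst: str) -> bool:
    """Full inside->outside path for one packet: NAT first, then crypto check."""
    return crypto_acl_permits(*translate(src, dst, "inside->outside"))


def overlapping_entries(table: List[StaticNat]) -> List[StaticNat]:
    """Flag static entries whose global address is another entry's local
    address, which is what the second 'ip nat inside source static' line
    in the posted config created."""
    locals_ = {e.inside_local for e in table}
    return [e for e in table if e.inside_global in locals_]
```

Running `overlapping_entries` on the two-entry table from the posted config reports both lines, while the single remaining entry already translates packets in both directions.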

Hi,

Thanks. I'll try it out and get back here if there's any issue.

I got the NAT to work with the info you guys provided. I also had to get the clients to add firewall rules and routing to get the whole thing to work.
