
Overlapping 192.16.x.x subnets

Steve Coady

Hello

I acquired a company comprising 5 sites. I am phasing these onto my AVPN network, which currently consists of 12 sites.

The phasing aspect is being done by denying their subnets from my current routers and vice versa.

The new sites have re-IP addressed their LAN subnets. However:

- These new sites are using a specific subnet, say 192.168.101.x, for their VoIP system.

- I am already using that same subnet for my data center.

The same subnet range plays an important role for each company.

I am using Cisco 29xx and 39xx routers for ALL sites with "universalk9-mz.SPA.152-4.M3.bin"

It seems I should be able to create a pool on the (5) new site routers that NATs that subnet, 192.168.101.x, to some other subnet range. I could then allow that subnet to be routed only amongst the new sites until their new VoIP system is in place. I could deny that natted subnet from my current AVPN routers.

The plan seems simple enough.

Can this be done?

If so, please provide configuration examples to help me implement this.

sMc
Accepted Solutions

Yes. That static is correct.

But since this is a VoIP network, you might have some problems because voice traffic, whether it's H.323 or SIP, embeds the IP within the payload, and that does not get translated. Calls will go through, but you will not hear anything.

Sachin


I have no experience with ALG but you can try it. Your IOS version should already support it.

ip nat service sip udp port 5060
ip nat service sip tcp port 5060

Sachin
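
An added example, not part of the thread: a Python check that scans a SIP message captured on the outside of the NAT for addresses still in the inside local subnet 192.168.101.0/24, the condition behind "calls go through, but you will not hear anything". The INVITE, the host addresses in it and the function names are constructed for illustration.

```python
import ipaddress
import re

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed INVITE as seen on the WAN side: the IP header source was
# translated to 192.168.226.20, but the SIP/SDP text still says 192.168.101.20.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:2001@10.50.2.30 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.101.20:5060;branch=z9hG4bK-constructed",
    "From: <sip:1001@192.168.101.20>;tag=1",
    "To: <sip:2001@10.50.2.30>",
    "Call-ID: constructed-1@192.168.101.20",
    "CSeq: 1 INVITE",
    "Contact: <sip:1001@192.168.101.20:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.101.20",
    "s=-",
    "c=IN IP4 192.168.101.20",
    "t=0 0",
    "m=audio 16384 RTP/AVP 0",
])

def embedded_inside_addresses(sip_message, inside_local="192.168.101.0/24"):
    """Return (section, field, ip) for every address in the SIP text that
    still belongs to the untranslated inside local subnet."""
    net = ipaddress.ip_network(inside_local)
    head, _, body = sip_message.partition("\r\n\r\n")
    hits = []
    for section, text in (("header", head), ("sdp", body)):
        for line in text.split("\r\n"):
            field = line.split(":", 1)[0] if section == "header" else line[:2]
            for candidate in IPV4.findall(line):
                try:
                    ip = ipaddress.ip_address(candidate)
                except ValueError:
                    continue  # looked like an address but is not one
                if ip in net:
                    hits.append((section, field, candidate))
    return hits

def media_address_untranslated(sip_message, inside_local="192.168.101.0/24"):
    """True when the SDP c= line, where the far end sends RTP, is stale."""
    return any(s == "sdp" and f == "c="
               for s, f, _ in embedded_inside_addresses(sip_message, inside_local))

if __name__ == "__main__":
    for hit in embedded_inside_addresses(SAMPLE_INVITE):
        print(hit)
```

Running the same check on captures taken before and after enabling the `ip nat service sip` lines shows whether the payload is being rewritten.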


21 Replies

Steve Coady

Please review and advise on syntax

ip nat pool "name" 192.168.226.0 192.168.226.254 netmask 255.255.255.0
ip nat inside source list 226 pool "name"
access-list 226 permit 192.168.101.0 0.0.0.255

sMc

Hi Steve,

I assume that you want to create a 1-to-1 NAT with the servers in your data centre. That is, you want to translate 192.168.101.10 --> 192.168.226.10. So that users can connect to 192.168.226.10 and access the services.

If so, then you need to use static NAT. Use this instead.

ip nat inside source static network 192.168.101.0 192.168.226.0 /24 no-alias

Sachin

sganpat

Thank you for the reply.

I am unsure what command to put on interface.

Should the inside LAN interface have "ip nat inside" configured on it?

sMc

Yes. Your LAN interface or translation source should have "ip nat inside" and your WAN interface or translation destination should have "ip nat outside".

So

!
interface fastEthernet0/0
 description LAN
 ip address
 ip nat inside
!
interface fastEthernet0/1
 description WAN
 ip address
 ip nat outside
!
ip nat inside source static network 192.168.101.0 192.168.226.0 /24 no-alias
!

Hope this helps.

Sachin

The no-alias command prevents the router from responding to arp requests (aka proxy arp). This is not required in this case as the subnet is not attached to an existing network (at least I assume it's not).

"ip nat inside source static network 192.168.101.0 192.168.226.0 /24 no-alias" replaces all of your NAT commands. You are not creating a pool, you are creating static 1-to-1 NAT.

Sachin
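
An added example, not part of the thread: the address arithmetic of the 1-to-1 `static network` translation discussed above (network part swapped, host part kept), in Python, with a check that a candidate global prefix does not collide with prefixes already routed. Function names and the in-use prefix list are constructed for illustration.

```python
import ipaddress

LOCAL_NET = "192.168.101.0/24"    # inside local, from the thread
GLOBAL_NET = "192.168.226.0/24"   # inside global, from the thread

def static_network_nat(addr, local_net=LOCAL_NET, global_net=GLOBAL_NET):
    """Inside local -> inside global: swap the network part, keep host bits."""
    local = ipaddress.ip_network(local_net)
    glob = ipaddress.ip_network(global_net)
    if local.prefixlen != glob.prefixlen:
        raise ValueError("local and global networks need the same prefix length")
    ip = ipaddress.ip_address(addr)
    if ip not in local:
        return str(ip)  # not covered by the rule, so left untranslated
    host_bits = int(ip) & int(local.hostmask)
    return str(ipaddress.ip_address(int(glob.network_address) | host_bits))

def reverse_static_network_nat(addr, local_net=LOCAL_NET, global_net=GLOBAL_NET):
    """Inside global -> inside local, for traffic arriving from the WAN."""
    return static_network_nat(addr, local_net=global_net, global_net=local_net)

def overlapping_prefixes(candidate, in_use):
    """Prefixes already in use that a candidate global network would overlap."""
    cand = ipaddress.ip_network(candidate)
    return [p for p in in_use if cand.overlaps(ipaddress.ip_network(p))]

# Constructed list of prefixes already routed; only 192.168.101.0/24
# (the data center subnet) comes from the thread.
PREFIXES_IN_USE = ["192.168.101.0/24", "172.16.240.0/24", "10.10.0.0/16"]

if __name__ == "__main__":
    print(static_network_nat("192.168.101.10"))
    print(reverse_static_network_nat("192.168.226.254"))
    print(overlapping_prefixes(GLOBAL_NET, PREFIXES_IN_USE))
```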

Sachin

Awesome!! Thank you

sMc

Sachin

What is the benefit of using the "no-alias" command?

sMc

Sachin

Please forgive me for my "slowness to understand"

This command " ip nat inside source static network 192.168.101.0 192.168.226.0 /24 no-alias" replaces which command from my original post?

     ip nat pool "name" 192.168.226.0 192.168.226.254 netmask 255.255.255.0

     ip nat inside source list 226 pool "name"

sMc

Sachin

Will I still need the "access-list 226 permit 192.168.226.0 0.0.0.255"?

sMc

Also

Will I need to advertise the 192.168.226.x out to my other sites using BGP?

This way my other site can continue to advertise its .101

sMc

Hmmm. Honestly, I don't have an answer for that. I've never tried NAT and routing protocols before.

Since this is temporary, can you use static routes instead?

Sachin

Sachin

That confuses me a little.

A summary of network, (mostly to organize this in my own head)

-My network is on an AVPN cloud

-I have 5 new sites that need to continue to communicate to each other on this subnet for their VoIP.

-I am or will need to advertise this subnet from my VoIP Call Manager site to the other 4 sites on my AVPN cloud.

So would the static look like ip route 192.168.226.0 255.255.255.0 (LAN interface ip)

router bgp x
 redistribute static

sMc

Ok. So at one of your newly acquired sites, they are using the same subnet as your data centre. You want to translate that one subnet to something else (192.168.226.0/24 in this case) and send it for the other sites. Am I correct?

Why can't you just change the subnet? Because that may be the less complicated option.

I was suggesting that you put a static route on each of the other four routers rather than advertising it over BGP, unless there is a reason for doing that. Because you are denying access from your existing sites to that subnet.

Sachin

Sachin

1). Yes to your first paragraph

2). The VoIP vendor advised the new sites not to change the subnet. Although this would be the best solution.

The new AVPN site where the VoIP Call manager is located has a WAN ip address of 172.16.240.1 (example)

So my static on the other (4) sites (241.1, 242.1 etc..) would be "ip route 192.168.226.0 255.255.255.0 172.16.240.1"

sMc