PAT from outside to inside?
02-24-2009 02:07 AM - edited 03-04-2019 03:41 AM
Hello,
I'm looking for a way to do PAT from an outside to an inside interface, on a 2811 router running IOS 12.4.
I've checked the documentation and only found information for PAT from inside to outside, but it is not clearly said that we can't do it on the other side.
The "ip nat outside" command does not accept the "overload" keyword...
Is there a way to implement PAT this way or do I have to switch nat configuration (inside <-> outside)?
Thanks in advance for your help.
Jeremie
02-24-2009 02:38 AM
Jeremie
Unfortunately I don't have a router to test with at the moment, but from memory I don't believe you can specify the "interface
What you can do though is use a NAT pool, i.e.
access-list 101 permit ip any any
ip nat pool SNAT 192.168.5.1 192.168.5.10 netmask 255.255.255.0
ip nat outside source list 101 pool SNAT
This should translate all incoming src addresses to 192.168.5.1 - 10. If you just want to translate to 1 address make the NAT pool only have 1 address.
Jon
02-24-2009 08:18 AM
Hi Jon,
Thanks for your answer.
If I understand correctly, you propose a NAT solution, and not a PAT solution.
That means my pool must contain as many addresses as the number of source IPs to NAT. Is that right?
Regarding my needs, many people, from a customer company, with private addresses (not routable) need to reach a server in my company.
As the router is owned by my company and is used to protect it, the "inside" has been defined on our side and outside on customer's side.
But, as you said, the "overload" keyword is not available with "ip nat outside".
Does that mean I'll have to change all the nat configuration by switching inside to outside (and outside to inside)?
Thx in advance for your help.
Jeremie
02-24-2009 10:21 AM
Jeremie
Apologies, after reading my original post I can see how it may have confused the issue. Yes, I am proposing a one-to-one NAT because, as you say, the overload keyword is not available. Interestingly this type of thing is trivial to do with a PIX/ASA. I thought I had done this before on a router but perhaps I am remembering incorrectly.
My point was that you can use any unused IP range (private IPs) to NAT the customer IPs to. As long as the IP range you select is routed back to the inside interface of your router when the server sends a packet back to the client, it should work fine.
Jon
03-03-2009 09:11 AM
Hi, I require the same thing. Have you got any solution?
03-04-2009 12:37 AM
Hi t4tauseef33,
No, I did not find any solution.
What Jon proposes works but, in my case, I can't use private addresses. I can only use one public address...
The only solution I found is to reverse the NAT (outside->inside changed to inside->outside).
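The reversal described in the post above, sketched as an added example that is not part of the original thread. The interface names, the customer range 10.20.0.0/16, the server address 203.0.113.10, the port and the ACL number are all assumptions constructed for illustration.

```cisco
! Added example (not from the thread). All names and addresses are constructed:
!   FastEthernet0/0 = customer-facing link
!   FastEthernet0/1 = company-facing link
!   10.20.0.0/16    = customer private range
!   203.0.113.10    = company server, reached on TCP 443
!
! The customer side is declared NAT "inside" so that "overload" is available.
interface FastEthernet0/0
 description Link to customer
 ip nat inside
!
interface FastEthernet0/1
 description Link to company network
 ip nat outside
!
! Select only customer sources talking to the one server and port for
! translation, instead of "permit ip any any".
access-list 101 permit tcp 10.20.0.0 0.0.255.255 host 203.0.113.10 eq 443
!
! PAT: every matching customer source is hidden behind the single
! address of the company-facing interface.
ip nat inside source list 101 interface FastEthernet0/1 overload
```

The NAT access list only selects which traffic is translated, so filtering of what the customer may reach still needs an access-group on the customer-facing interface. Because the server sees a single source address for all customer hosts, `show ip nat translations` on the router is where individual sessions remain distinguishable.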
04-13-2009 10:51 PM
Hi,
Did you find a solution to your problem?
If you make a static PAT translation from inside to outside it can be used from outside to inside too.
For example:
ip nat inside source static tcp (inside_address) 80 interface (outside_interface) 80
That way when you attempt to connect from the internet to the outside address of your router on port 80 you will be redirected to the inside address that you have defined.
The other thing is to specify which interface is inside and which is outside:
#int (inside)
ip nat inside
#int (outside)
ip nat outside
Hope I helped!
Regards.
04-14-2009 04:41 AM
Jeremie:
You cannot PAT from outside to inside because of the NAT order of operations.
When a packet is received on a NAT inside interface, it will route before it NATs. So, when a packet has a destination address that matches the NAT inside interface address, the packet will be routed right there and die with no NAT translation.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
HTH
Victor
04-14-2009 10:14 PM
..
04-15-2009 01:11 AM
You can NOT implement PAT from Outside to inside. Overload is made to translate only Inside traffic.
