
re-route destination IP addresses

stephendrkw
Level 3

I'm working on a migration project from London to Frankfurt for some particular internet hosts on our Internet DMZ. Most customers point to a URL (the public-facing website) and connect to London, though there are a number of customers who point to the /32 IP address rather than the URL (I can't give detailed reasons for this - financial trading). The /24 block owned and advertised by London is a shared /24 hosted network on our DMZ. We are migrating about 10 IP addresses from the /24 network to Frankfurt. Obviously changing the DNS for the URL to point to a new Frankfurt-hosted /32 IP address is the easy part and the plan. The hard part: what about the customers who point to the IP address rather than the URL? For these customers, without educating them (given the sheer number of clients), is there a way on our ISP router, for any connections sent to a London destination /32, to NAT this destination into the new Frankfurt-hosted network IP address, using a route map perhaps, so that BGP could route this destination traffic to the new Frankfurt IP address? As this is a destination IP address I'm not sure this network loop would be possible, and I consider this method to be the last thing I want to do! However, I cannot afford for customers to lose connection to the new IP address during migration if they configured the IP address in their app instead of the URL (contacting and educating these customers is not the easiest feasible way, if you all can understand!)

12 Replies

Mark Malone
VIP Alumni

Hey Stephen

Can you not use a route-map like you said and just use the set ip next-hop command and match against their specific IP addresses so they are redirected to the new IP? That way it will only occur for their specific IPs and not affect anyone else in the range.

Hi Mark,

That's helped thanks.

I really now need to think about how to set up an outside NAT, i.e. NAT the incoming source traffic destined for the old London host IP address using an ACL, then NAT the London destination into the Frankfurt new destination host IP address (Outside Global): ip nat destination outside

with an ACL route-map for set ip next-hop.

As above, if the customer points to the old London IP address I need to NAT this specific London destination address into the new Frankfurt host before the set ip next-hop. I've rarely used ip nat destination outside! Can you suggest a config?

Can you just clarify why you need destination NAT?

You say you are migrating the IPs to the new office, so why is it not just a routing issue?

Or are you using new IPs in the new office ?

Jon

I should say migrating services but not IP addresses! The new destination hosts/servers for customers will be new IP addresses hosted by the Frankfurt office. So for this reason, if customers are still pointing to the old IP addresses in London, I would like to somehow send this London destination traffic to the new Frankfurt IP address without the customer knowing and eliminate any downtime until the end users finally make the Frankfurt IP address change (a lot of users do not use DNS, they use the IP address in the API), in case you asked about DNS.

Not something I like doing, but I need to eliminate any risk or loss of connection when the servers are switched from the old London IP to the new Frankfurt IP. There are thousands of customers!

So is this going to be done on one device, i.e. the translation?

And if so, what is this device and how exactly is the NAT set up on that device for the existing public IP?

This could be somewhat tricky because you need to effectively translate the IP and then probably send it back out of the same interface it came in on unless the offices are connected via different links than the one the internet requests come in on.

Can you provide some more details.

Jon

One device

What I was thinking, it's messy. Traffic will be coming in and going out on the same public internet-facing interface, so obviously NAT is required. There are no existing interface NAT statements on the ISP serial link.

So is it a router?

And these public IPs, you want to redirect them off the router before they are passed through to a firewall, for example?

Just trying to get an idea of exactly what the setup is as I can do a quick test in a lab.

I suspect you are going to have to route via a loopback interface on the router.

So does the router have any NAT statements (guessing not from what you have said), and could you add loopbacks to that router if needed?

Jon

The ISP router is an ASR1002-X.

We can create a loopback interface if needed. These are public IP addresses.

No NAT; all the NATs are taken care of by the Firewall and Abor. Traffic comes in on s0/1 > Gi0/1 off to the Firewall and Abor, if validated traffic.

Just to let you know still testing this but so far no luck.

Tried with s0/1 as both inside and outside NAT etc. and using a loopback with PBR to try and force traffic back the way it came but not working as of yet.

Will have another look when I get the chance.

Jon

OK, thanks for your help on this.

I think I have a working solution but you obviously need to test it especially as I was using IOS and ASRs are different.

I tested with two IPs one of which should still be routed to the firewall and one which should be translated to one of your new IPs and then routed back out via the serial interface.

So using private IPs as an example where 192.168.3.1 is the existing IP and 192.168.4.1 is the new IP -

1) Create a loopback; it can have any IP you want (not one of the public ones), and add "ip nat inside".

The loopback is purely for NAT, so there is no need to advertise the IP in your routing tables.

2) Add "ip nat outside" to the serial interface.

3) Configure PBR, and this has to be applied to the serial interface, i.e.

access-list 101 permit ip any host 192.168.3.1

route-map PBR permit 10
 match ip address 101
 set interface Loopback <x>

int s0/1
 ip policy route-map PBR

4) configure a static NAT translation for the IPs -

ip nat inside source static 192.168.4.1 192.168.3.1

That worked in the lab, i.e. traffic to any 192.168.3.x IP that was meant to go to the firewall did, whereas traffic to 192.168.3.1 was translated to 192.168.4.1 and redirected back out of the serial interface.

Obviously your router needs a route to 192.168.4.1 but I suspect you have a default route anyway.

Like I say, definitely needs testing.

Any questions etc. let me know.

Jon
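Pulling Mark's route-map suggestion, Stephen's destination-NAT question and Jon's four steps together, here is the full router configuration as one listing. This is an added example, not Jon's lab config or Stephen's production config. It assumes Loopback0 with a constructed private address, Serial0/1 as the ISP-facing interface, Gi0/1 towards the firewall, and Jon's example addresses (192.168.3.1 old London host, 192.168.4.1 new Frankfurt host). A second migrated host (192.168.3.2 to 192.168.4.2) is constructed to show how the pattern scales to the ~10 addresses being moved, and route-map entry 20 with access-list 102 is an extension beyond Jon's lab for the return path, to be verified in the same test window.

```cisco
! Added example (not the thread's own config). Addresses below are constructed.
! 192.168.3.1 / 192.168.3.2 = old London hosts (inside global)
! 192.168.4.1 / 192.168.4.2 = new Frankfurt hosts (inside local)

! 1) Loopback used only as the "ip nat inside" hairpin; its address is not
!    advertised anywhere.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 ip nat inside

! 2) ISP-facing interface: NAT outside, with PBR applied to ingress traffic.
interface Serial0/1
 ip nat outside
 ip policy route-map PBR

! 3) Match ONLY the migrated /32s. Every other 192.168.3.x address falls
!    through the ACL's implicit deny and is routed normally to the firewall
!    via Gi0/1, so the rest of the shared /24 is unaffected.
access-list 101 remark Customer traffic to migrated London hosts
access-list 101 permit ip any host 192.168.3.1
access-list 101 permit ip any host 192.168.3.2

! Return path (assumption, extends Jon's lab): replies from the Frankfurt
! hosts that arrive on Serial0/1 are hairpinned the same way so their source
! is rewritten back to the old London address on the inside-to-outside pass.
access-list 102 remark Replies from Frankfurt hosts to customers
access-list 102 permit ip host 192.168.4.1 any
access-list 102 permit ip host 192.168.4.2 any

route-map PBR permit 10
 match ip address 101
 set interface Loopback0
route-map PBR permit 20
 match ip address 102
 set interface Loopback0

! 4) One static translation per migrated host: inside local (Frankfurt)
!    <-> inside global (old London address).
ip nat inside source static 192.168.4.1 192.168.3.1
ip nat inside source static 192.168.4.2 192.168.3.2

! Verification during the test window:
! show ip nat translations      - both static entries present
! show route-map PBR            - "Policy routing matches" counters increment
! show ip policy                - confirms PBR is bound to Serial0/1
! show access-lists             - per-host match counts for 101 and 102
! debug ip nat detailed         - trace one test flow (use sparingly on a
!                                 production ASR)
```

Two points to check before relying on it. First, traffic hairpinned this way leaves Serial0/1 without ever reaching the London firewall and Abor (the path Stephen describes for everything else), so the Frankfurt side must apply its own inspection to these ten hosts from day one. Second, static NAT only rewrites a reply if that reply transits this router: if Frankfurt's servers answer customers over Frankfurt's own internet path, the customer receives packets from 192.168.4.x instead of the 192.168.3.x it connected to and the session fails, which is why the end-to-end test Jon asks for should include a real client session, not just a ping to the translated address.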

Followed perfectly! And I understand why this would work.

I'm going to test in a week or so. I'll let you know the results and post here.

There is no reason I would've thought why this will not work, unless there is something local to our setup.

Thanks.
