SNAT and DNAT at the same time?

m4rk0
Level 1

Hi Group,

 

I have posted a more detailed post about this issue, but it got blocked by the moderator.

 

I'm wondering if any of you know if the following scenario is possible and maybe give me some tips:

 

I need to configure 3900 to do source and destination NAT at the same time.

The router needs to hide the original source address (random hosts on the internet) from the internal server

In essence, I'm looking to do the following:

 

Inbound packet (from the internet): source 33.33.33.33 destination 22.22.22.234

Outbound packet (to the test server): source 10.0.0.1 destination 10.0.0.65

 

Has anyone tried this scenario?

 

Thanks,

 

9 Replies

Dennis Mink
VIP Alumni

Yes this is possible, what have you got so far and what is not working?

Please remember to rate useful posts, by clicking on the stars below.

Hi,

 

Here is where I got so far:

 

interface GigabitEthernet0/1
 ip address 22.22.22.226 255.255.255.240
 ip nat outside
interface GigabitEthernet0/0.100
 ip address 10.0.0.1 255.255.255.0
 ip nat inside

ip nat pool nat-pool 22.22.22.226 22.22.22.226 netmask 255.255.255.240
ip nat pool source-nat-pool 10.0.0.1 10.0.0.1 netmask 255.255.255.0
ip nat inside source list 120 pool nat-pool overload
ip nat inside source static tcp 10.0.0.65 22 22.22.22.234 22 extendable
ip nat outside source list 90 pool source-nat-pool

access-list 90 permit 33.33.33.33
access-list 120 permit ip 10.0.0.0 0.0.0.255 any

 

This is what I captured using tcpdump on the server.

13:34:17.010680 IP 10.0.0.1.11993 > 10.0.0.65.22: Flags [S], seq 550116875, win 65535, options [mss 1452,sackOK,TS val 56150304 ecr 0,nop,wscale 13], length 0
13:34:17.010701 IP 10.0.0.65.22 > 10.0.0.1.11993: Flags [S.], seq 440139489, ack 550116876, win 28960, options [mss 1460,sackOK,TS val 370492902 ecr 56150304,nop,wscale 7], length 0
13:34:17.010946 IP 10.0.0.1.11993 > 10.0.0.65.22: Flags [R], seq 550116876, win 0, length 0

 

router#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.0.0.1           33.33.33.33
tcp 22.22.22.234:22    10.0.0.65:22       ---                ---

 

Can anyone help me?

M4rk0

Hello


@m4rk0 wrote:
The router needs to hide the original source address (random hosts on the internet) from the internal server

You show only a specific destination NAT in your example, but given the above statement (random hosts), are you implying there will be multiple hosts connecting just to one specific server, or a cluster of servers with a VIP address?

 

Also are you wanting just one public ip assigned to the internal server?

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

 

Yes - ACL 90 is only here for testing and will be replaced with an any/any statement when this is working.

Yes - multiple servers connecting to one VIP.

 

This is what the situation is:

Multiple_IPs (S) -> Port_on_Router (D)

NATed to

Router_LAN_IP (S) -> Port_on_Linux_Server (D)

 

Any ideas what am I doing wrong?

 

Hello

The below should allow any external host hitting 22.22.22.234  to be LB towards the internal servers stated in the nat pool

 

access-list 10 permit 22.22.22.234

ip nat pool real-servers 10.0.0.x 10.0.0.x prefix-length 24 type rotary
ip nat inside destination list 10 pool real-servers

 



Kind Regards
Paul

Hey Paul,

 

Thanks for that, but it's not quite what I'm looking for. I need a way of changing the source IP address as packets go through the router. Currently, when they reach the internal server, the source is set to the original IP of the client (33.33.33.33 in this example), and I need the router to change it to its interface address (10.0.0.1) or a VIP from the same subnet.

 

Any ideas?

 

Hello

Can you try the following then:

Internal inside host 10.0.0.1
Public outside host 22.22.22.234
Public nat pool 22.22.22.224/28


access-list 90 permit any
ip nat pool nat-pool 22.22.22.227 22.22.22.233 netmask 255.255.255.240
ip nat outside source list 90 pool nat-pool
ip nat inside source static 10.0.0.1 22.22.22.234

 

This should make any external source address outside the NAT boundary (the Internet) be seen as coming from the NAT pool public subnet when trying to connect to 22.22.22.234



Kind Regards
Paul

Hello,

 

After adding these entries I've noticed some dynamic mappings:

--- --- --- 22.22.22.227 1.132.111.190
--- --- --- 22.22.22.228 1.128.111.59
--- --- --- 22.22.22.229 1.128.109.71
--- --- --- 22.22.22.230 1.132.105.220
--- --- --- 22.22.22.231 1.128.110.24
--- --- --- 22.22.22.232 1.0.14.1
--- --- --- 22.22.22.233 1.128.104.70

I don't know what these 1.x.x.x IP addresses are, but now no packets are making it to the internal server

 

Please advise,

 

Hello

Maybe the ACE entry any any in the ACL is too generic; make it more specific for, say, one host, and also the NAT pool, and test again:

access-list 90 permit xxx
ip nat pool nat-pool 22.22.22.226 22.22.22.226 netmask 255.255.255.240



Kind Regards
Paul
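For reference, an added example (not from this thread, and not a Cisco-provided configuration) of static twice NAT that rewrites both addresses for the single test client from the original post, keeping the existing port-forward for SSH. It assumes 10.0.0.2 is an unused address in the inside subnet, chosen so the outside-local address is not the router's own inside interface address, and uses add-route so the router installs a route for 10.0.0.2 toward the outside interface.

```cisco
! Added example, not from the thread. 10.0.0.2 is an assumed free address.
interface GigabitEthernet0/1
 ip address 22.22.22.226 255.255.255.240
 ip nat outside
!
interface GigabitEthernet0/0.100
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Destination NAT (from the thread): public 22.22.22.234:22 -> server 10.0.0.65:22
ip nat inside source static tcp 10.0.0.65 22 22.22.22.234 22 extendable
!
! Source NAT for the test client: 33.33.33.33 is seen by the server as 10.0.0.2.
! add-route lets the router route the server's replies to 10.0.0.2 back out
! Gi0/1, where they are untranslated to 33.33.33.33.
ip nat outside source static 33.33.33.33 10.0.0.2 add-route
!
! Expected on the server side: SYN from 10.0.0.2 to 10.0.0.65:22, and a
! translation row with outside local 10.0.0.2 / outside global 33.33.33.33 in
! "show ip nat translations".
```

This covers one client; a many-clients variant needs an outside-local pool of spare inside-subnet addresses instead of a single static entry.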