Source NAT help needed! Combining 2 router configurations

freeman6351
Level 1

Hello Cisco Support Community!!!


Please reference the attached diagram and router configurations. I need to combine the functionality of the PEL NAT router into the main PEL router so I can remove the NAT router. Any guidance including specific configuration changes would be greatly appreciated.

Current NAT functionality summary:

Network hosts at ZNET and XNET sites send data over IPSec tunnels to specific 10.254.6.x addresses (ip access-list extended PARTNER_DESTINED) on the PEL router which are then routed to the PEL NAT router where they are translated to specific Partner site 172.25.200.x addresses via ip nat outside source static. Traffic is then routed back to the main PEL router and sent out the Partner tunnel (ip access-list extended PARTNER_ORIGINATED). ZNET and XNET cannot see traffic to or from the Partner site subnet (they only see the 10.254.6.x subnet). Traffic between the ZNET/XNET sites and the Office site is not translated. There is a different set of hosts at ZNET/XNET sites that send traffic to a server directly connected to the PEL router.

Conditions:

Network hosts at ZNET/XNET cannot show traffic to or from the Partner subnet (172.25.200.0/24). Network hosts at XNET/ZNET cannot change their traffic destination address (10.254.6.x), and the Partner IP addresses (172.25.200.x) they are mapped to can't change either. The Partner router cannot have an IPSec tunnel directly to the ZNET or XNET sites, and the Partner router configuration cannot be changed. Ideally, all changes needed to combine the 2 PEL routers need to be done on the main PEL router.


I tried removing the route-map NAT_PARTNER on the main PEL router and added ip nat inside source static (example: ip nat inside source static 172.25.200.76 10.254.6.46) to get traffic routing from ZNET/XNET to Partner, but this won't hide the Partner destination/source subnet.


Again, any guidance or help to combine these 2 routers into 1 would be appreciated!

4 Replies

Hello,

it looks like, basically, all your PEL_NAT_ROUTER is doing is NAT. It should be possible to achieve that in the PEL_ROUTER. I am currently labbing this... might take a while. I'll be back with a proposed config...

Hello,

I labbed your setup in GNS3, and here is what I have come up with so far:

To move all static NAT entries from PEL_NAT_ROUTER to PEL_ROUTER, configure the static route on the PEL_ROUTER:

PEL_ROUTER(config)#ip route 172.25.200.0 255.255.255.0 GigabitEthernet0/0

Then add static NAT entries on PEL_ROUTER

ip nat outside source static 172.25.200.70 10.254.6.42 add-route
ip nat outside source static 172.25.200.71 10.254.6.43 add-route
ip nat outside source static 172.25.200.72 10.254.6.41 add-route
ip nat outside source static 172.25.200.73 10.254.6.44 add-route
ip nat outside source static 172.25.200.74 10.254.6.45 add-route
ip nat outside source static 172.25.200.76 10.254.6.46 add-route
ip nat outside source static 172.25.200.83 10.254.6.40 add-route
ip nat outside source static 172.25.200.230 10.254.6.34 add-route
ip nat outside source static 172.25.200.231 10.254.6.37 add-route
ip nat outside source static 172.25.200.235 10.254.6.35 add-route
ip nat outside source static 172.25.200.236 10.254.6.36 add-route
ip nat outside source static 172.25.200.237 10.254.6.38 add-route
ip nat outside source static 172.25.200.245 10.254.6.32 add-route
ip nat outside source static 172.25.200.250 10.254.6.33 add-route
ip nat outside source static 172.25.200.252 10.254.6.39 add-route

Question: what is the purpose of the secondary IP address on interface GigabitEthernet0/2 on PEL_ROUTER ? The interface doesn't do any NAT, and it seems that it is only used as the next hop for the static route for network 172.25.200.0 coming from PEL_NAT_ROUTER ?
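
The order-of-operations point behind the add-route keyword in the reply above, as an added example that is not part of the thread and not the poster's attached configuration: a small Python model of how IOS processes ip nat outside source static. It encodes two documented IOS rules (inside-to-outside packets are routed before they are translated; outside-to-inside packets are translated before they are routed) and the effect of add-route (a host route for the outside-local address pointing at the outside-global address). The lab it builds is an assumption: one inside interface named Tunnel1 carrying the XNET prefix 10.17.0.0/16, one outside interface GigabitEthernet0/0 toward the Partner, no default route, and only the 172.25.200.76 / 10.254.6.46 mapping from the list above.

```python
"""Model of Cisco IOS 'ip nat outside source static' order of operations.

Added example for the thread; not the poster's configuration.
Modelled rules:
  * inside -> outside: route on the untranslated destination, then translate
    outside-local -> outside-global;
  * outside -> inside: translate source outside-global -> outside-local, then route;
  * 'add-route' installs a /32 route for the outside-local address via the
    outside-global address.
Interface names, the XNET prefix and the absence of a default route are
assumptions made for this lab.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Router:
    nat_role: dict                                  # interface -> "inside" | "outside"
    routes: list = field(default_factory=list)      # (network, next_hop, interface)
    outside_static: dict = field(default_factory=dict)  # outside-global -> outside-local

    def add_route(self, prefix, next_hop=None, interface=None):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, interface))

    def nat_outside_source_static(self, outside_global, outside_local, add_route=False):
        self.outside_static[outside_global] = outside_local
        if add_route:
            # What the add-route keyword does: host route for the outside-local
            # address, next hop = the outside-global address.
            self.add_route(f"{outside_local}/32", next_hop=outside_global)

    def egress_interface(self, dst, depth=0):
        """Longest-prefix match with recursive next-hop resolution (bounded)."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches or depth > 4:
            return None
        _, next_hop, iface = max(matches, key=lambda r: r[0].prefixlen)
        return iface if iface else self.egress_interface(next_hop, depth + 1)

    def forward(self, pkt, ingress):
        """Return (egress interface, packet as it leaves) or (None, None) if dropped."""
        if self.nat_role[ingress] == "inside":
            # inside -> outside: routing happens first, on the outside-local address
            egress = self.egress_interface(pkt.dst)
            if egress is None:
                return None, None
            local_to_global = {v: k for k, v in self.outside_static.items()}
            if self.nat_role.get(egress) == "outside" and pkt.dst in local_to_global:
                pkt = Packet(pkt.src, local_to_global[pkt.dst])  # then translate dst
            return egress, pkt
        # outside -> inside: translation happens first, on the source address
        if pkt.src in self.outside_static:
            pkt = Packet(self.outside_static[pkt.src], pkt.dst)
        egress = self.egress_interface(pkt.dst)                    # then route
        return (egress, pkt) if egress else (None, None)


def build_lab(add_route):
    """Assumed lab: Tunnel1 = inside (XNET), GigabitEthernet0/0 = outside (Partner)."""
    r = Router(nat_role={"Tunnel1": "inside", "GigabitEthernet0/0": "outside"})
    r.add_route("10.17.0.0/16", interface="Tunnel1")                 # XNET (assumed prefix)
    r.add_route("172.25.200.0/24", interface="GigabitEthernet0/0")  # static route from the reply
    r.nat_outside_source_static("172.25.200.76", "10.254.6.46", add_route=add_route)
    return r


def xnet_to_partner(add_route):
    """XNET PC 10.17.0.10 pings the mapped address 10.254.6.46."""
    return build_lab(add_route).forward(Packet("10.17.0.10", "10.254.6.46"), "Tunnel1")


def partner_to_xnet():
    """Partner PC 172.25.200.76 replies to 10.17.0.10 (lab with add-route)."""
    return build_lab(True).forward(Packet("172.25.200.76", "10.17.0.10"), "GigabitEthernet0/0")


if __name__ == "__main__":
    print("no add-route :", xnet_to_partner(False))
    print("with add-route:", xnet_to_partner(True))
    print("reply        :", partner_to_xnet())
```

Without add-route (and without any other route covering 10.254.6.46) the model drops the packet before translation is ever consulted, because the inside-to-outside route lookup runs on the untranslated 10.254.6.46. With add-route the host route resolves through 172.25.200.0/24 to the outside interface, the destination is rewritten to 172.25.200.76, and the reply comes back with its source rewritten to 10.254.6.46, so the XNET side only ever sees the 10.254.6.x address, which is the condition the original post sets. The model does not cover an address on the router itself overlapping 10.254.6.x, or interfaces that are missing the ip nat inside / ip nat outside designation; it only shows the direction and ordering semantics.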

Hi!

The purpose of the secondary IP on G0/2 is just as you interpreted. It is the next hop for the static route for network 172.25.200.0 coming from PEL_NAT_ROUTER. Will we still need to figure out how the route map NAT_PARTNER and the 2 ACLs PARTNER_ORIGINATED and PARTNER_DESTINED will need to be adjusted?

Hello,

I tried the configuration adjustments above, but it still would not NAT correctly. I removed the route-map NAT_PARTNER from G0/0, added the ip nat outside source static lines, and the ip route 172.25.200.0. When I run a ping from an XNET PC (10.17.0.10) to 10.254.6.46, the main PEL router responds instead of routing the traffic to the matching Partner endpoint 172.25.200.76.

If I remove for example

ip nat outside source static 172.25.200.76 10.254.6.46 add-route

and replace it with

ip nat inside source static 172.25.200.76 10.254.6.46 (ip nat inside won't allow add-route)

and then run a ping from XNET PC 10.17.0.10 to 10.254.6.46, the Partner PC 172.25.200.76 receives the icmp packet and replies, but the XNET PC never receives the reply from packet captures on both ends.

Also, when I ping from the Partner PC 172.25.200.76 to the XNET PC 10.17.0.10, the XNET PC never receives the echo request.

Did I do something wrong, and if not, does anyone have any input on what I can try next?
