03-12-2019 08:02 AM
I have been following a NAT tutorial and I have a simple question to ask.
Assume there is only 1 IP, 209.165.100.30, configured on g0/0 and we want to NAT the IP 209.165.100.29 to the HoneyPot server. Where and how are we going to set the IP 209.165.100.29? Do I install a 2nd NIC on the HoneyPot server and give it the 209.165.100.29 IP?
company#conf t
company(config)#int g0/0
company(config-if)#ip nat out
company(config-if)#int g0/1
company(config-if)#ip nat inside
company(config-if)#
company(config)#ip nat inside source static 10.0.0.240 209.165.100.29
03-12-2019 08:10 AM - edited 03-12-2019 08:13 AM
Hi @leowls ,
No, since, after the translation of the IP, the border router announces that address as the origin of the messages sent by the server, even though it does not exist physically in any interface.
When the messages return to the frontier router, it translates the IP and sends the message to the corresponding private IP.
Remember to mark the correct answers as solved, because that helps other users with similar doubts.
Regards
03-13-2019 10:34 AM
Hi Luis,
So 209.165.100.29 does not need to be configured on any router interface, since it is already included in the /30 mask on the g0/0 interface?
03-13-2019 11:49 AM - edited 03-13-2019 11:53 AM
Hi @leowls ,
The network linking the routers YourRouter and Company has a /28 mask.
This mask is necessary for the types of NAT that ask for it.
As I understand from the image that you attached:
In the router Company you need 2 public IP addresses, one for the physical interface (209.165.100.30) and another to be able to do the static NAT (209.165.100.29).
In the router YourRouter you were assigned 8 public IP addresses (209.165.100.17-24), of which you must use one for the physical interface and the others to be able to do the dynamic NAT.
As you can see, the public IP you will use for static NAT, and the public IPs that you will use for dynamic NAT, are not assigned to any physical interface, but are only used to translate private IPs.
Anyway, all those public IPs are part of the same network, so you need a mask that can include them, like the mask /28 in your case.
Remember to mark the correct answers as solved, because that helps other users with similar doubts.
Regards
03-12-2019 08:12 AM - edited 03-12-2019 08:13 AM
Hello,
You can create a second NIC on your honeypot with this IP, or create a port forward (NAT) on the Company router redirecting to your server, if I understood your doubt.
03-12-2019 08:27 AM - edited 03-13-2019 06:51 PM
Hello
Honeypot to me means to blackhole traffic; however, if my understanding is correct, here you wish just to have a 1-to-1 static NAT entry, and if that's the case then your config looks okay. Assuming your inside global addressing range is indeed /28 and not /30, then 209.65.100.29 will be available to use in that subnet.
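The two points made in the replies above, as an added example that is not part of any post in this thread: a static NAT entry rewrites addresses without the global IP living on any interface, and 209.165.100.29 is only free for that use when g0/0 has a /28 rather than a /30. The names `classify_global` and `StaticNat` are hypothetical, the client address 198.51.100.7 is constructed, and the code assumes the outside link joins exactly two routers.

```python
import ipaddress

def classify_global(outside_if: str, inside_global: str) -> str:
    """Can this inside-global address be used for static NAT on the outside link?"""
    iface = ipaddress.ip_interface(outside_if)
    addr = ipaddress.ip_address(inside_global)
    net = iface.network
    if addr not in net:
        return "off-subnet"          # not part of the outside interface's network
    if addr in (net.network_address, net.broadcast_address):
        return "reserved"
    if addr == iface.ip:
        return "interface-address"   # already the router's own interface IP
    # Assumption: two routers share the link, so two host addresses are taken.
    spare = net.num_addresses - 2 - 2
    return "available" if spare > 0 else "neighbor-only"

class StaticNat:
    """One-to-one table in the sense of 'ip nat inside source static <local> <global>'."""
    def __init__(self, entries):
        self.to_global = {ipaddress.ip_address(l): ipaddress.ip_address(g)
                          for l, g in entries}
        self.to_local = {g: l for l, g in self.to_global.items()}

    def outbound(self, src: str, dst: str):
        """Inside to outside: the source is rewritten to the global address."""
        s = ipaddress.ip_address(src)
        return str(self.to_global.get(s, s)), dst

    def inbound(self, src: str, dst: str):
        """Outside to inside: the destination is rewritten back to the private IP."""
        d = ipaddress.ip_address(dst)
        return src, str(self.to_local.get(d, d))

if __name__ == "__main__":
    for mask in ("/28", "/30"):
        print(mask, classify_global("209.165.100.30" + mask, "209.165.100.29"))
    nat = StaticNat([("10.0.0.240", "209.165.100.29")])
    print(nat.outbound("10.0.0.240", "198.51.100.7"))    # honeypot replies
    print(nat.inbound("198.51.100.7", "209.165.100.29"))  # client reaches honeypot
```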