11-28-2009 01:07 PM - edited 03-04-2019 06:49 AM
Hi, All!
Configuration:
interface FastEthernet0/0
ip address 172.22.2.63 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/1
ip address 172.22.4.63 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
ip nat inside source list nat_acl interface FastEthernet0/0 overload
ip nat inside source static 172.22.4.64 172.22.2.63 route-map nat-rmap extendable
!
ip access-list extended nat_acl
permit ip host 172.22.4.64 host 172.22.2.60
!
!
route-map nat-rmap permit 10
match ip address nat_acl
Goal:
I need to translate 172.22.4.64 to 172.22.2.63 only if 172.22.2.60 tries to communicate with 172.22.2.63.
Problem:
172.22.4.64 is NATed to 172.22.2.63 even if any 172.22.2.x host tries to connect to 172.22.2.63.
debug ip nat is not helpful, and neither is nat_acl logging.
11-28-2009 01:50 PM
Not really clear what you are trying to do.
You have 2 NAT statements but they seem to be trying to do the same thing, i.e. when 172.22.4.64 sends IP traffic to 172.22.2.60, NAT the source address to 172.22.2.63.
But you say you need to translate 172.22.4.64 to 172.22.2.63 only if 172.22.2.60 tries to communicate with 172.22.2.63. Not really clear what you want.
Can you explain:
1) the original src and destination IP addresses and the direction of traffic.
2) what you would like to NAT, i.e. src or dst or both, and when you want to NAT it, i.e. what conditions.
Jon
11-29-2009 12:02 AM
OK.
My example is not correct. Let me explain:
I need src NAT for inside hosts (172.22.4.0/24, for example internet access for the private network) and I also need dst NAT for one outside host:
dst 172.22.2.63 -> 172.22.4.64
All other outside hosts should not initiate connections from outside.
i.e. my configuration:
!
ip nat inside source list inside_acl interface FastEthernet0/0 overload
ip nat inside source static 172.22.4.64 172.22.2.63 route-map nat-rmap extendable
ip access-list extended inside_acl
permit ip 172.22.4.0 0.0.0.255 any
!
ip access-list extended nat_acl
permit ip host 172.22.4.64 host 172.22.2.60
!
route-map nat-rmap permit 10
match ip address nat_acl
In real-world experience, not only 172.22.2.60 can initiate connections from outside. For example, I can connect to 172.22.2.63 from 172.22.2.59 and it will also be dst-NATed to 172.22.4.64.
Another interesting observation:
route-map nat-rmap, permit, sequence 10
Match clauses:
ip address (access-lists): nat_acl
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Nothing matches the route-map.
11-30-2009 08:41 AM
Apologies for the delay in replying to this but I had to test it with dynamips.
Okay, firstly the problem with the route-map not matching is because you haven't applied it to an interface. However that isn't the solution.
The main problem is that a static NAT is bi-directional, i.e. it works whether connections are initiated from the inside or from the outside. So the closest I got was this:
int fa0/0
ip address 172.22.4.63 255.255.255.0
ip nat inside
ip policy route-map nat-rmap
int fa0/1
ip address 172.22.2.63 255.255.255.0
ip nat outside
ip access-list extended inside_acl
permit ip 172.22.4.0 0.0.0.255 any
ip access-list extended nat_acl
permit ip host 172.22.4.64 host 172.22.2.60
ip access-list extended deny_acl
permit ip host 172.22.4.64 any
route-map nat-rmap permit 10
match ip address nat_acl
route-map nat-rmap permit 20
match ip address deny_acl
set interface Null0
What the above does is:
1) Only allows 172.22.2.60 to connect to 172.22.2.63, which then gets NATed to 172.22.4.64. All other outside hosts cannot make a connection.
2) Allows all inside hosts (with the exception of 172.22.4.64) to make connections outbound, and the source addresses get PATed to 172.22.2.63.
But
3) It allows 172.22.4.64 to make outbound connections to 172.22.2.60 but not to any other IP address, which I'm guessing is not what you want.
So I took a different approach. Because the static NAT is bi-directional, the only way I found to control this properly is to use an ACL on the outside interface, and because of this there is no need for the route-map configuration, i.e.:
int fa0/0
ip address 172.22.4.63 255.255.255.0
ip nat inside
int fa0/1
ip address 172.22.2.63 255.255.255.0
ip nat outside
ip access-group 101 in
ip nat inside source list all interface fa0/1 overload
ip nat inside source static 172.22.4.64 172.22.2.63
ip access-list extended all
permit ip 172.22.4.0 0.0.0.255 any
access-list 101 permit ip host 172.22.2.60 host 172.22.2.63
....
access-list 101 deny ip any host 172.22.2.63
In ACL 101 above the .... represents ACL entries that you need to include for any traffic that you want to allow to 172.22.2.63, i.e. the 172.22.4.64 server inside. The key thing to note is that you will have to allow any return traffic from a connection initiated by 172.22.4.64 to the outside, otherwise it will be dropped by ACL 101.
If it's TCP you could obviously use the established keyword. Or you can use reflexive ACLs to allow TCP/UDP/ICMP.
That is the only way I could get this to work. There is a nagging thought that it should work with NAT and route-maps but I haven't managed to find a way as yet.
Jon
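As an added illustration of the point above that a static NAT is bi-directional (this is not code from the thread or from Cisco): a small Python checker that parses a constructed IOS-style config using the thread's addresses and reports which outside sources can reach the static mapping's global address, with and without an inbound ACL on the NAT-outside interface. The config text, and the limitation to host/any ACL entries, are assumptions of this example.

```python
import re
# Constructed sample config (not the thread's router) using the thread's
# addresses, with the inbound ACL described above bound on the NAT-outside side.
RESTRICTED_CFG = """\
interface FastEthernet0/1
 ip nat outside
 ip access-group 101 in
!
ip nat inside source static 172.22.4.64 172.22.2.63
access-list 101 permit ip host 172.22.2.60 host 172.22.2.63
access-list 101 deny ip any host 172.22.2.63
"""
# Same config with the ACL and its binding stripped: the exposed case from the thread.
EXPOSED_CFG = "\n".join(ln for ln in RESTRICTED_CFG.splitlines() if "access" not in ln)

def parse(cfg):
    """Return (inbound ACL name per NAT-outside interface, static NATs, ACEs by ACL)."""
    outside = {}
    for intf, body in re.findall(r"^interface (\S+)\n((?: .*\n?)*)", cfg, re.M):
        if " ip nat outside" in body:
            m = re.search(r"ip access-group (\S+) in", body)
            outside[intf] = m.group(1) if m else None
    statics = re.findall(r"^ip nat inside source static (\S+) (\S+)", cfg, re.M)
    acls = {}
    for name, act, rest in re.findall(r"^access-list (\S+) (permit|deny) ip (.+)$", cfg, re.M):
        acls.setdefault(name, []).append((act, rest))
    return outside, statics, acls

def who_can_reach(cfg):
    """Outside sources allowed to reach each static-NAT global address. Static NAT is
    bidirectional, so only an inbound ACL on each NAT-outside interface narrows 'any'."""
    outside, statics, acls = parse(cfg)
    report = {}
    for inside, glob in statics:
        allowed, denied = set(), set()
        for acl in outside.values():
            # No ACL bound (or bound but undefined) behaves like 'permit ip any any'.
            for act, rest in acls.get(acl, [("permit", "any any")]):
                m = re.fullmatch(r"(any|host \S+) (any|host \S+)", rest)
                if not m or m.group(2) not in ("any", f"host {glob}"):
                    continue
                src = m.group(1).replace("host ", "")
                if act == "deny":
                    denied.add(src)
                elif src not in denied:
                    allowed.add(src)
                if src == "any":
                    break  # permit any / deny any: later ACEs can never match
        report[glob] = (inside, sorted(allowed))
    return report
```

Running who_can_reach on both constructed configs shows the mapping reachable from "any" outside host without the ACL and only from 172.22.2.60 with it.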
11-30-2009 09:06 AM
Slight update to the previous post.
All traffic will be returning to 172.22.2.63, so the ACL 101 I used in the previous example just won't work.
So the only way would be to either use reflexive ACLs to allow the return traffic, or IOS firewall.
Jon
11-30-2009 09:28 AM
Very interesting, John. Thank you very much for your response.
>>But
>>3) It allows 172.22.4.64 to make outbound connections to 172.22.2.60 but not to any other IP address, which I'm guessing is not what you want.
This is perfectly suited to us. To be precise, 172.22.2.60 and 172.22.2.63 are IPsec peers.
But there is another very important requirement for such a configuration. It must allow, for example, establishing an SSH connection or GRE tunnel to the router itself from the external network.
12-22-2009 11:45 PM
Is it possible? Any ideas?
12-23-2009 04:00 AM
ip nat pool pool1 172.22.2.60 172.22.2.60 prefix 24
ip nat inside source list inside_acl interface FastEthernet0/0 overload
ip nat inside source route-map nat-map pool pool1 extendable
!
ip access-list extended nat_acl
permit ip host 172.22.4.64 host 172.22.2.60
!
!
route-map nat-map permit 10
match ip address nat_acl
this will do it
and let me know
good luck
12-23-2009 04:34 AM
Oh, thanks! I will test it and mark your answer as correct if it helps me.
01-08-2010 06:13 AM
So I tested it, and it does not work at all. I can't connect to the inside host (my outside connection is not dst-NATed).
BTW:
R1(config)#ip nat inside source route-map nat-map pool pool1 extendable
^
% Invalid input detected at '^' marker.
R1(config)#ip nat inside source route-map nat-map pool pool1 ?
mapping-id Associate a mapping id to this mapping
overload Overload an address translation
reversible Allow out->in traffic
vrf Specify vrf
R1#sh ver | i Soft
Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T11, RELEASE SOFTWARE (fc2)
ROM: 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T11, RELEASE SOFTWARE (fc2)
01-08-2010 03:27 PM
By default, when you use NAT with a route-map, the extendable entry will be added, which prevents an external user from opening a reverse connection to the inside.
No one-to-one entries will be available.
To avoid this issue, use the keyword "reversible" at the end of your NAT configuration:
ip nat inside source route-map nat-map pool pool1 reversible
good luck
if helpful Rate