Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4075
Views
0
Helpful
6
Replies

Twice NAT Cisco ISR 4431

Go to solution
jamesupcott1
Level 1
Level 1

‎03-26-2020 02:32 AM

i All

 

I currently have a twice NAT setup on Cisco ASA 5506 which works perfectly. However we are now implementing a Cisco ISR 4431 to replace the ASA, and wish for this device to perform the twice NAT function like the ASA is currently doing.

 

Here is the configuration from our ASA of which I need to replicate on the ISR:

nat (outside,RA_VPN) source dynamic any interface destination static 1.1.1.1 10.14.62.2

 

Any help would be much appreciated.

 

Kind Regards

James

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to jamesupcott1

‎03-26-2020 11:21 AM

Hi,

 

    Unfortunately, things are not that easy. When Cisco designed inside/outside NAT, with outside facing the Internet, why would you wanted to NAT the Internet as traffic comes inbound to your network? So this is not possible, for traffic going outside-->inside, you can't do PAT/overload. There is a solution, it may sound weird, but have done it couple of times, working good.

     1. You would have to swap your logic, and configure the Internet facing interface as "ip nat inside" and the LAN/private facing interface as "ip nat outside".

     2. You configure overload/PAT for Internet:

                  access-list 100 permit ip any any

                  ip nat inside source list 100 interface xyz overload

      3. You statically NAT your inside host to the Internet, ensure NOT to forget the "add-route" keyword:

                  ip nat outside source static 10.14.64.2 1.1.1.1 add-route

 

Regards,

Cristian Matei.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎03-26-2020 04:04 AM

Hi,

 

   It's conn work, but to with a single NAT statement, there is no Twice-NAT in a single rule on IOS. You would have to configure dynamic NAT/PAT in one direction and static NAT in the other direction. Post your interfaces, who is connected where, what are your inside/outside NAT interfaces, so a solution can be build.

 

Regards,

Cristian Matei.

0 Helpful

Go to solution
jamesupcott1
Level 1
Level 1
In response to Cristian Matei

‎03-26-2020 06:08 AM

Hi Cristian

 

Thanks for your reply, much appreciated.

 

I have listed the NAT rule below, hopefully should be enough to confirm? So any client out on the internet hits this rule and is NAT'd to 10.14.64.1, when they target address of 1.1.1.1, where we also NAT the destination address to 10.14.62.2.

 

nat (outside,RA_VPN) source dynamic any 10.14.64.1 destination static 1.1.1.1 10.14.62.2.

 

From your response I am able to configure the following NAT within GNS3 (Router on order):

 

ip nat inside source static 10.14.64.2 1.1.1.1

            The above would take care of the return traffic to the client presumably?

 

The inbound NAT from the internet, I guess would look something like the following:

 

ip nat outside source dynamic any 10.14.64.1 

(I don't think I can use the "any" command as source, so how would I ensure this is any address? Looks like I am unable to input 0.0.0.0/0 aswell.)

 

Let me know your thoughts, and appreciate you taking the time.

 

Kind Regards

James

0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to jamesupcott1

‎03-26-2020 11:21 AM

Hi,

 

    Unfortunately, things are not that easy. When Cisco designed inside/outside NAT, with outside facing the Internet, why would you wanted to NAT the Internet as traffic comes inbound to your network? So this is not possible, for traffic going outside-->inside, you can't do PAT/overload. There is a solution, it may sound weird, but have done it couple of times, working good.

     1. You would have to swap your logic, and configure the Internet facing interface as "ip nat inside" and the LAN/private facing interface as "ip nat outside".

     2. You configure overload/PAT for Internet:

                  access-list 100 permit ip any any

                  ip nat inside source list 100 interface xyz overload

      3. You statically NAT your inside host to the Internet, ensure NOT to forget the "add-route" keyword:

                  ip nat outside source static 10.14.64.2 1.1.1.1 add-route

 

Regards,

Cristian Matei.

0 Helpful

Go to solution
jamesupcott1
Level 1
Level 1
In response to Cristian Matei

‎03-27-2020 06:48 AM

Thanks Cristian, did the job perfectly.

 

Kind Regards

James

0 Helpful

Go to solution
jamesupcott1
Level 1
Level 1
In response to Cristian Matei

‎04-04-2020 11:53 PM

Hi Cristian

 

This configuration works on my lab environment and a 897 router. However when I apply the same config to the ISR 4431 it doesn’t work. When I check the translation table via the show ip translations command, there is no translation from clients on the internet “any”. 

Is there additional/different syntax required on the ISR 4431 or perhaps additional feature?

 

Kind Regards

James

0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to jamesupcott1

‎04-05-2020 05:18 AM

Hi,

 

    What doesn't work, translating the "internet"? As traffic is being initiated, there are no translations created? If so have you tried upgrading the router?

 

Regards,

Cristian Matei.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card