cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4076
Views
0
Helpful
6
Replies

Twice NAT Cisco ISR 4431

jamesupcott1
Level 1
Level 1

i All

 

I currently have a twice NAT setup on Cisco ASA 5506 which works perfectly. However we are now implementing a Cisco ISR 4431 to replace the ASA, and wish for this device to perform the twice NAT function like the ASA is currently doing.

 

Here is the configuration from our ASA of which I need to replicate on the ISR:

nat (outside,RA_VPN) source dynamic any interface destination static 1.1.1.1 10.14.62.2

 

Any help would be much appreciated.

 

Kind Regards

James

1 Accepted Solution

Accepted Solutions

Hi,

 

    Unfortunately, things are not that easy. When Cisco designed inside/outside NAT, with outside facing the Internet, why would you wanted to NAT the Internet as traffic comes inbound to your network? So this is not possible, for traffic going outside-->inside, you can't do PAT/overload. There is a solution, it may sound weird, but have done it couple of times, working good.

     1. You would have to swap your logic, and configure the Internet facing interface as "ip nat inside" and the LAN/private facing interface as "ip nat outside".

     2. You configure overload/PAT for Internet:

                  access-list 100 permit ip any any

                  ip nat inside source list 100 interface xyz overload

      3. You statically NAT your inside host to the Internet, ensure NOT to forget the "add-route" keyword:

                  ip nat outside source static 10.14.64.2 1.1.1.1 add-route

 

Regards,

Cristian Matei.

View solution in original post

6 Replies 6

Cristian Matei
VIP Alumni
VIP Alumni

Hi,

 

   It's conn work, but to with a single NAT statement, there is no Twice-NAT in a single rule on IOS. You would have to configure dynamic NAT/PAT in one direction and static NAT in the other direction. Post your interfaces, who is connected where, what are your inside/outside NAT interfaces, so a solution can be build.

 

Regards,

Cristian Matei.

Hi Cristian

 

Thanks for your reply, much appreciated.

 

I have listed the NAT rule below, hopefully should be enough to confirm? So any client out on the internet hits this rule and is NAT'd to 10.14.64.1, when they target address of 1.1.1.1, where we also NAT the destination address to 10.14.62.2.

 

nat (outside,RA_VPN) source dynamic any 10.14.64.1 destination static 1.1.1.1 10.14.62.2.

 

From your response I am able to configure the following NAT within GNS3 (Router on order):

 

ip nat inside source static 10.14.64.2 1.1.1.1

            The above would take care of the return traffic to the client presumably?

 

The inbound NAT from the internet, I guess would look something like the following:

 

ip nat outside source dynamic any 10.14.64.1 

(I don't think I can use the "any" command as source, so how would I ensure this is any address? Looks like I am unable to input 0.0.0.0/0 aswell.)

 

Let me know your thoughts, and appreciate you taking the time.

 

Kind Regards

James

Hi,

 

    Unfortunately, things are not that easy. When Cisco designed inside/outside NAT, with outside facing the Internet, why would you wanted to NAT the Internet as traffic comes inbound to your network? So this is not possible, for traffic going outside-->inside, you can't do PAT/overload. There is a solution, it may sound weird, but have done it couple of times, working good.

     1. You would have to swap your logic, and configure the Internet facing interface as "ip nat inside" and the LAN/private facing interface as "ip nat outside".

     2. You configure overload/PAT for Internet:

                  access-list 100 permit ip any any

                  ip nat inside source list 100 interface xyz overload

      3. You statically NAT your inside host to the Internet, ensure NOT to forget the "add-route" keyword:

                  ip nat outside source static 10.14.64.2 1.1.1.1 add-route

 

Regards,

Cristian Matei.

Thanks Cristian, did the job perfectly.

 

Kind Regards

James

Hi Cristian

 

This configuration works on my lab environment and a 897 router. However when I apply the same config to the ISR 4431 it doesn’t work. When I check the translation table via the show ip translations command, there is no translation from clients on the internet “any”. 

Is there additional/different syntax required on the ISR 4431 or perhaps additional feature?

 

Kind Regards

James

Hi,

 

    What doesn't work, translating the "internet"? As traffic is being initiated, there are no translations created? If so have you tried upgrading the router?

 

Regards,

Cristian Matei.

Review Cisco Networking for a $25 gift card