04-01-2019 07:35 PM
Hi,
I am trying to NAT a network 10.1.1.0/24 to another network 192.168.1.0/24. When this happens, the last octet should remain the same (e.g. 10.1.1.50 to 192.168.1.50), otherwise packets will be lost. Basically it's a 1-to-1 NAT. May I know what the steps are to do this?
04-01-2019 07:55 PM - edited 04-01-2019 07:56 PM
Hi @getaway51 ,
If you want each session to be translated to a specific IP, you must do a static NAT for each IP.
Now, for several IPs to be translated to several IPs, the way is dynamic NAT.
This type of NAT does not guarantee an exact correspondence, since the pool addresses are taken in order of arrival.
In this case:
access-list 1 permit 10.1.1.0 0.0.0.255 <- private addresses
ip nat pool test 192.168.1.1 192.168.1.254 netmask 255.255.255.0 <- public addresses (usable hosts only; .0 and .255 excluded)
ip nat inside source list 1 pool test
Then you only need to apply "ip nat inside" / "ip nat outside" on the corresponding interfaces.
Regards
04-01-2019 08:02 PM
Basically, to minimize changes on the LAN workstations, the "Servers Destination" IP address will be NATed in Router 2.
Hence workstations will be accessing maybe 172.17.0.x/24, which will be NATed to 192.168.1.0/24 in Router 2.
I think the destination NAT part is sorted out. Other than that, I am concerned about the source NAT, where packets need to travel from "Workstations" to "Servers Destination LAN". Ideally all source packets should be 10.4.2.x/30, because the "Servers Destination LAN" only has routing to 10.4.2.x/30 and is not going to change its configuration.
Therefore, how can I perform source & destination NAT in Router 2?
Which means when a packet goes through Router 2 to Router 1, the source changes to 10.4.2.2 (for source ANY) and the destination changes to 192.168.1.0/24 (for destinations matching 172.17.0.x/24).
What should the config look like in Router 2 for source & destination NAT?
Servers Destination LAN        Router1              Router2              Workstations LAN
192.168.1.0/24 ========== 10.4.2.1/30 (LAN) ---- 10.4.2.2/30 (WAN) ----- 172.16.0.x/16
172.16.1.1/32                                     172.16.0.1/16 (LAN)
04-01-2019 11:30 PM - edited 04-02-2019 12:05 AM
Hi,
Here is the configuration:
access-list 7 permit 192.168.1.0 0.0.0.255
ip nat pool 10_Series 10.1.1.1 10.1.1.254 netmask 255.255.255.0
ip nat inside source list 7 pool 10_Series
ip nat outside source list 7 pool 10_Series
04-02-2019 12:27 AM - edited 04-02-2019 12:32 AM
Hello
@getaway51 wrote:
Hi,
I am trying to NAT a network 10.1.1.0/24 to another network 192.168.1.0/24. When this happens, the last octet should remain the same (e.g. 10.1.1.50 to 192.168.1.50), otherwise packets will be lost. Basically it's a 1-to-1 NAT. May I know what the steps are to do this?
@Deepak Kumar FYI, you don't require any static NAT statements; you can do this dynamically. Your above post doesn't look as if it would match on the last octet of the NATed address, as the OP originally queried.
You could, however, try to utilize the match-host feature within NAT to perform this task.
Example
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
ip nat pool match-host 192.168.1.1 192.168.1.254 prefix-length 24 type match-host
ip nat inside source list 100 pool match-host
04-02-2019 12:45 AM
Hi @paul driver
Thanks for correcting me. What will happen if my destination network wants to connect to my system?
04-02-2019 12:56 AM
Hello
@Deepak Kumar wrote:
Hi @paul driver
Thanks for correcting me. What will happen if my destination network wants to connect to my system?
This isn't PAT; it is basically one-to-one mapping done dynamically, although you do require the pool addressing to perform the above. So as long as the translation is correct, they should be able to connect via its inside global translated address.
04-02-2019 01:01 AM
Hi,
Thanks. This is the benefits of a senior and experienced person. I will try in the lab today and come back.
Regards,
Deepak Kumar
04-02-2019 08:42 AM
Thanks Paul!
1) So basically your config below is destination NAT, right?
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
ip nat pool match-host 192.168.1.1 192.168.1.254 prefix-length 24 type match-host
ip nat inside source list 100 pool match-host
2) How about source NAT? I also need the source IP address of traffic (from inside to outside) NATed to the outside interface IP, and vice versa when the packets come from outside to inside as well.
04-02-2019 09:27 AM - edited 04-02-2019 09:29 AM
Hello
@getaway51 wrote:
Thanks Paul!
1) So basically your config below is destination NAT, right?
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
ip nat pool match-host 192.168.1.1 192.168.1.254 prefix-length 24 type match-host
ip nat inside source list 100 pool match-host
2) How about source NAT? I also need the source IP address of traffic (from inside to outside) NATed to the outside interface IP, and vice versa when the packets come from outside to inside as well.
Okay, maybe I have confused you here. The above isn't destination NAT; it is basically allowing 1-to-1 NAT from inside your local network to outside your network, matching on the host that initiated that translation. Now, with this kind of NAT you would ONLY be able to actively ping/access the NATed public matched address of the inside host as long as there is an existing translation created from the inside; you WON'T be able to initiate a connection from the outside, which is what destination NAT is.
04-02-2019 09:42 AM
04-02-2019 03:18 PM - edited 04-03-2019 12:32 AM
Hello
@getaway51 wrote:
I'm a little confused here. That means the command you provided was source NAT? Can you share with me what the destination NAT command looks like? When someone accesses x.y.z.150, it will be NATed to a.b.c.150, and vice versa for return traffic.
Okay i now understand what you require.
But firstly, I would just like to clarify the previous NAT configuration, if I may.
This WOULD allow return traffic to the NAT host (matched on the last octet) from the originally initiated inside-to-outside translation (inside 10.1.1.10 <> outside 192.168.1.10), so the following would be allowed:
(outside 192.168.1.10 <> inside 10.1.1.10), ONLY if a translated entry existed in the NAT table. Once this had timed out, no traffic from (outside 192.168.1.10 <> inside 10.1.1.10) would be allowed unless another internal translation was created. Does that make sense?
What you require is to be able to initiate an outside connection to the internal host, matching on the host's last octet, EVEN when the dynamic inside-to-outside entry has timed out.
This can be accomplished using the NAT configuration statements below. The caveat is that if you ever manually clear the NAT table, or it is cleared, say, after a reload of the router, you will need to initiate an inside <> outside connection first to populate the NAT table once more with a 1-to-1 entry, which will remain available after its dynamic relation has timed out. This will again allow you to initiate an outside <> inside connection.
Example:
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
route-map lan permit 10
match ip address 100
ip nat pool destnatpool 192.168.1.3 192.168.1.254 netmask 255.255.255.0 type match-host
ip nat inside source route-map lan pool destnatpool reversible
Let me know how you get on?
04-03-2019 12:57 AM
Hi,
How about NATing the source IP to the outside interface IP when traffic goes inside -> outside, and vice versa (for return traffic)?
The commands you have provided were all destination NAT, right?
04-03-2019 02:29 AM - edited 04-03-2019 02:31 AM
Hello
You could say it's a mixture of source and destination NAT, and yes, it will work both ways.
As stated, the difference between the two NAT configurations is the "reversible" feature, which will install a 1-to-1 NAT entry, so when the dynamic entry (inside-outside) times out you will still be allowed to initiate an outside-inside connection.
04-03-2019 07:39 AM
Perhaps let me try to explain the scenario. I am trying to understand which of the commands does the work.
Please help me check the commands in case anything is left out. Much appreciated!!!
1) In the "Workstations LAN", 172.16.0.x/16 is trying to reach servers in 192.168.1.0/24 & 172.15.1.1/32.
Only the 10.4.2.0/30 route is visible from the Servers Destination LAN to Router 2. The Workstations LAN is hidden (NAT).
Therefore Router 2 needs to NAT every source IP from inside to outside as 10.4.2.2. This is source NAT.
access-list 100 permit ip 172.16.0.0 0.0.255.255 any
route-map lan permit 10
match ip address 100
ip nat pool destnatpool 192.168.1.1 192.168.1.254 netmask 255.255.255.0 type match-host
ip nat inside source route-map lan pool destnatpool reversible
Servers Destination LAN        Router1              Router2              Workstations LAN
192.168.1.0/24 ========== 10.4.2.1/30 (LAN) ---- 10.4.2.2/30 (WAN) ----- 172.16.0.x/16
172.15.1.1/32                                     172.16.0.1/16 (LAN)
2) Since the Workstations LAN can't see 192.168.1.0/24 & 172.15.1.1/32, Router 2 needs to NAT its destination to the hosts in 192.168.1.0/24 & 172.15.1.1/32.
For e.g. every source in 172.16.0.x/16 that accesses 172.16.7.0/24 will have its destination NATed in Router 2 to 192.168.1.0/24. - Whole Dest Network NAT
If it accesses 172.16.8.1, Router 2 will NAT the dest host to 172.15.1.1. - Single Dest Host NAT
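The last post in the thread lists three requirements for Router 2 without a combined configuration, so here is one worked example put together by the editor; it is not the configuration of any of the posters, and the thread never confirms that it was applied. It does the three things asked for: every workstation leaves the WAN interface as 10.4.2.2 (source NAT with overload), the placeholder network 172.16.7.0/24 is rewritten 1-to-1 to 192.168.1.0/24 so the last octet is preserved (whole-network destination NAT), and the single placeholder host 172.16.8.1 is rewritten to 172.15.1.1 (single-host destination NAT). The interface names, the `add-route` keyword and the default route toward Router 1 are assumptions made for the example, and the `ip nat outside source static network` form should be checked against the IOS release in use. One caveat a practitioner would raise before deploying it: 172.16.7.0/24 and 172.16.8.1 both fall inside the workstations' own 172.16.0.0/16, so hosts will try to reach them directly on the LAN rather than send them to Router 2 unless proxy ARP answers for those addresses; choosing placeholder destinations outside the LAN prefix avoids that dependency.

```cisco
! Added worked example for Router 2 (editor's example, not posted in the thread).
! Topology per the thread: LAN 172.16.0.1/16 facing the workstations,
! WAN 10.4.2.2/30 facing Router 1 (10.4.2.1). Interface names are assumptions.
!
interface GigabitEthernet0/0
 description Workstations LAN (inside)
 ip address 172.16.0.1 255.255.0.0
 ip nat inside
!
interface GigabitEthernet0/1
 description WAN to Router 1 (outside)
 ip address 10.4.2.2 255.255.255.252
 ip nat outside
!
! 1) Source NAT: hide every workstation behind the WAN address 10.4.2.2.
!    The server LAN only routes 10.4.2.0/30, so PAT (overload) on the
!    outside interface is enough; no pool is needed for this direction.
access-list 100 permit ip 172.16.0.0 0.0.255.255 any
ip nat inside source list 100 interface GigabitEthernet0/1 overload
!
! 2) Whole-network destination NAT, 1-to-1 on the last octet:
!    workstations address 172.16.7.x, Router 2 forwards to 192.168.1.x.
!    Static network translation keeps the host part unchanged, which is the
!    "last octet must remain" requirement from the first post.
!    add-route (assumed) installs a route for 172.16.7.0/24 so the packet is
!    routed out the outside interface before the destination is rewritten.
ip nat outside source static network 192.168.1.0 172.16.7.0 /24 add-route
!
! 3) Single-host destination NAT: 172.16.8.1 -> 172.15.1.1
ip nat outside source static 172.15.1.1 172.16.8.1 add-route
!
! Default route toward Router 1 (assumption; the thread does not show routing)
ip route 0.0.0.0 0.0.0.0 10.4.2.1
```

To confirm the translations behave as intended, generate traffic from a workstation to 172.16.7.50 and check `show ip nat translations`: the entry should show inside local 172.16.x.y, inside global 10.4.2.2, outside local 172.16.7.50 and outside global 192.168.1.50. `show ip nat statistics` confirms which interfaces are marked inside and outside and that access-list 100 is the one driving the source translation.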