What is the command to NAT a destination network 10.1.1.Z to another network 192.168.1.Z?

getaway51
Level 2

Hi,

I am trying to NAT a network 10.1.1.0/24 to another network 192.168.1.0/24. When this happens, the last octet Z should remain the same (e.g. 10.1.1.50 to 192.168.1.50), otherwise packets will be lost. Basically it's a 1-to-1 NAT. May I know what the steps are to do this?

53 Replies

luis_cordova
VIP Alumni

Hi @getaway51,

If you want each session to be translated to a specific IP, you must do a static NAT for each IP.

Now, for several IPs to be translated to several IPs, the way is dynamic NAT.

This type of NAT does not guarantee an exact correspondence, since the sessions are occupied in order of arrival.

In this case:

access-list 1 permit 10.1.1.0 0.0.0.255 <- private addresses

ip nat pool test 192.168.1.0 192.168.1.255 netmask 255.255.255.0 <- public addresses

ip nat inside source list 1 pool test

Then you should only apply the NAT on the corresponding interfaces.

Regards

getaway51
Level 2

Basically, to minimize changes on the LAN workstations, the "Servers Destination" IP address will be NATed in Router 2.

Hence workstations will be accessing maybe 172.17.0.x/24, which will be NATed to 192.168.1.0/24 in Router 2.

I think the destination NAT part is sorted out. Other than that, I am concerned about the source NAT, where packets need to travel from "Workstations" to "Servers Destination LAN". Ideally all source packets should be 10.4.2.x/30, because the "Servers Destination LAN" only has routing to 10.4.2.x/30 and is not going to change its configuration.

Therefore, how can I perform source & destination NAT in Router 2?

Which means when a packet goes through Router 2 to Router 1, the source changes to 10.4.2.2 (for source ANY) and the destination changes to 192.168.1.0/24 (for destination matching 172.17.0.x/24).

What should the config look like in Router 2 for source & destination NAT?


Servers Destination LAN              Router1                       Router2                    Workstations LAN
192.168.1.0/24 ==========10.4.2.1/30(LAN)----10.4.2.2/30(WAN)-----172.16.0.x/16
172.16.1.1/32                                                        172.16.0.1/16(LAN)

Deepak Kumar
VIP Alumni

Hi,

Here is the configuration:

access-list 7 permit 192.168.1.0 0.0.0.255

ip nat pool 10_Series 10.1.1.1 10.1.1.254 netmask 255.255.255.0
ip nat inside source list 7 pool 10_Series
ip nat outside source list 7 pool 10_Series
Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hello


@getaway51 wrote:

Hi,

I am trying to NAT a network 10.1.1.0/24 to another network 192.168.1.0/24. When this happens, the last octet Z should remain the same (e.g. 10.1.1.50 to 192.168.1.50), otherwise packets will be lost. Basically it's a 1-to-1 NAT. May I know what the steps are to do this?


@Deepak Kumar FYI, you don't require any static NAT statements; you can do this dynamically. Your above post doesn't look as if it would match on the last octet of the NATed address, as the OP originally queried.

You could, however, try to utilize the match-host feature within NAT to perform this task.

Example

access-list 100 permit ip 10.1.1.0 0.0.0.255 any

ip nat pool match-host 192.168.1.1 192.168.1.254 prefix-length 24 type match-host

ip nat inside source list 100 pool match-host

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi @paul driver 

Thanks for correcting me. What will happen if my destination network wants to connect to my system?


Regards,
Deepak Kumar,

Hello


@Deepak Kumar wrote:

Hi @paul driver

Thanks for correcting me. What will happen if my destination network wants to connect to my system?


This isn't PAT; it is basically one-to-one mapping done dynamically, but you do require the pool addressing to perform the above. So as long as the translation is correct, they should be able to connect via its inside global translated address.



Kind Regards
Paul

Hi,

Thanks. This is the benefit of a senior and experienced person. I will try it in the lab today and come back.


Regards,
Deepak Kumar

Thanks Paul!

1) So basically your config below is destination NAT, right?

access-list 100 permit ip 10.1.1.0 0.0.0.255 any

ip nat pool match-host 192.168.1.1 192.168.1.254 prefix-length 24 type match-host

ip nat inside source list 100 pool match-host

2) How about source NAT? I also need the source IP address of traffic (from inside to outside) NATed to the outside interface IP, and vice versa when the packets come from outside to inside as well.

Hello


@getaway51 wrote:

Thanks Paul!

1) So basically your config below is destination NAT, right?

access-list 100 permit ip 10.1.1.0 0.0.0.255 any

ip nat pool match-host 192.168.1.1 192.168.1.254 prefix-length 24 type match-host

ip nat inside source list 100 pool match-host

2) How about source NAT? I also need the source IP address of traffic (from inside to outside) NATed to the outside interface IP, and vice versa when the packets come from outside to inside as well.


Okay, maybe I have confused you here. The above isn't destination NAT; it is basically allowing one-to-one NAT from inside your local network to outside your network, matching on the host that initiated that translation. Now, with this kind of NAT you would ONLY be able to actively ping/access the NATed public matched address of the inside host as long as there is an existing translation created from the inside; you WON'T be able to initiate a connection from the outside, which is what destination NAT is.


Kind Regards
Paul

Hi Paul,

I'm a little confused here. That means the command you provided was source NAT?
Can you share with me what the destination NAT command looks like? When someone
accesses x.y.z.150, it will be NATed to a.b.c.150, and vice versa for return
traffic.

Hello


@getaway51 wrote:
I'm a little confused here. That means the command you provided was source NAT?
Can you share with me what the destination NAT command looks like? When someone
accesses x.y.z.150, it will be NATed to a.b.c.150, and vice versa for return
traffic.

Okay, I now understand what you require.

But firstly I would just like to clarify the previous NAT configuration, if I may.

This WOULD allow return traffic on the NAT host (matched on the last octet) from the originally initiated inside-outside translation (inside 10.1.1.10 <> outside 192.168.1.10), so the following would be allowed
(outside 192.168.1.10 <> inside 10.1.1.10) ONLY if a translated entry existed in the NAT table. Once this had timed out, no traffic from (outside 192.168.1.10 <> inside 10.1.1.10) would be allowed unless another internal translation was created. Does that make sense?

What you require is to be able to initiate an outside connection to the internal host, matching on the host's last octet, EVEN when the dynamic inside-outside entry has timed out.

This can be accomplished using the NAT configuration statements below. However, the caveat is that if you ever manually clear the NAT table, or it is cleared, say, after a reload of the router, you will need to initiate an inside<>outside connection first to populate the NAT table once more with a 1-to-1 entry, which will remain available after its dynamic relation has timed out. This will again allow you to initiate an outside<>inside connection.

Example:
access-list 100 permit ip 10.1.1.0 0.0.0.255 any

route-map lan permit 10
match ip address 100

ip nat pool destnatpool 192.168.1.3 192.168.1.254 netmask 255.255.255.0 type match-host
ip nat inside source route-map lan pool destnatpool reversible

Let me know how you get on.


Kind Regards
Paul
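The two behaviours discussed above (a match-host pool keeping the host octet, and a dynamic entry that times out unless the mapping is kept 1-to-1 as with "reversible") modelled in a small Python script. This is an added example, not configuration from the thread or Cisco IOS code; the NatTable class is a constructed toy that follows the behaviour Paul describes, and the pool ranges are the ones from the posts. It also shows a case the posts do not spell out: a pool starting at .3 cannot translate inside hosts .1 and .2.

```python
import ipaddress

def match_host_translate(inside_local, pool_start, pool_end):
    """Model of an IOS 'type match-host' pool: keep the host octet of
    inside_local and place it in the pool's network. Returns the inside
    global address, or None when that address lies outside the pool
    (assumption: an untranslatable host gets no entry at all)."""
    local = ipaddress.IPv4Address(inside_local)
    start = ipaddress.IPv4Address(pool_start)
    end = ipaddress.IPv4Address(pool_end)
    host_octet = int(local) & 0xFF
    candidate = ipaddress.IPv4Address((int(start) & ~0xFF) | host_octet)
    return str(candidate) if start <= candidate <= end else None

class NatTable:
    """Toy NAT table (constructed for this example). Dynamic entries can be
    expired; with reversible=True the inside->outside translation also
    installs a persistent 1:1 entry so outside-initiated lookups still work
    after the dynamic entry has timed out."""
    def __init__(self, pool_start, pool_end, reversible=False):
        self.pool = (pool_start, pool_end)
        self.reversible = reversible
        self.dynamic = {}      # inside local -> inside global
        self.persistent = {}   # inside global -> inside local

    def inside_to_outside(self, inside_local):
        inside_global = match_host_translate(inside_local, *self.pool)
        if inside_global is None:
            return None        # no pool address: the packet is not translated
        self.dynamic[inside_local] = inside_global
        if self.reversible:
            self.persistent[inside_global] = inside_local
        return inside_global

    def expire_dynamic(self):
        """Simulate the NAT timeout (or 'clear ip nat translation *')."""
        self.dynamic.clear()

    def outside_to_inside(self, inside_global):
        """Lookup for a connection initiated from the outside."""
        for local, glob in self.dynamic.items():
            if glob == inside_global:
                return local
        return self.persistent.get(inside_global)
```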

Hi,

How about NATing the source IP to the outside interface IP when traffic goes inside->outside, and vice versa (for return traffic)?

The commands you have provided were all destination NAT, right?

Hello

You could say it's a mixture of source and destination NAT, and yes, it will work both ways.

As stated, the difference between the two NAT configurations is the "reversible" feature, which will install a 1-to-1 NAT entry, so when the dynamic entry (inside-outside) times out you will still be allowed to initiate an outside-inside connection.


Kind Regards
Paul

Perhaps let me try to explain the scenario. I am trying to understand which of the commands does the work.

Please help me check the commands in case anything is left out. Much appreciated!!!

1) In the "Workstations LAN", 172.16.0.x/16 is trying to reach servers in 192.168.1.0/24 & 172.15.1.1/32.

Only the 10.4.2.0/30 route is visible from Servers Destination LAN to Router 2. Workstations LAN is hidden (NAT).

Therefore Router 2 needs to NAT every source IP from inside to outside as 10.4.2.2. This is source NAT.

access-list 100 permit ip 172.16.0.0 0.0.255.255 any

route-map lan permit 10
match ip address 100

ip nat pool destnatpool 192.168.1.1 192.168.1.254 netmask 255.255.255.0 type match-host
ip nat inside source route-map lan pool destnatpool reversible


Servers Destination LAN              Router1                       Router2                    Workstations LAN
192.168.1.0/24 ==========10.4.2.1/30(LAN)----10.4.2.2/30(WAN)-----172.16.0.x/16
172.15.1.1/32                                                        172.16.0.1/16(LAN)

2) Since Workstations LAN can't see 192.168.1.0/24 & 172.15.1.1/32, Router 2 needs to NAT its destination to hosts in 192.168.1.0/24 & 172.15.1.1/32.

For e.g. every source in 172.16.0.x/16 that accesses 172.16.7.0/24, its destination in Router 2 will be NATed to 192.168.1.0/24. - Whole destination network NAT

If accessing 172.16.8.1, Router 2 will NAT the destination host to 172.15.1.1. - Single destination host NAT