
What is the command to NAT a destination network 10.1.1.Z to another network 192.168.1.Z?

getaway51
Level 2

Hi,

 

I am trying to NAT a network 10.1.1.0/24 to another network 192.168.1.0/24. When this happens, the last octet Z should remain (e.g. 10.1.1.50 to 192.168.1.50), otherwise packets will be lost. Basically it's a 1-to-1 NAT. May I know what the steps are to do this?

53 Replies

Hello

Based on what our OP queried, the previous NAT configuration I supplied would accommodate.

However, based on what you have now explained, matching host-to-host wouldn't be applicable, or using a single static NAT translation, say between 172.16.8.1 - 172.15.1.1 (unless this is port specific).

The reason being is that your two routers have only a public /30 subnet, so each router only has 1 public IP address to NAT with.

What isn't clear is if both these routers are performing NAT or just rtr2. If the latter, then the most you can do is dynamic port address translation (many-to-one) or static (one-to-one). If they are both performing NAT then you're even more restricted.

So to summarize, based on what you have explained so far, what you're asking is not possible unless the public subnet between the "wan" rtrs is expanded.



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

 

Only R2 is performing NAT, and it NATs all inside->outside to the outside interface IP address, and vice versa for return traffic. So I assume this is many-to-one NAT, like the overload used in an Internet connection. This is source IP address NAT. I was wondering which commands I can use for this objective.

Then the second part would be destination NAT. Sorry, I am confused about which command that you provided is for dest or source NAT or both. Can you roughly specify? Like I explained, there are 2 dest NATs: one is whole dest network NAT, one is single host dest NAT. Can you enlighten me?

Hello


@getaway51 wrote:

Only R2 is performing NAT, and it NATs all inside->outside to the outside interface IP address, and vice versa for return traffic. So I assume this is many-to-one NAT, like the overload used in an Internet connection. This is source IP address NAT. I was wondering which commands I can use for this objective.

 


access-list 100 deny ip host 172.16.8.1 any
access-list 100 permit ip 172.16.0.0 0.0.255.255 any

ip nat inside source list 100 interface <wan> overload



Then the second part would be destination NAT. Sorry, I am confused about which command that you provided is for dest or source NAT or both. Can you roughly specify? Like I explained, there are 2 dest NATs: one is whole dest network NAT, one is single host dest NAT. Can you enlighten me?


The above config in part 1 will accommodate part of this request. As for 1-1 address translation, to allow an outside host to initiate a connection even when the dynamic entry has timed out:

access-list 101 permit ip host 172.16.8.1 host 172.15.1.1
route-map 1
description Destination-Nat-static
match ip address 101

ip nat pool LAN 10.4.44.2 10.4.22.2 netmask 255.255.255.252
ip nat inside source route-map 1 pool LAN reversible



Kind Regards
Paul

Hi,

 

Thanks for providing these commands. FYI, NAT destination when packets travel from inside to outside, e.g. 172.16.7.0/24->192.168.1.0/24 & 172.16.8.1->172.15.1.1

ip nat outside source static
  • Translates the source of the IP packets that travel outside to inside.
  • Translates the destination of the IP packets that travel inside to outside.

 

Since it is inside to outside and NAT destination, shouldn't it be ip nat outside source static?

The source NAT commands are clear enough. But how about dest network NAT of 172.16.7.0/24->192.168.1.0/24, inside to outside?

 

Thank you so much for helping!!

Hello

 


@getaway51 wrote:

Hi,

Thanks for providing these commands. FYI, NAT destination when packets travel from inside to outside, e.g. 172.16.7.0/24->192.168.1.0/24 & 172.16.8.1->172.15.1.1

ip nat outside source static
  • Translates the source of the IP packets that travel outside to inside.
  • Translates the destination of the IP packets that travel inside to outside.

 

Since it is inside to outside and NAT destination, shouldn't it be ip nat outside source static?


As I have stated, you only have one "public" IP to work with, so ip nat outside static wouldn't be applicable to use in this case, hence I provided an alternative using the NAT reversible feature.

 


@getaway51 wrote:

The source NAT commands are clear enough. But how about dest network NAT of 172.16.7.0/24->192.168.1.0/24, inside to outside?


Not so sure what you meant by this, but the dynamic PAT statement provided will translate any internal 172.16.0.0/16 (including 172.16.7.0/24) to any outside address. On the other hand, if you are wishing to match host to host bit ti (outside/inside or inside/outside) between these subnets, then again this isn't applicable in this case as far as I am aware.



Kind Regards
Paul

Hi ,

 

I think there might be some confusion here. These are all destination IP not source IP.

172.16.7.0/24->192.168.1.0/24 & 172.16.8.1->172.15.1.1 

172.16.7.0 & 172.16.8.1 are on Workstation LAN

192.168.1.0/24 & 172.15.1.1 are on HQ Servers LAN

When someone tries to access 172.16.7.0/24 & 172.16.8.1/32, R2 will NAT the destination to 192.168.1.0/24 & 172.15.1.1/32. 

 

Hello

Your NAT rtr is R2, its internal networks are 172.16.0.0/16 (including 172.16.7.0/24), this is only where you can NAT. You cannot in this case use destination NAT (outside-inside), initiating from outside your NAT boundary, with just one public IP address to many internal addresses.



Kind Regards
Paul

Hi Paul,

Let me further clarify. The destination NAT needed is inside->outside, not destination NAT (outside-inside). Source IP NAT is using the overload command you specified earlier (many-to-one) to the outside interface source IP.

These are all destination IPs, not source IPs. I won't worry about source IP NAT for now.

172.16.7.0/24->192.168.1.0/24 & 172.16.8.1->172.15.1.1

172.16.7.0 & 172.16.8.1 are on Workstation LAN-->destination INSIDE

192.168.1.0/24 & 172.15.1.1 are on HQ Servers LAN--->destination OUTSIDE

When someone tries to access 172.16.7.0/24 & 172.16.8.1/32 from INSIDE-->OUTSIDE, R2 will NAT the destination to 192.168.1.0/24 & 172.15.1.1/32.

 

Hello


@getaway51 wrote:

When someone tries to access 172.16.7.0/24 & 172.16.8.1/32 from INSIDE-->OUTSIDE, R2 will NAT the destination to 192.168.1.0/24 & 172.15.1.1/32.


I think we are going around in circles here. Let's forget about the destination word for a moment and focus on your needs.

172.16.7.0/24 and 172.16.8.1 are internal to your NAT router 2
192.168.1.0/24, 172.15.1.1 are outside of your NAT boundary, residing behind router 1

If ANY host from internal/within your NAT router 2 initiates access to 192.168.1.0/24, PAT will be used (inside/outside)

If ANY host from internal/within your router 1 tries to initiate access towards 172.16.0.0/16 (including 172.16.7.0/24), this cannot be done with the setup you have.

On a side note, I have provided a solution in which you could statically initiate a host-to-host outside/inside connection (< rtr1-rtr2 >) using the NAT reversible feature.

Apart from the above, unless I am mistaken, I don't see any other scenario that can be accomplished here.



Kind Regards
Paul

Hi Paul,

 

I apologize for the confusion here, as I'm trying to understand 100% of what's happening from every angle.

172.16.7.0/24 and 172.16.8.1 are internal to your NAT router 2---yes you are right
192.168.1.0/24, 172.15.1.1 are outside of your NAT boundary, residing behind router 1---yes you are right

If ANY host from internal/within your NAT router 2 initiates access to 192.168.1.0/24, PAT will be used (inside/outside)
---yes you are right about PAT, but they will be accessing 172.16.7.0/24 and 172.16.8.1 from internal, not 192.168.1.0/24 & 172.15.1.1. 192.168.1.0/24 & 172.15.1.1 is after R2 NAT inside->outside.


If ANY host from internal/within your router 1 tries to initiate access towards 172.16.0.0/16 (including 172.16.7.0/24), this cannot be done with the setup you have.--Perhaps let me change something here. LAN became 10.1.1.1/24. When someone tries to access destination 172.16.7.0/24 and 172.16.8.1, R2 NATs the destination to 192.168.1.0/24 & 172.15.1.1/32. At the same time source IP is NATed to the OUTSIDE interface IP due to the overload command. Is this not doable?

 

Am I correct with these explanations?

Hello

No need to apologise, I am glad you are trying to understand it. Maybe my wording could be better, anyway..

 


@getaway51 wrote:


Hi Paul,

 

I apologize for the confusion here, as I'm trying to understand 100% of what's happening from every angle.

172.16.7.0/24 and 172.16.8.1 are internal to your NAT router 2---yes you are right
192.168.1.0/24, 172.15.1.1 are outside of your NAT boundary, residing behind router 1---yes you are right

If ANY host from internal/within your NAT router 2 initiates access to 192.168.1.0/24, PAT will be used (inside/outside)
---yes you are right about PAT, but they will be accessing 172.16.7.0/24 and 172.16.8.1 from internal


Any internal communication between any hosts in 172.16.0.0/16 WON'T be subject to any network translation. ONLY traffic communication that needs to traverse your public interface (which has the ip nat outside appended to it) will be subject to NAT - hence (inside-to-outside).

 


@getaway51 wrote:

If ANY host from internal/within your router 1 tries to initiate access towards 172.16.0.0/16 (including 172.16.7.0/24), this cannot be done with the setup you have.--


Perhaps let me change something here. LAN became 10.1.1.1/24. When someone tries to access destination 172.16.7.0/24 and 172.16.8.1, R2 NATs the destination to 192.168.1.0/24 & 172.15.1.1/32. At the same time source IP is NATed to the OUTSIDE interface IP due to the overload command. Is this not doable?


I am sorry, I don't understand what you are trying to ask -
What do you mean by LAN became 10.1.1.1/24? What LAN - are you on about the transit path between r1 - r2 became a /24 subnet?



 

 



 

 



Kind Regards
Paul

Perhaps let me change something here. LAN became 10.1.1.1/24. When someone tries to access destination 172.16.7.0/24 and 172.16.8.1, R2 NATs the destination to 192.168.1.0/24 & 172.15.1.1/32. At the same time source IP is NATed to the OUTSIDE interface IP due to the overload command. Is this not doable?

I am sorry, I don't understand what you are trying to ask -
What do you mean by LAN became 10.1.1.1/24? What LAN - are you on about the transit path between r1 - r2 became a /24 subnet?

Let me try to explain the setup in a diagram.

    Servers LAN HQ-------------R1----------------------R2---------------------------PC
    192.168.1.0/24        10.4.4.1(LAN)         10.4.4.2(OUTSIDE)                10.1.1.5
    172.15.1.1/32                               10.1.1.1/24(INSIDE)

 

PC telnets to destination 172.16.7.0/24 and 172.16.8.1/32. PC source will become 10.4.4.2 due to NAT in R2. Assuming that all routing is done. All traffic travels from PC to Servers LAN & returns back to PC. No initiation from Servers LAN to PC.

Based on this scenario, what would the command be? At least I can clearly differentiate each CLI based on objective.

Hello

From the looks of it, your PC resides on the same side of the network it's trying to connect to, is that correct?

PC telnet to destination 172.16.7.0/24 and 172.16.8.1/32.

If that is the case, then as I have already stated, NO translation will take place.



Kind Regards
Paul

Hi, PC doesn't fall under the same LAN. PC is 10.1.1.x, destination to 172.16.7.0/24 and 172.16.8.1/32.

So dest NAT must happen so that PC can reach 192.168.1.0/24 and host on the other end. Source PC will be translated too via the NAT overload command.

Hope this explains. Thanks for your valuable inputs!!


Hello 

If a PC is behind R2 and it initiates a connection to ANY device internally, NO NAT is performed.

If a PC is behind R2 (private network) and it initiates a connection to ANY device externally, then NAT is performed and the return traffic from that initiation is allowed back in due to the dynamic NAT entry that will exist in the NAT table (this return traffic you can say is a form of destination NAT). Whenever that NAT entry expires, the outside host cannot return any traffic or initiate any other traffic flow unless another NAT entry is created by the inside host from the private network.

Destination NAT is when a host externally (not on the private network, like the internet) tries to connect to a host behind a NAT boundary (private network) and the original destination address that this external host uses is translated into a private host address in that private network.



Kind Regards
Paul
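
A small Python model of the two behaviours discussed in this thread, added here as an illustration and not taken from any post: a 1-to-1 network translation that keeps the host octet Z, and a many-to-one overload table whose dynamic entries let return traffic in only until they expire. The function and class names, the 60-second timeout, the port numbers and the timestamps are assumptions made for the example; it models the concept and is not router configuration.

```python
import ipaddress

def map_prefix(addr, old_net, new_net):
    """1-to-1 network NAT: swap the network bits, keep the host bits (octet Z)."""
    ip = ipaddress.ip_address(addr)
    old, new = ipaddress.ip_network(old_net), ipaddress.ip_network(new_net)
    if old.prefixlen != new.prefixlen:
        raise ValueError("1-to-1 network NAT needs equal prefix lengths")
    if ip not in old:
        return None                      # not covered by the rule: untranslated
    host_bits = int(ip) & int(old.hostmask)
    return str(ipaddress.ip_address(int(new.network_address) | host_bits))

class PatTable:
    """Many-to-one overload model; only inside-initiated flows create entries."""
    def __init__(self, outside_ip, timeout=60, first_port=1024):
        self.outside_ip, self.timeout, self.next_port = outside_ip, timeout, first_port
        self.entries = {}                # outside port -> [flow tuple, last_seen]

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now):
        flow = (src_ip, src_port, dst_ip, dst_port)
        for port, entry in self.entries.items():
            if entry[0] == flow and now - entry[1] <= self.timeout:
                entry[1] = now           # refresh the live entry
                return self.outside_ip, port
        port, self.next_port = self.next_port, self.next_port + 1
        self.entries[port] = [flow, now]
        return self.outside_ip, port

    def inbound(self, remote_ip, remote_port, outside_port, now):
        entry = self.entries.get(outside_port)
        if entry is None:
            return None                  # unsolicited: nothing to translate to
        if now - entry[1] > self.timeout:
            del self.entries[outside_port]
            return None                  # entry expired: return traffic is lost
        if entry[0][2:] != (remote_ip, remote_port):
            return None                  # port belongs to a different remote peer
        entry[1] = now
        return entry[0][:2]              # (inside ip, inside port)

def demo():
    # Constructed sample using the thread's addresses; ports and times are made up.
    dst = map_prefix("172.16.7.50", "172.16.7.0/24", "192.168.1.0/24")
    pat = PatTable("10.4.4.2", timeout=60)
    src = pat.outbound("10.1.1.5", 40000, dst, 23, now=0)
    reply = pat.inbound(dst, 23, src[1], now=30)
    late = pat.inbound(dst, 23, src[1], now=200)
    return dst, src, reply, late
```

Calling `demo()` walks one telnet flow from 10.1.1.5 through both translations, then shows the reply being accepted while the entry is live and dropped after it has timed out.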