
What is the command to NAT a destination network 10.1.1.Z to another network 192.168.1.Z?

getaway51
Level 2

Hi,

 

I am trying to NAT a network 10.1.1.0/24 to another network 192.168.1.0/24. When this happens, the last octet Z should remain (e.g. 10.1.1.50 to 192.168.1.50), otherwise packets will be lost. Basically it's a 1-to-1 NAT. May I know what the steps are to do this?

53 Replies

Hi Paul, thanks for the explanation!

If I wanted to NAT a destination to another destination address, what would the config look like?

For example, from inside to outside traffic:

1) Before NAT: source 10.1.1.5, destination 172.17.8.0/24

After NAT: source 10.1.1.5, destination 192.168.1.0/24

2) Before NAT: source 10.1.1.5, destination 172.17.9.1/32

After NAT: source 10.1.1.5, destination 192.168.2.1/32

 

 

Hello

NOTE: Your current setup will NOT accommodate these queries, but I will try to explain the above. However, I would suggest you look up the basics of NAT from the links below and read the fundamentals of what can be achieved with network translation.

Cisco Nat Basic
Nat definitions

Assumption here is as follows:
10.1.1.5 (internal to nat router)
172.17.8.0/24 ( destination network)
192.168.1.0/24 (destination network)



@getaway51 wrote:

1) Before NAT: source 10.1.1.5, destination 172.17.8.0/24

After NAT: source 10.1.1.5, destination 192.168.1.0/24


Now given the 1st part of your example:
You cannot NAT a specific host to a whole subnet; it will need to be a host within that subnet.

Secondarily, the after-NAT source will not be seen as host 10.1.1.5; it will be seen as a host from the NAT router's public subnet, from which host 10.1.1.5 originated internally.

As for a destination host specified in the 172.17.8.x subnet to be changed into another subnet, 192.168.1.x, you would need to be performing destination NAT on the receiving router so a host in the 172.17.8.x subnet can be translated into a host in the 192.168.1.x subnet.



@getaway51 wrote:

2) Before NAT: source 10.1.1.5, destination 172.17.9.1/32

After NAT: source 10.1.1.5, destination 192.168.2.1/32


This is somewhat more specific, as it does state host to host; however, for this to work, what I have already explained applies here too. You will need to be performing NAT on the routers at both ends to achieve this.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

 

I read those links you provided. Very useful! I see this in a different picture now.

Servers LAN HQ ------ R1 ------------- R2 (NAT) ------------- PC ------- Internet, overlapping LAN
192.168.1.0/24        10.4.4.1 (LAN)   10.4.4.2 (OUTSIDE)     10.1.1.5   192.168.1.0/24
172.15.1.1/32                          10.1.1.1/24 (INSIDE)              172.15.1.1/32

 

OUTSIDE -> INSIDE (traffic from Servers LAN HQ to R2 inside)

Before NAT: source 192.168.1.0/24, destination 10.4.4.2

After NAT: source 172.17.8.0/24, destination 10.1.1.5

May I know what the config looks like, or do you have a suggestion for this problem?

This is a real-life setup where R2 is the ISP router. Only 10.4.4.x is routable in the outside network. The PC LAN is trying to reach Servers LAN HQ 192.168.1.0/24 & 172.15.1.1/32. However, these networks are already connected directly to the LAN. Therefore I need to find another LAN like 172.17.8.0/24 which doesn't conflict with the internal LAN, and NAT the destination to 192.168.1.0/24 via R2. Otherwise, if the PC LAN tries to access 192.168.1.0/24, it will go to an unintended destination.

This is the reason I need to perform NAT destination from INSIDE -> OUTSIDE, or so-called NAT source from OUTSIDE -> INSIDE.

Have you any idea?

Hello

Before we proceed, can you post a topology of your network? The previous examples seem to have changed over time in this post, and I want to make sure I understand your network as it is at present.



Kind Regards
Paul

Hi Paul,

This is a diagram of how it looks.

Servers LAN HQ ------ R1 ------------- R2 (NAT) ------------- PC ------- Internet, overlapping LAN
192.168.1.0/24        10.4.4.1 (LAN)   10.4.4.2 (OUTSIDE)     10.1.1.5   192.168.1.0/24
172.15.1.1/32                          10.1.1.1/24 (INSIDE)              172.15.1.1/32

R1 is the ISP router, R2 is the user router. Internally, the PC LAN already has 192.168.1.0/24 & 172.15.1.1/32. Therefore it needs to access a dummy address to reach Servers LAN HQ (192.168.1.0/24 & 172.15.1.1/32).

The Servers LAN HQ and R1 config is not going to change. R1 just needs to make sure all traffic from inside to outside is translated to a source of 10.4.4.2.

I think it needs the nat outside source list config, but I'm not sure how it would look. I would appreciate it if you can help out.

Hi Paul,

 

I attached the diagram. 

Objective: User from Internal must reach 192.168.1.0/24 and 172.15.1.1/32 in HQ Servers LAN

When traffic goes from Inside to outside,
1) All Internal hosts must NAT source to 10.4.4.2/24.
2) The overlapping LAN 192.168.1.0/24 and 172.15.1.1/32 also exist in the Internal LAN. Therefore the Internal LAN must access dummy addresses routable to R2 (e.g. 10.100.100.0/24 and 10.2.1.1/32), which are later destination-NATed to 192.168.1.0/24 and 172.15.1.1/32, i.e. once R2 receives a request going to 10.100.100.0/24 and 10.2.1.1/32, it will NAT it to 192.168.1.0/24 and 172.15.1.1/32.

Please can you guide me?

Hello

So just to confirm,

 

The internal network uses the following subnets:
192.168.1.0/24
172.15.1.1/32 <--- what is this host used for? Any specific application?
10.1.1.1.x <----- what is this PC used for? Why are the other internal networks shown as residing behind it?

Behind the ISP router, the following subnets are used:
192.168.1.0/24
172.15.1.1/32 <---- what is this host used for? Any specific application?

Between ISP1 and R2 the transit path has a subnet of 10.4.4.x/24



Kind Regards
Paul

Hi Paul,

 

The internal network uses the following subnets:
192.168.1.0/24
172.15.1.1/32 <--- what is this host used for? Any specific application? No specific application, could be anything like port 23, 22.
10.1.1.1.x <----- what is this PC used for? Why are the other internal networks shown as residing behind it?

The internal networks have 192.168.1.0/24, 172.15.1.1/32 & 10.1.1.1.x/24. Therefore 10.1.1.x/24 users can't access the HQ servers. The networks in the internal LAN & the HQ servers LAN overlap.


Behind the ISP router, the following subnets are used:
192.168.1.0/24
172.15.1.1/32 <---- what is this host used for? Any specific application? No specific application, could be anything like port 23, 22.

Between ISP1 and R2 the transit path has a subnet of 10.4.4.x/24. Yes. Routing from HQ goes only up to 10.4.4.x/24. The internal LAN is a hidden network behind R2. Therefore source & destination need to be NATed. NAT inside & outside is needed.

Hello

Okay, one more thing.

Are you wanting the internal networks 192.168.1.0/24, 172.15.1.1/32 to be able to communicate with the ISP HQ servers 192.168.1.0/24, 172.15.1.1/32, or is it just the 10.1.1.x/24 users?

Is all traffic to be initiated from your internal network or from either site?



Kind Regards
Paul

Hi Paul,

It is just the 10.1.1.x users. Other internal networks remain untouched.


Traffic is only initiated from the internal network 10.1.1.0/24. But do let me know the command options if traffic needs to be initiated from the other side. Thanks so much Paul!!

Hello

Can you tell me what is between the internal 10.1.1.x/24 and 192.168.1.0/24?

  Site 1 - ISP                                   Site 2
192.168.1.0/24 <------ 10.4.4.0/24 -------> 10.1.1.0/24 <----> 192.168.1.0/24
172.15.1.1/32                                                  172.15.1.1/32

The problem you have is that 10.1.1.x/24 cannot route two different ways for the same subnet at two different locations, hence why I am asking the above.

The only way I can see at least some communication being established is if you initiated traffic towards 10.1.1.x/24 from the ISP side; then the config would be something like this:

 

R2
interface x/x
 description ISP facing
 ip nat outside

interface x/x
 description LAN facing
 ip nat inside

 

access-list 1 permit 192.168.1.0 0.0.0.255

or

route-map 1 
match ip address 1

ip nat pool ISP 100.100.100.1 100.100.100.254 prefix-length 24 type match-host
ip nat outside source list 1 pool ISP    or   ip nat outside source route-map 1 pool ISP
ip route 100.100.100.0 255.255.255.0 10.4.4.1   < static route for dummy nat pool>

 

On the ISP router, add a route back towards 10.1.1.0/24:
ip route 10.1.1.0 255.255.255.0 10.4.4.2                                                           



Kind Regards
Paul
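
Added example, not part of the original posts: a small Python model of the address rewriting that the `match-host` pool in the config above performs, where the last octet Z is kept and HQ's 192.168.1.Z is shown to the inside as 100.100.100.Z. The function names are illustrative, and the model covers address rewriting only, not routing or port translation.

```python
import ipaddress

# Ranges taken from the config in the post above: HQ 192.168.1.0/24 is
# presented to the inside as the dummy pool 100.100.100.0/24 ("ISP" pool).
HQ_NET = "192.168.1.0/24"
DUMMY_NET = "100.100.100.0/24"


def map_host(addr, from_net, to_net):
    """Move addr from from_net into to_net, keeping the host bits (Z)."""
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        # A single host cannot be mapped 1-to-1 onto a whole subnet.
        raise ValueError("1-to-1 NAT needs equal prefix lengths")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        return None  # no rule matches; the address is left alone
    host_bits = int(ip) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


def inside_to_outside(src, dst):
    """Inside host -> HQ: the dummy destination becomes the real HQ address."""
    real = map_host(dst, DUMMY_NET, HQ_NET)
    return (src, real if real else dst)


def outside_to_inside(src, dst):
    """HQ -> inside host: the HQ source is shown as its dummy address."""
    dummy = map_host(src, HQ_NET, DUMMY_NET)
    return (dummy if dummy else src, dst)


if __name__ == "__main__":
    # Constructed sample packets as (source, destination) pairs.
    print(inside_to_outside("10.1.1.5", "100.100.100.50"))
    print(outside_to_inside("192.168.1.50", "10.1.1.5"))
    # A packet to the overlapping local 192.168.1.0/24 matches no rule.
    print(inside_to_outside("10.1.1.5", "192.168.1.50"))
```
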

Hi Paul,

 

What would be the command for ip nat inside and ip nat outside if the traffic is initiated just from one side, which is the internal network 10.1.1.0/24 to the HQ servers LAN?

Hello

Can you tell me what is connecting the internal networks of site two?

 



Kind Regards
Paul

Hello


@getaway51 wrote:

Hi Paul,

 

What would be the command for ip nat inside and ip nat outside if the traffic is initiated just from one side, which is the internal network 10.1.1.0/24 to the HQ servers LAN?


Cannot see how this can be done at this time, as previously stated, unless the ISP router performs NAT.



Kind Regards
Paul