12-01-2023 01:32 AM
Hi, we have our own private MPLS network; all branches are connected to HQ via MPLS. Now one branch has a local external line which is connected to a client. The client needs to access the web server which is located in HQ via that line. We don't have a firewall, so we will use the core switch to do port forwarding to achieve this goal. For a port forwarding solution on a Cisco device, we need to specify the NAT inside interface. As we are using MPLS, I don't know which interface should be the inside interface for NATting. Can anyone please advise? Thanks in advance!
client router ---> interface g0/1 of our branch core switch (layer 3, MPLS PE router), interface g0/0 --> MPLS link (leased line to HQ and other branches).
Core switch interface G0/1 is under VRF "Red"; we import the routes for VRF "Red" from HQ via MPLS.
Some VLANs are configured on the core switch; they are under VRF "Red".
12-01-2023 01:47 AM
Many to one.
If the branch has many interfaces that connect to hosts and one interface that connects to MPLS,
then configure all interfaces except the MPLS interface as inside and configure the MPLS interface as outside.
You also need to include all host subnets in the ACL of the NAT overload.
MHM
12-01-2023 02:02 AM
Thanks @MHM Cisco World for your advice. MPLS is our internal side; the external side is the interface g0/1 which is connected to our local client, but the server is located in HQ, which is connected via our private MPLS. Our branch client will access this server via a private line, to
12-01-2023 02:05 AM
Can you draw the topology?
Thanks
MHM
12-01-2023 02:19 AM
12-01-2023 02:24 AM
HQ knows the prefix of the link connecting the branch to the MPLS core; it doesn't know the prefix connecting the branch to the client.
So, as I mentioned, you need to make client to branch as IN
and branch to MPLS core as OUT.
MHM
12-01-2023 02:35 AM
HQ knows the client IP; the branch advertises the client prefix to HQ. The NAT will be like this:
the client accesses one IP, 1.1.1.1 (example), with the source IP 192.168.0.1; then the branch core switch does destination NAT and forwards the traffic to the web server 2.2.2.2 with the original source 192.168.0.1.
12-01-2023 02:56 AM
In that case, if you want to NAT the server IP,
you need to NAT using ip nat outside and keep, as I mentioned above, MPLS as OUT and client to branch as IN.
MHM
12-01-2023 04:24 AM
Sorry, I don't understand your solution. Below is an example of inbound access to an internal server from external. But I don't know how to configure it if the internal side is an MPLS layer 3 VPN network.
How to Configure Port Forwarding on Cisco Router (With Examples) (networkstraining.com)
Another question is: can I put the command "ip nat outside" under the MPLS interface? With a layer 3 MPLS VPN, can it NAT IP addresses like a normal interface?
12-01-2023 11:10 AM
Friend,
you have a client with IP 192.168.0.x that needs to access server 1.1.1.1, but we need to NAT the server IP to 2.2.2.2.
The traffic source will be 192.168.0.x and the destination is 1.1.1.1.
ip nat inside source: NATing the source
ip nat outside source: NATing the destination
Here your ip nat inside is the interface connecting your branch to the client,
and ip nat outside is the interface connecting your branch to MPLS.
https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13773-2.html
Can an MPLS interface be configured with NAT?
Sure, yes.
MHM
12-01-2023 06:41 PM
Thanks @MHM Cisco World. However, I am trying to configure destination NAT, not source NAT. I already figured out a solution. Thanks again for your advice.
12-02-2023 01:33 AM
You are so welcome
Have a nice weekend
MHM
12-02-2023 04:14 AM
Hello
@Herman2018 wrote:
We don't have firewall, will use core switch to do port forwarding to archive this goal
Does your core switch even support NAT? Also, is it DNAT you really require here?
Based on your OP, and if the switch does indeed support NAT, then interface g0/1 will be your NAT outside domain, and your NAT inside domain interface should be g0/0.
ip nat outside source static <outside global ip> <outside local ip>
Example destination static NAT:
Outside global = 100.100.100.1 (public src IP)
Outside local IP = 11.1.11.101 (NATted IP)
Inside local IP = 10.1.12.101 (local server)
ip nat outside source static 100.100.100.1 11.1.11.101
interface g0/1
ip nat outside
interface g0/0
ip nat inside
ping -S 100.100.100.1 10.1.12.101
*Mar 1 00:16:43.099: NAT: s=100.100.100.1->11.1.11.101, d=10.1.12.101
*Mar 1 00:16:43.103: NAT: s=10.1.12.101, d=11.1.11.101->100.100.100.1
In the above, the client traffic ingressing into your own network with a source IP of 100.100.100.1 will be translated by the NAT router/switch to 11.1.11.101, which means this IP will be accessible locally within your own network.
Any inside host replying to 11.1.11.101 will be translated to 100.100.100.1.
Is this what you are looking for, or is it, as @MHM Cisco World suggested, a basic 1-to-1 static NAT you require?
ip nat inside source static 10.1.12.101 11.1.11.101
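Putting the thread's numbers together, here is an added example (not posted by anyone in the thread) of the destination static NAT the OP describes: client 192.168.0.1 on g0/1 reaches 1.1.1.1, and the branch switch forwards it to the HQ web server 2.2.2.2 across MPLS. Assumed: an IOS/IOS-XE image that supports VRF-aware NAT, both NAT interfaces placed in VRF Red (hence the match-in-vrf keyword), and the interface addresses shown are made up for the example.

```cisco
! Added example, not from the thread. Assumptions: both NAT interfaces are in
! VRF Red, the platform supports VRF-aware NAT, and the addresses below are made up.
!
! Client-facing link: the client sits in the NAT "outside" domain.
interface GigabitEthernet0/1
 description To client router
 vrf forwarding Red
 ip address 192.168.0.254 255.255.255.0
 ip nat outside
!
! HQ-facing link: the web server is reached through it, so it is the NAT "inside" domain.
interface GigabitEthernet0/0
 description Link towards HQ over MPLS
 vrf forwarding Red
 ip address 10.255.0.1 255.255.255.252
 ip nat inside
!
! Inside local 2.2.2.2 (real server) is presented to the outside as inside global 1.1.1.1.
! A client packet to 1.1.1.1 is destination-translated to 2.2.2.2 before routing,
! and the server's reply is source-translated back to 1.1.1.1 on the way out.
! match-in-vrf keeps the translation within VRF Red since both interfaces are in it.
ip nat inside source static 2.2.2.2 1.1.1.1 vrf Red match-in-vrf
!
! Port-forwarding variant: expose only TCP/443 of the server instead of every port.
! ip nat inside source static tcp 2.2.2.2 443 1.1.1.1 443 vrf Red match-in-vrf
!
! Verification after the client connects:
!   show ip nat translations vrf Red
! Expected entry: Inside global 1.1.1.1, Inside local 2.2.2.2, Outside 192.168.0.1
```

The static entry is built from the server side (inside local to inside global), which is what gives the destination translation for traffic arriving on the outside interface; a source-only rule in the other direction would not change the destination the client targets.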