We currently have a 2901 router (ipbasek9 license, firmware 15.0(1r) M16).
It is configured to connect the LAN to the WAN (both internal networks) using NAT.
This is done in a many-to-1 way: we have about 50 devices on the LAN and we use 1x WAN address in the router for the translating.
Connections WAN-to-LAN happen by port forwarding on this 1x WAN IP address.
Connections LAN-to-WAN are going through the NAT on this single WAN address.
Now we want to switch this environment to a 1-1 NAT configuration.
So instead of just having 1 WAN IP address in the router, we want 50 WAN IP addresses available in the router, and map each directly with a single device in the LAN. This way we can also have WAN-to-LAN connections without the need of port forwarding. Routing without NAT is not an option because the "company network" will not allow local 192.168.x.x networks to be routed; NAT is required.
The current config looks a bit like this:
! LAN-facing interface (the post does not name it; a 2901 has Gi0/0 and Gi0/1, so Gi0/0 is assumed)
interface GigabitEthernet0/0
 ip address 172.16.0.19 255.255.0.0
 ip nat inside
!
! WAN-facing interface, used as the single overloaded NAT address
interface GigabitEthernet0/1
 ip address 18.104.22.168 255.255.0.0
 ip nat outside
!
! Access list selecting which LAN sources get translated (its entries were omitted in the post)
ip access-list standard NAT_THESE_ADDRESSES
!
! Many-to-one (PAT) translation of the listed sources onto the Gi0/1 address
ip nat inside source list NAT_THESE_ADDRESSES interface GigabitEthernet0/1 overload
We wonder if we can use this device to add 50 WAN IP addresses on the WAN interface GigabitEthernet0/1?
Or can you just link 1 address to 1 interface?
If this is not possible, we might need to buy new routers specifically designed for 1-1 NAT translations?
You don't need to add the IPs to the physical interface. You just set up your static NAT statements and as long as traffic for those IPs is sent to the router it should all work.
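Added example, not taken from the thread or from either poster: what the static one-to-one mappings look like on IOS next to the existing overload rule. It assumes Gi0/0 is the inside interface (the thread only names Gi0/1 as outside), uses 18.104.22.31/.32/.33 as placeholders for the 50 WAN addresses and 172.16.0.31/.32/.33 for the mapped LAN hosts, and assumes the WAN addresses sit in Gi0/1's own subnet, which is the case where the router answers ARP for them itself and no secondary address is needed. It also shows the one thing port forwarding gave you that 1:1 NAT does not: a per-port limit on what is reachable from the WAN.

```cisco
! Added example (not the poster's configuration). Placeholders:
!   inside hosts 172.16.0.31-33  ->  WAN addresses 18.104.22.31-33
! Assumed: Gi0/0 is the LAN side, Gi0/1 the WAN side, and the WAN
! addresses are inside Gi0/1's subnet.
interface GigabitEthernet0/0
 description LAN (inside)
 ip address 172.16.0.19 255.255.0.0
 ip nat inside
!
interface GigabitEthernet0/1
 description WAN (outside)
 ip address 18.104.22.168 255.255.0.0
 ip nat outside
 ip access-group WAN_INBOUND in
!
! One static entry per device. No secondary address is configured on Gi0/1:
! the static entry makes the router own the WAN address and answer ARP for it.
ip nat inside source static 172.16.0.31 18.104.22.31
ip nat inside source static 172.16.0.32 18.104.22.32
ip nat inside source static 172.16.0.33 18.104.22.33
!
! Everything else keeps using PAT on the Gi0/1 address. Static entries take
! precedence anyway, but denying the mapped hosts here keeps the intent explicit.
ip access-list standard NAT_THESE_ADDRESSES
 deny   172.16.0.31
 deny   172.16.0.32
 deny   172.16.0.33
 permit 172.16.0.0 0.0.255.255
ip nat inside source list NAT_THESE_ADDRESSES interface GigabitEthernet0/1 overload
!
! 1:1 NAT exposes every port of each mapped host, where port forwarding exposed
! only the forwarded ones. For outside-to-inside traffic the inbound ACL is
! evaluated before translation, so it matches the WAN (global) addresses.
! Permit only the services each host actually offers.
ip access-list extended WAN_INBOUND
 permit tcp any host 18.104.22.31 eq 443
 permit tcp any host 18.104.22.32 eq 22
 permit icmp any 18.104.22.0 0.0.0.255 echo
 permit tcp any any established
 deny   ip any any log
```

The `established` line only covers TCP replies to LAN-initiated sessions; if LAN hosts also need UDP replies through the WAN interface, a stateful feature (CBAC `ip inspect` or the zone-based firewall) is the proper way to admit them rather than widening the ACL. Since the WAN side is another internal network rather than the Internet, the ACL can be looser, but it is the only place that restores per-port control once port forwarding is gone.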
Thank you but I don't understand "as long as traffic for those IPs is sent to the router...". This router is not the "default gateway" for the upper network. So no traffic initiated at WAN for those WAN IP addresses will end up at this router. Where do I need to add my 22.214.171.124-32-33-34-... addresses and mappings to 172.16.0.31-32-33-34-... in the script above?
To be clear, I need this router to be configured in a way so that if, from within WAN, I ping "126.96.36.199" it ends up at 172.16.0.31.
Same for 32, 33, 34 ... without having a default gateway configured at WAN.
My device in WAN is
GW not configured, no routes configured
I want to ping/connect to 188.8.131.52 which will end up at 172.16.0.31 on the LAN network. So my 184.108.40.206 address on the WAN network must be "as if" it is the 172.16.0.31 device on the LAN. By doing 1-1 NAT on the router. This for about 50 devices. Question is: is this possible with this router. We know there are special 1-1 NAT routers (with web GUIs), but we don't know if the existing router can. The 172.16.0.31 device has its default gateway configured to be the router.
Thanks a lot Jon, you helped me out previously as well.
We don't have to fear for a limitation on the maximum amount of NAT statements in the router? We couldn't find any statement about this.
Just in order to understand this from a technical point of view: how will the ARP table on the WAN computer be able to populate its IP/MAC relation for this 220.127.116.11 address? It will send ARP broadcast requests for IP "18.104.22.168" into its own network. But how will the router then detect this broadcast message and respond? Will it forward the request to the 172.16.0.31 device and translate its response and send it back to the WAN device? Which MAC address will end up in the WAN device? Will all broadcast messages on the WAN end up at all translated LAN devices?
I doubt you will hit any limits with only 50 devices so you should be fine. It is the memory that is used so worth keeping an eye on but like I say I would be surprised if the router couldn't handle it.
How it works is that once you have configured a NAT statement the router then takes ownership of that IP address. So the ARP is broadcast onto the subnet and the router receives this, sees it is for an IP it has a NAT statement for, and so responds with the MAC address of the interface in that subnet, i.e. gi0/1 from your posted configuration.
So your client receives that mac address thinking it is the mac of the actual host and sends the traffic to the router which then translates the NAT IP to the real IP and forwards on to the 172.16.0.x client.
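Added example, not from the thread: the IOS commands that let you confirm each step of the behaviour just described (the router owning the WAN address, answering ARP for it with Gi0/1's MAC, and translating on the way in) instead of taking it on trust. Placeholders: inside host 172.16.0.31 mapped to WAN address 18.104.22.31 on Gi0/1.

```cisco
! Added example (not from the thread). Placeholders: 172.16.0.31 <-> 18.104.22.31.
!
! 1. The static mapping is present as a translation with no port numbers
!    (dynamic PAT entries show ports; the 1:1 entry does not):
show ip nat translations
show ip nat translations verbose
!
! 2. The router has taken ownership of the WAN address: a static entry on the
!    local subnet appears as an alias alongside the interface's own address.
show ip aliases
!
! 3. Note Gi0/1's MAC, then ping 18.104.22.31 from the WAN host and compare
!    the entry in that host's ARP cache; it should be this MAC, not the LAN host's.
show interfaces GigabitEthernet0/1 | include address
!
! 4. Watch the translation happen while the WAN host connects, then turn
!    debugging off again; it is per-packet and should not be left running.
debug ip nat
undebug all
!
! 5. Hit/miss counters and the number of active translations, which is also the
!    figure to watch as the 50 mappings are added (the limit is memory, not a count).
show ip nat statistics
```

If the WAN host's ARP cache shows no entry or a different MAC, the usual cause is that the WAN address is not in Gi0/1's subnet; in that case the upstream network needs a route for those addresses pointing at the router, which is what "as long as traffic for those IPs is sent to the router" refers to.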