Configure NAT from outside to outside in router, possible?

eltote1982
Level 1

Hi all,

I have configured 4 interfaces in my router:

Fa0/0 --> LAN (inside)
Fa0/1 --> Internet (outside)
Fa0/2 --> Supplier1 (outside)
Fa0/3 --> Supplier2 (outside)

I have several NAT rules from LAN to "outside" interfaces and from outside to LAN working fine.

The problem is that Supplier1 needs to connect to Supplier2 and the connection will go through my router, so I need to configure a NAT rule to make this connection possible. The NAT IP to use for Supplier1 will not be a LAN IP, but one similar to (if not the same as) the one we use to connect to Supplier2.

In summary, this is what I aim to configure:

Supplier1              MY ROUTER            Supplier2
Source 1.1.1.1   -->   translate    -->     Receives 2.2.2.2 as source

I've been searching for a solution for several weeks with no luck, so I think this kind of configuration is probably not possible with Cisco routers and we will need to get an ASA (one day...).

Does someone know if this kind of NAT configuration (outside, outside) is possible with routers? If yes, could you please give me a hint about how to configure it?

If it is not possible, this question doesn't make sense, but would it be possible to change both source and destination IPs? This is just a personal question; I don't need to do it.

Thanks in advance,

Jose

12 Replies

Gurpreet Puri
Level 1

Hi Jose,

Could you please tell me the router series you are using?

Regards,
Gurpreet S Puri

****************************
Keep Smiling, Peace :)
****************************

(Please Rate Helpful Post)


Hi Gurpreet,

My routers are C3640-JS-M Version 12.2(1), but I'm going to replace them with 3925s soon (in about two months' time), so I would prefer a solution for the newer ones if I have to choose.

To be honest, I find it quite difficult to configure NAT in Cisco routers, and for some rules I use a Linux server (it just does the NAT and sends the packets back to the router), but I'm sure I don't really need it and I can remove it with the correct configuration in the routers.

Regards,

Jose

eltote1982
Level 1

Hi,

I've been investigating and I found the following link --> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

Has anyone tried this?

Is there any other way to do this with newer routers?

Thanks,

Jose

Hi Jose,

I think it's possible.

In your case, Fa0/2 and Fa0/3 are configured as ip nat outside, right?

If so, you can write the static nat rules regarding what you are trying to reach.

In advance, sorry for the worst topology drawing I've ever done.

        (Supplier1)                                   (Supplier2)
   RouterB -- 192.168.3.x/30 -- RouterA -- 192.168.4.x/30 -- RouterC
      |                                                        |
 192.168.1.x/30                                          192.168.2.x/30
      |                                                        |
   RouterD                                                  RouterE
 (1.1.1.1/24)                                             (2.2.2.2/24)

Router A
ip nat inside source static 192.168.3.2 1.1.1.1
ip nat inside source static 192.168.4.2 2.2.2.2

Router B
ip route 2.2.2.2 255.255.255.0 RouterA

Router D
interface loopback100
 ip address 1.1.1.1 255.255.255.0
!
ip route 2.2.2.2 255.255.255.0 RouterC

Router E
interface loopback 100
 ip address 2.2.2.2 255.255.255.0
!
ip route 1.1.1.1 255.255.255.0 RouterC

Router C
ip route 1.1.1.1 255.255.255.0 RouterA

I tested it like that and it's working; you can test it in GNS3 as well.

If 1.1.1.1 wants to reach 2.2.2.2, it can ping, and you can see the translation happen in RouterA.

If you need anything, please feel free to get in touch.

Best Regards,

-Mert

Hi Mert,

Sorry for not replying before, I had a few days off.

I didn't have time to test this in GNS3, but I think it won't work for me: I cannot use static NAT since both suppliers also connect to our LAN servers. Anyway, I will test it and let you know.

Regards and merry Christmas,

Jose

eltote1982
Level 1

Hi Mert,

I've been trying to test in GNS3 but in my environment it doesn't work.

I think it is not possible: to do NAT, the packet needs to flow from an inside to an outside interface or vice versa.

I've been trying to use NVI too, but I am having some strange results... I will investigate in depth.

Anyway, could you please copy your configuration? Just in case I did something wrong.

Regards,

Jose

Jose,

In the past, I've been able to do this with the NVI style of NAT configuration but I strongly recommend using the no ip redirects on the interface configured with the ip nat enable command. Read more here:

https://supportforums.cisco.com/message/827990#827990

Jump deeper into the thread to see the comments about no ip redirects.

Best regards,

Peter

Hi Peter,

I added "no ip redirects" to all interfaces in the scenario but still the same issue. For some reason I see some packets from the router that is doing nat.

This is the topology I configured in GNS3:

172.22.26.100 [R2] 192.168.100.2 <--> 192.168.100.1 [R1] 192.168.200.1 <-->192.168.200.2 [R3] 10.0.0.5

I want to change 172.22.26.100 to 192.168.25.100 when it tries to connect to 10.0.0.5, and I configured this on R1:

interface F0/0
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 ip nat enable
 ip virtual-reassembly
interface F0/1
 ip address 192.168.200.1 255.255.255.0
 no ip redirects
 ip nat enable
 ip virtual-reassembly
ip route 10.0.0.0 255.255.255.0 192.168.200.2
ip route 172.22.26.0 255.255.255.0 192.168.100.2
ip nat pool NAT_POOL 192.168.25.100 192.168.25.100 prefix-length 24
ip nat source list NAT pool NAT_POOL
ip access-list extended NAT
 permit ip host 172.22.26.100 host 10.0.0.5

Here is the log I see for the command "ping 10.0.0.5 source 172.22.26.100 repeat 1":

Router1
NAT*: s=172.22.26.100->192.168.25.100, d=10.0.0.5 [125]
IP: s=10.0.0.5 (FastEthernet0/1), d=192.168.25.100, len 100, unroutable
IP: tableid=0, s=192.168.200.1 (local), d=10.0.0.5 (FastEthernet0/1), routed via FIB
IP: s=192.168.200.1 (local), d=10.0.0.5 (FastEthernet0/1), len 56, sending

Router3
IP: tableid=0, s=192.168.25.100 (FastEthernet0/0), d=10.0.0.5 (Loopback100), routed via RIB
IP: s=192.168.25.100 (FastEthernet0/0), d=10.0.0.5, len 100, rcvd 4
IP: tableid=0, s=10.0.0.5 (local), d=192.168.25.100 (FastEthernet0/0), routed via FIB
IP: s=10.0.0.5 (local), d=192.168.25.100 (fastEthernet0/0), len 100, sending

And the ping is lost...

Any idea?

Thanks in advance,

Jose

eltote1982
Level 1

Hi,

I'm doing many, many tests, but I think it is not possible to solve this with Cisco routers (it would probably be possible with other devices...).

- With ip nat inside/outside, the translation only occurs when the traffic flows from inside to outside and vice versa, not when it flows from inside to inside nor from outside to outside. I cannot change the NAT domain on any interface since there are some NAT rules for LAN <-> suppliers.

- NVI does not fulfil my requirements since I also need to translate destination addresses.

- I also tried to configure something like "NAT on a stick", but it seems to work only if you use a single interface. My idea was to try to route traffic from the supplier1 interface (out) --> loopback (in) --> supplier2 interface (out), but it looks like it is too odd to work :$

I don't know if someone has any idea how to configure NAT in a different way, but I'm quite surprised by all these restrictions... I still think it must be possible somehow, since this is quite easy to do on a Linux server.

Any idea is welcome...

If there is no solution, thank you everyone for your efforts.

Jose

eltote1982
Level 1

Hello everyone,

I think I did it!!!! Source and destination translation from outside to outside (not exactly, but in the end it amounts to that).

I will copy below the configuration of the "middle" router; it translates an initial packet 172.22.26.100 --> 192.168.25.25 into 192.168.50.50 --> 10.0.0.5.

Here is the configuration (I removed the non-interesting config):

interface Loopback100
 ip address 192.168.250.253 255.255.255.252
 no ip redirects
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description ATOS
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 ip nat outside
 ip virtual-reassembly
 ip policy route-map toNat
!
interface FastEthernet0/1
 ip address 192.168.200.1 255.255.255.0
 no ip redirects
 ip nat outside
 ip virtual-reassembly
!
ip route 10.0.0.0 255.255.255.0 192.168.200.2
ip route 172.22.26.0 255.255.255.0 192.168.100.2
!
ip nat pool NAT_Source 192.168.50.50 192.168.50.50 prefix-length 24
ip nat inside source list NAT pool NAT_Source overload
ip nat inside source static 10.0.0.5 192.168.25.25
!
ip access-list extended NAT
 permit ip host 172.22.26.100 any
!
route-map toNat permit 10
 match ip address NAT
 set ip next-hop 192.168.250.254
!

And here is some debug info:

Supplier1#ping 192.168.25.25 source 172.22.26.100 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.25.25, timeout is 2 seconds:
Packet sent with a source address of 172.22.26.100
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 36/36/36 ms

---------------------------------------------------------------------------

MyRouter#
*Mar  1 06:48:32.074: NAT*: s=172.22.26.100, d=192.168.25.25->10.0.0.5 [106]
*Mar  1 06:48:32.074: IP: tableid=0, s=172.22.26.100 (FastEthernet0/0), d=10.0.0.5 (FastEthernet0/1), routed via FIB
*Mar  1 06:48:32.078: IP: s=172.22.26.100 (FastEthernet0/0), d=10.0.0.5 (Loopback100), g=192.168.250.254, len 100, forward
*Mar  1 06:48:32.082: IP: tableid=0, s=172.22.26.100 (Loopback100), d=10.0.0.5 (FastEthernet0/1), routed via RIB
*Mar  1 06:48:32.082: NAT: s=172.22.26.100->192.168.50.50, d=10.0.0.5 [106]
*Mar  1 06:48:32.086: IP: s=192.168.50.50 (Loopback100), d=10.0.0.5 (FastEthernet0/1), g=192.168.200.2, len 100, forward
*Mar  1 06:48:32.098: NAT*: s=10.0.0.5, d=192.168.50.50->172.22.26.100 [106]

MyRouter#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.25.25:91  10.0.0.5:91        172.22.26.100:91   172.22.26.100:91
--- 192.168.25.25      10.0.0.5           ---                ---
icmp 192.168.50.50:91  172.22.26.100:91   10.0.0.5:91        10.0.0.5:91

---------------------------------------------------------------------------

Supplier2>
*Mar  2 01:37:55.533: IP: tableid=0, s=192.168.50.50 (FastEthernet0/0), d=10.0.0.5 (Loopback100), routed via RIB
*Mar  2 01:37:55.533: IP: s=192.168.50.50 (FastEthernet0/0), d=10.0.0.5, len 100, rcvd 4
*Mar  2 01:37:55.533: IP: tableid=0, s=10.0.0.5 (local), d=192.168.50.50 (FastEthernet0/0), routed via FIB
*Mar  2 01:37:55.533: IP: s=10.0.0.5 (local), d=192.168.50.50 (FastEthernet0/0), len 100, sending

I'm really happy to have been wrong in the previous message, but please let me know if someone knows a different way to do this, since I suppose this kind of configuration must consume a lot of memory and CPU, and it drives crazy whoever has to maintain it if he/she didn't configure it in the beginning.

Many thanks everyone for your help and patience!!!

Jose
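The working configuration above and the earlier observation that classic IOS NAT only translates on an inside/outside crossing can be put side by side in a small model. This is an added example written for this thread, not Cisco code and not the poster's configuration: it simplifies IOS to one rule (translate only when ingress and egress are in different NAT domains, destination on outside->inside, source on inside->outside), uses the addresses, interface names and rules from the poster's final config, and treats a Loopback egress as re-entering the router on an inside interface. It shows the forward direction only; the return path is not modelled.

```python
"""Simplified model of Cisco IOS domain-based NAT (added example for this thread;
not Cisco code, not the poster's config). Rule modelled, as the thread observes:
translation happens only when a packet crosses between an 'ip nat inside' and an
'ip nat outside' interface. Addresses and rules are the poster's final config."""
from ipaddress import ip_address, ip_network

DOMAIN = {"Fa0/0": "outside", "Fa0/1": "outside", "Lo100": "inside"}
ROUTES = {"10.0.0.0/24": "Fa0/1", "172.22.26.0/24": "Fa0/0",
          "192.168.250.252/30": "Lo100"}       # Lo100's connected /30
STATIC = {"10.0.0.5": "192.168.25.25"}         # inside local -> inside global
POOL_SRC = "192.168.50.50"                     # ip nat pool NAT_Source (overload)
ACL_NAT = {"172.22.26.100"}                    # permit ip host 172.22.26.100 any
PBR = {"Fa0/0": "192.168.250.254"}             # route-map toNat: set ip next-hop

def lookup(dst):
    """Longest-prefix match over ROUTES; None means 'unroutable'."""
    hits = [(ip_network(n).prefixlen, i) for n, i in ROUTES.items()
            if ip_address(dst) in ip_network(n)]
    return max(hits)[1] if hits else None

def one_pass(src, dst, ingress, table, pbr=True):
    """One trip through the router; returns (src, dst, egress or None)."""
    cand = next((loc for loc, glob in STATIC.items() if glob == dst), dst)
    egress = lookup(cand)
    if pbr and ingress in PBR and src in ACL_NAT:  # route-map beats the RIB
        egress = lookup(PBR[ingress])
    dom_in, dom_out = DOMAIN[ingress], DOMAIN.get(egress)
    if dom_in == "outside" and dom_out == "inside" and cand != dst:
        table.append((dst, cand, src))             # inside global, inside local, outside
        return src, cand, egress                   # destination rewritten
    if dom_in == "inside" and dom_out == "outside" and src in ACL_NAT:
        table.append((POOL_SRC, src, dst))
        return POOL_SRC, dst, egress               # source rewritten
    return src, dst, egress if cand == dst else lookup(dst)  # untranslated

def forward(src, dst, ingress, pbr=True):
    """Follow a packet until it leaves a physical interface or is dropped; a
    Loopback egress re-enters as an 'inside' ingress (the thread's trick)."""
    table = []
    for _ in range(3):
        src, dst, egress = one_pass(src, dst, ingress, table, pbr)
        if egress is None or not egress.startswith("Lo"):
            return src, dst, egress, table
        ingress = egress
    raise RuntimeError("forwarding loop")

if __name__ == "__main__":
    print(forward("172.22.26.100", "192.168.25.25", "Fa0/0"))        # via Lo100
    print(forward("172.22.26.100", "192.168.25.25", "Fa0/0", pbr=False))  # dropped
```

With the route-map in place the packet leaves Fa0/1 as 192.168.50.50 -> 10.0.0.5 and the two table entries match the `sh ip nat translations` output above; with `pbr=False` the Fa0/0 -> Fa0/1 path is outside -> outside, nothing is translated, and 192.168.25.25 has no route.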

Ludovic Kuty
Level 1

I don't understand how it works when the gateway address 192.168.250.254 is something on the loopback network but is not the IP of the router (192.168.250.253).

To me, the lines below look like magic:

*Mar  1 06:48:32.078: IP: s=172.22.26.100 (FastEthernet0/0), d=10.0.0.5 (Loopback100), g=192.168.250.254, len 100, forward

*Mar  1 06:48:32.082: IP: tableid=0, s=172.22.26.100 (Loopback100), d=10.0.0.5 (FastEthernet0/1), routed via RIB

Could someone clarify it?

LokeshAgrawal
Level 1

It is possible; I have done this on an IOS-XE router.

You need to create a loopback interface on the router and make it ip nat inside, then use PBR to redirect the traffic from the outside interface to the loopback, and then from the loopback redirect the traffic with PBR to another outside interface.
