cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1392
Views
4
Helpful
10
Replies

Creating a NAT translation on a Cisco router for only one translation instance

Kevin Melton
Level 2
Level 2

Forum

I have a client whom has a need to perform a static NAT translation on a 3825 router.  Here is the situation:  WHEN and only when a source address of 192.168.103.59 attempts to send data to destination address 206.223.104.X and 206.223.105.X, we need for the router to translate the source addess of 192.168.103.59 to source address 172.28.6.136.  The source address of 192.168.103.59 resides on our G0/0 interface (which we can call inside).  The destination address 206.223.104.X resides off of the serial (multilink) interface (which we can call outside).

The rest of the time, there should be absolutely no translation occuring on this router.

PJMrouterNAT.JPG

Thanks for any help here

Kevin

1 Accepted Solution

Accepted Solutions

k-melton wrote:

Jon

We implemented what you had so kindly provided for us.  Unfortunantly, we stopped getting responses from other traffic that is traversing that WAN (multilink) interface.

Is there something missing from the config as provided to exclude all other traffic except that which qualifies for the NAT based on the ACL?

Thanks

Kevin

Kevin

Can you be more specific in exactly what stopped working ?

Jon

View solution in original post

10 Replies 10

Jon Marshall
Hall of Fame
Hall of Fame

k-melton wrote:

Forum

I have a client whom has a need to perform a static NAT translation on a 3825 router.  Here is the situation:  WHEN and only when a source address of 192.168.103.59 attempts to send data to destination address 206.223.104.X and 206.223.105.X, we need for the router to translate the source addess of 192.168.103.59 to source address 172.28.6.136.  The source address of 192.168.103.59 resides on our G0/0 interface (which we can call inside).  The destination address 206.223.104.X resides off of the serial (multilink) interface (which we can call outside).

The rest of the time, there should be absolutely no translation occuring on this router.


Thanks for any help here

Kevin

Kevin

access-list 101 permit ip host 192.168.103.59 206.223.104.0 0.0.0.255

access-list 101 permit ip host 192.168.103.59 206.223.105.0 0.0.0.255

route-map NAT permit 10

match ip address 101

ip nat inside source static 192.168.103.59 172.28.6.136 route-map NAT

+ you need "ip nat inside" and "ip nat outside" under the relevant interfaces.

Jon

Jon

We implemented what you had so kindly provided for us.  Unfortunantly, we stopped getting responses from other traffic that is traversing that WAN (multilink) interface.

Is there something missing from the config as provided to exclude all other traffic except that which qualifies for the NAT based on the ACL?

Thanks

Kevin

k-melton wrote:

Jon

We implemented what you had so kindly provided for us.  Unfortunantly, we stopped getting responses from other traffic that is traversing that WAN (multilink) interface.

Is there something missing from the config as provided to exclude all other traffic except that which qualifies for the NAT based on the ACL?

Thanks

Kevin

Kevin

Can you be more specific in exactly what stopped working ?

Jon

Jon

All other traffic in and out of the interface stopped working.  SCADA activity on that link stopped working.  We have SCADA servers (192.168.103.59) on what is effectively the inside interface in the NAT statement on the 3825 router.  We lost some connectivity to other networks on the inside interface as well.

I am including a picture for you that is an excerpt of the customers network diagram.  I have circled the router to perform the NAT on for the workstation 192.168.103.59 and then labeled (as best I could in Paint) the inside and outside with respect to the NAT functionality.

The report i have is that all systems that we talk to (on the INSIDE) became unreachable when we implemented the changes.

Thanks Jon

Kevin

Kevin

No problem. Can you post picture ?

Also it would help if you could give some idea of what IPs stopped working and in what direction in relation to the inside and outside interfaces of the router.

Can you also post the exact config that was added. I tested this before posting and it worked perfeclty but there may be something else on your production router that is causing the problem.

Jon

Yes I am attaching the photo.

Also it would help if you could give some idea of what IPs stopped working and in what direction in relation to the inside and outside interfaces of the router.

The best I can do is tell you what I know.  We could not communicate to 192.168.103.59 from our Networks at our Headquarters sight.  We also lost the ability to communicate to our Core Switch at the DR site (shown in pic).  The core sw we could not connect to 172.16.32.1.

Here is what we implemented:

access-list 101 permit ip host 192.168.103.59 206.223.104.0 0.0.0.255

access-list 101 permit ip host 192.168.103.59 206.223.105.0 0.0.0.255


route-map NAT permit 10

match ip address 101


ip nat inside source static 192.168.103.59 172.28.6.136 route-map NAT


we then put "ip nat inside" on the G0/0 interface, and "ip nat outside" on the Multilink Interface.

Kevin

If possible could you also post the config of the router in question.

Jon

Sure thing. It is attached.

Kevin

From the config -

ip nat source static 192.168.103.59 172.28.6.133
ip nat inside source route-map PJM interface GigabitEthernet0/0 overload
ip nat inside source route-map PJMnat interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.103.59 172.28.6.136 route-map PJMNAT

The first line is natting 192.168.103.59 to 172.28.6.133 for all traffic, do you know what this is for because i thought you only wanted to NAT 192.168.103.59 for some traffic.

Can you post the output of "sh ip nat translations" from this router ?

Jon

Good catch.  I should have seen that myself.

ip nat source static 192.168.103.59 172.28.6.133
ip nat inside source route-map PJM interface GigabitEthernet0/0 overload
ip nat inside source route-map PJMnat interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.103.59 172.28.6.136 route-map PJMNAT

the "ip nat source static 192.168.103.59 172.28.6.133" should not be there.  I wrote that earlier in the week as I was trying to write what we needed before requesting help.


I have removed it from the config.

Here is the post (once that was removed) for the ip nat translations.

lo-mpls3825#sho ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
--- 172.28.6.133          192.168.103.59        ---                   ---
lo-mpls3825#

I had to change the translsated address from 172.28.6.136 to 133.  I had it incorrect.

Here is the NAt config on the box now:

ip nat inside source route-map PJM interface GigabitEthernet0/0 overload
ip nat inside source route-map PJMnat interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.103.59 172.28.6.133 route-map PJMNAT

I dont think I need the first two statements at all, do I?   I do not even have route maps for those two...

Review Cisco Networking for a $25 gift card