Hi Jon

Sorry for late response., late night post.....

There is not nating configured yet on site B. (Site A also has no nating configurations yet)...

Are you saying you want any traffic from site A with a source IP of 204.1.1.x going to 198.1.1.1 to be sent to 198.1.1.2 instead ? 
If so on the site B CE router which interface is designated as ip nat outside and which interface is designated as ip nat inside.

What you understood is right.........traffic from site A with source 204.1.1.x going to 198.1.1.1 to be sent to 198.1.1.2

They asked me to implement it on CE router of Site A.

Fa0/0 - Lan port - where we get traffic from 204.1.1.x/24

Se0/0.101 - WAN port 1 to 1st PE

Se0/0.102 - WAN port 2 to 2nd PE.

Would like to say again here that on CE router of Site A, i dont have route to 198.1.1.1/32, and i have route learnt from BGP to 198.1.1.2/32. This 198.1.1.2/32 is  advertised to this CE router by the PE router.

looking for help/suggestions again.....

Apologies, i should have got back to you. I am labbing it up but it is quite difficult to get working so don't feel too bad about not being able to do it

Unlike pix/ASA firewalls where this is a trivial thing to do IOS is not particularly easy when it comes to destination NAT, or at least for me !

When i get some more time i'll lab it up again. I dropped a message to Marwan who has a lot of experience with NAT configs so hopefully he will respond as well.

Jon

Thanks Jon to let me know about this and i wish  i can help

Hi Manjunath wish we can help you to fix your issue

ok  i think the main problem here is that you do not have a route to the actual destination IP and with inside nating the router will try to look into the routing table before translating the IP

so what suggest to do is

remove all your NAT config for this part and do the following :

access-list 108 permit IP 204.1.1.0 0.0.255 host 198.1.1.1

ip route 198.1.1.1 255.255.255.255 [next hop IP of the PE ]

route-map map1 permit 10
match ip address 108 

ip nat inside source static 198.1.1.1 198.1.1.2 route-map map1

fa0/0

ip nat inside

s0/0

ip nat outside

s0/0.1

ip nat ouside

s0/0.2

ip nat outside

make sure the next hop PE is ude over one of the above subinterface and that subinterface has the nat outside command as above  where you learn the 198.1.1.2 from

then try and let us know

good luck

Hi Manju,

Marwan solution should work as long as you have the rechability to B end server ip address 198.1.1.1 with nated ip from location A (198.1.1.2.) before configuring the same create a loopback interface with ip address of 198.1.1.2 on site A and try to reach site B server ip by sourcing the traffic from loopback.

Rgds

Rama

even if you dont not have the reachability, the router first need to know where to route the traffic for 198.1.1.1 but after that the router will send the traffic to 198.1.1.2 using the routing table where you have 198.1.1.2 known thorugh routing/PE becuase 198.1.1.1 at the routing/forwarding out stage will be already NATed to 198.1.1.2

anyway once you try it let us know

HTH

Hey Jon, many heartly thanks to you for bringing Marwan

Marwan, thank you, i will try that and will post here soon...........

I am sorry for late, due to heavy work at office i didnt find time to come here..........

can you update us if you have tried it yet and if did work or not with you ?

edited

Marwan

I don't think this will work. You have used an "ip nat inside source static" command but your are not natting the source IPs, you are natting the destination IP.

The best i could come up with in the lab was to flip the interfaces ie. fa0/0 interface was "ip nat outside" and the serial interfaces were ip nat inside.

It did do the translation but unfortunately the policy NAT did not kick in ie. i could ping 198.1.1.1 from any address and not just 204.1.1.x

Thoughts ?

Edit - why does destination NAT on IOS have to be so difficult

Jon

The problem is that route-maps are not supported with the "ip nat outside source static ..." command or at least not on my IOS (12.4(21a).

I'm sure Marwan will come up with a NAT config but a workaround is -

int fa0/0

ip nat inside

ip access-group 101 in    <-- see below for explanation

int s0/0  <-- assuming this connects to PE

ip nat outside

ip nat outside source static 198.1.1.2 198.1.1.1 add-route

the above NAT would translate the destination IP of 198.1.1.1 to 198.1.1.2 but from any source IP address ie. not just 204.1.1.x

So to restrict it to just 204.1.1.x source IPs you can apply an acl on the fa0/0 interface ie.

access-list 101 permit ip 204.1.1.0 0.0.0.255 host 198.1.1.1

access-list 101 deny ip any host 198.1.1.1

access-list 101 permit ip any any

The above works but it is admittedly a bit of a mess. A pure NAT solution would be much better and hopefully there is a way that i am missing !

*** Edit - i did try flipping the interfaces ie. fa0/0 becomes "ip nat outside" and s0/0 etc. "ip nat inside". However even though the translation worked for some reason the policy NAT bit didn't so i could still ping 198.1.1.1 from any IP address. The other problem with flipping the interfaces is that if at some time later further NAT is needed chances are they will then be the wrong way round.

Jon