
Help configuring NAT

eltote1982
Level 1

Hello all,

First of all, excuse any language mistakes; I am not a native English speaker, but I will try to do my best.

I've been trying to configure a connection which requires NAT translation, but my devices are too old and it seems that the configurations I tried don't work, or I don't know how to implement them properly.

First, let me introduce my router: it is a Cisco C3640-JS-M running version 12.2(1). I found many ways to solve my problem, but none of them are supported by it.

To continue, the connection I am trying to configure is the following:

10.1.1.0/24(My LAN) --- (My ROUTER) --- 192.168.9.1/25  <-----> 192.168.9.126/25 --- (OTHER ROUTER) --- 172.22.1.0/24 (Their LAN)

So one host from 172.22.1.0/24 needs to connect to a server in my LAN (10.1.1.20), but they can't use the real IP, and we need to configure a NAT rule to translate traffic from them to 192.168.6.10 to 10.1.1.20, but only for this connection (there are other "WAN" interfaces).

These are my failed attempts:

1)

interface FastEthernet0/0.302
 ip nat outside
!
ip nat inside source static 10.1.1.20 192.168.9.10

PROBLEM: It works for this connection, but other connections are affected: no one can reach 10.1.1.20 apart from the LAN and incoming traffic on F0/0.302.

2) This attempt is quite hilarious... I'm desperate

ip nat pool NAT_OUT_POOL 192.168.9.10 192.168.9.10 prefix-length 1
ip nat pool NAT_IN_POOL 10.1.1.20 10.1.1.20 prefix-length 1
!
ip access-list standard ACL_NAT_GLOBAL
 permit host 192.168.9.10
 permit host 10.1.1.20
!
ip access-list standard NAT_OUT_LIST
 permit host 10.1.1.20
 permit host 192.168.9.10
!
route-map NAT_OUT_RM permit 10
 match ip address NAT_OUT_LIST
 match interface FastEthernet0/0.302
!
ip nat inside destination list ACL_NAT_GLOBAL pool NAT_IN_POOL
ip nat outside source route-map NAT_OUT_RM pool NAT_OUT_POOL

I have tried many examples from these links:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html

https://supportforums.cisco.com/docs/DOC-5061

But as I said before, some configurations are not supported by my device.

I'm suspecting that it is not possible, but I would like to think it is just my lack of knowledge XD

Many thanks in advance,

Jose


John Blakley
VIP Alumni

Your English is great!

ip nat pool Server 192.168.9.10 192.168.9.10 prefix 25  <--- you'll want a free ip address from your block
ip nat inside source list 101 pool Server
ip nat outside source list 102 pool Server
!
access-list 101 permit ip host 172.22.1.50 host 10.1.1.20
access-list 102 permit ip host 10.1.1.20 host 172.22.1.50

HTH,

John

HTH, John *** Please rate all useful posts ***

Thank you very much John, it is working perfectly. I just made a small change in the ACLs; here is the final configuration I included:

ip nat pool Server 192.168.9.10 192.168.9.10 prefix 25
ip nat inside source list 102 pool Server
ip nat outside source list 101 pool Server
!
access-list 101 permit ip host 172.22.1.50 host 10.1.1.20
access-list 102 permit ip host 10.1.1.20 host 172.22.1.50

Anyway, I did the tests when I generated the traffic; I still need the other entity to try to reach my host, but it looks really good.

Many many thanks again,

Jose

Glad to hear! Please mark this question as resolved.

Thanks!

John

HTH, John *** Please rate all useful posts ***

eltote1982
Level 1

Hi,

After implementing this configuration, I have found an issue: the NAT translation is applied to all traffic from 10.1.1.20 and not only to connections to 172.22.1.50, if previously there is a connection to 172.22.1.50, so I cannot have multiple connections from 10.1.1.20 if I want to connect to 172.22.1.50.

I have mitigated the issue by configuring the following NAT timeouts (not sure if I used sensible amounts of time):

ip nat translation timeout 30
ip nat translation udp-timeout 10
ip nat translation tcp-timeout 60
ip nat translation finrst-timeout 10

Is there any other way to fix this?

Thanks!

Jose

Seems odd considering you have an ACL that specifically ties those 2 hosts together. Can you post your configuration and "sh ip nat translations"? Just to refresh my memory, you were needing all traffic from the 10.x.x.x host to NAT going to the single 172.x.x.x host, and the same thing in reverse, correct?

HTH, John *** Please rate all useful posts ***

Hi,

Yes, it is strange... Another issue that I have seen is that the NAT translation is not working for traffic from 172.x.x.x, so I need to send some traffic to make the NAT translation be in memory, and then 172.x.x.x can reach 10.x.x.x using the 192.x.x.x IP. I suppose this is because I configured the interface with "ip nat outside", but if I don't include that the other configuration doesn't work.

Here is the configuration:

interface FastEthernet0/0.302
 ip address 192.168.9.1 255.255.255.128
 ip nat outside
!
ip route 172.22.1.50 255.255.255.255 192.168.9.126
!
ip nat pool FTP_IN 192.168.9.10 192.168.9.10 prefix 25
!
access-list 101 permit ip host 172.22.1.50 host 10.1.1.20
access-list 102 permit ip host 10.1.1.20 host 172.22.1.50
!
ip nat outside source list 101 pool FTP_IN
ip nat inside source list 102 pool FTP_IN

Martr-002#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.9.10       10.1.1.20          ---                ---

I'll lab this up and get back with you.

HTH, John *** Please rate all useful posts ***

Okay, I was able to lab this up and recreate what you're seeing. The "ip nat inside source list 102" line is applying NAT translation to everything (much like you're seeing). It does seem like it ignores the ACL that's applied even if you have only the 2 hosts listed. So, the way I was able to get around this is to enable PAT on the inside line:

ip nat inside source list 102 pool FTP_IN overload

This will allow you to NAT only to the destination that you're needing and not NAT everywhere else. When you do this, you'll see a different result in your translation table:

R1(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.9.1:17    192.168.57.7:17    10.46.0.6:17       10.46.0.6:17

Without the overload keyword, I had a 1-1 NAT:

R1#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.9.1        192.168.57.7       ---                ---
R1#

HTH,

John

HTH, John *** Please rate all useful posts ***
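The behaviour Jose hit earlier (every connection from 10.1.1.20 being translated once the first one to 172.22.1.50 exists) and John's overload fix above come down to the shape of the translation-table entry. The model below is an added illustration, not IOS code and not anything from the thread: a dynamic pool translation without "overload" installs a simple entry (inside local to inside global only, the "---" row in "sh ip nat translations"), and a simple entry is used for every later packet from that inside host regardless of destination, because the ACL is only consulted when no entry exists yet. With "overload" the entry is extended (protocol, ports and outside address are part of the key), so an unrelated flow from the same host finds no entry, fails the ACL and is forwarded untranslated. Addresses are the thread's; 192.0.2.99 is a constructed second destination, and the model keeps the source port unchanged under PAT.

```python
"""Toy model of an IOS-style NAT translation table (added illustration, not IOS code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Entry:
    inside_local: str
    inside_global: str
    proto: Optional[str] = None        # None => simple entry (no outside information)
    local_port: Optional[int] = None
    outside: Optional[str] = None
    outside_port: Optional[int] = None

    @property
    def simple(self) -> bool:
        return self.proto is None

    def render(self) -> str:
        """Format like one data row of 'sh ip nat translations'."""
        if self.simple:
            return f"--- {self.inside_global:<18} {self.inside_local:<18} ---                ---"
        ig = f"{self.inside_global}:{self.local_port}"
        il = f"{self.inside_local}:{self.local_port}"
        o = f"{self.outside}:{self.outside_port}"
        return f"{self.proto:<4} {ig:<18} {il:<18} {o:<18} {o}"


# access-list 102 permit ip host 10.1.1.20 host 172.22.1.50 (from the thread)
ACL_102: List[Tuple[str, str]] = [("10.1.1.20", "172.22.1.50")]
POOL_FTP_IN = "192.168.9.10"


class InsideSourceNat:
    """Models 'ip nat inside source list <acl> pool <pool> [overload]' for inside->outside packets."""

    def __init__(self, acl: List[Tuple[str, str]], pool_addr: str, overload: bool):
        self.acl, self.pool_addr, self.overload = acl, pool_addr, overload
        self.table: List[Entry] = []

    def _lookup(self, pkt: Packet) -> Optional[Entry]:
        for e in self.table:
            if e.inside_local != pkt.src:
                continue
            if e.simple:
                return e  # destination is not part of the key: any flow from this host matches
            if (e.proto, e.local_port, e.outside, e.outside_port) == (pkt.proto, pkt.sport, pkt.dst, pkt.dport):
                return e
        return None

    def translate(self, pkt: Packet) -> Packet:
        """Return the packet as it leaves the 'ip nat outside' interface."""
        entry = self._lookup(pkt)
        if entry is None:
            if (pkt.src, pkt.dst) not in self.acl:
                return pkt  # no entry and the ACL does not permit: forwarded untranslated
            if self.overload:
                entry = Entry(pkt.src, self.pool_addr, pkt.proto, pkt.sport, pkt.dst, pkt.dport)
            else:
                entry = Entry(pkt.src, self.pool_addr)  # simple 1:1 entry
            self.table.append(entry)
        return Packet(pkt.proto, entry.inside_global, pkt.sport, pkt.dst, pkt.dport)


def classify_translation_line(line: str) -> str:
    """Classify one data row of 'sh ip nat translations' as 'simple' or 'extended'."""
    cols = line.split()
    if len(cols) != 5:
        raise ValueError(f"not a translation row: {line!r}")
    return "simple" if cols[0] == "---" else "extended"


def demo(overload: bool) -> List[str]:
    """Translated source of the FTP flow, of an unrelated flow sent afterwards, and the table row."""
    nat = InsideSourceNat(ACL_102, POOL_FTP_IN, overload)
    ftp = Packet("tcp", "10.1.1.20", 1025, "172.22.1.50", 21)    # flow ACL 102 permits
    other = Packet("tcp", "10.1.1.20", 1026, "192.0.2.99", 443)  # constructed unrelated flow
    first = nat.translate(ftp).src
    second = nat.translate(other).src
    return [first, second, nat.table[0].render()]


if __name__ == "__main__":
    for overload in (False, True):
        print("overload" if overload else "no overload", demo(overload))
```

Running it shows the unrelated flow leaving with source 192.168.9.10 in the no-overload case and with its real source 10.1.1.20 once overload is on; classify_translation_line applied to the rows Jose and John pasted returns "simple" for the "---" row and "extended" for the icmp row, which is the quick way to tell from a live table which kind of entry a router has installed.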

Many thanks John,

It looks better now, but it works when I generate traffic and not when 172.22.1.50 tries to initiate the connection.

I have done a test and included a static translation:

ip nat inside source static tcp 10.1.1.20 80 192.168.9.10 80

It works, but other connections are affected since it is static, so I cannot use this configuration.

Here is the configuration I'm using. For sure there must be something wrong, but I can't find it.

interface FastEthernet0/0.62
 description *** LAN ***
 encapsulation dot1Q 62
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.302
 description *** Connection to WND ***
 encapsulation dot1Q 302
 ip address 192.168.9.1 255.255.255.128
 no ip redirects
 ip nat outside
!
ip nat pool FTP_IN 192.168.9.10 192.168.9.10 prefix 25
!
access-list 101 permit ip host 172.22.1.50 host 10.1.1.20
access-list 102 permit ip host 10.1.1.20 host 172.22.1.50
!
ip nat outside source list 101 pool FTP_IN
ip nat inside source list 102 pool FTP_IN overload
!
ip route 172.22.1.50 255.255.255.255 192.168.9.126

Okay...let's try this:

Remove the "ip nat outside source list 101 pool FTP_IN" line and the "ip nat inside source list 102 pool FTP_IN overload" line.

For this, use the 102 ACL, assuming that 10.1.1.20 is on the inside interface.

Create a route-map called something, "Nat" for instance:

route-map Nat permit 20
 match ip address 102

Then create your inside static mapping:

ip nat inside source static 10.1.1.20 192.168.9.10 route-map Nat reversible

This seems to work in both directions, but I'd be very interested to hear what you come up with....

HTH,

John


HTH, John *** Please rate all useful posts ***

John, I think the problem is that my router is too old. I tried to follow your instructions, but when I was going to create the inside static mapping there was an invalid input error for the route-map... It doesn't allow me to use the reversible option either...

It is on my agenda to change this device soon (months), so in the meantime I will use the previous configuration (without the overload), configure NAT timeouts, and coordinate the FTP connections with my partner for when no other connection is affected.

Thank you very much for your efforts, but it seems that it is not possible to make it work the way I wanted. Probably I will update this thread with the configuration for a newer device.

Anyway, thanks again. I have learned many things about NAT, so you helped a lot.

Finally, here is the configuration I will implement:

interface FastEthernet0/0.62
 description *** LAN ***
 encapsulation dot1Q 62
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.302
 description *** Connection to WND ***
 encapsulation dot1Q 302
 ip address 192.168.9.1 255.255.255.128
 no ip redirects
 ip nat outside
!
ip nat pool FTP_IN 192.168.9.10 192.168.9.10 prefix 25
!
access-list 101 permit ip host 172.22.1.50 host 10.1.1.20
access-list 102 permit ip host 10.1.1.20 host 172.22.1.50
!
ip nat outside source list 101 pool FTP_IN
ip nat inside source list 102 pool FTP_IN
!
ip route 172.22.1.50 255.255.255.255 192.168.9.126
!
ip nat translation timeout 30
ip nat translation udp-timeout 10
ip nat translation tcp-timeout 60
ip nat translation finrst-timeout 10
