08-03-2012 03:31 AM - edited 03-07-2019 08:08 AM
Hello all,
First of all, excuse any language mistakes; I am not a native English speaker, but I will try to do my best.
I've been trying to configure a connection which requires NAT translation, but my devices are too old, and it seems that the configurations I tried don't work, or I don't know how to implement them properly.
Firstly, I will introduce my router to you: it is a Cisco C3640-JS-M Version 12.2(1), so I found many ways to solve my problem, but none of them are supported by it.
To continue, the connection I am trying to configure is the following one:
10.1.1.0/24(My LAN) --- (My ROUTER) --- 192.168.9.1/25 <-----> 192.168.9.126/25 --- (OTHER ROUTER) --- 172.22.1.0/24 (Their LAN)
So one host from 172.22.1.0/24 needs to connect to a server in my LAN (10.1.1.20), but they can't use the real IP, and we need to configure a NAT rule to translate traffic from them to 192.168.6.10 to 10.1.1.20, but only for this connection (there are other "WAN" interfaces).
These are my failed attempts:
1)
interface FastEthernet0/0.302
ip nat outside
ip nat inside source static 10.1.1.20 192.168.9.10
PROBLEM: Works for this connection, but other connections are affected and no one can reach 10.1.1.20 apart from LAN and incoming traffic to F0/0.302
2) This attempt is quite hilarious... I'm desperate
ip nat pool NAT_OUT_POOL 192.168.9.10 192.168.9.10 prefix-length 1
ip nat pool NAT_IN_POOL 10.1.1.20 10.1.1.20 prefix-length 1
ip access-list standard ACL_NAT_GLOBAL
permit host 192.168.9.10
permit host 10.1.1.20
ip access-list standard NAT_OUT_LIST
permit host 10.1.1.20
permit host 192.168.9.10
route-map NAT_OUT_RM permit 10
match ip address NAT_OUT_LIST
match interface FastEthernet0/0.302
ip nat inside destination list ACL_NAT_GLOBAL pool NAT_IN_POOL
ip nat outside source route-map NAT_OUT_RM pool NAT_OUT_POOL
I have tried many examples from these links:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html
https://supportforums.cisco.com/docs/DOC-5061
But as I said before, some configurations are not supported by my device.
I'm suspecting that it is not possible, but I would like to think it is just my lack of knowledge XD
Many thanks in advance,
Jose
08-03-2012 04:34 AM
Your English is great!
ip nat pool Server 192.168.9.10 192.168.9.10 prefix 25 <--- you'll want a free ip address from your block
ip nat inside source list 101 pool Server
ip nat outside source list 102 pool Server
access-list 101 permit ip host 172.22.1.50 host 10.1.1.20
access-list 102 permit ip host 10.1.1.20 host 172.22.1.50
HTH,
John
08-03-2012 08:38 AM
Thank you very much, John, it is working perfectly. I just made a small change in the ACLs; here is the final configuration I included:
ip nat pool Server 192.168.9.10 192.168.9.10 prefix 25
ip nat inside source list 102 pool Server
ip nat outside source list 101 pool Server
access-list 101 permit ip host 172.22.1.50 host 10.1.1.20
access-list 102 permit ip host 10.1.1.20 host 172.22.1.50
Anyway, I did the tests when I generated the traffic; I still need the other entity to try to reach my host, but it looks really good.
Many many thanks again,
Jose
08-03-2012 08:46 AM
Glad to hear! Please mark this question as resolved.
Thanks!
John
08-27-2012 02:25 AM
Hi,
After implementing this configuration, I have found an issue: the NAT translation is applied to all traffic from 10.1.1.20, and not only to connections to 172.22.1.50, if previously there is a connection to 172.22.1.50, so I cannot have multiple connections from 10.1.1.20 if I want to connect to 172.22.1.50.
I have mitigated the issue by configuring the following NAT timeouts (not sure if I used sensible amounts of time):
ip nat translation timeout 30
ip nat translation udp-timeout 10
ip nat translation tcp-timeout 60
ip nat translation finrst-timeout 10
Is there any other way to fix this?
Thanks!
Jose
08-28-2012 03:43 AM
Seems odd considering you have an ACL that specifically ties those 2 hosts together. Can you post your configuration and "sh ip nat translation"? Just to refresh my memory, you were needing all traffic from the 10.x.x.x host to NAT going to the single 172.x.x.x host, and the same thing in reverse, correct?
08-28-2012 07:29 AM
Hi,
Yes, it is strange... Another issue that I have seen is that the NAT translation is not working for traffic from 172.x.x.x, so I need to send some traffic to make the NAT translation be in memory, and then 172.x.x.x can reach 10.x.x.x using the 192.x.x.x IP. I suppose this is because I configured the interface with "ip nat outside", but if I don't include that, the other configuration doesn't work.
Here is the configuration:
interface FastEthernet0/0.302
ip address 192.168.9.1 255.255.255.128
ip nat outside
ip route 172.22.1.50 255.255.255.255 192.168.9.126
ip nat pool FTP_IN 192.168.9.10 192.168.9.10 prefix 25
access-list 101 permit ip host 172.22.1.50 host 10.1.1.20
access-list 102 permit ip host 10.1.1.20 host 172.22.1.50
ip nat outside source list 101 pool FTP_IN
ip nat inside source list 102 pool FTP_IN
Martr-002#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 192.168.9.10 10.1.1.20 --- ---
08-28-2012 08:37 AM
I'll lab this up and get back with you..
08-28-2012 04:39 PM
Okay, I was able to lab this up and recreate what you're seeing. The "ip nat inside source list 102" line is using NAT translation for everything (much like you're seeing). It does seem like it ignores the ACL that's applied, even if you have only the 2 hosts listed. So, the way I was able to get around this is to enable PAT on the inside line:
ip nat inside source list 102 pool FTP_IN overload
This will allow you to nat only to the destination that you're needing and not nat everywhere else. When you do this, you'll see a different result in your translation table:
R1(config)#do sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 192.168.9.1:17 192.168.57.7:17 10.46.0.6:17 10.46.0.6:17
Without the overload keyword, I had a 1-1 nat:
R1#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
--- 192.168.9.1 192.168.57.7 --- ---
R1#
HTH,
John
08-29-2012 02:22 AM
Many thanks John,
It looks better now, but it works when I generate traffic and not when 172.22.1.50 tries to initiate the connection.
I have done a test and included a static translation:
ip nat inside source static tcp 10.1.1.20 80 192.168.9.10 80
It works, but other connections are affected since it is static, so I cannot use this configuration.
Here is the configuration I'm using. For sure there must be something wrong, but I can't find it.
interface FastEthernet0/0.62
description *** LAN ***
encapsulation dot1Q 62
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.302
description *** Connection to WND ***
encapsulation dot1Q 302
ip address 192.168.9.1 255.255.255.128
no ip redirects
ip nat outside
ip nat pool FTP_IN 192.168.9.10 192.168.9.10 prefix 25
access-list 101 permit ip host 172.22.1.50 host 10.1.1.20
access-list 102 permit ip host 10.1.1.20 host 172.22.1.50
ip nat outside source list 101 pool FTP_IN
ip nat inside source list 102 pool FTP_IN overload
ip route 172.22.1.50 255.255.255.255 192.168.9.126
08-29-2012 04:49 AM
Okay...let's try this:
Remove the "ip nat outside source list 101 pool FTP_IN" line and the "ip nat inside source list 102 pool FTP_IN overload" line.
For this, use the 102 acl assuming that the 10.1.1.20 is on the inside interface.
Create a route-map called something, Nat for instance:
route-map Nat permit 20
match ip address 102
Then create your inside static mapping:
ip nat inside source static 10.1.1.20 192.168.9.10 route-map Nat reversible
This seems to work in both directions, but I'd be very interested to hear what you come up with....
HTH,
John
*** Please rate all useful posts ***
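The behaviour John labbed up (a 1:1 dynamic entry "ignoring" ACL 102 for later traffic), the inbound failure Jose saw with overload, the timeout workaround, and the route-map static mapping can all be explained by which kind of translation entry the router keeps and when it consults the ACL. The following is an added toy model written for this thread (not Cisco code, not from either poster); it assumes a simplified IOS lookup order (existing entry first, then the ACL/route-map) and ignores the outside-source NAT line. Addresses are the thread's; OTHER_HOST is a constructed outside host that ACL 102 does not permit.

```python
# Toy model of IOS inside-source NAT entry behaviour (added illustration,
# not Cisco code). Simplification: an existing translation entry is always
# consulted before the ACL; only a static mapping can translate a brand-new
# inbound flow.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INSIDE_LOCAL = "10.1.1.20"      # the FTP server on the LAN
INSIDE_GLOBAL = "192.168.9.10"  # the single address in pool FTP_IN
PEER = "172.22.1.50"            # the only outside host ACL 102 permits
OTHER_HOST = "172.22.1.99"      # constructed: an outside host NOT in the ACL

Flow = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


def acl_102(src: str, dst: str) -> bool:
    """access-list 102 permit ip host 10.1.1.20 host 172.22.1.50"""
    return src == INSIDE_LOCAL and dst == PEER


@dataclass
class Entry:
    kind: str                    # "simple" (address only) or "extended" (per flow)
    flow: Optional[Flow] = None  # only extended entries remember the flow


@dataclass
class InsideSourceNat:
    """mode: 'dynamic' (list/pool), 'overload' (list/pool overload) or
    'static-reversible' (static ... route-map Nat reversible)."""
    mode: str
    table: List[Entry] = field(default_factory=list)

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        """Packet arriving on the 'ip nat inside' interface; returns the
        source address the router puts on the wire."""
        for e in self.table:
            # A simple entry matches on the inside address alone, so it
            # captures every packet from the host whatever the destination.
            if e.kind == "simple":
                return INSIDE_GLOBAL
            if e.flow == (proto, src, sport, dst, dport):
                return INSIDE_GLOBAL
        # No entry yet: the ACL (or the route-map matching it) decides.
        if not acl_102(src, dst):
            return src
        if self.mode == "dynamic":
            self.table.append(Entry("simple"))
        else:  # overload and static: per-flow (extended) bookkeeping
            self.table.append(Entry("extended", (proto, src, sport, dst, dport)))
        return INSIDE_GLOBAL

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        """Packet arriving on the 'ip nat outside' interface addressed to the
        inside global address; returns the destination after translation."""
        if dst != INSIDE_GLOBAL:
            return dst
        for e in self.table:
            if e.kind == "simple":
                return INSIDE_LOCAL
            if e.flow == (proto, INSIDE_LOCAL, dport, src, sport):
                return INSIDE_LOCAL
        # Only the static (reversible) mapping exists before any outbound
        # traffic; dynamic entries appear only after the inside host talks.
        if self.mode == "static-reversible" and acl_102(INSIDE_LOCAL, src):
            return INSIDE_LOCAL
        return dst  # untranslated: the packet never reaches 10.1.1.20

    def expire(self) -> None:
        """What 'ip nat translation timeout' eventually does: drop the entries."""
        self.table.clear()


def scenario(mode: str) -> dict:
    """Replay the observations from the thread for one NAT mode."""
    nat = InsideSourceNat(mode)
    first = nat.outbound("tcp", INSIDE_LOCAL, 40000, PEER, 21)         # FTP to the partner
    later = nat.outbound("tcp", INSIDE_LOCAL, 40001, OTHER_HOST, 443)  # unrelated connection
    nat.expire()
    after_timeout = nat.outbound("tcp", INSIDE_LOCAL, 40002, OTHER_HOST, 443)
    fresh = InsideSourceNat(mode).inbound("tcp", PEER, 50000, INSIDE_GLOBAL, 21)  # partner initiates
    return {"to_peer": first, "to_other": later,
            "to_other_after_timeout": after_timeout, "peer_initiated": fresh}


if __name__ == "__main__":
    for m in ("dynamic", "overload", "static-reversible"):
        print(m, scenario(m))
```

Running it shows the three stages of the thread: in "dynamic" mode the unrelated connection is translated too (and stops being translated only after the entry times out, which is what the timeout workaround relies on), in "overload" mode the unrelated connection is left alone but a partner-initiated connection finds no entry, and only the static, route-map-conditioned mapping handles both directions.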
08-29-2012 07:32 AM
John, I think the problem is that my router is too old. I tried to follow your instructions, but when I was going to create the inside static mapping there was an invalid input error from the route-map... It doesn't allow me to use the reversible option either...
It is on my agenda to change this device soon (months), so I will use the previous configuration (without the overload), configure NAT timeouts, and coordinate the FTP connections with my partner for when no other connection is affected in the meantime.
Thank you very much for your efforts, but it seems that it is not possible to make it work the way I wanted; I will probably update this thread with the configuration for a newer device.
Anyway, thanks again, I have learnt many things about NAT, so you helped a lot.
Finally, here is the configuration I will implement:
interface FastEthernet0/0.62
description *** LAN ***
encapsulation dot1Q 62
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.302
description *** Connection to WND ***
encapsulation dot1Q 302
ip address 192.168.9.1 255.255.255.128
no ip redirects
ip nat outside
!
ip nat pool FTP_IN 192.168.9.10 192.168.9.10 prefix 25
!
access-list 101 permit ip host 172.22.1.50 host 10.1.1.20
access-list 102 permit ip host 10.1.1.20 host 172.22.1.50
!
ip nat outside source list 101 pool FTP_IN
ip nat inside source list 102 pool FTP_IN
!
ip route 172.22.1.50 255.255.255.255 192.168.9.126
!
ip nat translation timeout 30
ip nat translation udp-timeout 10
ip nat translation tcp-timeout 60
ip nat translation finrst-timeout 10