11-29-2007 06:49 AM - edited 03-05-2019 07:42 PM
Hi all,
I'd like to ask someone for help with a NAT configuration. I'd like to publish the source PC in a reverse manner, but I don't know how. Reverse manner means the following:
source-->router1--->(ip nat outside)router2(ip nat inside)--->router3--->destination
--> means some IP range
Communication should flow from source to destination.
What I want to see is communication from the source translated to the IP range of router R2 on the inside.
Is there any solution? Please, could someone send me a functional configuration?
Any idea?
jl
12-01-2007 10:14 AM
Can you share that trick? It will benefit this community...
12-04-2007 08:40 AM
Certainly... my apologies for the delay though, as I quickly got engaged in more Cisco headaches :)
Here is the rundown. I remember a few Cisco engineers mentioning something about a limitation on the router to accomplish this; others mentioned a bug.
The solution didn't seduce me at first, because it is not very scalable, especially if you have a network bigger than a /24 one, but it worked :) We were already close to buying a PIX or a router to put behind the 1841 just for the purpose of doing this "NAT faking", as one Cisco TAC had suggested.
Let me know if this config can perhaps get any better.
Here is the code:
crypto map outsidemap1 10 ipsec-isakmp
 match address insc_acl1
ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload
ip nat inside source static 192.168.1.1 10.12.0.1 route-map 192_168_to_10_21 reversible
ip nat inside source static 192.168.1.3 10.12.0.3 route-map 192_168_to_10_21 reversible
ip nat inside source static 192.168.1.49 10.12.0.49 route-map 192_168_to_10_21 reversible
ip nat inside source static 192.168.1.50 10.12.0.50 route-map 192_168_to_10_21 reversible
ip nat inside source static 192.168.1.51 10.12.0.51 route-map 192_168_to_10_21 reversible
ip nat inside source static 192.168.1.52 10.12.0.52 route-map 192_168_to_10_21 reversible
ip nat inside source static 192.168.1.53 10.12.0.53 route-map 192_168_to_10_21 reversible
ip nat inside source static 192.168.1.54 10.12.0.54 route-map 192_168_to_10_21 reversible
ip nat inside source static 192.168.1.55 10.12.0.55 route-map 192_168_to_10_21 reversible
ip nat inside source static 192.168.1.56 10.12.0.56 route-map 192_168_to_10_21 reversible
ip nat inside source static 192.168.1.57 10.12.0.57 route-map 192_168_to_10_21 reversible
ip nat inside source static 192.168.1.58 10.12.0.58 route-map 192_168_to_10_21 reversible
ip nat inside source static 192.168.1.59 10.12.0.59 route-map 192_168_to_10_21 reversible
ip nat inside source static 192.168.1.60 10.12.0.60 route-map 192_168_to_10_21 reversible
ip nat inside source static tcp 192.168.1.223 20 66.11.203.210 20 extendable
ip nat inside source static tcp 192.168.1.3 25 66.11.203.210 25 route-map ISP1 extendable
ip nat inside source static tcp 192.168.1.3 80 66.11.203.210 80 route-map ISP1 extendable
ip nat inside source static tcp 192.168.1.3 110 66.11.203.210 110 route-map ISP1 extendable
ip nat inside source static tcp 192.168.1.3 443 66.11.203.210 443 route-map ISP1 extendable
ip nat inside source static tcp 192.168.1.3 3389 66.11.203.210 3389 route-map ISP2 extendable
ip nat inside source static tcp 192.168.1.223 20 68.195.222.42 20 extendable
ip nat inside source static tcp 192.168.1.3 25 68.195.222.42 25 route-map ISP2 extendable
ip nat inside source static tcp 192.168.1.3 80 68.195.222.42 80 route-map ISP2 extendable
ip nat inside source static tcp 192.168.1.3 110 68.195.222.42 110 route-map ISP2 extendable
ip nat inside source static tcp 192.168.1.3 443 68.195.222.42 443 route-map ISP2 extendable
ip nat inside source static tcp 192.168.1.3 3389 68.195.222.42 3389 route-map ISP2 extendable
access-list 125 permit ip 192.168.1.0 0.0.0.255 10.21.30.0 0.0.0.255
route-map 192_168_to_10_21 permit 10
 match ip address 125
route-map USE_ISP2 permit 10
 match ip address 125
 set ip next-hop 68.195.222.41
So, to tunnel the entire 254 hosts, we'll need to code the rest of the lines... dirty, like the last engineer said, but it works smoothly both ways (meaning the tunnel can be initiated at any end of the tunnel).
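Added example, not part of the original thread or the poster's configuration: the remaining per-host static entries mentioned in the last post can be generated instead of typed by hand, skipping hosts that are already configured and stopping if an existing entry maps a host to an unexpected address. The function names are hypothetical, and treating 10.12.0.0/24 as the translated range is an assumption inferred from the mappings shown above.

```python
import ipaddress
import re

# Subset of the entries already shown in the post above.
EXISTING = """\
ip nat inside source static 192.168.1.1 10.12.0.1 route-map 192_168_to_10_21 reversible
ip nat inside source static 192.168.1.3 10.12.0.3 route-map 192_168_to_10_21 reversible
ip nat inside source static 192.168.1.49 10.12.0.49 route-map 192_168_to_10_21 reversible
ip nat inside source static tcp 192.168.1.3 25 66.11.203.210 25 route-map ISP1 extendable
"""

# Matches one-to-one host entries only; "static tcp ..." port forwards do not match.
STATIC_RE = re.compile(
    r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\s", re.M)


def configured_pairs(config_text):
    """Return {inside_local: inside_global} for existing one-to-one entries."""
    return {ipaddress.ip_address(a): ipaddress.ip_address(b)
            for a, b in STATIC_RE.findall(config_text)}


def missing_static_nat(inside_net, global_net, route_map, config_text=""):
    """Build the static NAT lines still needed to map every host of inside_net
    to the same host offset in global_net (assumed one-to-one scheme)."""
    inside = ipaddress.ip_network(inside_net)
    outside = ipaddress.ip_network(global_net)
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("inside and global networks must be the same size")
    have = configured_pairs(config_text)
    lines = []
    for host in inside.hosts():
        mapped = outside.network_address + (int(host) - int(inside.network_address))
        if host in have:
            # An existing entry that disagrees with the scheme is a config error.
            if have[host] != mapped:
                raise ValueError(f"{host} already maps to {have[host]}, expected {mapped}")
            continue
        lines.append(f"ip nat inside source static {host} {mapped} "
                     f"route-map {route_map} reversible")
    return lines


if __name__ == "__main__":
    print("\n".join(missing_static_nat(
        "192.168.1.0/24", "10.12.0.0/24", "192_168_to_10_21", EXISTING)))
```

Each generated line keeps the `192_168_to_10_21` route-map, so the translation still applies only to traffic permitted by access-list 125.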