NAT 1941 Router Help

Tom Mulanix
Level 1

We have three vlans, all class C’s, on a switch which is trunked to a router on port fa 0/1.

All vlans route nicely.

I have one device, and no others, in each 192.168.x.x network that I want to reach (via Network Address Translation) from the 10.199.110.0 network. No other communication is required to or from the 10.199.110.0 network:

192.168.20.30 (personal computer) <--NAT--> 10.199.110.91

192.168.40.30 (personal computer) <--NAT--> 10.199.110.92

192.168.60.30 (personal computer) <--NAT--> 10.199.110.93

Router config:

interface FastEthernet0/0
 ip address 10.199.110.90 255.255.255.0
 ip nat outside
 duplex full
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.40
 encapsulation dot1Q 40
 ip address 192.168.40.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.60
 encapsulation dot1Q 60
 ip address 192.168.60.254 255.255.255.0
 ip nat inside

Any questions or ideas?

14 Replies

Jon Marshall
Hall of Fame

Thomas

Why do you need NAT, and what would you NAT the 192.168.x.30 addresses to?

Even if you did do NAT you would still need an access list to block the 10.199.110.x network accessing other 192.168.x.x addresses so why not just access lists without NAT.

Edit - a router does not act like a firewall in that traffic from the outside to the inside is denied by default. There is no outside and inside for the router. So even though you have used "ip nat inside" on your fa0/1 subinterfaces and "ip nat outside" on the fa0/0 interface, this does not stop the router routing between all the networks. That is why you need ACLs.

Jon

I am working in a Building (let’s keep this as simple as possible) that is part of an Enterprise / Campus IT network. In the past (before I was hired) “non-IT” people setup islands of equipment using private networks like 192.168.20.0 or 192.168.40.0. They worked autonomously, never planning to communicate outside their stand-alone world. In other buildings in the campus other people were also setting up more of these stand-alone networks. In many, many cases they used the same Class C networks that were used in other buildings (they got copies of the same list and started from the top), there are more than a 100 of these little networks spread through 15 buildings. Re-addressing the islands built BM (Before Me, not the other meaning) is not going to happen, we are talking about 1000’s of devices (yes, it’s messy).

I have been given the task to first, interconnect some of the Islands so they can pass data to and from the neighboring stand-alone networks, never to touch the Campus IT network, which I have done using routers in each of the buildings; thank God they didn’t duplicate networks inside each of the buildings.

Now my task is to electronically gather data from a few of the personal computers located inside the now-routed 192.168.0.0 networks. I have been given small blocks of 10.0.0.0 addresses for each of the buildings by the central IT group (yes they were forced to cooperate but will not participate) so I can use them to “one-to-one” NAT from the Campus IT network to devices inside the newly interconnected 192.168.0.0 networks. Only static communications will be allowed because, for obvious reasons, the 192.168.0.0 networks are not allowed on or to be known of on the Campus IT infrastructure.

Crazy but true. Can it be done? Your suggestions will be coveted and tried.

Thomas

Okay, that makes more sense. I don't envy you.

Okay some questions to clarify.

1) Which direction is the traffic initiated from ie. can the actual connection be initiated from either side or will one side always be making the actual connection. Don't worry about the return traffic at the moment, it is more about who starts the connection.

2) The router being used. Do you have any NAT statements on it already? The reason I ask is dependent on the answer to 1). IOS NAT is not as flexible as ASA NAT in terms of some things you may want to do, so it may help if you haven't already got "ip nat inside" and "ip nat outside" statements on the interfaces. If you have, I need to know how that is set up.

Jon

Communication will be initiated in both directions; backups and other data will be pushed from the Personal Computer in the 192.168.20.0 network to the 10.0.0.0 network and folks in the 10.0.0.0 environment will remote into the PCs from their offices. I also see some telnet and http communications once this gets going.

Cisco 1941/K9, IOS IP Base 15.3. I have been tinkering; I've got a router, a switch, and 4 laptops on my desk to test with. Have a look at the section of my test config in my first post.

Thomas

If communication can be both ways then you need to NAT both IPs ie.

H1  (192.168.30.10) connects to H2 (192.168.30.10)  so -

1) translate H1 to a new address eg. 10.199.110.10 so the packets can be returned

2) translate H2 to a new address eg. 10.200.110.10  <-- you need this because H1 cannot route to H2's real IP because it is in the same subnet.

So you need to decide on what addresses to use for each side.

3) setup static translations on the router. We will need both "ip nat inside source static ...." and "ip nat outside source static.." commands.

4) sort out routing. This applies both to routing on other devices and also on the NAT router. The order of routing/NAT is different based on whether it is going from inside to outside or outside to inside.

As for other routers, when you connected up these islands they can't be on the same router because you couldn't have 2 interfaces using the same IP subnet. So I'm assuming there must be routers in between. If so they will need to know about the NAT subnets in use.

Does all the above make sense, or have I misunderstood anything?

Finally, I don't have a router or emulator to test with, so there may be a bit of trial and error.

Jon

Thomas

Just reread your first post. For each router are we just looking at NAT one way because the NAT statements the other way will be done on another router ie. have you connected two routers together and the 192.168.x.x networks sit behind those routers ?

Perhaps a quick diagram would help ?

Jon

Jon Marshall
Hall of Fame

If you are using separate routers then it is a lot easier, i.e. from your original example add this to your config -

ip nat inside source static 192.168.20.30 10.199.110.91
ip nat inside source static 192.168.40.30 10.199.110.92
ip nat inside source static 192.168.60.30 10.199.110.93

then you would do the same on the other router for the 192.168.x.x addresses behind that, obviously using different 10.199.110.x addresses.

If the routers are connected on their outside interfaces using the 10.199.110.x network as your config suggests, you do not even need to add any routes.

Jon

Thanks Jon,

I put together a drawing of what we are trying to do. Let me know what you think.

Thomas

From your Visio I am back to my original question. I can see that you want to set up NAT for the 192.168.x.x addresses on the NAT router, and the NAT statements I gave in my last post will do that.

But I thought the issue was that the source IP you were coming from to get to a 192.168.x.x address was also a 192.168.x.x address. From your diagram that doesn't seem to be the case.

I think I might be missing something here?

Jon

Hi Jon,

Only three devices (Personal Computers) will ever communicate through the PCN Router’s fa 0/0 port:

One PC from Vlan 20 (192.168.20.30), one PC from Vlan 40 (192.168.40.30), and the remaining PC from Vlan 60 (192.168.60.30).

No other devices in the 192.168.x.x networks will be communicating in or out of the PCN Router’s fa 0/0 port.

I would like PC 192.168.20.30 to be translated to address 10.199.110.91 through the PCN Router Bi-directionally. PC 192.168.40.30 translated to address 10.199.110.92 and finally 192.168.60.30 translated bi-directionally with address 10.199.110.93.

I don’t want any of the 192.168.x.x networks to be advertised anywhere on the 10.x.x.x networks.

For example, if I want to remote-desktop from my desk computer which is 10.200.110.94 to the PC 192.168.20.30, I would type in the address 10.199.110.91 to get there.

Conversely, if I want to request a file from an FTP server 10.198.110.10 while sitting at PC 192.168.60.30, the FTP server will think it's transferring the file to 10.199.110.93, but the address will be translated through the PCN Router and will be received on PC 192.168.60.30.

I appreciate your willingness to work through this with me.

Tom

Tom

No problem, glad to help. Those three static commands should do the trick then. They work bi-directionally so you should be able to connect from the 192.168.x.x PCs to the rest of the network or from the rest of the network to those PCs.

Jon

Hi Jon,

We got the problem fixed:

!
interface FastEthernet0/0
 ip address 10.199.110.90 255.255.255.0
 ip access-group 101 in
 ip access-group 102 out
 ip nat outside
 duplex full
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.40
 encapsulation dot1Q 40
 ip address 192.168.40.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.60
 encapsulation dot1Q 60
 ip address 192.168.60.254 255.255.255.0
 ip nat inside
!
ip classless
!
ip http server
no ip http secure-server
!
ip nat inside source static 192.168.20.30 10.199.110.91
ip nat inside source static 192.168.40.30 10.199.110.92
ip nat inside source static 192.168.60.30 10.199.110.93
!
ip nat outside source static 10.199.110.91 10.199.110.91
ip nat outside source static 10.199.110.92 10.199.110.92
ip nat outside source static 10.199.110.93 10.199.110.93
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 host 10.199.110.91
access-list 101 permit ip 10.0.0.0 0.255.255.255 host 10.199.110.92
access-list 101 permit ip 10.0.0.0 0.255.255.255 host 10.199.110.93
!
access-list 102 permit ip host 10.199.110.93 10.0.0.0 0.255.255.255
access-list 102 permit ip host 10.199.110.91 10.0.0.0 0.255.255.255
access-list 102 permit ip host 10.199.110.92 10.0.0.0 0.255.255.255
!
dialer-list 1 protocol ip permit
!

Thanks again

Tom

Tom Mulanix
Level 1

The initial question has been answered, the correct solution has been implemented. How do we close this discussion?

Thomas

You don't have to close discussions as such although it is appreciated if people do that. You can either allocate points to any response or choose the response that solved your problem and click on the "Correct Answer" box and this will mark the thread as resolved.

I'm not sure I resolved your problem though, as you used the statics I provided but also added some outside static commands which I'm not entirely sure why they are needed?

So if you are not comfortable marking it as correct or allocating points, just leave it as is; people will still be able to read the post and see that you came up with a solution.

Jon
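The working configuration Tom posted relies on access lists 101 and 102 rather than on NAT to keep the 10.x side away from the rest of the 192.168.x.x islands, which is the point Jon made earlier in the thread ("ip nat inside/outside" does not stop the router routing between the networks). The Python below is an added model of how IOS orders the fa0/0 ACLs around the static NAT entries: the inbound ACL is evaluated before outside-to-inside translation, so it matches the 10.199.110.9x globals; the outbound ACL is evaluated after inside-to-outside translation, so it also matches the globals. It is not the poster's configuration and not Cisco code. It assumes the PCN router is the only path between the two address spaces, that the ACLs are stateless (no CBAC or zone-based firewall), and that wildcard masks are contiguous. The `ip nat outside source static` lines in the thread map each 10.199.110.9x address to itself, so they are modelled as identity entries; the probe addresses 192.168.20.50 and the module name are constructed for the example.

```python
"""Model of how Cisco IOS orders the fa0/0 ACLs around static NAT, using the
addresses from this thread.  Added example: not the poster's configuration and
not Cisco code.  Assumptions: the NAT router is the only path between the 10.x
and 192.168.x.x address spaces, ACLs are stateless (no CBAC/ZBF), and wildcard
masks are contiguous."""
import ipaddress

ALL_ONES = 0xFFFFFFFF

# ip nat inside source static <inside local> <inside global>
INSIDE_STATIC = {
    "192.168.20.30": "10.199.110.91",
    "192.168.40.30": "10.199.110.92",
    "192.168.60.30": "10.199.110.93",
}
INSIDE_STATIC_REV = {g: l for l, g in INSIDE_STATIC.items()}
# ip nat outside source static <outside global> <outside local>; the thread maps
# each address to itself, so these entries leave addresses unchanged
OUTSIDE_STATIC = {a: a for a in INSIDE_STATIC.values()}

ACL_101_IN = """\
access-list 101 permit ip 10.0.0.0 0.255.255.255 host 10.199.110.91
access-list 101 permit ip 10.0.0.0 0.255.255.255 host 10.199.110.92
access-list 101 permit ip 10.0.0.0 0.255.255.255 host 10.199.110.93"""
ACL_102_OUT = """\
access-list 102 permit ip host 10.199.110.93 10.0.0.0 0.255.255.255
access-list 102 permit ip host 10.199.110.91 10.0.0.0 0.255.255.255
access-list 102 permit ip host 10.199.110.92 10.0.0.0 0.255.255.255"""


def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted subnet masks: 0.255.255.255 -> /8."""
    netmask = ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def _take_match(tokens):
    """Consume one source/destination spec ('host A', 'any' or 'A WILDCARD')."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered rules."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, rest = _take_match(t[4:])
        dst, _ = _take_match(rest)
        rules.append((t[2], src, dst))
    return rules


def acl_permits(rules, src, dst):
    """First match wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def outside_to_inside(src, dst, acl_in=None):
    """Packet arriving on fa0/0 (ip nat outside).  IOS order: inbound ACL, then
    outside->inside translation, then routing.  The ACL sees untranslated addresses."""
    if acl_in is not None and not acl_permits(acl_in, src, dst):
        return ("drop", "acl 101 in")
    src = OUTSIDE_STATIC.get(src, src)          # identity mapping in this thread
    # Without a static entry the router just routes to dst: NAT is not a firewall
    return ("forward", src, INSIDE_STATIC_REV.get(dst, dst))


def inside_to_outside(src, dst, acl_out=None):
    """Packet from a 192.168.x.x subinterface leaving fa0/0.  IOS order: routing,
    inside->outside translation, then outbound ACL, which sees the translated source."""
    src = INSIDE_STATIC.get(src, src)           # hosts with no entry leave untranslated
    dst = OUTSIDE_STATIC.get(dst, dst)          # identity mapping in this thread
    if acl_out is not None and not acl_permits(acl_out, src, dst):
        return ("drop", "acl 102 out")
    return ("forward", src, dst)


def demo():
    """Flows from the thread plus two constructed probes the ACLs exist to stop."""
    acl_in, acl_out = parse_acl(ACL_101_IN), parse_acl(ACL_102_OUT)
    return {
        # remote desktop from 10.200.110.94 to the VLAN 20 PC's translated address
        "rdp_to_pc20": outside_to_inside("10.200.110.94", "10.199.110.91", acl_in),
        # the same host aiming at another VLAN 20 host: implicit deny on ACL 101
        "probe_vlan20": outside_to_inside("10.200.110.94", "192.168.20.50", acl_in),
        # same probe with no ACL: the router would forward it untouched
        "probe_no_acl": outside_to_inside("10.200.110.94", "192.168.20.50"),
        # VLAN 60 PC fetching from the FTP server, seen there as 10.199.110.93
        "ftp_from_pc60": inside_to_outside("192.168.60.30", "10.198.110.10", acl_out),
        # a non-NATed island host would leak its private source without ACL 102
        "leak_no_acl": inside_to_outside("192.168.20.50", "10.198.110.10"),
        "leak_with_acl": inside_to_outside("192.168.20.50", "10.198.110.10", acl_out),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} {result}")
```

Two caveats the model makes visible. First, both ACLs permit every IP protocol between any 10.0.0.0/8 source and the three globals; the thread only needs RDP, FTP, telnet and HTTP, so narrowing 101 and 102 to those TCP ports would shrink what a compromised 10.x host can reach on the three PCs. Second, because the ACLs are stateless, return traffic for sessions the PCs initiate (the FTP pull) is admitted by 101 only because 101 already permits everything from 10.x to the globals; tightening 101 to specific ports therefore also needs the reply ports (or `established`, or a stateful feature) to be considered.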
