
NAT based on source address?

ZbigniewJ

When I configure NAT like this:

ip access-list extended acl_NAT_OTHERS
 permit ip host 10.0.0.34 host 192.168.1.1
ip access-list extended acl_NAT_CUSTA
 permit ip host 10.0.0.35 host 192.168.2.1
!
route-map rmap_NAT_CUSTA permit 10
 match ip address acl_NAT_CUSTA
route-map rmap_NAT_OTHERS permit 10
 match ip address acl_NAT_OTHERS

cisco# ip nat inside source static 10.0.0.34 172.16.0.34 route-map rmap_NAT_OTHERS
cisco# ip nat inside source static 10.0.0.35 172.16.0.34 route-map rmap_NAT_CUSTA

After the last line I get:

% 10.0.0.35 already mapped (10.0.0.34 -> 172.16.0.34)

I tried the extendable option too. I still get this error.

What I try to achieve is:

When I connect from 192.168.1.1 to 172.16.0.34 I'm dest. NATed to 10.0.0.34, and

when I connect from 192.168.2.1 to 172.16.0.34 I'm dest. NATed to 10.0.0.35.

Please please please help!



Good morning ZbigniewJ

Thanks for using our forum

I recommend you use NAT overload instead of static NAT, with these commands:

ip access-list extended acl_NAT_OTHERS
 permit ip host 10.0.0.34 host 192.168.1.1
ip access-list extended acl_NAT_CUSTA
 permit ip host 10.0.0.35 host 192.168.2.1

ip nat inside source list [ACL-name-1] interface [interface] overload
ip nat inside source list [ACL-name-2] interface [interface] overload

I hope you find this answer useful; if it was satisfactory for you, please mark the question as Answered.

Greetings,

Johnnatan Rodriguez Miranda

Damn, I accidentally clicked "Answered" where in fact it doesn't solve my problem.

I can't use overload because traffic can be initiated from both sides.

What I'm trying to do is some kind of load balancing. Clients connect to the same IP, but depending on the source address they are redirected to the server assigned to them.

I even tried to do this using SLB, but then I can't permanently assign a physical server to a customer.

Edit: can someone mark it unanswered?

What I try to achieve is:

When I connect from 192.168.1.1 to 172.16.0.34 I'm dest. NATed to 10.0.0.34, and

when I connect from 192.168.2.1 to 172.16.0.34 I'm dest. NATed to 10.0.0.35.

You have your ACLs and NAT wrong; change it to this and retry:

ip access-list extended acl_NAT_OTHERS
 permit ip host 192.168.1.1 host 172.16.0.34
ip access-list extended acl_NAT_CUSTA
 permit ip host 192.168.2.1 host 172.16.0.34
!
route-map rmap_NAT_CUSTA permit 10
 match ip address acl_NAT_CUSTA
route-map rmap_NAT_OTHERS permit 10
 match ip address acl_NAT_OTHERS

ip nat inside source static 192.168.1.1 10.0.0.34 route-map rmap_NAT_OTHERS
ip nat inside source static 192.168.2.1 10.0.0.35 route-map rmap_NAT_CUSTA

Jon

Grrrr! This UI is not well designed; I clicked "correct answer" instead of "reply" again! (Or rather it's just me.)

Jon, are you sure of what you're saying?

ip nat inside source static 192.168.1.1 10.0.0.34 changes source address 192.168.1.1 to 10.0.0.34 while going from inside to outside;

192.168.1.1 is an outside global address, the IP of some host in the customer network.

My inside local addresses are 10.0.0.34 and .35, and it is them I want to translate to 172.16.0.34, and translate the destination address of packets going from outside to inside at the same time.

Please see the attachment in the original post. Left is the inside, right is the outside.

Sorry, I missed the destination NATted bit.

Could you clarify exactly what you want in terms of a traffic flow and where the connection is initiated from?

Jon

Traffic flow can be initiated from both sides. Clients (right hand side) always connect to 172.16.0.34, but then the destination address must be translated to 10.0.0.34 if traffic is initiated from 192.168.1.1, or to 10.0.0.35 if initiated from 192.168.2.1.

In other words each client has a dedicated server, but each of them is visible under one "public" IP.

If any server (10.0.0.34 or .35) connects to any client it should always translate the source IP to 172.16.0.34 (that one is easy, simply overload).

So in other words, as a result I would like my NAT table to look similar to this:

inside local    inside global    outside global    outside local
10.0.0.34       172.16.0.34      192.168.1.1       192.168.1.1
10.0.0.35       172.16.0.34      192.168.2.1       192.168.2.1
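The two things the thread keeps circling are (a) why two inside hosts cannot both claim 172.16.0.34 in a plain one-to-one static table (the "% already mapped" error in the original post) and (b) what the NAT table above has to be keyed on so that the same inside-global address can be demultiplexed by client. The following is an added illustration written for this page, not Cisco IOS code and not a model of IOS NAT internals: it is a small Python lookup table whose rows are exactly the three-column entries quoted above, with the client (outside global) address as the second lookup key. The `overload_global` fallback for server-initiated traffic and the addresses used in the packets are assumptions taken from the flows the poster describes.

```python
"""Model of the source-conditional destination NAT table described in the thread.

Added example, not IOS code: it only models the lookup logic, i.e. which
fields must form the key for one shared inside-global address to map to
several inside hosts.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class NatEntry:
    """One row of the poster's table (outside local == outside global here)."""
    inside_local: str
    inside_global: str
    outside_global: str


class PolicyNat:
    """Translation table keyed on (inside global, outside global), not inside global alone."""

    def __init__(self, overload_global: str) -> None:
        # Shared address used for plain source overload when no dedicated row matches
        # (the "simply overload" direction the poster mentions). Assumed value.
        self.overload_global = overload_global
        self.entries: list[NatEntry] = []

    def add(self, entry: NatEntry) -> None:
        # Reject a second row with the same (inside global, client) pair: an inbound
        # packet could otherwise not be mapped to a single inside host.
        for e in self.entries:
            if (e.inside_global, e.outside_global) == (entry.inside_global, entry.outside_global):
                raise ValueError(
                    f"{entry.inside_global} from {entry.outside_global} already mapped to {e.inside_local}"
                )
        self.entries.append(entry)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Client -> server: rewrite the destination from inside global to inside local."""
        for e in self.entries:
            if pkt.dst == e.inside_global and pkt.src == e.outside_global:
                return Packet(pkt.src, e.inside_local)
        return None  # unknown client: no translation, packet is not forwarded to a server

    def inside_to_outside(self, pkt: Packet) -> Optional[Packet]:
        """Server -> client: rewrite the source from inside local to inside global."""
        for e in self.entries:
            if pkt.src == e.inside_local and pkt.dst == e.outside_global:
                return Packet(e.inside_global, pkt.dst)
        # Any known server talking to any other client gets the shared overload address.
        if any(pkt.src == e.inside_local for e in self.entries):
            return Packet(self.overload_global, pkt.dst)
        return None


def one_to_one_static_conflict(entries: list[NatEntry]) -> Optional[str]:
    """A table keyed on inside global only cannot hold two rows sharing 172.16.0.34.

    Returns the conflict message (same wording as the error quoted in the thread)
    for the first duplicate, or None if the rows are unambiguous.
    """
    seen = {}
    for e in entries:
        if e.inside_global in seen:
            return f"% {e.inside_local} already mapped ({seen[e.inside_global]} -> {e.inside_global})"
        seen[e.inside_global] = e.inside_local
    return None


# Rows from the poster's desired table (constructed from the thread).
THREAD_ENTRIES = [
    NatEntry("10.0.0.34", "172.16.0.34", "192.168.1.1"),
    NatEntry("10.0.0.35", "172.16.0.34", "192.168.2.1"),
]


def build_thread_table() -> PolicyNat:
    nat = PolicyNat(overload_global="172.16.0.34")
    for e in THREAD_ENTRIES:
        nat.add(e)
    return nat


if __name__ == "__main__":
    nat = build_thread_table()
    print("one-to-one static:", one_to_one_static_conflict(THREAD_ENTRIES))
    print("client A in:", nat.outside_to_inside(Packet("192.168.1.1", "172.16.0.34")))
    print("client B in:", nat.outside_to_inside(Packet("192.168.2.1", "172.16.0.34")))
    print("server B out:", nat.inside_to_outside(Packet("10.0.0.35", "192.168.2.1")))
    print("server A to client B:", nat.inside_to_outside(Packet("10.0.0.34", "192.168.2.1")))
```

The point of the model is the key: once the client address is part of the lookup, the same inside-global address maps cleanly to two servers, whereas the one-to-one table (what a plain `ip nat inside source static` without a distinguishing key amounts to) rejects the second row exactly as the router did. A packet from a client not in the table is deliberately left untranslated rather than sent to a default server.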

I'm assuming that "ip nat inside" and "ip nat outside" cannot be switched around, i.e. the inside faces the clients and the outside your 10.0.0.x servers?

I hate IOS NAT; it is so much simpler on an ASA/PIX.

Jon

No, they cannot.

I agree, IOS NAT can be a pain in the neck. This relatively simple example shows it.

It would be fantastic if there were a possibility to manually set a NAT table entry.

It's the fact that you are doing it outside to inside that is causing the problem, because IOS is limited in its options. I did have a laptop with GNS3 on it but that crashed, so I can't test out any scenarios at present, but I do remember trying to do something similar before and getting tied up in knots with it.

I do have a spare 2600 router knocking about, so if I get the chance I'll set it up and do some testing, but it could be a while.

I'll also have a look at some of the docs on NAT, it may turn something up.

Apologies for not being able to sort it immediately.

Jon

This is my third attempt to solve this issue and probably I'll fail again.

If I swapped inside and outside it wouldn't work either, because then I couldn't do overload in the outside->inside direction.

With best regards

Zbigniew

Just a quick check: is the port the same port number for both 10.0.0.x servers?

I suspect it is but just wanted to check.

Jon

Yes, of course; I would do a simple port forward otherwise.
