11-15-2007 06:28 PM - edited 03-05-2019 07:27 PM
Hi All
I would like to check whether my NAT config is going to work well. Also, I'm not sure if this config is Source NAT or Destination NAT.
If someone can shed some light on this, that will be appreciated. Hope my explanation below will be good enough to understand the network topology.
Here's the scenario:
The actual server IP range is 10.84.81.0/24
Customer is trying to access 2 web servers (10.84.81.68, 10.84.81.69) from network 192.168.156.0/24
Snapshot of the config is given below:
Router has 2 FE interfaces:
interface FastEthernet0/0
 ip address 10.84.54.148 255.255.255.240
 ip nat inside
!
interface FastEthernet0/1
 ip address 192.168.156.252 255.255.255.0
 ip nat outside
!
ip nat inside source static 10.84.81.68 192.168.156.248
ip nat inside source static 10.84.81.69 192.168.156.249
Thanks
11-15-2007 07:23 PM
Hi Beno,
You have 10.84.54.0 as your "ip nat inside interface", meaning a segment in your inside network where your local servers reside for the 10.84.54.0 network (not 10.84.68.0), and 192.168.156.0 as "ip nat outside", meaning the outside interface where the customer will be coming through for inbound connections to get to the web servers on 10.84.81.68 and 69. This will not work. What interface is routing the 10.84.81.0 network where your servers 10.84.81.68 & 69 are? If you have an interface routing 10.84.81.0, place the "ip nat inside" statement on that interface and your current static NAT will work, along with an access list to permit inbound traffic.
e.g.
access-list 101 permit ip host Customer_IP host 192.168.156.248 log
access-list 101 permit ip host Customer_IP host 192.168.156.249 log
Apply ACL to interface for 10.84.81.0:
interface fe0/2
 ip access-group 101 in
HTH
Jorge
11-15-2007 07:52 PM
Hi Jorge,
Thanks for your comments.
My config is working fine. But I should have explained a bit more of the network topology.
ROUTER--->FIREWALL
The router doing NAT is connected to a firewall which has 2 ports for these networks, in separate VLANs:
10.84.81.0(Actual servers range)
10.84.54.0
Both these networks can talk to each other.
The firewall has got a static route (192.168.156.0/24) pointing to the router's FastEthernet 0/0 [10.84.54.148].
Of course, the router has got a default route pointing to the VIP of the 10.84.54.0/24 network.
Anyway thanks very much for your help
Beno
11-15-2007 09:19 PM
Sorry Beno, I should have read your initial question carefully and/or asked about your topology, thinking you were dealing with a single device. That's what happens when reading fast.
On your initial question, your configuration is considered a source NAT.
I quote from a link:
"Destination-based NATing uses route maps to determine which IP address each IP session is translated to based on routing reachability of the destination IP host. The dynamic translation command can now specify a route map to be processed instead of an access list. A route map allows the user to match any combination of access list, next-hop IP address, and output interface to determine which pool to use"
Example of destination NAT
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml#intro
NAT Q&A
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#intro
Also, even though my previous post is useless because I was thinking that was a single device, I am obligated to correct something in the statement: "ip access-group 101 in" should be applied on the interface with "ip nat outside".
Rgds
Jorge
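An added example, not part of any post in this thread: a small Python model of the two static entries from the question, showing that `ip nat inside source static` rewrites the source of inside-to-outside packets and the destination of outside-to-inside packets, and that an inbound ACL on the outside interface is checked before translation (per Cisco's documented NAT order of operation), so it has to match the translated 192.168.156.x addresses. The customer host 192.168.156.10 and the ACL contents are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Static entries from the thread: inside local -> inside global
STATIC_NAT = {
    "10.84.81.68": "192.168.156.248",
    "10.84.81.69": "192.168.156.249",
}
GLOBAL_TO_LOCAL = {g: l for l, g in STATIC_NAT.items()}
CUSTOMER_NET = ip_network("192.168.156.0/24")  # customer network from the thread


def make_acl(dest_hosts):
    """Constructed permit list: customer network to each listed host, implicit deny."""
    return [(CUSTOMER_NET, host) for host in dest_hosts]


def acl_permits(acl, src, dst):
    return any(ip_address(src) in net and dst == host for net, host in acl)


def outside_to_inside(src, dst, acl):
    """Packet arriving on the 'ip nat outside' interface.
    The inbound ACL sees the packet before NAT, then the destination is rewritten."""
    if not acl_permits(acl, src, dst):
        return None  # dropped by the ACL, never reaches NAT
    return src, GLOBAL_TO_LOCAL.get(dst, dst)


def inside_to_outside(src, dst):
    """Packet arriving on 'ip nat inside', routed to the outside: source is rewritten."""
    return STATIC_NAT.get(src, src), dst


def demo():
    client = "192.168.156.10"  # constructed customer host
    # ACL written against the global (translated) addresses: request is permitted.
    request = outside_to_inside(client, "192.168.156.248", make_acl(GLOBAL_TO_LOCAL))
    # The server's reply goes back through the same static entry.
    reply = inside_to_outside(request[1], request[0])
    # ACL written against the real server addresses: the same request is dropped.
    dropped = outside_to_inside(client, "192.168.156.248", make_acl(STATIC_NAT))
    return request, reply, dropped


if __name__ == "__main__":
    for label, result in zip(("request", "reply", "ACL on local addresses"), demo()):
        print(f"{label}: {result}")
```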