Re: NAT Concept

bjacob1976 · ‎11-15-2007

Hi All

I would like to check whether my NAT config is going to work good.Also I'm not not sure if this config is Source NAT (or) Destination NAT.

If someone can shed some light on this that will be appreciated.Hope my explanation below will be good enough to understand the network topology

Here's the scenario:

The actual server IP range is 10.84.81.0/24

Customer is trying to access 2 web servers(10.84.81.68,10.84.81.69)from network-192.168.156.0/24

Snapshot of the config is given below:

Router has 2 FE interfaces:

interface FastEthernet0/0

ip address 10.84.54.148 255.255.255.240

ip nat inside

!

interface FastEthernet0/1

ip address 192.168.156.252 255.255.255.0

ip nat outside

ip nat inside source static 10.84.81.68 192.168.156.248

ip nat inside source static 10.84.81.69 192.168.156.249

Thanks

JORGE RODRIGUEZ · ‎11-15-2007

Hi Beno ,

you have 10.84.54.0 as your " ip nat inside interface " meaning a segment in your inside network where your local servers reside for 10.84.54.0 network (not 10.84.68.0 ), and 192.168.156.0 as " ip nat outside " meaning outside interface where custumer will be comming through for inbound connections to get to web servers on 10.84.81.68 and 69, will not work, what interface is routing 10.84.81.0 network where your servers 10.84.81.68 & 69 are? if you have an interface routing 10.84.81.0 place " ip nat inside " statement in that interface and your current static nat will work along with an access list to permit inbound traffic.

e.g.

access-list 101 permit ip host Custumer_IP 192.168.156.248 0.0.0.255 log

access-list 101 permit ip host Custumer_IP 192.168.156.249 0.0.0.255 log

apply acl to interface for 10.84.81.0

interface fe0/2

ip access-group 101 in

HTH

Jorge

Jorge Rodriguez

bjacob1976 · ‎11-15-2007

Hi Jorge,

Thanks for your comments.

My config is working fine.But I should have explained a bit more of the network topology.

ROUTER--->FIREWALL

Router doing NAT is connected to a firewall which has 2 ports for these networks and in separate Vlans:

10.84.81.0(Actual servers range)

10.84.54.0

Both these networks can talk to each other.

Firewall has got a static route(192.168.156.0/24) pointing to Router's Fastethernet 0/0 [10.84.54.148]

Ofcourse the Router has got a default route pointing to the VIP of 10.84.54.0/24 network

Anyway thanks very much for your help

Beno

JORGE RODRIGUEZ · ‎11-15-2007

Sorry Beno, I should have read your initial question carefully an/or asked about your topology thinking you were dealing with a single device.. thats what happens when reading fast.

ON your initial question your configuration is conisder a source NAT.

I quote from a link

"Destination-based NATing uses route maps to determine which IP address each IP session is translated to based on routing reachability of the destination IP host. The dynamic translation command can now specify a route map to be processed instead of an access list. A route map allows the user to match any combination of access list, next-hop IP address, and output interface to determine which pool to use "

Example of destination NAT

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml#intro

NAT Q&A

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#intro

Also, even though my previous post is useless because I was thinking that was a single device I am abligated to correct something in the statement " ip access-group 101 in " should be applied on interface with "ip nat oustide".

Rgds

Jorge

Jorge Rodriguez