04-16-2009 05:23 AM - edited 03-06-2019 05:12 AM
Hello,
I have a Cisco 1841 that is providing NAT overload (PAT) for a LAN.
I have 2 LANs using the same IP range. Basically one LAN has the servers and many users and the other LAN has just users.
What I have is the router doing NAT overload at this remote site, so all IPs are seen as one address and they can access servers etc. successfully.
The problem I have now is we need to connect to some of these PCs that are remote, but we only see them as one IP. What options do I have?
Thanks
04-16-2009 05:46 AM
Hi there,
You have a couple of options, some more secure than others.
If it is a secure method you are using to connect (e.g. HTTPS / SSH / PPTP), then you can simply create a Static PAT (AKA port forwarding).
e.g. You can forward port 222 on the outside to port 22 on an internal server.
Like this:
ip nat inside source list 1 interface ATM1 overload
ip nat inside source static tcp 192.168.0.5 22 99.88.77.66 222
Now if you ssh to the external IP on port 222, you will get access to the internal server 192.168.0.5 on port 22.
See here for more details:
http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080093e51.shtml
Make sure that your access-lists lock access to the port down - you don't want the script-kiddies attacking your server.
If you aren't using secure methods, then I would strongly recommend using a VPN instead.
Please rate this post if you found it useful.
Nick
04-16-2009 07:22 AM
Nick:
I really liked your post. It was very informative and thoughtful.
Rated it...
Victor
04-16-2009 08:59 AM
Thanks Victor ;-)
04-16-2009 05:49 AM
You can set specific remote PCs with a specific NAT address. It should be in the same network as your PAT, just not that same address.
ip nat inside source list 2 interface serial0/0 overload
ip nat inside source static 10.10.10.99 172.16.30.25 extendable
Hope that helps.
04-16-2009 10:25 AM
Couple of things: I have about 50-80 PCs; would I need to create a static IP for each PC? Also, what is the "extendable" command? I have not used this before.
You mention these commands should be added on the side of the PAT; looking at my config, would this be on FE0/1?
C1841#sh run
Building configuration...
Current configuration : 1752 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C1841
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 informational
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool scope
 network 10.20.20.0 255.255.255.0
 dns-server 192.168.21.111
 default-router 10.20.20.1
 lease 0 2
!
!
ip domain name gb.vo.local
!
interface FastEthernet0/0
 description WAN Link to Servers Port
 ip address 192.168.60.245 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description LAN Port
 ip address 10.20.20.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.60.244
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool Mypool 192.168.60.220 192.168.60.221 netmask 255.255.255.0
ip nat inside source list 100 pool Mypool overload
!
logging history informational
logging trap notifications
logging source-interface FastEthernet0/1
C1841#
04-16-2009 10:43 AM
Your NAT pool is 192.168.60.220-221 so we'll use an address in the same IP scheme, but one that is not in the pool.
Example-
ip nat inside source static 10.20.20.75 192.168.60.100
04-16-2009 10:59 AM
So I just make the PCs have static IPs on the remote network like 10.20.20.75 and statically NAT this to say 192.168.60.100, 101, 102 etc., and any PC not requiring a static IP will just use the pool?
So if the server side needs to get to 192.168.60.100, they will get there via 10.20.20.75.
This is a lot of work as there are a lot of PCs, but long term I guess changing their whole scope is the next step, via DHCP maybe.
04-16-2009 11:47 AM
Yup, you got it. It's not very elegant, but it works. It probably makes more sense to put the work in and change the IP scheme.
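With 50-80 hosts to map, the mistake that actually hurts is handing a static entry an outside address that is already the PAT pool, the outside interface address or the next hop; the reply above only says "one that is not in the pool". The script below is an added example (not from the thread and not Cisco code) that derives the reserved addresses from the three relevant lines of the posted config, allocates one outside address per inside PC sequentially while skipping anything reserved, and prints the resulting `ip nat inside source static` lines. The inside hosts 10.20.20.75 onward and the 192.168.60.100 starting address are constructed sample input.

```python
"""Plan many one-to-one static NAT entries without address collisions.

Added example, not from the thread or from Cisco: builds the
'ip nat inside source static' lines for a list of inside PCs, taking the
outside addresses sequentially from a starting address and skipping anything
already spoken for in the posted config (the PAT pool .220-.221, Fa0/0's own
.245 and the .244 default-route next hop).  The inside hosts and the starting
outside address are constructed sample input.
"""
import ipaddress
import re

# Lines lifted verbatim from the config posted in the thread; every reserved
# address below is derived from them rather than typed in by hand.
POSTED_CONFIG = """
ip address 192.168.60.245 255.255.255.0
ip address 10.20.20.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.60.244
ip nat pool Mypool 192.168.60.220 192.168.60.221 netmask 255.255.255.0
"""


def parse_nat_pool(config):
    """Return the set of addresses covered by every 'ip nat pool' line."""
    taken = set()
    for m in re.finditer(r"^ip nat pool \S+ (\S+) (\S+) netmask", config, re.M):
        first, last = (ipaddress.ip_address(a) for a in m.groups())
        taken.update(ipaddress.ip_address(i) for i in range(int(first), int(last) + 1))
    return taken


def parse_reserved(config):
    """Interface addresses and static-route next hops must never be handed out as NAT addresses."""
    found = re.findall(r"^ip address (\S+) \S+$", config, re.M)
    found += re.findall(r"^ip route \S+ \S+ (\d+\.\d+\.\d+\.\d+)$", config, re.M)
    return {ipaddress.ip_address(a) for a in found}


def plan_static_nat(inside_hosts, first_outside, outside_net, taken):
    """Give each inside host the next free outside address.

    Refuses a host listed twice (static NAT is one-to-one) and refuses to run
    past the end of the outside subnet; network and broadcast are never used.
    """
    outside_net = ipaddress.ip_network(outside_net)
    candidate = ipaddress.ip_address(first_outside)
    blocked = set(taken) | {outside_net.network_address, outside_net.broadcast_address}
    plan, seen = [], set()
    for host in inside_hosts:
        inside = ipaddress.ip_address(host)
        if inside in seen:
            raise ValueError(f"{inside} listed twice; a static entry must be one-to-one")
        seen.add(inside)
        while candidate in blocked:
            candidate += 1
        if candidate not in outside_net:
            raise ValueError(f"ran out of free addresses in {outside_net} while placing {inside}")
        plan.append((inside, candidate))
        blocked.add(candidate)
        candidate += 1
    return plan


def render_ios(plan):
    """IOS lines in the same form as the reply's example."""
    return [f"ip nat inside source static {inside} {outside}" for inside, outside in plan]


if __name__ == "__main__":
    taken = parse_nat_pool(POSTED_CONFIG) | parse_reserved(POSTED_CONFIG)
    pcs = [f"10.20.20.{n}" for n in range(75, 80)]  # constructed: five remote PCs to expose
    for line in render_ios(plan_static_nat(pcs, "192.168.60.100", "192.168.60.0/24", taken)):
        print(line)
```

Paste the printed lines into the router after the existing `ip nat inside source list 100 pool Mypool overload`; the PCs that get a static entry also need a fixed inside address (a DHCP reservation or a static lease), or the mapping silently points at whichever host next leases that address.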
04-17-2009 01:30 AM
Hi There,
I had assumed in my previous solution that you only had 1 Public IP address with which to work.
If you have more IPs, then there's a much simpler method of doing this than setting up 50-80 Static NAT translations.
First, you need a DNS server on the inside of this network that has entries for every device that you want to connect to. (If these are Windows servers then it's highly likely you already have this.)
Then you set up a Dynamic NAT pool (NOT overloaded)
Configure a Static NAT translation for your DNS server, so that you can perform DNS lookups against it from outside.
And that's it! All you have to do now is Connect to your devices by their FQDN. The DNS response will be automatically NATed and you will be able to connect.
e.g.
LAN:
DNS Server - 10.20.20.2
(DNS Entries)
- A - servera.mysite.domain.com = 10.20.20.100
- A - serverb.mysite.domain.com = 10.20.20.101
ServerA - 10.20.20.100
ServerB - 10.20.20.101
Router Config:
ip nat pool Mypool 192.168.60.10 192.168.60.100 netmask 255.255.255.0
ip nat inside source list 100 pool Mypool
ip nat inside source static 10.20.20.2 192.168.60.2
ip nat translation timeout 32400
Now when you connect to servera.mysite.domain.com:
1) A DNS lookup runs against 192.168.60.2
2) The DNS Query hits the NAT router, and the destination IP is changed to 10.20.20.2
3) The DNS query hits your DNS server and a DNS response saying "servera.mysite.domain.com = 10.20.20.100" is sent back.
4) The DNS response hits the NAT router, and:
4a) The Source IP is changed to 192.168.60.2
4b) The DNS Response is changed from "servera.mysite.domain.com = 10.20.20.100" => "servera.mysite.domain.com = 192.168.60.11" (Where the 192 address has been chosen from the NAT pool)
5) The DNS response gets back to your PC, and your Client software then connects to servera by its NATed address of 192.168.60.11
The NAT translation will remain active until it has not been used for 9 hours, then it will clear.
Nick
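The five steps above are easy to misread as "the DNS server hands out outside addresses"; it does not, the router's DNS ALG edits the answer on the way out and that edit is what creates the NAT table entry before the client ever connects. The following is an added example in Python, not from the post and not Cisco IOS code, that models exactly that: a non-overloaded pool with the posted addresses (DNS server 10.20.20.2 static to 192.168.60.2, pool 192.168.60.10-100), a constructed DNS reply built in wire format, and an ALG that walks the answer section and swaps the A record's inside address for a pool address, allocating one when needed. The DNS message bytes are constructed here, not captured from a router, and the pool hands out its lowest free address, so servera lands on .10 rather than the .11 the post happens to use.

```python
"""Simulate what the NAT router does to a DNS answer in the thread's design.

Added example, not from the original post or Cisco IOS code: a minimal model
of a non-overloaded dynamic NAT pool plus the DNS ALG that rewrites A records
in replies passing from inside to outside.  Addresses follow the posted
example (DNS server 10.20.20.2 static to 192.168.60.2, pool
192.168.60.10-100); the DNS message bytes are constructed, not captured.
"""
import ipaddress
import struct

INSIDE_NET = ipaddress.ip_network("10.20.20.0/24")
POOL_START, POOL_END = "192.168.60.10", "192.168.60.100"
STATIC = {"10.20.20.2": "192.168.60.2"}  # the DNS server's fixed translation


class NatRouter:
    def __init__(self, pool_start=POOL_START, pool_end=POOL_END, static=STATIC):
        start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
        self.free = [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]
        self.inside_to_outside = {ipaddress.ip_address(k): ipaddress.ip_address(v)
                                  for k, v in static.items()}
        self.outside_to_inside = {v: k for k, v in self.inside_to_outside.items()}

    def translate_inside(self, inside):
        """Inside local -> inside global: static entry, existing entry, or a fresh pool address."""
        inside = ipaddress.ip_address(inside)
        if inside not in self.inside_to_outside:
            if not self.free:
                raise RuntimeError("NAT pool exhausted: no overload, so one address per inside host")
            outside = self.free.pop(0)
            self.inside_to_outside[inside] = outside
            self.outside_to_inside[outside] = inside
        return self.inside_to_outside[inside]

    def translate_outside(self, outside):
        """Inside global -> inside local for a packet arriving on the outside interface."""
        return self.outside_to_inside[ipaddress.ip_address(outside)]  # KeyError: no entry, dropped


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_a_response(txid, name, address, ttl=300):
    """Constructed reply: one question, one A answer whose name is a pointer to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.ip_address(address).packed
    return header + question + answer


def _skip_name(buf, off):
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, always two bytes
            return off + 2
        off += 1 + length


def dns_alg_rewrite(router, payload):
    """Step 4b: replace every inside-local A record with its inside-global address.

    Only A records with a 4-byte rdata are touched, so message offsets never move.
    Returns the rewritten bytes and the list of (old, new) address pairs.
    """
    buf = bytearray(payload)
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4  # qtype + qclass
    changes = []
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addr = ipaddress.ip_address(bytes(buf[off:off + 4]))
            if addr in INSIDE_NET:
                new = router.translate_inside(addr)
                buf[off:off + 4] = new.packed
                changes.append((str(addr), str(new)))
        off += rdlen
    return bytes(buf), changes


def resolve_through_nat(router, response_from_dns_server):
    """Steps 1-5 from the post for one lookup made by a client on the outside."""
    inside_dns = router.translate_outside("192.168.60.2")      # 1-2: query lands on 10.20.20.2
    outside_src = router.translate_inside(inside_dns)          # 3-4a: reply source becomes .2 again
    rewritten, changes = dns_alg_rewrite(router, response_from_dns_server)  # 4b
    return str(outside_src), rewritten, changes                # 5: client connects to the new address


if __name__ == "__main__":
    r = NatRouter()
    reply = build_a_response(0x1234, "servera.mysite.domain.com", "10.20.20.100")
    src, _out, changes = resolve_through_nat(r, reply)
    print(f"reply from {src}, A record rewritten {changes}")
```

Two things the model makes visible that the post leaves implicit. The pool is not overloaded, so every host that is ever looked up within the 9-hour timeout holds one pool address for that long; the posted .10-.100 range gives 91 addresses, which covers 50-80 PCs but leaves little margin if a pool address is also wanted for ordinary outbound traffic. And the fix-up only happens to addresses carried in DNS A answers that the router can see; a client that caches an old answer, or an application that carries the 10.20.20.x address in its own payload, connects to an address the outside has no route for.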