03-01-2008 07:16 PM - edited 03-05-2019 09:29 PM
I'm trying to verify that this NAT configuration will work...any help would be greatly appreciated. Here is the
problem (simplified for clarity):
1. Single router with two physical interfaces:
- 10.1.1.1/24 (inside network)
- 192.168.1.1/24 (outside/transit network)
2. When a host on the 10.1.1.0 network communicates across the router to a host on the 192.168.1.0 network, the
source IP must be NAT'ed to a single public IP address of, say, 2.2.2.2. That is, it is not a straightforward
overloaded NAT like in every configuration example, because the NAT doesn't assume the address of the router's
"outside" interface.
My proposed router config:
!
interface Fastethernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface Fastethernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat outside
!
ip nat pool NAT-POOL 2.2.2.2 2.2.2.2 netmask 255.255.255.0
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
ip nat inside source list 1 pool NAT-POOL overload
!
If I ping a host on the 192.168.1.0 network from the 10.1.1.0 network, will the echo-replies be able to find their
way back, since they will appear to originate from 2.2.2.2? My suspicion is that this won't work, because there is
no route to 2.2.2.2 from the 192.168.1.0 network. Is there a configuration example that I overlooked? Do I have to
add a secondary ip on the Fa0/1 interface on the 2.2.2.0 network? Or would I have to use a loopback interface for
traffic to flow from 2.2.2.2 back to 10.1.1.1?
Thanks for the help.
03-01-2008 07:34 PM
Do I have to add a secondary ip on the Fa0/1 interface on the 2.2.2.0 network?
That's the easiest way.
Or would I have to use a loopback interface for traffic to flow from 2.2.2.2 back to 10.1.1.1?
You can do this too but it requires a PBR so traffic can be sourced from the loopback. It can be quite messy. Go with the secondary IP approach, and you also need to advertise that interface to remote devices for the return traffic.
HTH,
__
Edison.
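The secondary-address approach Edison recommends, written out as an added configuration example (this is not from the original post or from the Cisco documentation; the remote router R2 at 192.168.1.2 is an assumed device on the transit network that stands in for the "remote devices" that need a return route). The pool translation is kept exactly as in the question; the two additions are the secondary address on Fa0/1 and a static route on the far side so that replies addressed to 2.2.2.2 are sent back to R1.

```cisco
! R1 - the NAT router from the question (added example, not the poster's final config)
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ! the NAT address lives on the outside interface as a secondary address
 ip address 2.2.2.2 255.255.255.0 secondary
 ip nat outside
!
! pool and translation rule unchanged from the question
ip nat pool NAT-POOL 2.2.2.2 2.2.2.2 netmask 255.255.255.0
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 pool NAT-POOL overload
!
! R2 - assumed remote router at 192.168.1.2 on the transit network
! return route for the translated address, next hop is R1's outside interface
ip route 2.2.2.0 255.255.255.0 192.168.1.1
```

Hosts on 192.168.1.0/24 whose default gateway is already 192.168.1.1 need no extra route, because they hand the reply to R1 anyway; R1 matches the destination 2.2.2.2 against its translation table before routing and forwards it to the inside host. A device that reaches 192.168.1.0/24 through some other gateway is the one that needs the static route (or the 2.2.2.0/24 prefix in its routing protocol). After a ping from the inside, `show ip nat translations` on R1 should list an icmp entry with inside global 2.2.2.2 and the inside local address of the pinging host; if it does not, the packet is not matching access-list 1 and the problem is on the NAT side rather than the return path.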
03-02-2008 12:58 PM
Thank you for the reply, this was very helpful. But I'm having problems getting it to work. I tried these steps, and tested by pinging from 10.1.1.0 network to 192.168.1.0 network:
1. Added 2.2.2.2 as a secondary address on Fa0/1, kept dynamic NAT pool as is.
- could not ping 192.168.1.0 network
2. Made 2.2.2.2 the primary address, with 192.168.1.1 the secondary address on Fa0/1, kept dynamic NAT pool as is.
- could not ping 192.168.1.0 network, got warning of duplicate ip
3. Added 2.2.2.2 as a secondary address on Fa0/1, changed nat statement to an overload:
ip nat inside source list 11 interface Fa0/1 overload
- now I can ping the 192.168.1.0 network, but my address is translated to the IP address of Fa0/1 (192.168.1.1)
4. Tried #3 above, but swapped the primary and secondary IPs.
- could not ping 192.168.1.0 network
Thanks again for the help.
03-02-2008 01:16 PM
"4. Tried #3 above, but swapped the primary and secondary IPs.
- could not ping 192.168.1.0 network"
I assume you must have been using the NAT pool overload configuration when the primary address of f0/1 was set to 2.2.2.2.
If so, then remove the 2 NAT pool commands that you had in your original configuration and use the command 'ip nat inside source list 11 interface Fa0/1 overload'.
When configuring overload (PAT) using an interface you should use the interface overload option rather than the NAT pool overload configuration.
HTH
Sundar
03-03-2008 06:11 AM
You are focusing your troubleshooting on pinging from 10.1.1.0/24 network to 192.168.1.0/24 network.
Let's take the 2.2.2.2 out of the picture, were you able to ping from 10.1.1.0/24 to 192.168.1.0/24 before adding the secondary IP address ?
You can't use the interface overload option while having multiple addresses on the NATed interface; you need to use the 'ip address' option.
Can you please repost the config with any changes you've made?
__
Edison.