Natting help is appreciated

Yasser A. Sayed
Level 1
Level 1


hi everyone

it would be much appreciated if someone would help or even advise /give some tips

 

In this Network the following scenario is needed to be accomplished:

Both Networks (192.168.10.0/24 & 192.168.20.0/24) to reach some applications on Server 1 (port 80) & server 2 (port 8080)

Restrictions:

  • Network 10.10.10.0 is required NOT to be published outside company router, so remote users can only reach 20.20.20.251 (routing is configured and tested)
  • Both Servers do not have any default gateway configured. So they can only reply to requests from 10.10.10.251

From my basic understanding, this could be done by configuring natting on company router to do the following:

  • Change destination address of the incoming request from 20.20.20.251 to 10.10.10.1 or 10.10.10.2 based on TCP port (80 or 8080)
  • Change the source address from both networks 192.168.10.0 & 192.168.20.0 to 10.10.10.251

 

I made the following configuration- testing only remote user1 (192.168.10.1) to server1 (10.10.10.1) but it didn’t work

I can see dual step natting in “debug ip nat detailed” but I can’t reach server 1 from remote user1

 

 

interface FastEthernet0/0
 ip address 20.20.20.251 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.251 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

ip nat inside source static 10.10.10.1 20.20.20.251 extendable
ip nat outside source static 192.168.10.1 10.10.10.251 extendable

 

help would be much appreciated

thanx

 

 


Hello,

 

at first glance I would say you need the two entries below:

 

ip nat inside source static tcp 10.10.10.1 80 20.20.20.251 80 extendable
ip nat inside source static tcp 10.10.10.2 8080 20.20.20.251 8080 extendable

hi Georg

 

as I said, I was just trying to start it simple and build up

that is why I took one remote user (10.10.10.1) as a sample, cause what goes for this remote user will go for the other one

 

so I didn't miss this line:
ip nat inside source static tcp 10.10.10.2 8080 20.20.20.251 8080 extendable

 

As for not specifying port 80...

and writing :

ip nat inside source static 10.10.10.1 20.20.20.251 extendable

instead of :

ip nat inside source static tcp 10.10.10.1 80 20.20.20.251 80 extendable

 

this was also to port forward any port (again to make it simple for this step)

but it didn't work

anyway..i will try it

thanks anyway

Hello,

 

--> that is why i took one remote user (10.10.10.1) as a sample 

 

I am not sure I understand what you are saying. 10.10.10.1 is the server, right ? You don't need to specify any remote user in your NAT statements. Any user that can reach your outside address can reach the servers...

---> 10.10.10.1 is the server, right ?

-yes, it is one of the servers

 

---> You don't need to specify any remote user in your NAT statements. Any user that can reach your outside address can reach the servers...

-Once more, yes it would reach the server (one way communications). But it would reach the server with source address (192.168.10.1) which the server can not reply to (cause no default gateway is configured on the server). So any remote user request would reach the server but the server will not be able to send the reply as the server can not communicate with the outer network

 

that is why I am trying to change the source ip of the remote user request to be the router interface facing the servers

 

I hope I made it more clear

 

Hello,

 

is NAT a requirement for this ? I am not sure you can achieve your goal with NAT. A tunnel between both networks might work. 

Or is it a hard condition to use NAT ?

no it is not a must to use natting

any means that would accomplish the requirements is ok. All I could think of was natting

about tunneling ...the way i see it will involve routing which is not an option

cause once again the servers do not have default gw

and the servers network (10.10.10.0/24) is not routed to the remote users network (192.168.10.0/24 or 192.168.20.0/24)

 

Hello

 

 

 


@Yasser A. Sayed wrote:

no it is not a must to use natting

any means that would accomplish the requirements is ok. All I could think of was natting

about tunneling ...the way i see it will involve routing which is not an option

cause once again the servers do not have default gw

and the servers network (10.10.10.0/24) is not routed to the remote users network (192.168.10.0/24 or 192.168.20.0/24)

 


If the server network isn't routed to the users network then you will HAVE to use NAT so the users network can access the server via a global inside address of the servers wan facing rtr.

Then also apply the acl I previously posted on the users wan facing rtr so to negate traffic being initiated from the server network accessing the users network


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello

Does your company router have routes to the 192.168.10.0/x and 192.168.20.0/x networks?

Now if you only wish for a host from the remote users network to be able to access a server on the company network but not have the company network communicate to the host, then you can apply an access list on the remote user rtr to allow just established traffic back in

 

remote user rtr
access-list 101 permit tcp any host 192.168.10.1 established
access-list 101 deny  ip any host 192.168.10.1
access-list 101 permit ip any any

int x/x
Description WAN interface
ip access-group 101 in


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

---> Does your company router have routes to 192.168.10.0/x and 192.168.20.0/x networks

** Yes it does...but only the router can reach 192.168.10.0/x and 192.168.20.0/x. The servers can not, as again they don't have the company router as their default gateway

 

----> Now if you only wish for a host from the remote users network to be able to access a server on the company network but not have the company network communicate to the host then you can apply an access list to do this on the remote user rtr for just to allow established traffic back in

 

** No it's not that scenario. Actually it's almost the opposite. The requirement is not to allow the servers to be accessed from the external network...so for the incoming traffic at int fa0/0 (the company router) I need to change the source ip of the remote user (192.168.10.1) to a new source (10.10.10.251) and at the same time change the destination IP from (20.20.20.251) to (10.10.10.1)...with the end result to be seen as 10.10.10.251 connecting to 10.10.10.1

and of course the reverse for the reply

and at the same time change destination
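The two-way translation the question describes (destination rewritten by TCP port, source rewritten to the router's inside address, and both reversed on the reply), as an added model written for this thread rather than code from the original post or from Cisco IOS. It uses the thread's own addresses and assumes the server can only answer hosts on 10.10.10.0/24, which is what "no default gateway" means here; with only the destination rewrite the reply is dropped, which is the failure the poster describes.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

ROUTER_INSIDE = "10.10.10.251"     # company router fa0/1, facing the servers
ROUTER_OUTSIDE = "20.20.20.251"    # company router fa0/0, facing remote users
PORT_MAP = {80: "10.10.10.1", 8080: "10.10.10.2"}   # destination chosen by TCP port
Table = Dict[Tuple[str, int, int], str]   # (server, server port, client port) -> client

def translate_inbound(pkt: Packet, table: Table) -> Optional[Packet]:
    """Outside -> inside: pick the server by port, hide the user behind 10.10.10.251."""
    if pkt.dst != ROUTER_OUTSIDE or pkt.dport not in PORT_MAP:
        return None                         # no matching entry: nothing is forwarded
    server = PORT_MAP[pkt.dport]
    table[(server, pkt.dport, pkt.sport)] = pkt.src   # remember who asked
    return replace(pkt, src=ROUTER_INSIDE, dst=server)

def translate_reply(pkt: Packet, table: Table) -> Optional[Packet]:
    """Inside -> outside: undo both rewrites for a reply addressed to 10.10.10.251."""
    key = (pkt.src, pkt.sport, pkt.dport)
    if pkt.dst != ROUTER_INSIDE or key not in table:
        return None
    return replace(pkt, src=ROUTER_OUTSIDE, dst=table[key])

def server_reply(request: Packet) -> Optional[Packet]:
    """A server with no default gateway can only answer on-link 10.10.10.0/24 hosts."""
    if not request.src.startswith("10.10.10."):
        return None                         # reply has no route and is dropped
    return Packet(src=request.dst, dst=request.src, sport=request.dport, dport=request.sport)

def round_trip(client: str, dport: int, twice_nat: bool = True) -> Optional[Packet]:
    """Request from a remote user and the reply as seen back on the outside side."""
    table: Table = {}
    req = Packet(src=client, dst=ROUTER_OUTSIDE, sport=40000, dport=dport)
    inside = translate_inbound(req, table)
    if inside is None:
        return None
    if not twice_nat:                       # destination NAT only, as first suggested
        inside = replace(inside, src=client)
    reply = server_reply(inside)
    if reply is None:
        return None
    return translate_reply(reply, table)
```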
