Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
590
Views
0
Helpful
6
Replies

Static NAT question for Routers

zyang
Level 1
Level 1

‎02-11-2014 10:17 AM - edited ‎03-07-2019 06:08 PM

Been searching over but haven't found a solution.

Basically, I want to do a static nat only over a VPN site to site tunnel.

So our lan is 10.0.0.0/22 and it will be static nat'ed to 172.16.0.0/22 when going over the vpn.  I want a one to one static nat, because it needs a two way communication.

normally it would be for a pc (10.0.0.1)

..<left out vpn config>

ip access-list extended nat

permit ip 10.0.0.0 0.0.3.255 192.168.0.0 0.0.0.255 <vpn destination>

route-map vpnNAT

match address nat

ip nat inside source static 10.0.0.1 172.16.0.1 route-map vpnNAT

But this only works for 10.0.0.1 ..  Is there a way I can do it so I can have the 10.0.0.0/22 go to 172.16.0.0/22 without typing a static nat statement for each IP?  There has to be some way to do it ... I hope.

Labels:
0 Helpful
6 Replies 6

sdavids5670
Level 2
Level 2

‎02-11-2014 11:01 AM

Create a NAT pool for 172.16.0.0/22 and use the "type match-host" option.  The router will make sure that the host portion of the NAT'd address matches the host portion of the inside address.  Therefore, 10.0.0.1 becomes 172.16.0.1, 10.0.0.2 becomes 172.16.0.2, etc.

0 Helpful

zyang
Level 1
Level 1
In response to sdavids5670

‎02-11-2014 11:32 AM

That only works after I started a communication from me to them.  If I dont, there's no nat translation yet.  And if the other side tries to reach me first, it would fail, unless I initiate first.  Which is something I want to avoid. 

0 Helpful

sdavids5670
Level 2
Level 2
In response to zyang

‎02-11-2014 12:21 PM

I see what you're saying now.  I'd love to have an answer for you but I don't.

0 Helpful

sdavids5670
Level 2
Level 2
In response to sdavids5670

‎02-11-2014 11:36 AM

In the "ip nat inside..." command use the "reversible" option to allow the traffic to come inbound.  Try that and let me know.  I'm going to try and lab this up.

0 Helpful

zyang
Level 1
Level 1
In response to sdavids5670

‎02-11-2014 12:23 PM

Yea at this point I think I have to add like 1028 static nat entries ... 4 x 255 ...

0 Helpful

sdavids5670
Level 2
Level 2
In response to zyang

‎02-11-2014 12:38 PM

Well, here's an option you might consider if you can't get a better answer.  You could setup ip sla on a device and use it to generate interesting traffic across the tunnel so that all of the active IP addresses in the range are in the NAT table.  Just tune it so that the frequency of the ip sla is just under the threshold of the other timers.  I tested it in my lab.  Works OK for three IP address.  Don't know about 1022!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card