Static NAT question for Routers

zyang (Level 1)

Been searching over but haven't found a solution.

Basically, I want to do a static nat only over a VPN site to site tunnel.

So our LAN is 10.0.0.0/22 and it will be static NATed to 172.16.0.0/22 when going over the VPN. I want a one-to-one static NAT, because it needs two-way communication.

Normally it would be for a PC (10.0.0.1):

..<left out vpn config>

ip access-list extended nat
 permit ip 10.0.0.0 0.0.3.255 192.168.0.0 0.0.0.255 <vpn destination>

route-map vpnNAT
 match address nat

ip nat inside source static 10.0.0.1 172.16.0.1 route-map vpnNAT

But this only works for 10.0.0.1. Is there a way I can do it so I can have the 10.0.0.0/22 go to 172.16.0.0/22 without typing a static NAT statement for each IP? There has to be some way to do it ... I hope.

6 Replies

sdavids5670 (Level 2)

Create a NAT pool for 172.16.0.0/22 and use the "type match-host" option.  The router will make sure that the host portion of the NAT'd address matches the host portion of the inside address.  Therefore, 10.0.0.1 becomes 172.16.0.1, 10.0.0.2 becomes 172.16.0.2, etc.

That only works after I started a communication from me to them. If I don't, there's no NAT translation yet. And if the other side tries to reach me first, it would fail, unless I initiate first. Which is something I want to avoid.

I see what you're saying now.  I'd love to have an answer for you but I don't.

In the "ip nat inside..." command use the "reversible" option to allow the traffic to come inbound.  Try that and let me know.  I'm going to try and lab this up.

Yeah, at this point I think I have to add like 1028 static NAT entries ... 4 x 255 ...

Well, here's an option you might consider if you can't get a better answer. You could set up IP SLA on a device and use it to generate interesting traffic across the tunnel so that all of the active IP addresses in the range are in the NAT table. Just tune it so that the frequency of the IP SLA is just under the threshold of the other timers. I tested it in my lab. Works OK for three IP addresses. Don't know about 1022!
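Added example, not from anyone in this thread: a small Python generator for the fallback the original poster mentions, one static entry per host. It computes the translated address the same way a match-host pool does (keep the host bits, swap the network bits), skips the network and broadcast addresses, and tags each line with the thread's route-map so the translation only applies to VPN traffic. The prefixes and route-map name are taken from the question; the script itself is an assumption, not a Cisco tool.

```python
import ipaddress

# Values from the thread: inside LAN, translated range, and the route-map
# that limits the translation to traffic headed into the site-to-site VPN.
INSIDE = ipaddress.ip_network("10.0.0.0/22")
OUTSIDE = ipaddress.ip_network("172.16.0.0/22")
ROUTE_MAP = "vpnNAT"


def match_host(inside_ip, inside_net=INSIDE, outside_net=OUTSIDE):
    """Translate one inside address while preserving its host bits.

    This is the mapping 'ip nat pool ... type match-host' performs:
    10.0.0.1 -> 172.16.0.1, 10.0.2.7 -> 172.16.2.7, and so on.
    """
    ip = ipaddress.ip_address(inside_ip)
    if ip not in inside_net:
        raise ValueError(f"{ip} is not inside {inside_net}")
    if inside_net.prefixlen != outside_net.prefixlen:
        raise ValueError("inside and outside prefixes must be the same length")
    host_bits = int(ip) - int(inside_net.network_address)
    return ipaddress.ip_address(int(outside_net.network_address) + host_bits)


def static_nat_lines(inside_net=INSIDE, outside_net=OUTSIDE, route_map=ROUTE_MAP):
    """One 'ip nat inside source static' line per usable host address.

    hosts() excludes the network and broadcast addresses, so a /22 yields
    1022 entries. Static entries are permanent, so the far side can open
    a connection first, which a dynamic pool translation cannot offer.
    """
    return [
        f"ip nat inside source static {ip} "
        f"{match_host(ip, inside_net, outside_net)} route-map {route_map}"
        for ip in inside_net.hosts()
    ]


if __name__ == "__main__":
    # Paste the output into the router config (or a config-push tool).
    print("\n".join(static_nat_lines()))
```

The output is only the translation lines; the access-list and route-map from the question still have to exist on the router for the `route-map vpnNAT` clause to match anything.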
