cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2031
Views
0
Helpful
5
Replies

Using NAT to access device without gateway

seanwaite
Beginner
Beginner

I have a situation whereby a device has no default gateway assigned, but now does need to communicate outside its subnet as shown below

My first thought was to add a NAT for the remote source to local host address on the same subnet.

I added the 2 NAT statements, did a packet capture on the device and confirmed that it saw communication coming from 192.168.100.3 and not 192.168.1.2. So far so good, except the device is not responding. My best guess at this point is either A.) it can't be done or B.) I just am not doing this right. Any tips would be appreciated.

5 Replies 5

Philip D'Ath
Advisor
Advisor

To make this work make sure proxy arp is enabled on the 10.1.1.2 device.  You only need NAT if you want to hide the IP addresses - otherwise remove NAT from the configuration.

Any way this can be done with NAT or any other solution besides proxy arp? In my situation the device has a 24 bit mask to which can not be changed (if it could, then we could also assign a gw). In a test with a laptop (which I could make some changes), proxy arp only worked by changing to a larger mask. 

Why can't 192.168.100.2 have it's default gateway set to 192.168.100.1?  Even with a tiny /30 mask these would be in the same subnet.

Yes, it could be done with a hellishly complicated NAT configuration.

You could NAT the 192.168.1.2 server into the 10.1.1.0/24 space, and then NAT this again into the 192.168.100.0/24 space, and the two hosts would talk to each other using 192.168.100.0/24 addresses.

The question came up recently because we do encounter older industrial PLCs that were placed on site by previous businesses. As such we do not have the ability to make changes ourselves to the PLC, only that the data can be read from it. In order to do so remotely across a VPN, we have to be able find someway to work around the missing gateway. In our current situation this is resolved by placing another controller that polls the older unit directly, with the new unit able to fully communicate across VPN.

On the 10.1.1.2 router you need to NAT all traffic so that the source always appears to be 192.168.100.x/24.

If you make the 192.168.100.1 interface the "ip nat outside" interface, and 10.1.1.2 the "ip nat inside" interface, you can do something like the below.  This will allow 192.168.1.2 to access 192.168.100.2

ip nat inside source list 105 interface <outside interface> overload
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers