2-way NAT? Is it possible?

Unanswered Question

I'm in a situation where I need the following:

1. I need the IP address for a remote system to appear to me as an address range I assign (doing it today, no problems). This allows me to connect to multiple overlapping address ranges (i.e. 5 customers, each with 192.168.1.0/24 networks)

2. At the same time, I need for the remote system to see my IP Address as part of its local subnet. The goal here is to remove the need to place routes on the remote system in order to get back to my subnet.

I don't think it's possible to make these two solutions work at the same time, but wanted to ask.

Thanks!

bwilmoth Tue, 02/20/2007 - 07:02

When a packet is traversing inside to outside, a NAT router checks its routing table for a route to the outside address before it continues to translate the packet. Therefore, it is important that the NAT router has a valid route for the outside network. The route to the destination network must be known through an interface that is defined as NAT outside in the router configuration. It is also important to note that the return packets are translated before they are routed. Therefore, the NAT router must also have a valid route for the Inside local address in its routing table.

http://www.cisco.com/warp/public/556/5.html

Thanks. I actually have some output to help explain my problem now.

In this example:

1. 10.1.1.8 is my local host

2. 192.168.1.3 is the remote host I need to reach

3. 172.18.7.2 is the NAT'd address of the remote host (as it appears to me)

4. 192.168.1.2 is an address I'm using to NAT my local host to the remote network.

and here we go:

*Mar 9 12:52:58.889: NAT*: s=10.1.1.8->192.168.1.2, d=172.18.7.2 [7086]

*Mar 9 12:52:58.889: NAT*: s=192.168.1.2, d=172.18.7.2->192.168.1.3 [7086]

*Mar 9 12:52:58.893: ICMP: echo reply rcvd, src 192.168.1.3, dst 192.168.1.2

So my local host is being NAT'd to 192.168.1.2, as it should. Then my destination IP is NAT'd from 172.18.7.2 to 192.168.1.3, as it should. We can see the reply from 192.168.1.3 to 192.168.1.2. Great! OK, where's my NAT to get the traffic back to 10.1.1.8?

I know the NAT order of operations is probably killing this (TAC even said that was the likely culprit), so I tried to get around that by putting a policy route on the remote router's LAN interface so it would set the next-hop of all traffic destined for 192.168.1.2 to a loopback IP. The loopback is an "outside" NAT interface. I was hoping that it would route to the loopback, NAT, and then send it on its way, but alas I was mistaken.

Hope I haven't muddied the waters too much.

Thanks
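The double translation in the debug output above, as an added Python model of the IOS order of operations quoted from the Cisco document (inside-to-outside: route on the untranslated destination, then translate; outside-to-inside: translate, then route). This is illustration code, not from the thread or from Cisco; the static translation entries and the routing table are assumptions built around the addresses in the post.

```python
import ipaddress

# Assumed static translations (the "2-way NAT" the thread asks about):
INSIDE_SOURCE = {"10.1.1.8": "192.168.1.2"}     # inside local  -> inside global
OUTSIDE_SOURCE = {"192.168.1.3": "172.18.7.2"}  # outside global -> outside local

# Assumed routing table: prefix -> egress interface ("inside"/"outside" = its NAT role).
ROUTES = {
    "10.1.1.0/24": "inside",
    "192.168.1.0/24": "outside",
    "172.18.7.0/24": "outside",  # outside-local range must be reachable via the NAT outside interface
}


def lookup(dst, routes):
    """Longest-prefix match; returns the egress interface, or None if there is no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes.items()
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def forward(ingress, src, dst, routes=ROUTES):
    """Return (src, dst) as they leave the router after NAT, or None if it will not forward."""
    if ingress == "inside":
        # Inside -> outside: the route lookup uses the still-untranslated destination
        # (172.18.7.2 here), so the outside-local range needs a route via an outside interface.
        if lookup(dst, routes) != "outside":
            return None
        src = INSIDE_SOURCE.get(src, src)
        dst = {v: k for k, v in OUTSIDE_SOURCE.items()}.get(dst, dst)
        return (src, dst)
    # Outside -> inside: translate first, then route on the translated destination
    # (10.1.1.8 here), so the inside-local range needs a route via an inside interface.
    src = OUTSIDE_SOURCE.get(src, src)
    dst = {v: k for k, v in INSIDE_SOURCE.items()}.get(dst, dst)
    if lookup(dst, routes) != "inside":
        return None
    return (src, dst)


if __name__ == "__main__":
    print("request :", forward("inside", "10.1.1.8", "172.18.7.2"))
    print("reply   :", forward("outside", "192.168.1.3", "192.168.1.2"))
```

Dropping the 172.18.7.0/24 route from the table makes the inside-to-outside call return None, which is the failure mode the quoted Cisco text warns about.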
