NAT Configuration Question

efairbanks · ‎07-12-2007

I have a NAT configuration issue which I can't seem to easily (more specifically cleanly) solve. I need to implement NAT at several customer locations due to IP overlap with other customer sites (we have no control over their IP space). Please consult the attached diagram. Hosts at customer sites A and B should be able to communicate with one another using their native (Local) IP addresses and NOT be NATed. When communicating with the server farm, they should be NATed according to the diagram. Is there a way to implement static nat on a /24 subnet in conjunction with an access list to determine whether NAT is performed or not? If not, is there another way I can implement this? IP addresses need to be consistent; i.e. the first and third IPs in the subnet must ALWAYS be the first and third IPs in the subnet. A global pool that dynamically assigns IPs won?t work. Right now all packets are being NATed upon egressing the router. Thanks in advance.

p.s. I am not atually using the cheeseball IPs depicted in the diagram. I used them in the drawing for you to easily identify Local from Global IPs (saving a little face here :)

JORGE RODRIGUEZ · ‎07-13-2007

you should be able to provide a one to one nat with /24 as long RouterX interfaces facing RouterA and RouterB are also /24.

Since you have RouterA comming on one interface in RouterX and RouterB to RouterX respectivaly your global translation from RouterB should be different from that of RouterA.

For RouterA allocate global NAT as 10.2.2.0

For RouterB allocate global NAT as 10.2.3.0 ( NOT 10.2.2.0 )

From RouterX to RouterA use static NAT as indicated in your post using 10.2.2.0

RouterX interface facing RouterA

Provide one to one static NAT for your servers RouterX facing RouterA and hosts comming from routerA to the servers.

Working with customer RouterA

Example:

RouterX interface connection facing RouterA NAT specifications

Server1 IP 3.3.3.4 NATed to 10.2.2.1

Server2 IP 3.3.3.5 Nated to 10.2.2.2

Server3 IP 3.3.3.6 Nated to 10.2.2.3

Server4 IP 3.3.3.7 NATed to 10.2.2.4

ip nat inside source static 3.3.3.4 10.2.2.1

ip nat inside source static 3.3.3.5 10.2.2.2

ip nat inside source static 3.3.3.6 10.2.2.3

ip nat inside source static 3.3.3.7 10.2.2.4

Define inbound/outbound extended access list and apply to interface RrouterX under Custermer_A interface connection.

Note: using names in extended access-list is case sensitive, with names you can indentify your customers

based on named access list.

ip access-list extended Customer_A_IN

permit tcp host 1.1.1.1 host 10.2.2.1 log

permit tcp host 1.1.1.2 host 10.2.2.2 log

permit tcp host 1.1.1.3 host 10.2.2.3 log

permit tcp host 1.1.1.3 host 10.2.2.4 log

ip access-list extended Customer_A_OUT

permit ip any any log

permit tcp any any log

RouterX

Interface #

Description Connection to Custumer_A_1.1.1.0/24

ip nat outside

ip access-group Customer_A_IN

ip access-group Customer_A_OUT

Interface #

Description Server Segment_3.3.3.1/24

ip nat inside

/////////////////

Iterate the above process using 10.2.3.0 global NAT and create inboond/outbound extended access-list

for customer_B ( RouterB )

////////////////////

show ip nat statistics ( shows one to one static nats )

show ip nat translations ( shows nated address )

show access-list Customer_A_IN ( shows hosts matches based on current traffic )

HTH

Please rate if this helps

Jorge

Jorge Rodriguez

efairbanks · ‎07-13-2007

Thanks for the reply Jorge.

I actually figured out a better way to do it. I am going to implement DMVPN tunnels between the customer sites. The tunnel interfaces will not have NAT applied. The physical interfaces, used to pass traffic between the customer sites and the server farm, will have NAT applied. I will then apply distribute-lists to the BGP processes to filter out undesirable routes from the routing tables.

Thanks.

JORGE RODRIGUEZ · ‎07-13-2007

sounds like a good plan/solution .

Jorge Rodriguez