Can a 1811 NAT as 2 networks have same IP range

Unanswered Question
Aug 3rd, 2007

Hi,

Our office in the US connects to us in the UK via Cisco 1811. One of our networks that needs to connect to them is 192.168.99.0/24 however they have this range on one of their networks too. The Cisco 1811's IP is 192.168.17.1/24. Can we somehow make all our traffic from 192.168.99.0/24 and other subnets NAT to 192.168.17.0/24 so the US only see all our traffic from that range?

Jon Marshall Fri, 08/03/2007 - 12:17

Hi

access-list 101 permit ip 192.168.99.0 0.0.0.255 "uk office net" "wildcard mask"

ip nat pool UKpool 192.168.17.1 192.168.17.254 netmask 255.255.255.0

ip nat inside source list 101 pool UKpool

Note that this will work for all subnets you access in the UK other than 192.168.99.0/24.

If you need to access that subnet there is quite a bit more configuration.

HTH

Jon

whiteford Fri, 08/03/2007 - 12:30

What subnet do you mean? Basically anything on our network in the UK, for example we are on 192.168.99.0/24, 192.168.77.0/24, 192.168.66.0/27 etc. We go through the Fast Ethernet 1 port on the 1811 and just need to connect to their 170.28.10.0/24 range. They would like to just see our traffic from 192.168.17.0/24 (NAT) if possible. That way none of our networks will be on similar subnet IP ranges, just 192.168.17.0/24 which we both don't have.

Jon Marshall Fri, 08/03/2007 - 13:01

Hi

access-list 101 permit ip any 170.28.10.0 0.0.0.255

ip nat pool UKpool 192.168.17.1 192.168.17.254 netmask 255.255.255.0

ip nat inside source list 101 pool UKpool

You will need to add to the 1811 inside interface

ip nat inside

and to the 1811 outside interface, i.e. the one that leads to the US office

ip nat outside

HTH

Jon
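
Added example (not part of Jon's post or of the original thread): the pieces from the reply above assembled into one IOS configuration fragment. FastEthernet1 as the inside port comes from the thread; the outside interface name Vlan17 is a placeholder, and starting the pool at .2 and adding the overload keyword are this example's own choices.

```cisco
! Constructed example. Interface Vlan17 is a placeholder for whichever
! 1811 interface faces the US firewalls.
!
! Match traffic from any UK source going to the US range.
! Extended ACLs take a protocol keyword and a wildcard (inverse) mask.
access-list 101 permit ip any 170.28.10.0 0.0.0.255
! Further US destinations are added as extra lines in the same list:
! access-list 101 permit ip any <us-network> <wildcard-mask>
!
! ip nat pool needs a netmask or prefix-length.
! The pool starts at .2 here because the thread gives 192.168.17.1
! as the 1811's own address.
ip nat pool UKpool 192.168.17.2 192.168.17.254 netmask 255.255.255.0
!
! "overload" allows port translation, so more inside hosts than pool
! addresses can be translated at the same time.
ip nat inside source list 101 pool UKpool overload
!
interface FastEthernet1
 description UK LAN side
 ip nat inside
!
interface Vlan17
 description placeholder: side facing the US office
 ip nat outside
!
! Translations are created only when a UK host opens the connection.
! Check the result from exec mode with:
!   show access-lists 101
!   show ip nat translations
!   show ip nat statistics
```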

whiteford Fri, 08/03/2007 - 22:31

Let me get this straight in my head - sort of new to me.

1.) Anything we route to 192.168.17.1 will NAT to a pool of IPs between 192.168.17.1 and 192.168.17.254?

2.) That way they will only need to add rules for the 192.168.17.0/24 range and not the 100's of subnets we use? Is this because the FE1 inside port doesn't care what ranges are being sent to it?

3.) Can we permit more ranges to get to in the US rather than just 170.28.10.0 255.255.255.0?

4.) They need to add the IP NAT inside and IP NAT outside, how do we do this, they have 2 firewalls connected for redundancy to ports FE2 and FE3?

I hope you can answer these questions, I will then talk to our US team. The only other idea I had was put our own firewall like a pix 515 or router between our LAN and their 1811 so we have some control.

Jon Marshall Fri, 08/03/2007 - 23:45

Hi

1) No. What the config I supplied does is to NAT your source IP addresses (whatever they are) to a pool of addresses 192.168.17.1 -> 254 when those source addresses want to connect to 170.28.10.0/24 in the US.

I thought this is what you wanted. Let me know if I have misunderstood.

2) You only need to route to 192.168.17.x from the US. They will not see any of your other subnets.

3) Yes, just add them into the access-list.

4) Okay not sure.

I think it would help if you could explain the exact topology between the UK office and the US office.

I thought the issue was

You have a number of subnets in the UK. You want to connect to the 170.28.10.0/24 network in the US. You want to hide all your IP addresses behind a NAT pool. You want to take care of all the NAT at your end, i.e. the UK.

Please correct me if I have misunderstood.

Jon

whiteford Sat, 08/04/2007 - 03:52

Sorry, my explanations are not so good.

Basically the US want to make things simple on the 1811 as networks either side use the same range. They would like to see everything come from 192.168.17.0/24 which is the range or VLAN on the 1811.

The inside port is fast ethernet 1 which is our LAN, then 2 ports which are fast ethernet 2 and 3 plug into 2 firewalls which have network cards with 2 ports, one for the inside which plugs into the 1811 and the other ports go onto the internet with public addresses. Hope this helps.

whiteford Sat, 08/04/2007 - 06:50

If the US team don't want to change anything on their router, could I use my spare 1841 router? One port could be the inside and our LAN and the outside could be their 1811. Our 1841 would be 192.168.9.1. Could we then NAT all traffic on the LAN port to be on an IP pool range 192.168.9.0/24 and route to 192.168.17.1? Then all the US will see is traffic from 192.168.9.1-254? If so, what would my config be?
