PAT with outside source NAT?

iuszh · ‎10-05-2007

By using the "overload" clause, PAT is possible for inside source NATs. I'm looking for a possibility to do a n-to-1 mapping for outside source NAT too in oder to save IP addresses.

Does anyone have an idea? Interchanging roles of inside and outside interfaces isn't possible in my case.

Thanks Hermann

paolo bevilacqua · ‎10-05-2007

Sorry, I fail to understand the use of such a configuration. Would you make an example an how it would save addresses and what problem it would solve.

iuszh · ‎10-06-2007

Hello P.,

the problem is as follows.

customers from a widely scattered remote (foreign) network, partially using non RFC 1918 adresses, need access to some of our servers.

Conversely, several of our customers need access to a server in that remote network; they have to be natted too. Our (inside source) adresses can be patted (overloaded) into a single address both sides agreed upon.

It would be nice to overload the foreign client addresses (outside source relative to us) into a single IP address too.

Lacking the overload feature for outside source NAT, instead I have to use a (quite large) pool of NAT adresses for them.

As this NAT network has to be visible in my network (for routing back to the NAT router), I loose a more or less large network for other (real) purposes - although with PAT a single address had been sufficient to "address" the whole remote network!

Thanks Hermann

Mohamed Sobair · ‎10-06-2007

Hi,

The best practise is to use Static-Nat with PAT for Server's remote access, this is more

scalable interms of managment and thus you could permit only specific local & remote ports for server access.

Another option, you can use GRE tunnel over your SP connection to reach specific remote network & leave the natted traffic for normal internet access.

Regards,

Mohamed Sobair

iuszh · ‎10-06-2007

Hello Mohamed,

thanks for your response.

As to the servers I also use static NAT. The issue are the client addresses. Addresses out of my network have to be translated before reaching the remote net and the ones from remote have to be hidden from my net (as quite a lot of them are non RFC 1918).

I do this by economically overloading all of my (inside source) addresses into a single one fitting into the remote networks.

But for the clients from remote I have to provide a quite large pool of NAT addresses instead of a single (PAT-) one because there is no overlaod feature for "ip nat outside source pool ... list ...".

The propagation of (backward) routes for this NAT pool into my network blocks a large network otherwise usable for real addressing.

Regards

Hermann

Edison Ortiz · ‎10-06-2007

Any reason why the remote location won't do NAT towards your network ?

iuszh · ‎10-07-2007

Hello Edison,

the other network is a big service network our customers depend on. So the partners may dictate conditions and kindly leave all the necessary NAT-doing to us.

They just provide a range of adresses for our clients to access their networks - and a static route for this network towards us. It's up to us to get along with that range.

So we patted our client addresses into one address of this range provided.

It's our affair too to Nat the incoming client addresses - for which an overload (63 k possible concurrent accesses) would be sufficient but isn?t configurable.

Regards,

Hermann

Edison Ortiz · ‎10-08-2007

It should be configurable but I can't tell you the exact configuration at the moment. I'll have to lab it up. It may take some time until I get some gear and free time.

iuszh · ‎10-08-2007

Hello Edison,

to save your time: according to the Config References incl. IOS 12.4 the overload clause for "ip nat outside source" isn't provided.

If you configure it anyhow, the CLI of IOS 12.3.23 for instance, doesn't complain. However, in the config file the "overload" has disappeared.

Regards and Thanks,

Hermann