NAT Question

Unanswered Question
Jan 2nd, 2008

I am trying to have users outside the network print to my internal printers. They can get to 10.234.8.x addresses on my end. I want to make 4 of those 10.234.8.x addresses hit 192.168.4.x addresses on my lan. I have added this command. Will this work?

ip nat inside source static 192.168.4.253 10.234.8.103
ip nat inside source static 192.168.4.246 10.234.8.102
ip nat inside source static 192.168.4.252 10.234.8.101
ip nat inside source static 192.168.4.251 10.234.8.100

Jon Marshall Wed, 01/02/2008 - 09:50

Hi

Yes, that should work provided you have applied ip nat inside and ip nat outside to the relevant interfaces.

Jon

vanguard1 Thu, 01/03/2008 - 08:57

I have the following on the interfaces. e0/1 connects to outside router. Let me know if that looks right.

interface Ethernet0/0
 ip address 10.234.8.1 255.255.255.0 secondary
 ip address 192.168.15.248 255.255.255.0 secondary
 ip address 204.154.17.20 255.255.255.0 secondary
 ip address 192.168.4.145 255.255.0.0
 no ip directed-broadcast
 ip nat inside

interface Ethernet0/1
 ip address 10.78.25.9 255.255.255.0
 no ip directed-broadcast
 ip nat outside

waleed_amer Sat, 01/05/2008 - 12:49

Hi Vanguard,

According to your requirement, you need users from one subnet to use resources from a different subnet, and the two subnets are on the same Ethernet interface. You have to move one of them to the other interface and use ip nat outside on the interface that has the resources subnet.

Regards,

W.Amer

chschroe Sat, 01/05/2008 - 12:58

Yeah, it cannot be done that way. You want to NAT two devices that are connected to the same broadcast domain, and it can't be done. I'd honestly be surprised if it didn't just work fine with proxy-arp (which is evil, don't use it).

A couple of subinterfaces and some VLANs would fix you right up.

NS

vanguard1 Sun, 01/06/2008 - 10:59

e0/0 and e0/1 have different IP addresses and connect to different switches. One to my LAN, one to another network via dedicated circuit. Even though the IP addresses are different and they connect to different switches, they are still in the same broadcast domain? Trying to think of a way to make this work. The only router I can configure in this scenario is the one listed, with e0/0 and e0/1.

ohassairi Sun, 01/06/2008 - 21:38

Vanguard,

If you want to NAT between computers that have the same physical gateway but are in different subnets, configure an 802.1q trunk between your switch and the physical interface of the router.

Here is the example:

For the router: http://www.hassairi.50megs.com/#trunkport

For the switch: http://www.hassairi.50megs.com/sw.html#trunk

But you will need to:

- have a router that supports 802.1q

- configure VLANs on your switch

Then apply ip nat inside/outside under the subinterfaces.

chschroe Mon, 01/07/2008 - 18:51

I understand a little bit better what you want to do, but I need to see your whole config.

You can't do static destination NAT, which is the translation of the destination address moving from outside to inside. You would have to configure several nat pools on the outside, and you would need that ip address to live on the outside of the device, not on the inside. Somewhat complicated.

It can't do just passthrough NAT - it needs the packets to actually be destined to an address on the NAT box, and that address has to be on the outside. Does that make sense?

NS

vanguard1 Tue, 01/08/2008 - 11:42

Here is the config. e0/1 connects to another router going offsite via dedicated circuit. That router has an address of 10.78.25.9, hence all the static routes pointing there. Remote sites recognize us as using the 10.234.8.x addresses. I want to allow them to hit a 10 address, but have that 10 address point to a 192.168.x.x ip on my local lan. What do you think?

!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname test
!
!
ip subnet-zero
clock timezone est 6
!
!
!
interface Ethernet0/0
 ip address 204.x.x.20 255.255.255.0 secondary
 ip address 192.168.4.145 255.255.255.0 secondary
 ip address 10.234.8.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Ethernet0/1
 ip address 10.78.25.9 255.255.255.0
 no ip directed-broadcast
 ip nat outside
!
router igrp 1
 redistribute connected
 network 10.0.0.0
 network 192.168.4.0
 network 204.x.17.0
!
ip nat inside source static 192.168.4.253 10.234.8.103
ip nat inside source static 192.168.4.246 10.234.8.102
ip nat inside source static 192.168.4.252 10.234.8.101
ip nat inside source static 192.168.4.251 10.234.8.100
ip classless
ip route 10.1.204.49 255.255.255.255 10.78.25.1
ip route 10.5.2.2 255.255.255.255 10.78.25.1
ip route 10.9.2.12 255.255.255.255 10.78.25.1
ip route 10.16.2.0 255.255.255.0 10.78.25.1
ip route 10.16.23.0 255.255.255.0 10.78.25.1
ip route 10.16.101.46 255.255.255.255 10.78.25.1
ip route 10.16.101.60 255.255.255.255 10.78.25.1
ip route 10.16.101.64 255.255.255.255 10.78.25.1
ip route 10.74.0.0 255.255.0.0 10.78.25.1
ip route 10.74.2.2 255.255.255.255 10.78.25.1
ip route 10.74.2.14 255.255.255.255 10.78.25.1
ip route 10.74.2.30 255.255.255.255 10.78.25.1
ip route 200.200.200.65 255.255.255.255 10.78.25.1
ip http server
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
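
Added example, not part of any post in this thread and not Cisco tooling: a Python check that reads a pasted IOS configuration and reports the two things the replies above turn on, namely whether ip nat inside / ip nat outside are applied to interfaces, and which interface's connected subnet each static NAT address falls in. The sample is cut down from the configuration posted above (the redacted 204.x.x.20 line is left out), and the function names parse, owner and audit are this example's own.

```python
import ipaddress
import re

# Constructed sample: trimmed from the configuration posted above.
SAMPLE = """\
interface Ethernet0/0
 ip address 192.168.4.145 255.255.255.0 secondary
 ip address 10.234.8.1 255.255.255.0
 ip nat inside
interface Ethernet0/1
 ip address 10.78.25.9 255.255.255.0
 ip nat outside
ip nat inside source static 192.168.4.253 10.234.8.103
ip nat inside source static 192.168.4.246 10.234.8.102
"""

def parse(config):
    """Return ({ifname: {"nets": [...], "nat": role}}, [(local, global), ...])."""
    ifaces, statics, cur = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()  # pasted configs often lose their indentation
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"nets": [], "nat": None})
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)$", line):
            statics.append(tuple(ipaddress.ip_address(a) for a in m.groups()))
        elif cur is not None and (m := re.match(r"ip address (\S+) (\S+)", line)):
            cur["nets"].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif cur is not None and (m := re.match(r"ip nat (inside|outside)$", line)):
            cur["nat"] = m.group(1)
    return ifaces, statics

def owner(ifaces, addr):
    """Name and NAT role of the interface whose connected subnet holds addr."""
    hits = [(n, i["nat"]) for n, i in ifaces.items() if any(addr in net for net in i["nets"])]
    return hits[0] if hits else (None, None)

def audit(config):
    ifaces, statics = parse(config)
    roles = {i["nat"] for i in ifaces.values()}
    findings = [f"no interface marked 'ip nat {r}'" for r in ("inside", "outside") if r not in roles]
    for local, global_ in statics:
        _, l_role = owner(ifaces, local)
        g_if, g_role = owner(ifaces, global_)
        if l_role != "inside":
            findings.append(f"{local}: inside local address is not in a subnet connected to an 'ip nat inside' interface")
        if g_role == "inside":
            findings.append(f"{global_}: inside global address is in a subnet connected to {g_if} (ip nat inside)")
    return findings
```

On the sample, audit(SAMPLE) reports that both translated 10.234.8.x addresses sit in a subnet connected to Ethernet0/0, the interface marked ip nat inside; it states where the addresses live and does not decide whether the translation works.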

ohassairi Sat, 01/12/2008 - 23:13

OK, now I understand the question. It should work; I tried it in my lab and it works!
