Problem with Bi-directional natting

alex.perez
Level 1

Hi, I'm attempting to perform a double translation but so far have not had much luck.

I have a host directly connected to interface 0/0 on a Cisco 2600 that needs to send translated packets out on interface 1/0 and also be able to receive them back the same way.

The setup we currently have is:

Host(192.168.0.1) <-> [NAT_INSIDE:192.168.0.2] || [NAT_OUTSIDE:172.16.0.5] <-> (server) 172.16.0.30

The intention is to perform a translation on all packets arriving at 192.168.0.2 and send them out to 172.16.0.30 with a source of 172.16.0.5, so in effect the server would see them as if they were sent from the 2600.

On the return, the same scenario: packets arriving on 172.16.0.5 should be translated to 192.168.0.1 with a source address of 192.168.0.2, so the host sees them as if sent from the 2600.

In effect, a simple 2 way forward translation.

The current config we have for the 2600 is:

interface FastEthernet 0/0
 ip address 192.168.0.2 255.255.255.252
 ip nat inside
!
interface Ethernet 1/0
 ip address 172.16.0.5 255.255.255.0
 ip nat outside
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip nat inside source static 192.168.0.1 172.16.0.30

When packets arrive on the outside interface (.5) they are sent to the inside interface as requested, and I can see them in the host, but the reverse is not happening, i.e. packets arriving from 192.168.0.1 on 192.168.0.2 are not being forwarded to 172.16.0.30.

I do get a ping back from the 2600 in this situation (probably due to routing happening before natting).

Could anyone shed some light as to see if this can be done?

Many thanks in advance.

Alex

6 Replies

Jon Marshall
Hall of Fame

Alex

Could you clarify exactly what you want to happen with the source and destination IP addresses in both directions, because it is not clear from your description.

"ip nat inside source static 192.168.0.1 172.16.0.30"

this statement would not make packets arriving at the server seem as though they are coming from the router interface 172.16.0.5.

So Host 192.168.0.1 sends a packet to 172.16.0.30. First question:

1) Does 192.168.0.1 send a packet to 172.16.0.30, or does it send it to another address that you then want to NAT on the 2600?

After that, what do you want to happen to the IP addresses in the packet when they go through the 2600?

Jon

Hi Jon, thanks very much for your prompt reply.

Packets from 192.168.0.1 are sent to 192.168.0.2.

What we need to do is send out on the outside interface the packets received in 192.168.0.2 out to 172.16.0.30 with a source of 172.16.0.5

Then, packets received on 172.16.0.5 from 172.16.0.30 need to be translated and sent out to 192.168.0.1 with a source IP of 192.168.0.2

Many thanks again.

Alex

Alex

I don't have a router handy at the moment so there may be a bit of trial and error here.

This statement will NAT your source IP address (192.168.0.1) to 172.16.0.5

ip nat inside source static 192.168.0.1 172.16.0.5

This next statement is the one we may have to work on :-)

ip nat outside source static 172.16.0.30 192.168.0.2

Can you try them both and let me know what happens.

Jon

Ron hi.

I have run a few tests with the config you mention.

If I ping 172.16.0.5 from 172.16.0.30, I can see the ICMPs on 192.168.0.1, where I can also see the responses sent back.

On 172.16.0.30, however, I'm getting request timeouts.

When I ping 192.168.0.2 from 192.168.0.1 I get the responses back very quickly (I assume from the router) but no trace of the packets reaching 172.16.0.30.

I don't think that they are being sent back at all :(

Cheers

Alex

Alex

I should have spotted that one, i.e. pinging 192.168.0.2 from 192.168.0.1: obviously the router interface will just respond. Does it have to be this address, i.e. 192.168.0.2, or could it be another?

As for the other ping not working, can you remove the second NAT statement in my original post and see if it works?

I know I have a 2600 router lying around somewhere in my garage, I may have to dig it out :-)

Jon

Hi Jon.

Unfortunately we are fixed to the two addresses, 192.168.0.1 and .2. It's a private cct that is delivered straight to the 2600.

I've removed the 2nd NAT rule and got request timeouts on the .30 box.

The thing that gets me is that it is a really simple concept; I was sure it could be done with a Cisco box.

Thanks very much for your pointers; if we end up figuring that out it would be superb :).

Best regards

Alex
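The following is an added example, not code from the thread or from Cisco: a small Python model of how IOS static NAT rewrites addresses and in which order it routes versus translates (inside-to-outside: route, then translate; outside-to-inside: translate, then route). It uses the thread's addresses and the two statements Jon proposed, and it reproduces what Alex reported: an echo request from 172.16.0.30 to 172.16.0.5 reaches 192.168.0.1, but the host's reply is addressed to 192.168.0.2, which is the router's own interface, so the router consumes it and nothing ever goes back to .30; likewise a ping from .1 to .2 is answered locally and never forwarded. The model is deliberately simplified (connected routes only, no ports, no `add-route` handling, no NAT on the router's own traffic); the class and function names are mine.

```python
"""Toy model of Cisco IOS static NAT order of operations (added example, not
from the thread or from Cisco). Addresses are the ones used in the thread."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_interface


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class NatRouter:
    """Minimal model: interfaces with an inside/outside role, plus the two
    static NAT statements used in the thread. Hypothetical class, not IOS."""

    def __init__(self):
        self.interfaces = {}     # name -> (ip_interface, "inside" | "outside")
        self.inside_static = {}  # local -> global   (ip nat inside source static L G)
        self.outside_static = {} # global -> local   (ip nat outside source static G L)

    def add_interface(self, name, cidr, role):
        self.interfaces[name] = (ip_interface(cidr), role)

    def nat_inside_source_static(self, local, glob):
        self.inside_static[local] = glob

    def nat_outside_source_static(self, glob, local):
        self.outside_static[glob] = local

    def _route(self, dst):
        # Connected routes only; None stands for "via the default route".
        for name, (iface, _) in self.interfaces.items():
            if ip_address(dst) in iface.network:
                return name
        return None

    def _is_own_address(self, dst):
        return any(str(iface.ip) == dst for iface, _ in self.interfaces.values())

    def forward(self, pkt, ingress):
        """Return ("local", pkt) when the router itself consumes the packet,
        otherwise (egress_interface, translated_packet)."""
        role = self.interfaces[ingress][1]
        if role == "inside":
            # inside -> outside: routing decision first, then translation
            if self._is_own_address(pkt.dst):
                return ("local", pkt)
            egress = self._route(pkt.dst)
            local_to_global = {l: g for g, l in self.outside_static.items()}
            pkt = replace(pkt,
                          src=self.inside_static.get(pkt.src, pkt.src),
                          dst=local_to_global.get(pkt.dst, pkt.dst))
            return (egress, pkt)
        # outside -> inside: translation first, then routing decision
        global_to_local = {g: l for l, g in self.inside_static.items()}
        pkt = replace(pkt,
                      src=self.outside_static.get(pkt.src, pkt.src),
                      dst=global_to_local.get(pkt.dst, pkt.dst))
        if self._is_own_address(pkt.dst):
            return ("local", pkt)
        return (self._route(pkt.dst), pkt)


def build_proposed_router():
    """The 2600 from the thread with the two statements Jon proposed."""
    r = NatRouter()
    r.add_interface("FastEthernet0/0", "192.168.0.2/30", "inside")
    r.add_interface("Ethernet1/0", "172.16.0.5/24", "outside")
    r.nat_inside_source_static("192.168.0.1", "172.16.0.5")
    r.nat_outside_source_static("172.16.0.30", "192.168.0.2")
    return r


def trace_ping(router, src, dst, ingress):
    """Echo request src->dst arriving on ingress, then the echo reply on the
    way back. Returns the hops as (egress_or_local, packet) tuples."""
    hops = []
    egress, req = router.forward(Packet(src, dst), ingress)
    hops.append((egress, req))
    if egress == "local":
        return hops                       # router answers; nothing crosses it
    egress2, rep = router.forward(Packet(req.dst, req.src), egress)
    hops.append((egress2, rep))
    return hops


if __name__ == "__main__":
    r = build_proposed_router()
    print("ping .30 -> .5 :", trace_ping(r, "172.16.0.30", "172.16.0.5", "Ethernet1/0"))
    print("ping .1 -> .2  :", trace_ping(r, "192.168.0.1", "192.168.0.2", "FastEthernet0/0"))
```

Running it shows the request from .30 arriving at the host as 192.168.0.2 -> 192.168.0.1, and the host's reply (192.168.0.1 -> 192.168.0.2) ending at "local", which is the request timeout Alex saw on the .30 box. The second trace ends at "local" on the very first hop, which is the fast reply from the router that Jon pointed out: as long as the inside host must address 192.168.0.2, no NAT statement can make that packet leave the router.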
