NATing 2 IP Addresses

Unanswered Question
Aug 7th, 2008

Hello -

I have a private network behind a Cisco 2611XM router that I want to limit access to only 2 specific IP addresses. Currently I have ACLs set up to do this, but I would now like to NAT to those two IPs.


I would like to do this:


Outside IP: 10.1.1.2 to Inside IP: 172.0.16.1

Outside IP: 10.1.1.3 to Inside IP: 172.0.16.2


When I try to enable NAT, I lose connectivity completely.

gabrielshorn Thu, 08/07/2008 - 07:40

Do you want these two private devices to be able to reach other networks, or do you want devices on other networks to be able to reach these two devices?

cacmk5 Thu, 08/07/2008 - 07:42

I would like these systems to be reached by outside networks.

gabrielshorn Thu, 08/07/2008 - 07:49

Assuming you want the two private devices to reach outside networks, do the following. I'll assume outside interface is serial0 and inside interface is ethernet0, that you've assigned appropriate IPs to those interfaces, and that the interfaces are administratively enabled.


==============

In global configuration mode:


ip nat inside source static 172.0.16.1 10.1.1.2

ip nat inside source static 172.0.16.2 10.1.1.3


In interface config mode for outside interface serial 0:


ip nat outside


In interface config mode for inside interface ethernet 0:


ip nat inside


===========



cacmk5 Thu, 08/07/2008 - 07:53

Yes, the interfaces are administratively enabled. My question is how do I set an outside IP to match to the inside IP?


The commands you submitted will work, but how do I assign an external IP to NAT to one of the internal IPs?

gabrielshorn Fri, 08/08/2008 - 09:04

Actually, after I thought about it, I realized that the method I gave you maps the addresses in both directions when you use static address translation. So, the config I described will do exactly what you need.

cacmk5 Tue, 08/12/2008 - 10:58

I am still having problems getting the NAT to work. Below is my router config for NAT / ACL:


interface FastEthernet0/0

description Connection to XXXXXX Corporate Network

ip address 195.85.24.4 255.255.255.0

ip access-group 101 in

ip accounting output-packets

ip nat inside

duplex auto

speed auto

no cdp enable

!

interface FastEthernet0/1

ip address dhcp

shutdown

duplex auto

speed auto

no cdp enable

!

interface Vlan1

description Do Not Use - Security Risk

no ip address

shutdown

!

interface Vlan13

description Fermenter network

ip address 10.13.1.1 255.255.0.0

ip accounting output-packets

ip nat outside

!

ip nat inside source list CRFementerNAT interface Vlan13 overload

ip nat inside source static tcp 195.85.24.9 3389 10.13.2.3 3389 extendable

ip nat inside source static tcp 195.85.24.10 3389 10.13.10.5 3389 extendable

no ip http server

ip classless

ip route 0.0.0.0 0.0.0.0 195.85.24.1

!

!

!

ip access-list extended CRFementerNAT

deny ip 10.13.0.0 0.0.255.255 any

permit ip 10.0.0.0 0.255.255.255 any

remark allow new XXXXX / ZZZZZZ IP range

permit ip 195.85.0.0 0.0.255.255 any

access-list 101 permit 23 any any

access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.2.3

access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.10.5

access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255

access-list 101 permit ip any any

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389

no cdp run


tdrais Tue, 08/12/2008 - 11:27

First I would try to remove access list 101 to see if you have a NAT issue or an access list issue.


You may have a larger issue if the access list is implying that you wish to have internal machines access these 2 servers via their outside address.


The deny statement for 195.85.0.0 will in effect block all traffic going out the VLAN interface, since it must be 10.13.0.0/16.


A key point to remember when using nat and access lists is that the access list is done before any nat is done.


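The order-of-operations point above (the inbound ACL is evaluated before any translation, so it sees the untranslated addresses) also means ACL 101 as posted is worth reading line by line. The following is an added example, not code from the thread: a toy first-match evaluator for the numbered extended ACL syntax used in the thread, fed ACL 101 exactly as posted. The test packets are constructed for illustration. It shows two things a reader would otherwise have to work out by hand: `permit 23 any any` matches IP protocol number 23, not TCP port 23, so telnet is actually admitted by the `permit ip any any` catch-all (and by nothing else once that line is removed), and the two `eq 3389` lines after the catch-all can never be reached.

```python
"""Toy first-match evaluator for numbered extended ACLs (added example).
Only the syntax used in the thread is parsed: 'access-list N permit|deny
PROTO SRC DST [eq PORT]' with SRC/DST as 'any', 'host A', or 'A WILDCARD'."""
import ipaddress

# ACL 101 exactly as posted above (the packets below are constructed for illustration)
ACL_101_TEXT = """
access-list 101 permit 23 any any
access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.2.3
access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.10.5
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
"""

PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}   # None = any IP protocol
MASK = 0xFFFFFFFF


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr(t, i):
    """Parse one address spec starting at t[i]; return ((network, wildcard), next index)."""
    if t[i] == "any":
        return (0, MASK), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def parse_ace(line):
    t = line.split()
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    # a bare number is an IP protocol number, not a TCP port: '23' here is not telnet
    proto = PROTO_NUM[t[3]] if t[3] in PROTO_NUM else int(t[3])
    return {"action": t[2], "proto": proto, "src": src, "dst": dst, "dport": port, "text": line}


def _matches(spec, addr):
    net, wild = spec
    return (_ip(addr) & ~wild & MASK) == (net & ~wild & MASK)


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index) of the first matching ACE, or ('deny', None) for the implicit deny."""
    pnum = PROTO_NUM[proto]
    for idx, ace in enumerate(acl):
        if ace["proto"] is not None and ace["proto"] != pnum:
            continue
        if not (_matches(ace["src"], src) and _matches(ace["dst"], dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], idx
    return "deny", None


def _covers(a, b):
    """True if address spec a matches every address that spec b matches."""
    (na, wa), (nb, wb) = a, b
    return (wb & ~wa & MASK) == 0 and (nb & ~wa & MASK) == (na & ~wa & MASK)


def shadowed(acl):
    """Indexes of ACEs that can never be hit because an earlier ACE already covers them."""
    dead = []
    for j, b in enumerate(acl):
        for a in acl[:j]:
            if ((a["proto"] is None or a["proto"] == b["proto"])
                    and _covers(a["src"], b["src"]) and _covers(a["dst"], b["dst"])
                    and (a["dport"] is None or a["dport"] == b["dport"])):
                dead.append(j)
                break
    return dead


ACL_101 = [parse_ace(l) for l in ACL_101_TEXT.strip().splitlines()]

if __name__ == "__main__":
    for args in [("tcp", "195.85.24.50", "195.85.24.4", 23),      # telnet to the router
                 ("tcp", "195.85.24.50", "10.13.2.3", 3389),      # RDP to a permitted server
                 ("tcp", "195.85.24.50", "10.13.5.5", 22),        # SSH to some other 10.13 host
                 ("tcp", "192.0.2.7", "10.13.2.3", 3389)]:        # RDP from outside 195.85/16
        print(args, "->", evaluate(ACL_101, *args))
    print("unreachable lines:", [ACL_101[i]["text"] for i in shadowed(ACL_101)])
```

Run as a script it prints, for each constructed packet, which line of ACL 101 decides it: every packet that is not one of the two explicit permits or the 195.85/16 to 10/8 deny falls through to `permit ip any any`, including RDP from an address outside 195.85.0.0/16. `shadowed()` is a cheap check worth running on any ACL before debugging NAT behind it.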

cacmk5 Tue, 08/12/2008 - 11:45

Hello -

I only want users on the 195.85.24.x net to access the 2 servers 10.13.2.3 and 10.13.10.5 via port 3389. The only other traffic I want to allow is telnet to int fa0/0. I am using ACL 101 to block all traffic except for telnet and RDP. What would be the best config to accomplish this? I have removed ACL 101 and still cannot NAT through the 195.85.24.9 / .10 IPs to the outside IPs.

dhananjoy chowdhury Tue, 08/12/2008 - 11:32

Hi,

If the int f0/0 is connecting the Outside/Internet , then you should put "ip nat outside" under int f0/0

and "ip nat inside" on the VLAN 13 interface.


=================================

Here is an example of what you need.

Suppose,

Outside s0/0: IP 100.0.0.1 /24

inside - f0/0: IP 10.0.0.1 /24

You have internal mail server IP: 10.0.0.2


Now you need to redirect port 25 requests on outside 100.0.0.2 towards inside IP 10.0.0.2

int S0/0

ip address 100.0.0.1 255.255.255.0

ip nat outside


int f0/0

ip address 10.0.0.1 255.255.255.0

ip nat inside


R1(config)# ip nat inside source static tcp 10.0.0.2 25 100.0.0.2 25

cacmk5 Tue, 08/12/2008 - 11:59

Hello - When I make the switch with the ip nat inside / outside commands on the interfaces, I get locked out from the 195.x net. I can telnet into the 10.x net, but it still does not fix the NAT issue.

tdrais Tue, 08/12/2008 - 12:10

Not sure exactly where to start here. You may have the nat backwards but if you run real networks "195.85.24.0/24" in your corp network and 10.13.x.x in some lab or something it is correct. I run this way but the normal internet has the private on the inside and the public on the outside.


What you have configured does, if I ignore the access list:


Traffic that comes from 195.85.24.9 will get translated to 10.13.2.3 as it passes out into the 10.13.0.0/16 network.


This means that 10.13.2.3 must first somehow be routed to 10.13.1.1 from the outside.


You really can't have a machine, say 195.85.24.111, talk to 195.85.24.9 using the 10.13.2.3 address.


The access list again depends on which way the traffic is going, but to allow telnet traffic you use permit tcp any any eq 23. Wasn't sure why you were permitting protocol 23.



cacmk5 Tue, 08/12/2008 - 12:23

I have inherited the router. It had been sitting for 3 years untouched. I was asked to work with it and allow access from 195.85.x to those two IPs. Then I was asked to NAT the two 195.85.x IPs to those two IPs. I want to block all traffic except for RDP (3389) to those 2 IPs and telnet to the router 195.85.24.4 IP. I know the router isn't set up correctly, but I am not on site where the router is and have to get it working until I can go out and reconfigure it correctly.

tdrais Tue, 08/12/2008 - 13:29

So it works without the nat going from the 195.85 net to the 10.13 net but now they do not want to use the 10.13 addresses anymore.


So you now want the 195.85 net to use 195.85.24.9, as an example.


... hmm, had a big post here and then remembered you cannot do port translation on a destination address. There is also an issue that the address you want to translate to is not actually sent to the router.


Have a pressing issue but will look again tomorrow unless someone else solves this.

tdrais Wed, 08/13/2008 - 04:35

Maybe this will work. When you look at it from the viewpoint of the inside interface, you want to change the destination addresses, which is done with an outside source command. The limitation is that you cannot do port translations on an outside source.


Luckily we are not trying to map it to the inside interface. So a one-to-one outside NAT should work, but you now allow more traffic than just 3389 to be NATed and reach your inside network. To prevent this I used an inbound access list on the outside interface that only allows traffic on port 3389. If you know your real inside addresses it is best to change ANY to match. Note you should be able to telnet to the router from the inside network. If you need to telnet to the router from the outside network to the inside interface, another rule will need to be added.


The next issue is the routing. To make the NAT work we must somehow assume the packet gets to the router. Then I put in a static route to vlan13. This is because the routing is attempted before the NAT. Without the static it will send it out the Ethernet port, both because it is in that subnet and because the default route points that way.


There is a second routing issue that this may not solve. Somehow these 2 addresses must get the data to the router. If you are lucky proxy ARP will solve this. When any device in 195.85.24.0/24 ARPs for one of these 2 addresses this router will respond, since it has a route. So in theory when 195.85.24.1 ARPs for this address it should send the traffic to this router. It would be best if you put static /32 routes in for these 2 addresses on 195.85.24.1 pointing to 195.85.24.4. You may still have issues with other devices on the 195.85.24.0 network.


If this does not work there is a newer NAT configuration in 12.4 that doesn't use the concept of inside and outside we can try. This is still kinda new so I have not used it a lot.



interface FastEthernet0/0

description Connection to XXXXXX Corporate Network

ip address 195.85.24.4 255.255.255.0

ip nat inside



interface Vlan13

description Fermenter network

ip address 10.13.1.1 255.255.0.0

ip access-group 102 in

ip nat outside

!


ip nat outside source static 10.13.2.3 195.85.24.9

ip nat outside source static 10.13.10.5 195.85.24.10

!

ip route 195.85.24.9 255.255.255.255 vlan13

ip route 195.85.24.10 255.255.255.255 vlan13

ip route 0.0.0.0 0.0.0.0 195.85.24.1

!

access-list 102 permit tcp host 10.13.2.3 eq 3389 any eq 3389

access-list 102 permit tcp host 10.13.10.5 eq 3389 any eq 3389

!

cacmk5 Wed, 08/13/2008 - 05:30

Thanks. I will get back and let you know if this works.

cacmk5 Thu, 08/14/2008 - 06:22

Hello -


I have tried the suggestions you mentioned but no such luck. When I add access-list 102 to the vlan13 int, it loses all connectivity to the systems. Below is my latest config:


interface FastEthernet0/0

description Connection to Cedar Rapids Corporate Network

ip address 195.85.24.4 255.255.255.0

ip access-group 101 in

ip accounting output-packets

ip nat inside

duplex auto

speed auto

no cdp enable


interface Vlan13

description Fermenter network

ip address 10.13.1.1 255.255.0.0

ip accounting output-packets

ip nat outside

!

ip nat inside source list CRFementerNAT interface Vlan13 overload

ip nat inside source static tcp 10.13.2.3 3389 195.85.24.9 3389 extendable

ip nat inside source static tcp 10.13.10.5 3389 195.85.24.10 3389 extendable

ip http server

ip classless

ip route 0.0.0.0 0.0.0.0 195.85.24.1

ip route 195.85.24.9 255.255.255.255 Vlan13

ip route 195.85.24.10 255.255.255.255 Vlan13

!

!

!

ip access-list extended CRFementerNAT

deny ip 10.13.0.0 0.0.255.255 any

permit ip 10.0.0.0 0.255.255.255 any

remark allow new Genencor / Danisco IP range

permit ip 195.85.0.0 0.0.255.255 any

access-list 101 permit 25 any any

access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.2.3

access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.10.5

access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255

access-list 101 permit ip any any

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 102 permit tcp host 10.13.2.3 eq 3389 any eq 3389

access-list 102 permit tcp host 10.13.10.5 eq 3389 any eq 3389

no cdp run


gabrielshorn Thu, 08/14/2008 - 07:13

I have a very similar setup where I have static mapped NAT with mapped ports to a specific service behind my firewall. The only difference that I see between your setup and mine, besides the completely different access lists, is that your static NAT entries are backwards. I know it seems like they should be the way they are, but they shouldn't. For hosts on outside networks to reach your 195.85.24 network, you want to do:


ip nat inside source static tcp 195.85.24.9 3389 10.13.2.3 3389

ip nat inside source static tcp 195.85.24.10 3389 10.13.10.5 3389


You shouldn't use the "extendable" keyword. The way I understand it, that's only used if you were going to have multiple global addresses all translate to a single local address or vice versa, to allow arbitrary resolution to multiple hosts.


Also, just to differentiate between issues with NAT and ACLs, remove your access-group statements temporarily and just get the NAT and PAT working.



cacmk5 Thu, 08/14/2008 - 07:26

Well -


I have tried the suggestions but when I take out the ACL and add your statements, I am unable to access the 2 IPs from the 195.x net or the 10.x net.


mlund Fri, 08/15/2008 - 00:07

Hi


I may have misunderstood something, and am a little confused about what you mean. You say in your first post "I want to limit access to only 2 specific IP addresses." Does this mean these two addresses belong to two servers? If so, you can't at the same time NAT to these addresses. Then you get an IP conflict. You have to NAT to addresses that are not used.


The access-list should be changed to this one which permits ip to 2 hosts,

access-list 101 permit tcp any host 195.85.24.4 eq telnet

access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.2.3

access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.10.5

access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255

access-list 101 permit ip any any


or to this that's permitting tcp 3389 to two hosts

access-list 101 permit tcp any host 195.85.24.4 eq telnet

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389

access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389

access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255

access-list 101 permit ip any any


/Mikael

cacmk5 Fri, 08/15/2008 - 04:11

Hello Mikael -

With the ACLs, I have been able to limit access to the two servers. I was hoping to use two outside IPs to access the two inside servers, but this is not the case with static NAT. I do appreciate all the help on this.

tdrais Fri, 08/15/2008 - 05:45

Maybe a less configuration based question may be best.



My impression reading this and from the partial configurations are




A user, say at 195.85.?.100, needs to get to server 10.13.2.3 using port 3389.



From the 195.85 net you cannot route the 10.13 net so you need to have the 10.13.2.3 address represented by 195.85.24.9.

From the 10.13.2.3 machine it cannot see the 195.85 network so you want all traffic to appear to come from 10.13.1.1



So when the user sends the packet it looks like



source 195.85.?.100 3389 dest 195.85.24.9 3389


When the server receives the packet you want


source 10.13.1.1 3389 dest 10.13.2.3 3389



If this is what you want your issue with the nat is you are translating both the source and destination addresses.


The NAT pool you currently have will work correctly to do the 195.85.?.? to 10.13.1.1, but to modify the destination you must use an ip nat outside command.



Or am I reading this all wrong?

cacmk5 Fri, 08/15/2008 - 05:55

No I am trying to do what you are saying. I want users in the 195.x to connect via 195.85.24.9 to 10.13.2.3 address and 195.85.24.10 to 10.13.10.5. Right now I have the ACL in place to restrict access to only the two 10.x IPs. So access right now works when you use the 10.x IPs.

mlund Fri, 08/15/2008 - 05:54

Hi


I think there is something unclear here. The access-list is permitting traffic from 195.85.24.0/24 to host 10.13.2.3 and 10.13.10.5. That must be wrong, because those are the addresses that are used for NAT. It should be like this.


access-list 101 permit tcp any host 195.85.24.4 eq telnet

access-list 101 permit tcp host 195.85.24.9 10.13.2.3 0.0.255.255 eq 3389

access-list 101 permit tcp host 195.85.24.10 10.13.10.5 0.0.255.255 eq 3389

access-list 101 permit tcp host 195.85.24.9 eq 3389 10.13.2.3 0.0.255.255

access-list 101 permit tcp host 195.85.24.10 eq 3389 10.13.10.5 0.0.255.255

access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255

access-list 101 permit ip any any

ip nat inside source static 195.85.24.9 10.13.2.3

ip nat inside source static 195.85.24.10 10.13.10.5


this way, if a source from outside , for example 10.13.1.100 connects to 10.13.2.3

it will show up on outside as source 10.13.1.100 destination 10.13.2.3,

on inside it will be source 10.13.1.100 destination 195.85.24.9

the return traffic on inside will be, source 195.85.24.9 destination 10.13.1.100

and on outside, source 10.13.2.3 destination 10.13.1.100


/Mikael


Forget this post. I was too slow on typing, Tim was quicker

tdrais Fri, 08/15/2008 - 08:52

I set this up in my lab and these are the configurations I used. R4 is used to simulate you local machine and I use a source of 195.85.100.100


R5 represents the nat router


r6 is used as a target.


I use telnet here rather than 3389 since I don't have pc's in the lab.



R4


interface Loopback0

ip address 195.85.100.100 255.255.255.255

!

interface FastEthernet0/0

ip address 195.85.24.1 255.255.255.0


R5

!

interface FastEthernet0/0

ip address 195.85.24.4 255.255.255.0

ip nat inside


interface FastEthernet0/1

ip address 10.13.1.1 255.255.0.0

ip nat outside



ip route 0.0.0.0 0.0.0.0 195.85.24.1

ip route 195.85.24.9 255.255.255.255 FastEthernet0/1


ip nat inside source list CRF interface FastEthernet0/1 overload

ip nat outside source static tcp 10.13.2.3 23 195.85.24.9 23 extendable


ip access-list extended CRF

permit ip 195.85.0.0 0.0.255.255 any



R6


interface FastEthernet0/1

ip address 10.13.2.3 255.255.0.0

duplex auto



+++++++++++++++



r4#telnet 195.85.24.9 /source-interface lo0

Trying 195.85.24.9 ... Open



Password required, but none set


[Connection to 195.85.24.9 closed by foreign host]

r4#


r5#sh ip nat translations

Pro  Inside global          Inside local            Outside local      Outside global
tcp  ---                    ---                     195.85.24.9:23     10.13.2.3:23
tcp  10.13.1.1:11179        195.85.100.100:11179    195.85.24.9:23     10.13.2.3:23


+++++++++++++++



So after all this it works, sorta. You will notice the source port is 11179, but let's assume I could force this to be 3389.

Now the global and local only match because no one else was using 11179. If the port is in use it will make up a new port for the inside global.


I can't see how you are going to keep the ports for all the different sessions at 3389 when you use overload.

Only one session can use 3389 at a time. You will need to have a pool of addresses for the outside port.

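The lab result above, and the earlier observation in this thread that a single `ip nat inside source static` entry maps in both directions, come down to the IOS order of operations: inside-to-outside traffic is routed first and translated only if it exits an `ip nat outside` interface, while outside-to-inside traffic is translated first and then routed. The following is an added example, not code from the thread or from Cisco: a toy Python model of that ordering with the lab's addresses (R5 on Fa0/0 and Fa0/1, the `/32` host route, the `overload` address 10.13.1.1 and the `outside source static` entry) and, for comparison, the original question's two 1:1 statics. Assumptions, stated in the code too: TCP only, no `ip nat inside source list` restriction (every inside source without a static entry is PATed), and the packet from the lab is reconstructed from the translation table shown.

```python
"""Toy model of IOS NAT order of operations (added example, not from the thread).
Assumptions: TCP only, static 1:1 rules, one 'overload' address, and the
'ip nat inside source list ...' restriction is ignored (every inside source
without a static entry is PATed)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, routes, inside_if, outside_if, overload_addr=None):
        # routes: (prefix, egress interface); longest prefix wins
        self.routes = sorted(((ipaddress.ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.inside_if, self.outside_if = inside_if, outside_if
        self.overload_addr = overload_addr
        self.inside_static = {}   # ip nat inside source static  LOCAL  GLOBAL
        self.outside_static = {}  # ip nat outside source static GLOBAL LOCAL
        self.pat = {}             # (inside global ip, port) -> (inside local ip, port)

    def route(self, dst):
        ip = ipaddress.ip_address(dst)
        return next((i for n, i in self.routes if ip in n), None)

    def _alloc_port(self, local_ip, port):
        """PAT keeps the client's source port if free, otherwise takes the next free one."""
        for cand in [port] + list(range(1024, 65536)):
            key = (self.overload_addr, cand)
            if self.pat.setdefault(key, (local_ip, port)) == (local_ip, port):
                return cand
        raise RuntimeError("PAT port pool exhausted")

    def forward(self, pkt, ingress):
        """Return (egress interface, packet as it leaves) or None if it is dropped."""
        if ingress == self.inside_if:
            # inside -> outside: ROUTE FIRST, translate only if the packet exits an outside interface
            egress = self.route(pkt.dst)
            if egress != self.outside_if:
                return egress, pkt
            if pkt.src in self.inside_static:
                src, sport = self.inside_static[pkt.src], pkt.sport
            elif self.overload_addr:
                src, sport = self.overload_addr, self._alloc_port(pkt.src, pkt.sport)
            else:
                src, sport = pkt.src, pkt.sport
            # an outside-source rule rewrites the DESTINATION here (outside local -> outside global)
            dst = next((g for g, l in self.outside_static.items() if l == pkt.dst), pkt.dst)
            return egress, Pkt(src, sport, dst, pkt.dport)
        # outside -> inside: TRANSLATE FIRST, then route on the translated destination
        src = self.outside_static.get(pkt.src, pkt.src)
        by_global = {g: l for l, g in self.inside_static.items()}
        if pkt.dst in by_global:
            dst, dport = by_global[pkt.dst], pkt.dport
        elif (pkt.dst, pkt.dport) in self.pat:
            dst, dport = self.pat[(pkt.dst, pkt.dport)]
        else:
            return None                         # no entry: IOS drops it
        out = Pkt(src, pkt.sport, dst, dport)
        return self.route(out.dst), out


def lab_router(with_host_route=True):
    """R5 from the lab post above, with its addresses (constructed model)."""
    routes = [("195.85.24.0/24", "Fa0/0"), ("10.13.0.0/16", "Fa0/1"), ("0.0.0.0/0", "Fa0/0")]
    if with_host_route:
        routes.append(("195.85.24.9/32", "Fa0/1"))   # ip route 195.85.24.9 255.255.255.255 Fa0/1
    r = NatRouter(routes, inside_if="Fa0/0", outside_if="Fa0/1", overload_addr="10.13.1.1")
    r.outside_static["10.13.2.3"] = "195.85.24.9"     # ip nat outside source static 10.13.2.3 195.85.24.9
    return r


def first_post_router():
    """The original question's layout: inside Ethernet0 / outside Serial0 with two 1:1 statics."""
    r = NatRouter([("172.0.16.0/24", "Eth0"), ("10.1.1.0/24", "Ser0"), ("0.0.0.0/0", "Ser0")],
                  inside_if="Eth0", outside_if="Ser0")
    r.inside_static["172.0.16.1"] = "10.1.1.2"        # ip nat inside source static 172.0.16.1 10.1.1.2
    r.inside_static["172.0.16.2"] = "10.1.1.3"
    return r


if __name__ == "__main__":
    r = lab_router()
    print(r.forward(Pkt("195.85.100.100", 11179, "195.85.24.9", 23), "Fa0/0"))   # the lab session
    print(r.forward(Pkt("10.13.2.3", 23, "10.13.1.1", 11179), "Fa0/1"))          # its return traffic
    print(r.forward(Pkt("195.85.100.101", 11179, "195.85.24.9", 23), "Fa0/0"))   # same port: PAT moves it
    print(lab_router(False).forward(Pkt("195.85.100.100", 11179, "195.85.24.9", 23), "Fa0/0"))
```

The first print reproduces the second row of the translation table (10.13.1.1:11179 / 195.85.100.100:11179 / 195.85.24.9:23 / 10.13.2.3:23). The third shows why a fixed port cannot be kept under `overload`: a second client using the same source port gets a different inside-global port. The fourth, without the `/32` host route, shows the packet being routed straight back out the inside interface untranslated, because routing happens before inside-to-outside translation. `first_post_router()` shows the one static entry rewriting the destination for outside-to-inside traffic and the source for inside-to-outside traffic, which is the bidirectional behaviour described earlier in the thread.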