NATing 2 IP Addresses

cacmk5
Level 1

Hello -

I have a private network behind a Cisco 2611XM router that I want to limit access to only 2 specific IP addresses. Currently I have ACLs set up to do this, but I would now like to NAT to those two IPs.

I would like to do this:

outside IP: 10.1.1.2 to Inside IP: 172.0.16.1

Outside IP: 10.1.1.3 to Inside IP: 172.0.16.2

When I try to enable NAT, I lose connectivity completely.

25 Replies

gabrielshorn
Level 1

Do you want these two private devices to be able to reach other networks, or do you want devices on other networks to be able to reach these two devices?

I would like these systems to be reached by outside networks.

gabrielshorn
Level 1

Assuming you want the two private devices to reach outside networks, do the following. I'll assume outside interface is serial0 and inside interface is ethernet0, that you've assigned appropriate IPs to those interfaces, and that the interfaces are administratively enabled.

==============

In global configuration mode:

ip nat inside source static 172.0.16.1 10.1.1.2
ip nat inside source static 172.0.16.2 10.1.1.3

In interface config mode for outside interface serial 0:

ip nat outside

In interface config mode for inside interface ethernet 0:

ip nat inside

===========

Yes, the interfaces are administratively enabled. My question is: how do I set an outside IP to match to the inside IP?

The commands you submitted will work, but how do I assign an external IP to NAT to one of the internal IPs?

Actually, after I thought about it, I realized that the method I gave you maps the addresses in both directions when you use static address translation. So, the config I described will do exactly what you need.

I am still having problems getting the NAT to work. Below is my router config for NAT / ACL:

interface FastEthernet0/0
 description Connection to XXXXXX Corporate Network
 ip address 195.85.24.4 255.255.255.0
 ip access-group 101 in
 ip accounting output-packets
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address dhcp
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description Do Not Use - Security Risk
 no ip address
 shutdown
!
interface Vlan13
 description Fermenter network
 ip address 10.13.1.1 255.255.0.0
 ip accounting output-packets
 ip nat outside
!
ip nat inside source list CRFementerNAT interface Vlan13 overload
ip nat inside source static tcp 195.85.24.9 3389 10.13.2.3 3389 extendable
ip nat inside source static tcp 195.85.24.10 3389 10.13.10.5 3389 extendable
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 195.85.24.1
!
ip access-list extended CRFementerNAT
 deny ip 10.13.0.0 0.0.255.255 any
 permit ip 10.0.0.0 0.255.255.255 any
 remark allow new XXXXX / ZZZZZZ IP range
 permit ip 195.85.0.0 0.0.255.255 any
access-list 101 permit 23 any any
access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.2.3
access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.10.5
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
no cdp run

First I would try to remove access list 101 to see if you have a NAT issue or an access list issue.

You may have a larger issue if the access list is implying that you wish to have internal machines access these 2 servers via their outside address.

The deny statement for 198.85.0.0 will in effect block all traffic going out the VLAN interface, since it must be 10.13.0.0/16.

A key point to remember when using nat and access lists is that the access list is done before any nat is done.

Hello -

I only want users on the 195.85.24.x net to access the 2 servers 10.13.2.3 and 10.13.10.5 via port 3389. The only other traffic I want to allow is telnet to int fa0/0. I am using ACL 101 to block all traffic except for telnet and RDP. What would be the best config to accomplish this? I have removed ACL 101 and still cannot NAT through the 195.85.24.9 / .10 IPs to the outside IPs.

Hi,

If the int f0/0 is connecting the Outside/Internet , then you should put "ip nat outside" under int f0/0

and "ip nat inside" on the VLAN 13 interface.

=================================

Here is an example of what you need.

Suppose,

Outside s0/0: IP 100.0.0.1 /24

inside - f0/0: IP 10.0.0.1 /24

You have internal mail server IP: 10.0.0.2

Now you need to redirect port 25 requests on outside 100.0.0.2 towards inside IP 10.0.0.2

int S0/0
 ip address 100.0.0.1 255.255.255.0
 ip nat outside
int f0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside

R1(config)# ip nat inside source static tcp 10.0.0.2 25 100.0.0.2 25

Hello - When I make the switch with the IP nat inside / outside commands on the int, I get locked out from the 195.x net. I can telnet into the 10.x net, but it still does not fix the nat issue

Not sure exactly where to start here. You may have the nat backwards but if you run real networks "195.85.24.0/24" in your corp network and 10.13.x.x in some lab or something it is correct. I run this way but the normal internet has the private on the inside and the public on the outside.

What you have configured does the following, if I ignore the access list.

Traffic that comes from 195.85.24.9 will get translated to 10.13.2.3 as it passes out into the 10.13.0.0/16 network.

This means that first 10.13.2.3 must somehow be routed to 10.13.1.1 from the outside.

You really can't have a machine, say 195.85.24.111, talk to 198.85.24.9 using the 10.12.2.3 address.

The access list again depends on which way the traffic is going, but to allow telnet traffic you use permit tcp any any eq 23. Wasn't sure why you were permitting protocol 23.

I have inherited the router. It had been sitting for 3 years untouched. I was asked to work with it and allow access from the 195.85.x net to those two IPs. Then I was asked to NAT the two 195.85.x IPs to those two IPs. I want to block all traffic except for RDP (3389) to those 2 IPs and telnet to the router's 195.85.24.4 IP. I know the router isn't set up correctly, but I am not on site where the router is and have to get it working until I can go out and re-configure it correctly.

So it works without the nat going from the 195.85 net to the 10.13 net but now they do not want to use the 10.13 addresses anymore.

So you now want the 195.85 net to use 195.85.24.9, as an example.

... hmm, had a big post here and then remembered you cannot do port translation on a destination address. There is also an issue that the address you want to translate to is not actually sent to the router.

Have a pressing issue but will look again tomorrow unless someone else solves this.

Maybe this will work. Look at it from the viewpoint of the inside interface. You want to change the destination addresses, which is done with an outside source command. The limitation is that you cannot do port translations on an outside source.

Luckily we are not trying to map it to the inside interface. So a one-to-one outside NAT should work, but you now allow more traffic than just 3389 to be NATed and reach your inside network. To prevent this I used an inbound access list on the outside interface that only allows traffic on port 3389. If you know your real inside addresses it is best to change ANY to match. Note you should be able to telnet to the router from the inside network. If you need to telnet to the router from the outside network to the inside interface, another rule will need to be added.

The next issue is the routing. To make the NAT work we must somehow assume the packet gets to the router. Then I put in a static route to vlan13. This is because NAT will attempt to do the routing before the NAT. Without the static route it will send it out the ethernet port, both because it is in that subnet and because the default route points that way.

There is a second routing issue that this may not solve. Somehow these 2 addresses must get the data to the router. If you are lucky, proxy ARP will solve this. When any device in 195.85.24.0/24 ARPs for one of these 2 addresses, this router will respond since it has a route. So in theory when 195.85.24.1 ARPs for this address it should send the traffic to this router. It would be best if you put static /32 routes in for these 2 addresses on 195.85.24.1 pointing to 195.85.24.4. You may still have issues with other devices on the 195.85.24.0 network.

If this does not work, there is a newer NAT configuration in 12.4 that doesn't use the concept of inside and outside that we can try. This is still kinda new so I have not used it a lot.

interface FastEthernet0/0
 description Connection to XXXXXX Corporate Network
 ip address 195.85.24.4 255.255.255.0
 ip nat inside
!
interface Vlan13
 description Fermenter network
 ip address 10.13.1.1 255.255.0.0
 ip access-group 102 in
 ip nat outside
!
ip nat outside source static 10.13.2.3 195.85.24.9
ip nat outside source static 10.13.10.5 195.85.24.10
!
ip route 195.85.24.9 255.255.255.255 Vlan13
ip route 195.85.24.10 255.255.255.255 Vlan13
ip route 0.0.0.0 0.0.0.0 195.85.24.1
!
access-list 102 remark inbound on the outside interface: checked before NAT, so it sees the 10.13.x source
access-list 102 remark RDP replies come from server port 3389 to a client ephemeral port, so no destination port test
access-list 102 permit tcp host 10.13.2.3 eq 3389 any
access-list 102 permit tcp host 10.13.10.5 eq 3389 any
!
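Added example, not from the thread or from IOS: a small Python model of the outside-to-inside path on Vlan13 in the design above, showing why the inbound ACL must match the untranslated 10.13.x source before the outside-source static rule rewrites it. Addresses are the thread's; the client port 50000 is constructed.

```python
"""Model of the Vlan13 inbound path from the thread: inbound ACL 102 is checked
first, on the untranslated 10.13.x source, then 'ip nat outside source static'
rewrites that source. Added example, not IOS; client address/port are constructed."""
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

ANY = ("0.0.0.0", "255.255.255.255")   # how IOS spells 'any'
# access-list 102 permit tcp host 10.13.2.3 eq 3389 any  (and the same for 10.13.10.5)
# entry: (action, proto, src, src_wc, sport, dst, dst_wc, dport); None = no port test
ACL_102 = [
    ("permit", "tcp", "10.13.2.3", "0.0.0.0", 3389, *ANY, None),
    ("permit", "tcp", "10.13.10.5", "0.0.0.0", 3389, *ANY, None),
]
# ip nat outside source static <outside global> <outside local>
OUTSIDE_SOURCE_STATIC = {"10.13.2.3": "195.85.24.9", "10.13.10.5": "195.85.24.10"}

def acl_permits(acl, pkt: Packet) -> bool:
    for action, proto, s, swc, sp, d, dwc, dp in acl:
        if proto != pkt.proto or not wildcard_match(pkt.src, s, swc):
            continue
        if (sp is not None and sp != pkt.sport) or not wildcard_match(pkt.dst, d, dwc):
            continue
        if dp is not None and dp != pkt.dport:
            continue
        return action == "permit"   # first matching entry decides
    return False                    # implicit deny at the end of every IOS ACL

def vlan13_inbound(pkt: Packet):
    """Outside-to-inside: inbound ACL first, then NAT. Returns the packet as the
    inside (195.85.24.x) side sees it, or None when the ACL drops it."""
    if not acl_permits(ACL_102, pkt):
        return None
    return replace(pkt, src=OUTSIDE_SOURCE_STATIC.get(pkt.src, pkt.src))

# RDP reply from a fermenter server to a constructed corporate client
print(vlan13_inbound(Packet("tcp", "10.13.2.3", 3389, "195.85.24.111", 50000)))
```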
