Outside --> Inside NAT question

Unanswered Question
Nov 12th, 2008

All,

I have 3 public subnets. I have a situation that is going to require me to NAT 2 public subnets, and not NAT 1.

Of these 2 that will need to be natted, I need to statically NAT a complete subnet to inside addresses.

Int fa0/0
 ip address 1.1.1.1 255.255.255.0
 ip address 2.2.2.1 255.255.255.0 sec
 ip address 3.3.3.1 255.255.255.0 sec

I've NEVER set up complete pools to be translated before, but I've done one-to-one before. The interesting thing with this is that this router will have a public address on the inside interface because it connects to a public facing switch. It has to NAT to the 1.1.1.0 subnet if it's coming from 2.2.2.0 or 3.3.3.0 because the router only knows of the 1.1.1.0 subnet on its inside interface.

What lines do I need to get this to work? Do I need a NAT pool, or do those only affect outbound traffic?

Would:

ip nat outside source static 3.3.3.5 1.1.1.5
ip nat outside source static 2.2.2.6 1.1.1.6

work?

Thanks!

John

Jon Marshall Wed, 11/12/2008 - 09:59

John

NAT is bi-directional so

ip nat inside source static 1.1.1.5 3.3.3.5

would mean that traffic coming from 3.3.3.5 inbound would translate to 1.1.1.5 and traffic going out from 1.1.1.5 would translate to 3.3.3.5.

Jon

John Blakley Wed, 11/12/2008 - 10:03

So, I wouldn't need to create a pool for the subnets that I own for this to work? This is part of what we were talking about yesterday.

In the statement:

ip nat outside source static 3.3.3.5 1.1.1.5

isn't the first host the source, and the second the destination really?

John

Jon Marshall Wed, 11/12/2008 - 10:10

ip nat outside ... is used when you want to present an outside address as an inside address. Inside/outside in this context are purely to do with which interfaces you designate as inside/outside.

But that's not really what you are trying to do. You just want to make sure that inside addresses of 1.1.1.x are translated to addresses of 3.3.3.x.

What we do need to sort out is you keep mentioning pools but the examples you are giving are one-to-one mappings.

Jon

John Blakley Wed, 11/12/2008 - 10:17

We have 3 public blocks of IPs from 3 different ISPs. I need to provide a way for people from outside to get to our web servers, mail servers, etc.

The addresses that are on the public interface are routable addresses. The reason that I keep going back to "ip nat outside" is because I'd be expecting traffic coming from the public interface in.

I have one to one mappings because I looked in the fatpipe today, and I noticed that we're doing one-to-one from the other two subnets to the "private" subnet. (It's not a private IP, just on the inside interface.)

So, all translations need to be done from 2.2.2.0 and 3.3.3.0 to a public address on the 1.1.1.0 subnet.

Thanks Jon!

John

Jon Marshall Wed, 11/12/2008 - 10:23

John

I admit NAT is a bit confusing in terms of inside/outside. If you have the time some day we can go through it in detail. But suffice to say if you want to present an internal address to the outside then "ip nat inside source static" is the way to go.

Jon
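The following is an added example, not a configuration posted in this thread, that puts Jon's two points together: the static entries are "ip nat inside source static" (inside local address first, inside global second), and each entry is bidirectional, so it serves both the inbound case John asked about and the outbound case. The interface roles are an assumption for the sake of a clean layout: fa0/0 is taken to be the ISP-facing interface carrying the 2.2.2.0/24 and 3.3.3.0/24 blocks, and fa0/1 the inside interface on the 1.1.1.0/24 segment where the servers sit. The host addresses are the thread's own placeholders; the ACL name and the port choices are made up for illustration.

```cisco
! Added example (not from the thread). Assumed layout: fa0/0 faces the
! ISPs, fa0/1 faces the server segment that uses public 1.1.1.0/24 addresses.
interface FastEthernet0/0
 description Outside - ISP facing (assumed role)
 ip address 2.2.2.1 255.255.255.0
 ip address 3.3.3.1 255.255.255.0 secondary
 ip nat outside
!
interface FastEthernet0/1
 description Inside - server segment, public 1.1.1.0/24 (assumed role)
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
!
! One-to-one entries: inside local first, inside global second. No pool is
! needed for static one-to-one mappings. Each entry works in both directions:
! packets arriving from outside for 3.3.3.5 are delivered to 1.1.1.5, and
! packets leaving from 1.1.1.5 appear on the outside as 3.3.3.5.
ip nat inside source static 1.1.1.5 3.3.3.5
ip nat inside source static 1.1.1.6 2.2.2.6
!
! A plain static entry exposes every port of the inside host. Where a server
! only needs one service reachable, a static port mapping limits the
! translation to that port (here: only TCP/25 of 1.1.1.7 is reachable as
! 2.2.2.7; the host address 1.1.1.7 is a constructed example).
ip nat inside source static tcp 1.1.1.7 25 2.2.2.7 25
!
! Inbound filtering on the outside interface is evaluated before the
! outside-to-inside translation, so the ACL must match the inside global
! (post-NAT, outside-visible) addresses, not the 1.1.1.x addresses.
! ACL name and permitted ports are illustrative.
ip access-list extended OUTSIDE-IN
 permit tcp any host 3.3.3.5 eq 80
 permit tcp any host 3.3.3.5 eq 443
 permit tcp any host 2.2.2.6 eq 25
 permit tcp any host 2.2.2.7 eq 25
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in
!
! Verification (run from enable mode):
!   show ip nat translations   - lists the static entries as Inside local /
!                                Inside global pairs, plus any dynamic ones
!   show ip nat statistics     - confirms which interfaces are inside/outside
!                                and counts hits/misses per translation
```

Two notes on the design. First, "ip nat outside source static" (the form John tried) is the mirror image: it rewrites an outside host's address so that it is seen inside as some other address, which is not what is wanted here. Second, the ACL above only covers connections initiated from the outside; if the 1.1.1.x servers also open connections outward, the return traffic needs either explicit permits or a stateful inspection feature on the outside interface, which is outside the scope of this example.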
