04-04-2009 12:52 AM - edited 03-06-2019 04:59 AM
Hi,
I need to set up a lab to practise NAT. The reason I ask is that it looks like our LAN, which is using 192.168.1.x/24 and 192.168.2.x/24, will be connecting to another LAN using the same IP ranges as us (different company, and neither can change the LAN IP ranges). I'm not sure if the other will be done via a VPN or leased line.
I want to be able to "hide" our LAN IP ranges with some other IP ranges.
What I have done so far is connect 2 Cisco 2620s together with their serial ports, and I can ping each WAN port from either router. I was then thinking of using loopback addresses on each side that were the same and then trying NAT, but now I get confused and I think I will need to use a NAT pool and overload.
Can you think of a way I can practise NAT?
Thanks
04-04-2009 06:24 AM
This is a common issue and NAT can resolve it,
but you need to do the following:
router 1:
! WAN link towards router 2
interface Serial0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
! loopback stands in for the overlapping LAN
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
! present 192.168.1.0/24 to the other side as 20.1.1.0/24
ip nat inside source static network 192.168.1.0 20.1.1.0 /24
ip route 30.1.1.0 255.255.255.0 10.1.1.2
on router 2:
interface Serial0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat outside
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
! present 192.168.1.0/24 to the other side as 30.1.1.0/24
ip nat inside source static network 192.168.1.0 30.1.1.0 /24
ip route 20.1.1.0 255.255.255.0 10.1.1.1
Now you can ping the same device IP address.
I mean if you ping 192.168.1.1 from router 1 to two, it will automatically be sent to 30.1.1.1, and in router 2 it will be translated to 192.168.1.1,
and so on.
This is a copy of a debug icmp from R1 to R2, on R2:
r0#ping 30.1.1.1 source loopback 0
ICMP: echo reply sent, src 192.168.1.1, dst 20.1.1.1
ICMP: echo reply sent, src 192.168.1.1, dst 20.1.1.1
The reply is sent to 20.1.1.1.
Don't forget to source the ping from lo0 to make the NATing work,
and on R1 you see below the reply received as from 30.1.1.1:
ICMP: echo reply rcvd, src 30.1.1.1, dst 192.168.1.1
ICMP: echo reply rcvd, src 30.1.1.1, dst 192.168.1.1
NOTE: you can do the same on one side's router using the commands below:
ip nat inside source static network 192.168.1.0 20.1.1.0 /24
ip nat outside source static network 192.168.1.0 30.1.1.0 /24
Notice the inside and outside in the commands!! Use this way if you want to do the NATing only on your side; they need to have a route, for example a static route, to your NATed IPs, which in our example should be 20.1.1.0/24,
and their network will appear to your network as 30.1.1.0.
good luck
if helpful Rate
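An added example, not part of the original post and not Cisco code: a small Python model of the address rewriting done by the `ip nat inside source static network` and `ip nat outside source static network` lines above, tracing a ping through the two-sided and the one-sided setup. The names `Router`, `remap` and `ping` are hypothetical, and the model assumes routes are already in place and ignores routing, ACLs and translation timeouts.

```python
import ipaddress as ip

def remap(addr, from_net, to_net):
    """Static network NAT: replace the prefix, keep the host bits."""
    a, f, t = ip.ip_address(addr), ip.ip_network(from_net), ip.ip_network(to_net)
    if a not in f:
        return addr  # no matching rule: address passes through untranslated
    return str(t.network_address + (int(a) - int(f.network_address)))

class Router:
    """Simplified model: address rewriting only, no routing or ACLs (assumption)."""
    def __init__(self, inside_src=None, outside_src=None):
        self.inside_src = inside_src    # (inside local net, inside global net)
        self.outside_src = outside_src  # (outside global net, outside local net)

    def in_to_out(self, src, dst):
        if self.inside_src:
            src = remap(src, *self.inside_src)
        if self.outside_src:
            dst = remap(dst, self.outside_src[1], self.outside_src[0])
        return src, dst

    def out_to_in(self, src, dst):
        if self.inside_src:
            dst = remap(dst, self.inside_src[1], self.inside_src[0])
        if self.outside_src:
            src = remap(src, *self.outside_src)
        return src, dst

def ping(near, far, src, dst):
    """Trace (src, dst) of the echo at the far host and of the reply at the near host."""
    seen_far = far.out_to_in(*near.in_to_out(src, dst))
    reply = (seen_far[1], seen_far[0])  # far host answers, swapping the pair
    seen_near = near.out_to_in(*far.in_to_out(*reply))
    return {"echo_at_far": seen_far, "reply_sent_by_far": reply, "reply_at_near": seen_near}

LAN = "192.168.1.0/24"
# Two-sided: each router hides its own LAN (the configs from the post above).
two_sided = ping(Router(inside_src=(LAN, "20.1.1.0/24")),
                 Router(inside_src=(LAN, "30.1.1.0/24")), "192.168.1.1", "30.1.1.1")
# One-sided: router 1 carries both the inside and the outside rule, router 2 has no NAT.
one_sided = ping(Router(inside_src=(LAN, "20.1.1.0/24"), outside_src=(LAN, "30.1.1.0/24")),
                 Router(), "192.168.1.1", "30.1.1.1")
# Ping sourced from the serial address 10.1.1.1: no inside rule matches the source.
unsourced = ping(Router(inside_src=(LAN, "20.1.1.0/24")),
                 Router(inside_src=(LAN, "30.1.1.0/24")), "10.1.1.1", "30.1.1.1")

if __name__ == "__main__":
    for name, r in [("two-sided", two_sided), ("one-sided", one_sided), ("unsourced", unsourced)]:
        print(name, r)
```

In both setups the inside host sees the reply as coming from 30.1.1.1; in the one-sided case the far host must still hold a route back to 20.1.1.0/24.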
04-04-2009 06:53 AM
What a great reply!
Thanks for taking your time up to answer.
How did you set this all up so quickly? Do you have the equipment or do you use virtual equipment? I'd love to know.
Thanks
04-04-2009 08:41 AM
Using GNS3,
which uses an IOS image.
Wish this will help you.
if helpful Rate
04-04-2009 10:00 AM
Hi,
Not sure what I have done wrong, but I have installed GNS3 and copied your configs onto each router, and I can ping the WAN IPs, but the ping from R0 to R1's IP fails. It looks like R1 receives something, though, as the debug shows this:
R0#ping 30.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
R0#
R1#
*Mar 1 02:53:55.727: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1
*Mar 1 02:53:55.731: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1
*Mar 1 02:53:57.682: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1
*Mar 1 02:53:57.682: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1
*Mar 1 02:53:59.757: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1
*Mar 1 02:53:59.761: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1
*Mar 1 02:54:01.724: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1
*Mar 1 02:54:01.724: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1
*Mar 1 02:54:03.724: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1
*Mar 1 02:54:03.728: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1
R1#
04-04-2009 06:09 PM
This looks like the NAT is not working.
Can you post your config here?
I know you copied it, but maybe something is missing.
Also ping and do debug ip nat detail and post it as well.
good luck
04-05-2009 01:46 AM
I started again, how does this look:
R0#ping 30.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/81/148 ms
R0#
*Mar 1 00:03:04.610: ICMP: echo reply rcvd, src 192.168.1.1, dst 10.1.1.1
*Mar 1 00:03:04.742: ICMP: echo reply rcvd, src 192.168.1.1, dst 10.1.1.1
*Mar 1 00:03:04.822: ICMP: echo reply rcvd, src 192.168.1.1, dst 10.1.1.1
*Mar 1 00:03:04.839: ICMP: echo reply rcvd, src 192.168.1.1, dst 10.1.1.1
*Mar 1 00:03:04.871: ICMP: echo reply rcvd, src 192.168.1.1, dst 10.1.1.1
R1#
*Mar 1 00:03:01.994: NAT*: s=10.1.1.1, d=30.1.1.1->192.168.1.1 [0]
*Mar 1 00:03:02.002: ICMP: echo reply sent, src 192.168.1.1, dst 10.1.1.1
*Mar 1 00:03:02.170: NAT*: s=10.1.1.1, d=30.1.1.1->192.168.1.1 [1]
*Mar 1 00:03:02.174: ICMP: echo reply sent, src 192.168.1.1, dst 10.1.1.1
*Mar 1 00:03:02.262: NAT*: s=10.1.1.1, d=30.1.1.1->192.168.1.1 [2]
*Mar 1 00:03:02.262: ICMP: echo reply sent, src 192.168.1.1, dst 10.1.1.1
*Mar 1 00:03:02.278: NAT*: s=10.1.1.1, d=30.1.1.1->192.168.1.1 [3]
*Mar 1 00:03:02.278: ICMP: echo reply sent, src 192.168.1.1, dst 10.1.1.1
*Mar 1 00:03:02.298: NAT*: s=10.1.1.1, d=30.1.1.1->192.168.1.1 [4]
*Mar 1 00:03:02.298: ICMP: echo reply sent, src 192.168.1.1, dst 10.1.1.1
*Mar 1 00:04:02.485: NAT: expiring 30.1.1.1 (192.168.1.1) icmp 0 (0)
I will add more loopbacks to practise.
You mentioned I can add this just to one route. Would it be possible to have that example? The reason I ask is that I think the other LAN I will connect have the knowledge, so I can control it from my side?
04-05-2009 03:53 AM
Sounds good, it's working now :)
The other config, I have put it for you in my first post, under the note at the end.
You need two lines:
inside and outside.
Inside will translate your traffic from 192 to 20, for example,
and the outside will translate the incoming source 192 to your network to appear as 30, for example.
Make sure you have a route, such as a static route, pointing to the new internal outside address, I mean the address as your internal network will see it.
Like here, in the above NATing you did, your network in R1 sees the traffic as if it is coming from 10.1.1.1.
good luck
if helps Rate
04-05-2009 10:59 AM
Couple of questions.
1.) To NAT one side I guess I will remove all NAT commands from one side? Then just add the routes only.
2.) I would like to try a PAT (NAT overload) lab too. Could NAT overload be used for this scenario to simplify things? It would be nice to try. Am I right in thinking I could get subnets 192.168.1.x/24 and 192.168.2.x/24 seen as one IP address, making routes and ACLs just for this IP (or pool)?
Thanks let me know if it is best to open a new post so I can rate as a separate post.
04-05-2009 03:19 AM
I will give it a go, here is 5+ points.
Thanks