NAT help

whiteford
Level 1

Hi,

I need to set up a lab to practise NAT. The reason I ask is that it looks like our LAN, which is using 192.168.1.x/24 and 192.168.2.x/24, will be connecting to another LAN using the same IP ranges as us (different company, and neither can change the LAN IP ranges). I'm not sure if the other will be done via a VPN or leased line.

I want to be able to "hide" our LAN IP ranges with some other IP ranges.

What I have done so far is connect 2 Cisco 2620s together with their serial ports, and I can ping each WAN port from either router. I was then thinking of using loopback addresses on each side that were the same and then try NAT, but now I get confused and I think I will need to use a NAT pool and overload.

Can you think of a way I can practise NAT?

Thanks

Accepted Solution

Marwan ALshawi
VIP Alumni

this is a common issue and NAT can resolve it

but you need to follow the following

do the following:

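router 1

! WAN link towards router 2
interface Serial0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat outside

! Loopback standing in for the overlapping LAN
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

! Present 192.168.1.0/24 to the other side as 20.1.1.0/24
ip nat inside source static network 192.168.1.0 20.1.1.0 /24
! Reach the other side's translated range over the serial link
ip route 30.1.1.0 255.255.255.0 10.1.1.2

on router 2:

! WAN link towards router 1
interface Serial0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat outside

! Loopback standing in for the overlapping LAN
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

! Present 192.168.1.0/24 to the other side as 30.1.1.0/24
ip nat inside source static network 192.168.1.0 30.1.1.0 /24
! Reach the other side's translated range over the serial link
ip route 20.1.1.0 255.255.255.0 10.1.1.1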

now you can ping the same device IP address

I mean, if you ping 192.168.1.1 from router 1 to two, it will automatically be sent to 30.1.1.1, and in router 2 it will be translated to 192.168.1.1

and so on

this is a copy of a debug icmp from R1 to R2, on R2

r0#ping 30.1.1.1 source loopback 0

ICMP: echo reply sent, src 192.168.1.1, dst 20.1.1.1

ICMP: echo reply sent, src 192.168.1.1, dst 20.1.1.1

the reply is sent to 20.1.1.1

don't forget to source the ping from lo0 to make the NATing work

and on R1 you see below the reply received as from 30.1.1.1

ICMP: echo reply rcvd, src 30.1.1.1, dst 192.168.1.1

ICMP: echo reply rcvd, src 30.1.1.1, dst 192.168.1.1

NOTE: you can do the same on one side's router using the commands below:

ip nat inside source static network 192.168.1.0 20.1.1.0 /24

ip nat outside source static network 192.168.1.0 30.1.1.0 /24

notice the inside and outside in the commands!! use this way if you want to do the NATing only on your side, and they need to have a route, for example a static route, to your NATed IPs, which in our example should be 20.1.1.0/24

and their network will appear to your network as 30.1.1.0

good luck

if helpful Rate
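
A simplified model of the two-router setup in the answer above, added here as an illustration (it is not part of the original post and not Cisco code): it applies the two "ip nat inside source static network" mappings to a ping and returns the addresses seen at each hop. The Python names map_net, Router and ping are assumptions made for this example, and the model ignores routing and IOS order of operations.

```python
import ipaddress

def map_net(addr, from_net, to_net):
    """Static network NAT: swap the prefix, keep the host bits.
    Returns None when addr is not inside from_net (no translation)."""
    a = ipaddress.ip_address(addr)
    f, t = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    if a not in f:
        return None
    return str(t.network_address + (int(a) - int(f.network_address)))

class Router:
    """Models: ip nat inside source static network <local> <global> /24"""
    def __init__(self, local, global_):
        self.local, self.global_ = local, global_

    def inside_to_outside(self, src, dst):
        # Source is rewritten local -> global only if it lies in the local net.
        return (map_net(src, self.local, self.global_) or src, dst)

    def outside_to_inside(self, src, dst):
        # Destination is rewritten global -> local only if it lies in the global net.
        return (src, map_net(dst, self.global_, self.local) or dst)

# The two routers from the answer: same inside network, different global ranges.
R1 = Router("192.168.1.0/24", "20.1.1.0/24")
R2 = Router("192.168.1.0/24", "30.1.1.0/24")

def ping(src, dst, near=R1, far=R2):
    """Follow an echo request from behind `near` and its reply from behind `far`."""
    req_wire = near.inside_to_outside(src, dst)
    req_far = far.outside_to_inside(*req_wire)
    reply_far = (req_far[1], req_far[0])          # responder swaps src and dst
    reply_wire = far.inside_to_outside(*reply_far)
    reply_near = near.outside_to_inside(*reply_wire)
    return {"request_on_wire": req_wire, "request_at_far": req_far,
            "reply_sent": reply_far, "reply_rcvd": reply_near}

if __name__ == "__main__":
    for hop, pkt in ping("192.168.1.1", "30.1.1.1").items():   # sourced from lo0
        print(f"{hop:16} src={pkt[0]:12} dst={pkt[1]}")
    # Not sourced from lo0: 10.1.1.1 is outside the static range, so it stays as-is.
    print(ping("10.1.1.1", "30.1.1.1")["request_on_wire"])
```

The reply_sent and reply_rcvd values match the debug icmp lines quoted in the answer. An address such as 192.168.2.5 gets None from map_net, so the second subnet mentioned in the question needs its own mapping.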

9 Replies

What a great reply!

Thanks for taking your time up to answer.

How did you set this all up so quickly? Do you have the equipment or do you use virtual equipment? I'd love to know.

Thanks

using GNS3

which uses IOS images

wish it will help you

if helpful Rate

Hi,

Not sure what I have done wrong, but I have installed GNS3 and copied your configs onto each router, and I can ping the WAN IPs, but the ping from R0 to R1's IP fails. It looks like R1 receives something, as the debug shows this:

R0#ping 30.1.1.1 source loopback 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

.....

Success rate is 0 percent (0/5)

R0#

R1#

*Mar 1 02:53:55.727: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1

*Mar 1 02:53:55.731: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1

*Mar 1 02:53:57.682: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1

*Mar 1 02:53:57.682: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1

*Mar 1 02:53:59.757: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1

*Mar 1 02:53:59.761: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1

*Mar 1 02:54:01.724: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1

*Mar 1 02:54:01.724: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1

*Mar 1 02:54:03.724: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1

*Mar 1 02:54:03.728: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1

R1#

this looks like the NAT is not working

can you post your config here

I know you copied it but maybe something is missing

also ping and do debug ip nat detail and post it as well

good luck

I started again, how does this look:

R0#ping 30.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 17/81/148 ms

R0#

*Mar 1 00:03:04.610: ICMP: echo reply rcvd, src 192.168.1.1, dst 10.1.1.1

*Mar 1 00:03:04.742: ICMP: echo reply rcvd, src 192.168.1.1, dst 10.1.1.1

*Mar 1 00:03:04.822: ICMP: echo reply rcvd, src 192.168.1.1, dst 10.1.1.1

*Mar 1 00:03:04.839: ICMP: echo reply rcvd, src 192.168.1.1, dst 10.1.1.1

*Mar 1 00:03:04.871: ICMP: echo reply rcvd, src 192.168.1.1, dst 10.1.1.1

R1#

*Mar 1 00:03:01.994: NAT*: s=10.1.1.1, d=30.1.1.1->192.168.1.1 [0]

*Mar 1 00:03:02.002: ICMP: echo reply sent, src 192.168.1.1, dst 10.1.1.1

*Mar 1 00:03:02.170: NAT*: s=10.1.1.1, d=30.1.1.1->192.168.1.1 [1]

*Mar 1 00:03:02.174: ICMP: echo reply sent, src 192.168.1.1, dst 10.1.1.1

*Mar 1 00:03:02.262: NAT*: s=10.1.1.1, d=30.1.1.1->192.168.1.1 [2]

*Mar 1 00:03:02.262: ICMP: echo reply sent, src 192.168.1.1, dst 10.1.1.1

*Mar 1 00:03:02.278: NAT*: s=10.1.1.1, d=30.1.1.1->192.168.1.1 [3]

*Mar 1 00:03:02.278: ICMP: echo reply sent, src 192.168.1.1, dst 10.1.1.1

*Mar 1 00:03:02.298: NAT*: s=10.1.1.1, d=30.1.1.1->192.168.1.1 [4]

*Mar 1 00:03:02.298: ICMP: echo reply sent, src 192.168.1.1, dst 10.1.1.1

*Mar 1 00:04:02.485: NAT: expiring 30.1.1.1 (192.168.1.1) icmp 0 (0)

I will add more loopbacks to practise.

You mentioned I can add this just to one route. Would it be possible to have that example? The reason I ask is I think the other LAN I will connect have the knowledge, so I can control it from my side?

sounds good, it is working now :)

the other config I have put for you in my first post, under the note at the end

you need two lines

inside and outside

inside will translate your traffic from 192 to 20 for example

and the outside will translate the incoming source 192 to your network to appear as 30 for example

make sure you have a route, such as a static route, pointing to the new internal outside address, I mean the address that your internal network will see

like here in the above NATing you did, your network in R1 sees the traffic as coming from 10.1.1.1

good luck

if helps Rate

Couple of questions.

1.) To NAT one side I guess I will remove all NAT commands from one side? Then just add the routes only.

2.) I would like to try a PAT (NAT overload) lab too. Could NAT overload be used for this scenario to simplify things? It would be nice to try. Am I right in thinking I could get subnets 192.168.1.x/24 and 192.168.2.x/24 seen as one IP address? Making routes & ACLs just for this IP (or pool)?

Thanks. Let me know if it is best to open a new post so I can rate it as a separate post.

whiteford
Level 1

I will give it a go, here is 5+ points.

Thanks
