NAT for backdoor

Answered Question
Jul 7th, 2009

Hi all,


I'm trying to set up a backdoor to access a PDU when the first link is down.

I am sure that it is possible to do it with NAT but I can't configure it.

In the attachment there is a drawing of my scenario; access through Router A is possible without problems via static NAT.

My problem starts when I try to access via HTTP through Router B (2.2.2.2). The MasterSW sends packets to its default gateway, so the connection can't work.

I need NAT to translate my IP (3.3.3.3) into the LAN IP of Router B (192.168.120.2); then MasterSW will see the connection from source IP 192.168.120.2.

Is this possible? Can somebody give me a clue for the config?

Thanks in advance




Jon Marshall Tue, 07/07/2009 - 03:36

David


Router B

interface fa0/0
 ! LAN interface
 ip nat outside
!
interface fa0/1
 ! WAN interface
 ip nat inside
!
access-list 101 permit ip host 3.3.3.3 host 192.168.120.30
!
ip nat inside source list 101 interface fa0/0 overload


Jon

david.knet Tue, 07/07/2009 - 03:49

Thank you for your answer, Jon, but this does not work for me.

The config that you propose requires that I access the IP of MasterSW (192.168.120.30) directly, but I need to access 2.2.2.2 (http://2.2.2.2), and Router B must translate my query to 192.168.120.30:80

Correct Answer
Jon Marshall Tue, 07/07/2009 - 04:42

David


Not what you asked though. Your request was -

"I need NAT to translate my IP (3.3.3.3) into the LAN IP of Router B (192.168.120.2); then MasterSW will see the connection from source IP 192.168.120.2."


and the config supplied does that. However it looks like you also need to access the remote MasterSW on 2.2.2.2.


This complicates the config considerably as there is no way to translate source IP addresses coming in from the outside without a NAT pool (unlike the pix/ASA devices).


So you need at least 2 spare addresses from the 192.168.120.x subnet. Let's assume you can use 192.168.120.4 -> 5.


On router B

===========


interface fa0/0
 ! LAN interface (note this has changed from previous config)
 ip nat inside
!
interface fa0/1
 ! WAN interface (note this has changed from previous config)
 ip nat outside
!
! This route is needed for return traffic from MasterSW because of the order of NAT/routing in IOS.
ip route 192.168.120.4 255.255.255.252 fa0/1
!
ip nat pool TPL 192.168.120.4 192.168.120.5 prefix-length 30
ip nat inside source static tcp 192.168.120.30 80 2.2.2.2 80
ip nat outside source list 101 pool TPL
!
access-list 101 permit tcp host 3.3.3.3 host 2.2.2.2 eq 80


Jon
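
The translations in the config above, modelled in Python as an added example (not part of Jon's post and not IOS code). The /24 LAN mask, the client source port used when calling it, and the names Pkt, RouterB and reply_path are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("192.168.120.0/24")  # assumed /24; the post only says 192.168.120.x
POOL = ["192.168.120.4", "192.168.120.5"]       # ip nat pool TPL
ACL_101 = ("3.3.3.3", "2.2.2.2", 80)            # access-list 101 (src, dst, dst port)
STATIC = {("2.2.2.2", 80): ("192.168.120.30", 80)}  # ip nat inside source static tcp

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class RouterB:
    """Toy model of the two NAT rules; not IOS code."""
    def __init__(self):
        self.outside = {}  # real outside source -> pool address seen on the LAN

    def wan_to_lan(self, p):
        # ip nat outside source list 101 pool TPL: only ACL 101 matches are re-sourced
        if (p.src, p.dst, p.dport) == ACL_101:
            if p.src not in self.outside:
                free = [a for a in POOL if a not in self.outside.values()]
                if not free:
                    return None  # pool exhausted, no translation possible
                self.outside[p.src] = free[0]
            p = replace(p, src=self.outside[p.src])
        # static entry: destination 2.2.2.2:80 becomes the MasterSW address
        if (p.dst, p.dport) in STATIC:
            dst, dport = STATIC[(p.dst, p.dport)]
            p = replace(p, dst=dst, dport=dport)
        return p

    def lan_to_wan(self, p):
        # reverse both translations for the reply
        for (g_ip, g_port), local in STATIC.items():
            if (p.src, p.sport) == local:
                p = replace(p, src=g_ip, sport=g_port)
        for real, pooled in self.outside.items():
            if p.dst == pooled:
                p = replace(p, dst=real)
        return p

def reply_path(seen):
    """Where MasterSW sends its answer, judged by the source address it saw."""
    return "lan" if ipaddress.ip_address(seen.src) in LAN else "default-gateway"
```

A client matching access-list 101 reaches MasterSW with a pool address as its source, so the answer stays on the LAN; any other source keeps its own address and the answer heads for the default gateway, which is the symptom described in the question.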

david.knet Tue, 07/07/2009 - 06:24

Sorry for the inconvenience, Jon. My English is not as good as I would like :)

This config works perfectly. Thank you for your help

Jon Marshall Tue, 07/07/2009 - 06:43

David


No problem, glad to have helped.


PS - your English seems fine to me!


Jon
