08-07-2009 08:38 AM - edited 03-06-2019 07:08 AM
Hi everybody.
I have a few questions about NAT.
Static NAT:
Please consider the following case:
h1(10.10.10.1)----f0(Router)s0----internet
Router:
int f0
ip address 10.10.10.2/24
ip nat inside
int s0
ip address 200.200.200.1/24
ip nat outside
ip nat inside source static 10.10.10.2 int s0
Will the above config perform NAT by replacing host address 10.10.10.2 with the IP address on s0 (200.200.200.1)?
How about the following:
ip nat inside source int s0
My intention is to tell the NAT router to perform NAT for any host located on f0 by replacing the source IP address with s0's IP address. Will it work?
Thanks a lot.
08-07-2009 08:45 AM
Sarah,
The easiest way is:
access-list 10 permit 10.10.10.0 0.0.0.255
ip nat inside source list 10 int s0 overload
HTH,
John
08-07-2009 09:52 AM
Thanks John.
My intention is to learn how the different parameters in the command "ip nat inside source" work.
My book mentions different forms of NAT. One form of NAT I was studying is static NAT.
The book only mentions one way to perform static NAT, so I was left wondering if I could perform static NAT as:
ip nat inside source static 10.10.10.1 int s0
I found out I can.
Thanks a lot John, and have a nice weekend.
08-07-2009 10:16 AM
Sarah,
You sure can, but you are statically assigning 10.10.10.1 to interface s0, and you can't assign other internal IPs (10.10.10.x/24) statically to the same internal interface.
In this situation, you have to do PAT (Port Address Translation), and the source IP addresses would be called from an ACL instead of static NAT.
You must also add the overload keyword to activate PAT. Without the overload keyword, the first address in the translation will take over the process and it will not allow others to be translated.
HTH,
__
Edison.
08-07-2009 08:45 AM
Sarah,
Will the above config perform NAT by replacing host address 10.10.10.2 with the IP address on s0 (200.200.200.1)?
Yes.
How about the following:
ip nat inside source int s0
The source must be internal - in your case that's the external interface.
My intention is to tell the NAT router to perform NAT for any host located on f0 by replacing the source IP address with s0's IP address. Will it work?
You will need the following:
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list 101 interface s0 overload
08-07-2009 08:52 AM
Sarah
"Will the above config perform NAT by replacing host address 10.10.10.2 with the IP address on s0 (200.200.200.1)?"
Yes it will.
"How about the following:
ip nat inside source int s0
My intention is to tell the NAT router to perform NAT for any host located on f0 by replacing the source IP address with s0's IP address. Will it work?"
No it won't, as there is no option to put the "int" keyword straight after the "source" keyword.
To achieve what you want you need -
access-list 1 permit any
ip nat inside source list 1 int s0/0 overload
Note that if you want to be more specific than just "any" in ACL 1 you can use specific source IPs, and you can also use extended ACLs if you want src/dst IPs/ports.
Jon
08-07-2009 10:07 AM
Thanks John.
Just out of curiosity, if I have the following config:
ip nat inside source list 111 int s0 overload
access-list 111 permit tcp 199.199.199.0 0.0.0.255 host 2.2.2.2 eq www
Does the above config tell the router to perform NAT only for hosts which fulfil the criteria set out in access-list 111? That is, it performs NAT for any host with an IP address within 198.198.198.0 that wants to access web server 2.2.2.2.
If my understanding is correct, then any host on 198.198.198.0 which wants to telnet to, say, some other machine will not be able to do so, as the host will not fulfil the criteria set out in access-list 111.
Is my understanding correct?
Thanks a lot.
08-07-2009 10:27 AM
Sarah,
Your understanding is correct. That's often called 'conditional NATting'.
HTH,
__
Edison.
08-07-2009 10:32 AM
Sarah
"That is, it performs NAT for any host with an IP address within 198.198.198.0 that wants to access web server 2.2.2.2"
Yes, except in your ACL you have 199.199.199.0, but your understanding is correct :-)
"If my understanding is correct, then any host on 198.198.198.0 which wants to telnet to, say, some other machine will not be able to do so, as the host will not fulfil the criteria set out in access-list 111."
This is not correct however. ACL 111 is not used to deny or allow packets; it is merely used to decide which packets to NAT. So any machine on the 198.198.198.0/24 network that telnets to another machine on the other side of the router will be allowed to. It's just that the 198.198.198.x address will not be NATted to the s0 interface, i.e. the source address will remain unchanged.
Jon
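As an added illustration of Jon's point (this is example code, not anything posted in the thread or taken from IOS), the following Python model shows what the ACL in an "ip nat inside source list ... overload" statement does and does not do: a packet that matches the ACL leaves with its source rewritten to the s0 address, a packet that does not match is still forwarded, just untranslated. The Packet and AclEntry names, the wildcard-mask matcher and the three sample packets are all constructed for the example; ACL 111 and the s0 address 200.200.200.1 come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class AclEntry:
    # One line of an extended ACL, e.g.
    #   access-list 111 permit tcp 199.199.199.0 0.0.0.255 host 2.2.2.2 eq www
    # (constructed subset: source given as net/wildcard, destination as "any" or one host)
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src_net: str
    src_wildcard: str       # Cisco wildcard mask: 1 bits are "don't care"
    dst: str                # "any" or a single host address
    dport: Optional[int] = None

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard comparison: only the bits that are 0 in the wildcard must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == n & care

def acl_permits(acl, pkt: Packet) -> bool:
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, e.src_net, e.src_wildcard):
            continue
        if e.dst != "any" and e.dst != pkt.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False            # implicit 'deny any' at the end of every Cisco ACL

def nat_inside_source(pkt: Packet, acl, outside_addr: str):
    """Models 'ip nat inside source list <acl> interface <if> overload' for one
    inside->outside packet. Returns (forwarded_packet, was_translated).
    The ACL only selects what to translate; a non-matching packet is still
    forwarded, carrying its original source address."""
    if acl_permits(acl, pkt):
        return Packet(pkt.proto, outside_addr, pkt.dst, pkt.dport), True
    return pkt, False

# Constructed sample: ACL 111 from the thread and the s0 address 200.200.200.1
ACL_111 = [AclEntry("permit", "tcp", "199.199.199.0", "0.0.0.255", "2.2.2.2", 80)]
S0_ADDRESS = "200.200.200.1"

def demo():
    cases = [
        Packet("tcp", "199.199.199.10", "2.2.2.2", 80),   # web to 2.2.2.2: translated
        Packet("tcp", "199.199.199.10", "3.3.3.3", 23),   # telnet elsewhere: forwarded as-is
        Packet("tcp", "198.198.198.5", "2.2.2.2", 80),    # 198.x, not 199.x: forwarded as-is
    ]
    return [nat_inside_source(p, ACL_111, S0_ADDRESS) for p in cases]

if __name__ == "__main__":
    for fwd, translated in demo():
        print(f"{fwd.src} -> {fwd.dst}:{fwd.dport}  translated={translated}")
```

The second and third packets are the ones Sarah asked about: neither is dropped, the router just leaves their source address alone, so if 198.198.198.0/24 is not routable from the far side those flows fail for routing reasons, not because the NAT ACL blocked them.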
08-07-2009 01:44 PM
Very good catch John.
How about the following config:
int e0
ip address 10.10.1.1/8
ip nat inside
int s0
ip address 200.200.200.1/24
access-list 1 permit host 10.10.1.1
ip nat inside source list 1 int s0
Will the above config work?
===============================
How about if I configure:
ip nat pool zee 200.1.1.0 netmask 255.255.255.0
ip nat inside source list 1 pool zee overload
Is the above config correct?
Thanks, and have a nice weekend.
08-07-2009 03:00 PM
Sarah
"int e0
ip address 10.10.1.1/8
ip nat inside
int s0
ip address 200.200.200.1/24
access-list 1 permit host 10.10.1.1
ip nat inside source list 1 int s0
Will the above config work?"
Yes it does work, although I did have my doubts, as I thought it might not because the traffic doesn't actually go through the router; rather, the packet originates on the router. Obviously to test it I used a ping and specified the source address as 10.10.1.1.
Your second example will also work, although you need to modify your config -
ip nat pool zee 200.1.1.1 200.1.1.254 netmask 255.255.255.0
ip nat inside source list 1 pool zee overload
What will happen here is that 200.1.1.1 -> 200.1.1.253 will be used for the first 253 one-to-one NAT connections, then .254 will be used to PAT the rest of them.
Both your examples are a bit misleading in that your access-list defines the e0 router interface address whereas usually NAT is used for addresses connected to the interface rather than the actual interface address. But it all still works.
Have a good weekend yourself.
Jon
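To make the difference between one-to-one translation and the overload keyword concrete (Edison's point about the first address "taking over" without overload, and Jon's point about the pool plus overload), here is a small Python model. It is added example code, not from any post or from IOS, and it models only the generic semantics: without overload each inside host consumes a whole global address and a further host gets no translation at all; with overload hosts share global addresses and are told apart by a rewritten source port. The exact order in which IOS walks a pool is not modelled, the Nat class and PAT_PORTS range are constructed, and the tiny port range exists only so the example reaches port exhaustion on one address and spills to the next.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed, deliberately tiny port range so the example shows one global address
# filling up and the next one being used; real PAT has tens of thousands of ports.
PAT_PORTS = range(1024, 1026)

@dataclass
class Nat:
    """Dynamic inside-source NAT over a list of global addresses: either the
    addresses of an 'ip nat pool' or the single address of the outside interface."""
    pool: list
    overload: bool                                  # True when 'overload' is configured
    addr_map: dict = field(default_factory=dict)    # one-to-one: inside ip -> global ip
    port_map: dict = field(default_factory=dict)    # PAT: (inside ip, port) -> (global ip, port)
    used_ports: dict = field(default_factory=dict)  # global ip -> ports already handed out

    def translate(self, inside_ip: str, inside_port: int) -> Optional[Tuple[str, int]]:
        if self.overload:
            return self._pat(inside_ip, inside_port)
        return self._one_to_one(inside_ip, inside_port)

    def _one_to_one(self, inside_ip, inside_port):
        # Each inside host needs a global address of its own; the port is left alone.
        if inside_ip not in self.addr_map:
            free = [g for g in self.pool if g not in self.addr_map.values()]
            if not free:
                return None         # no global address left: this host is not translated
            self.addr_map[inside_ip] = free[0]
        return self.addr_map[inside_ip], inside_port

    def _pat(self, inside_ip, inside_port):
        # Many inside hosts share one global address, distinguished by the new source port.
        key = (inside_ip, inside_port)
        if key in self.port_map:
            return self.port_map[key]
        for g in self.pool:
            used = self.used_ports.setdefault(g, set())
            for p in PAT_PORTS:
                if p not in used:
                    used.add(p)
                    self.port_map[key] = (g, p)
                    return g, p
        return None                 # every port on every global address is in use

def interface_without_overload():
    """'ip nat inside source list 1 interface s0' with no overload keyword: the first
    inside host takes the single interface address, the second host gets nothing."""
    nat = Nat(pool=["200.200.200.1"], overload=False)
    return [nat.translate("10.10.10.1", 40000), nat.translate("10.10.10.2", 40001)]

def pool_with_overload():
    """'ip nat pool zee ...' plus 'overload' (two pool addresses, toy port range):
    flows use up the ports of one global address, then spill over to the next."""
    nat = Nat(pool=["200.1.1.1", "200.1.1.2"], overload=True)
    return [nat.translate("10.10.1.1", 50000),
            nat.translate("10.10.1.2", 50000),   # same inside port as host 1: PAT keeps them apart
            nat.translate("10.10.1.3", 50000)]

if __name__ == "__main__":
    print("interface, no overload:", interface_without_overload())
    print("pool with overload:    ", pool_with_overload())
```

Run it and the first function returns a translation for 10.10.10.1 only; the second returns three distinct (global address, port) pairs even though all three hosts used the same inside port, which is exactly why the overload keyword is required when more hosts than global addresses need to go out.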
08-08-2009 07:53 AM
Hi John.
First of all, thanks for replying to my long-winded post.
I am a little confused here, as you mentioned an ACL has no effect on locally generated packets; an ACL only affects transit packets. My weird example, which I briefly describe again as follows for reference:
"int e0
ip address 10.10.1.1/8
ip nat inside
int s0
ip address 200.200.200.1/24
access-list 1 permit host 10.10.1.1
ip nat inside source list 1 int s0"
As you mentioned in your post, the router is still able to perform NAT for a locally generated packet.
The question is why?
I am thinking, and in the meantime if someone finds or knows the answer, please share with us.
Thanks a lot.