NAT configuration issue cisco 2621

juanalejo
Level 1

Hello,

I'm using NAT with overload to translate IP addresses from a small office into an IP address from the main office. The connection from the branch office to the main office is OK and the NAT is working, but the connection from the main office to the small office doesn't work. I think that is because the response packets are being translated when they travel through the inside interface. How can I resolve this issue?


6 Replies

Jon Marshall
Hall of Fame

Juan

It's not clear from your description what the problem is. Could you do a quick diagram and post any relevant configs so we can help you.

Jon

Hi Jon,

First of all, I'm sorry about my English, because it's not very good.

I've made a quick diagram of my situation. The problem is that I must do NAT on the main router, because it's necessary that the source IP of the packets coming from the branch office is 172.21.60.48, but I also need to access the branch office from the main office, and that doesn't work.

Thank you.

This is normal.

Suppose one PC (172.21.60.1) in the main office tries to connect to one PC (192.168.1.5) in the remote office. The first packet will reach the remote PC, but when the remote PC answers, NAT will occur, so 172.21.60.1 will see the response coming from 172.21.60.48.

The solution is to modify the ACL. If you need NAT for only one kind of traffic (web, telnet, ...), add those protocols to the ACL. Doing so will not trigger NAT when the HO contacts the remote office.

Juan

While Oussama makes some interesting points, I believe that the fundamental problem is different from what he describes. NAT as you are doing it (which is actually PAT, since you are translating multiple inside addresses to a single outside address) creates an entry in the translation table when it sees outgoing traffic from the inside interface. This allows an inside host to initiate traffic, and when an outside host responds there is an entry to translate back to the correct inside address.

But PAT does not support traffic initiated from an outside host (at the main office) to reach a remote host (at the branch office), since it does not know which entry in the translation table to use.

Perhaps another way to look at this issue is that if the inside host has address 192.168.1.5, the host at the main office does not have any route to get to that address, and there may not be any entry in the translation table for that address (and even if there were an existing translation entry, how would the main office host know what it was?).

So if you have a requirement for main office hosts to initiate traffic to the branch office hosts, then you will need some different solution. In some cases it is possible to not translate traffic from the remote office going to the main office, provide a routing entry at the main office for the remote office network, and translate only the traffic from the branch that is going outside of the enterprise network. Perhaps that could work for you?

HTH

Rick


Hello,

You are right: if I only translate the traffic from the branch going outside my enterprise network, I can access the remote office from the main office.

I've used the extended ACL:

access-list 101 permit ip 192.168.1.0 0.0.0.255 DESTINATION DESTINATION-WILDCARD

Thank you very much for your help.

Regards,

Juan.
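As an added example (not the poster's configuration, of which only the ACL line above is shown in the thread), the following IOS configuration lays out the arrangement Rick describes and that Juan's ACL implements: traffic from the branch LAN to the enterprise network is exempted from the overload translation, everything else is still translated, and the main office router gets a route back to the untranslated branch subnet. Only 192.168.1.0/24 and 172.21.60.48 come from the thread; the interface names, the 172.21.0.0/16 enterprise range, the /24 mask on the outside interface, the next hop 172.21.60.254 and the ACL numbers are assumptions for illustration.

```text
! Branch router (Cisco 2621). Added example, not the poster's config.
! Assumed: branch LAN 192.168.1.0/24 on FastEthernet0/0, outside interface
! Serial0/0 addressed 172.21.60.48/24, enterprise (main office) networks in
! 172.21.0.0/16, main office router next hop 172.21.60.254 (all hypothetical).
!
! Original (problem) ACL: every packet sourced from the branch LAN is translated,
! including replies to sessions that a main office host initiated.
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
! Corrected ACL: "deny" in a NAT ACL means "do not translate", not "drop".
! Enterprise-bound traffic keeps its 192.168.1.x source; everything else is PATed.
access-list 101 deny   ip 192.168.1.0 0.0.0.255 172.21.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 172.21.60.48 255.255.255.0
 ip nat outside
!
ip nat inside source list 101 interface Serial0/0 overload
ip route 0.0.0.0 0.0.0.0 172.21.60.254
!
! Main office router: a route to the now-untranslated branch LAN is required,
! because main office hosts see 192.168.1.x instead of 172.21.60.48.
! ip route 192.168.1.0 255.255.255.0 172.21.60.48
!
! Verification on the branch router:
! show ip nat translations   - only Internet-bound flows should appear
! show access-lists 101      - the deny line's counter grows for enterprise traffic
! clear ip nat translation * - drop stale entries created under the old ACL
```

After the ACL change, translations created under the old list stay in the table until they time out, which is why the `clear ip nat translation *` step is listed. One caveat worth stating explicitly: once branch hosts are reachable by their real addresses from the main office, the PAT no longer hides them, so any access restriction that was implicitly provided by the translation (nothing at the main office could initiate a session to the branch) should be made explicit with an inbound access list on the outside interface if it is still wanted.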

Juan

I am glad that my suggestion pointed you toward a solution and that you now have it working satisfactorily. If the problem is solved then perhaps you can use the check box to indicate that the issue is resolved. This will help other users in the forum to know that they can read about the issue and will find a solution for the issue.

HTH

Rick
