NAT on 3845 router

Answered Question
Apr 23rd, 2010

Hi Guys,


Quick question.  Does anyone know how to NAT BOTH the source and destination IP address on a router?  I've been through several articles and it looks like this functionality is reserved for the ASA firewall but was looking for confirmation.


Need to configure a router for an Extranet with overlapping IP space.  So source IP NAT is needed to hide the partners IP space and Destination NAT is needed to access the database IP on our network as that IP overlaps as well.


Hoping someone has some very creative advice


Federico Coto F... Fri, 04/23/2010 - 14:03

Hi,


On a router normally you NAT the source address.

This is done with the command: ip nat inside source....


If you want to translate the destination address, you can do so with the command: ip nat outside source....


In both options you can reference an ACL or a route-map.


Federico.

d.serra Fri, 04/23/2010 - 14:15

Thanks Federico,


Unfortunately what I'm trying to do is a little more complex. I need to translate both the source and destination IPs in the same packet.


ip nat inside source static and ip nat outside will do only one of those at a time.


Incidentally, ip nat inside source static and ip nat outside perform a very similar function, as both will take traffic initiated on the outside interface and translate the destination IP to the inside destination address, but only ip nat inside source static will allow traffic initiated on the inside of the network to be source natted out.


To better explain, here is an article I've been referencing.  It is a cisco authored doc but comes from another web site:

http://www.firewall.cx/downloads/articles/sample%20config%20using%20ip%20nat.pdf


So if anyone knows how I can nat both the source and destination IPs of the same packet, that would be very helpful.


Thanks!


Dave

Federico Coto F... Fri, 04/23/2010 - 14:19

Ok, I see...

What is the option you mentioned on the ASA to translate both the source and destination addresses on the same packet?


Federico.

d.serra Fri, 04/23/2010 - 14:24

well....the option is not to use the ASA, lol! 


I know firewalls in general have this capability.  Checkpoint certainly does and I'm confident the ASA has the ability too but there is no firewall in the network path for this connectivity so I'm trying to find out if it can be done on a router.

Correct Answer
Federico Coto F... Fri, 04/23/2010 - 14:35

I'm trying to think ;-)


ip nat inside source static 1.1.1.1 2.2.2.2
ip nat outside source static 3.3.3.3 4.4.4.4


In the above example, when host 1.1.1.1 wants to access 3.3.3.3, what is really going to happen is that
host 1.1.1.1 is translated to 2.2.2.2 and the destination IP 3.3.3.3 to 4.4.4.4.

In this way the real IP addresses of the communication are 1.1.1.1 and 3.3.3.3,
but the communication flows between 2.2.2.2 and 4.4.4.4.


I have not tried this, but I'm just thinking it can be done. I might be wrong. Is this the configuration you have looked up?


Federico.

Jon Marshall Fri, 04/23/2010 - 14:36

Federico


On an ASA


static (inside,outside) 195.177.10.10 192.168.5.1 netmask 255.255.255.255


static (outside,inside) 10.228.53.6 212.22.10.10 netmask 255.255.255.255


so a packet sent from the inside of 192.168.5.1 to a destination of 10.228.53.6 would get its source translated to 195.177.10.10 and its destination translated to 212.22.10.10


however I don't think this is possible on IOS. I have a feeling you can use a NAT pool for outside addresses but it's been a while since I did it.


Jon

Federico Coto F... Fri, 04/23/2010 - 14:44

Jon,


That's what I was thinking on a router:


ip nat inside source static 1.1.1.1 2.2.2.2
ip nat outside source static 3.3.3.3 4.4.4.4


But I don't know if it's going to work.


Federico.

Jon Marshall Fri, 04/23/2010 - 15:08

Dave


I'll lab this up tomorrow but from memory it's a real bear to get working.


One thought. Do you have more than one router in the path? If so, you could do



(ip nat inside fa0/0) R1 (fa0/1 ip nat outside)   <--->  (ip nat outside fa0/0) R2 (fa0/1 ip nat inside)


then translate the source addresses on R1 and the destination addresses on R2


Jon

d.serra Sat, 04/24/2010 - 05:23

Thanks Jon!  Keep me posted




Federico,


ip nat outside source static and ip nat inside source static will both nat the Destination IP address when packets are sourced from the network behind the Outside interface.  The only difference between the two commands is that when packets are sourced from the network behind the Inside interface, 'ip nat inside source static' will nat the Source IP address and 'ip nat outside source static' will not.


Neither command will NAT BOTH the source and destination IP address of the packet that flows from outside to inside.


Check out the link to the doc I sent.  It explains the two well.


Thanks!


Dave

d.serra Sun, 04/25/2010 - 12:10

Federico,


Please ignore my last post. I must have been having a senior moment.


I have tried to use 'ip nat inside source static' to translate packets originating on the outside network destined for inside.  Destination IP is correctly being natted.


I then added 'ip nat outside source static' to translate the source IP of packets originating from the outside network and have had limited success.  I can see in a sniffer trace that both source IP and destination IP are being NATted but the router for some reason for return traffic is not NATting the Destination IP back to the original IP.  I've isolated the issue to be with the 'ip nat outside source static' command as when I only have that configured I'm getting the same issue.


I'll continue to test and let you guys know.


Thanks again!


Dave

d.serra Sun, 04/25/2010 - 16:12

Ok, I managed to get this working in a friend's lab.


I used two lines of configuration:


ip nat inside source static

ip nat outside source static


Having both of those lines in the configuration did in fact translate both the SA and DA of packets. Very cool!


The snag that I was running into was that when the SA of traffic originating on the Outside interface was an IP on the same network as that interface (i.e. on the NAT router ip 1.1.1.3 was used and the 'ip nat outside' interface had an ip of 1.1.1.1), return packets would not be forwarded from the NAT router over the outside interface and on to the destination. But when I made the SA address one on a network beyond the local network to the NAT router, it worked.


Thanks again guys!  Your help is much appreciated!!


Dave
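
Since Dave did not post his addresses, here is an added worked example (not a configuration from this thread or from Cisco) that puts Federico's two-command idea and Dave's confirmed result into one complete single-router IOS configuration. The topology, interface names, the partner next hop and all addresses are constructed assumptions using RFC 5737 documentation ranges; the overlap is modelled by both sides using 10.1.1.0/24.

```cisco
! Added example, not a configuration posted in this thread.
! Assumed (constructed) topology:
!   Fa0/0 = ip nat inside : our network 10.1.1.0/24, database host 10.1.1.50
!   Fa0/1 = ip nat outside: extranet link 203.0.113.0/30, partner router 203.0.113.2
!   The partner also uses 10.1.1.0/24 (overlap). Their host 10.1.1.20 must
!   appear to us as 198.51.100.20; our database must appear to them as 192.0.2.50.
!
interface FastEthernet0/0
 description Inside (our network)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Outside (extranet link to partner)
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
!
! Source NAT: inside local 10.1.1.50 <-> inside global 192.0.2.50
! Hides our real database address from the partner.
ip nat inside source static 10.1.1.50 192.0.2.50
!
! Destination NAT: outside global 10.1.1.20 <-> outside local 198.51.100.20
! Hides the partner's overlapping address from our network.
ip nat outside source static 10.1.1.20 198.51.100.20
!
! Inside-to-outside packets are routed BEFORE they are translated, so the router
! needs a route for the outside local address that points at the partner;
! without it a packet from our side to 198.51.100.20 has no usable next hop.
ip route 198.51.100.20 255.255.255.255 203.0.113.2
!
! Resulting translations, one packet in each direction (src -> dst):
!   from our DB:  10.1.1.50 -> 198.51.100.20   leaves Fa0/1 as  192.0.2.50 -> 10.1.1.20
!   from partner: 10.1.1.20 -> 192.0.2.50      enters Fa0/0 as  198.51.100.20 -> 10.1.1.50
!
! Verification from exec mode:
!   show ip nat translations   both static entries plus one dynamic entry per flow
!   show ip nat statistics     hit/miss counters for each direction
!   debug ip nat               per-packet s=/d= translation log; lab use only, it is chatty
```

Two points worth checking before calling it done: the partner must route 192.0.2.50 back to 203.0.113.1, and the partner host should sit behind the partner router rather than on the link subnet itself, which matches what Dave found (the outside-side source address had to be on a network beyond the NAT router's local network). Both static entries should show up in `show ip nat translations` before any traffic flows; if only one does, the direction that is not translating is the one to look at first.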

Federico Coto F... Sun, 04/25/2010 - 16:31

Dave,


I am very glad that it worked, and thank you very much for letting us know.

Great feedback.


Federico.
