NAT on 3845 router

Answered Question
Apr 23rd, 2010

Hi Guys,

Quick question. Does anyone know how to NAT BOTH the source and destination IP address on a router? I've been through several articles and it looks like this functionality is reserved for the ASA firewall, but I was looking for confirmation.

I need to configure a router for an Extranet with overlapping IP space. So source IP NAT is needed to hide the partner's IP space, and destination NAT is needed to access the database IP on our network, as that IP overlaps as well.

Hoping someone has some very creative advice.

Federico Coto F... Fri, 04/23/2010 - 14:03

Hi,

On a router normally you NAT the source address.

This is done with the command: ip nat inside source....

If you want to translate the destination address, you can do so with the command: ip nat outside source....

In both options you can reference an ACL or a route-map.

Federico.

d.serra Fri, 04/23/2010 - 14:15

Thanks Federico,

Unfortunately, what I'm trying to do is a little more complex. I need to translate both the source and destination IPs in the same packet.

ip nat inside source static and ip nat outside will do only one of those at a time.

Incidentally, ip nat inside source static and ip nat outside perform a very similar function, as both will take traffic initiated on the outside interface and translate the destination IP to the inside destination address, but only ip nat inside source static will allow traffic initiated on the inside of the network to be source NATted out.

To better explain, here is an article I've been referencing. It is a Cisco-authored doc but comes from another web site:

http://www.firewall.cx/downloads/articles/sample%20config%20using%20ip%20nat.pdf

So if anyone knows how I can NAT both the source and destination IPs of the same packet, that would be very helpful.

Thanks!


Dave

Federico Coto F... Fri, 04/23/2010 - 14:19

Ok, I see...

What is the option you mentioned on the ASA to translate both the source and destination addresses on the same packet?

Federico.

d.serra Fri, 04/23/2010 - 14:24

Well... the option is not to use the ASA, lol!

I know firewalls in general have this capability. Checkpoint certainly does, and I'm confident the ASA has the ability too, but there is no firewall in the network path for this connectivity, so I'm trying to find out if it can be done on a router.

Correct Answer
Federico Coto F... Fri, 04/23/2010 - 14:35

I'm trying to think ;-)

ip nat inside source static 1.1.1.1 2.2.2.2
ip nat outside source static 3.3.3.3 4.4.4.4

In the above example, when host 1.1.1.1 wants to access 3.3.3.3, in reality what's going to happen is that host 1.1.1.1 is translated to 2.2.2.2 and the destination IP 3.3.3.3 to 4.4.4.4.

In this way the real IP addresses of the communication are 1.1.1.1 and 3.3.3.3, but the communication flows between 2.2.2.2 and 4.4.4.4.

I have not tried this, but I'm just thinking it can be done. I might be wrong. Is this the configuration you have looked up?

Federico.

Jon Marshall Fri, 04/23/2010 - 14:36

Federico

On an ASA

static (inside,outside) 195.177.10.10 192.168.5.1 netmask 255.255.255.255

static (outside,inside) 10.228.53.6 212.22.10.10 netmask 255.255.255.255

So a packet sent from the inside from 192.168.5.1 to a destination of 10.228.53.6 would get its source translated to 195.177.10.10 and its destination translated to 212.22.10.10.

However, I don't think this is possible on IOS. I have a feeling you can use a NAT pool for outside addresses, but it's been a while since I did it.

Jon

Federico Coto F... Fri, 04/23/2010 - 14:44

Jon,

That's what I was thinking on a router:

ip nat inside source static 1.1.1.1 2.2.2.2
ip nat outside source static 3.3.3.3 4.4.4.4

But I don't know if it's going to work.

Federico.

Jon Marshall Fri, 04/23/2010 - 15:08

Dave

I'll lab this up tomorrow, but from memory it's a real bear to get working.

One thought. Do you have more than one router in the path? If so, you could do

(ip nat inside fa0/0) R1 (fa0/1 ip nat outside)   <--->  (ip nat outside fa0/0) R2 (fa0/1 ip nat inside)

and then translate the source addresses on R1 and the destination addresses on R2.

Jon

d.serra Sat, 04/24/2010 - 05:23

Thanks Jon! Keep me posted.

Federico,

ip nat outside source static and ip nat inside source static will both NAT the destination IP address when packets are sourced from the network behind the outside interface. The only difference between the two commands is that when packets are sourced from the network behind the inside interface, 'ip nat inside source static' will NAT the source IP address and 'ip nat outside source static' will not.

Neither command will NAT BOTH the source and destination IP address of the packet that flows from outside to inside.

Check out the link to the doc I sent.  It explains the two well.

Thanks!


Dave

d.serra Sun, 04/25/2010 - 12:10

Federico,

Please ignore my last post. I must have been having a senior moment.

I have tried to use 'ip nat inside source static' to translate packets originating on the outside network destined for inside. The destination IP is correctly being NATted.

I then added 'ip nat outside source static' to translate the source IP of packets originating from the outside network and have had limited success. I can see in a sniffer trace that both the source IP and destination IP are being NATted, but for return traffic the router for some reason is not NATting the destination IP back to the original IP. I've isolated the issue to the 'ip nat outside source static' command, as when I only have that configured I'm getting the same issue.

I'll continue to test and let you guys know.

Thanks again!

Dave

d.serra Sun, 04/25/2010 - 16:12

Ok, I managed to get this working in a friend's lab.

I used two lines of configuration:

ip nat inside source static

ip nat outside source static

Having both of those lines in the configuration did in fact translate both the SA and DA of packets. Very cool!

The snag that I was running into was that when the SA of traffic originating on the outside interface was an IP on the same network as the interface (i.e. on the NAT router IP 1.1.1.3 was used and the 'ip nat outside' interface had an IP of 1.1.1.1), return packets would not be forwarded from the NAT router over the outside interface and on to the destination. But when I made the SA an address on a network beyond the local network of the NAT router, it worked.

Thanks again guys!  Your help is much appreciated!!

Dave
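To make the double translation the thread converges on concrete, here is an added model (not from the thread or from Cisco) of how IOS keys the two static entries Federico suggested: `ip nat inside source` maps inside local to inside global, `ip nat outside source` maps outside global to outside local, and each packet direction applies one half of each mapping. The addresses are the thread's own 1.1.1.1/2.2.2.2 and 3.3.3.3/4.4.4.4; the class and function names are assumptions.

```python
# Added example: a minimal model of IOS static inside/outside source NAT.
# It is not Cisco code; it only reproduces the address mappings IOS applies.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class IosStaticNat:
    """Static translations keyed the way IOS keys them (names are assumed)."""

    def __init__(self):
        self.inside = {}   # inside local  -> inside global  (ip nat inside source static)
        self.outside = {}  # outside global -> outside local (ip nat outside source static)

    def inside_source_static(self, local, global_):
        self.inside[local] = global_

    def outside_source_static(self, global_, local):
        self.outside[global_] = local

    def inside_to_outside(self, pkt):
        # Source is our host: inside local -> inside global.
        # Destination is the alias our host used: outside local -> outside global.
        rev_outside = {v: k for k, v in self.outside.items()}
        return Packet(self.inside.get(pkt.src, pkt.src),
                      rev_outside.get(pkt.dst, pkt.dst))

    def outside_to_inside(self, pkt):
        # Source is the partner host: outside global -> outside local.
        # Destination is our published address: inside global -> inside local.
        rev_inside = {v: k for k, v in self.inside.items()}
        return Packet(self.outside.get(pkt.src, pkt.src),
                      rev_inside.get(pkt.dst, pkt.dst))

    def outside_local_aliases(self):
        # IOS routes inside->outside packets *before* translating them, so the
        # routing table must carry a route for each outside-local alias toward
        # the outside interface (a static route, or the add-route keyword on
        # 'ip nat outside source static'); otherwise replies are not forwarded.
        return sorted(self.outside.values())


def demo():
    """Partner 3.3.3.3 reaches our database at its published address 2.2.2.2."""
    nat = IosStaticNat()
    nat.inside_source_static("1.1.1.1", "2.2.2.2")
    nat.outside_source_static("3.3.3.3", "4.4.4.4")
    request = nat.outside_to_inside(Packet("3.3.3.3", "2.2.2.2"))  # 4.4.4.4 -> 1.1.1.1
    reply = nat.inside_to_outside(Packet(request.dst, request.src))  # 2.2.2.2 -> 3.3.3.3
    return request, reply, nat.outside_local_aliases()
```

Neither side ever sees the other's real address, which is the point for overlapping extranet space; the reply only makes it back if the alias 4.4.4.4 is routable out the outside interface.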

Federico Coto F... Sun, 04/25/2010 - 16:31

Dave,

I am very glad that it worked and thank you much for letting us know.

Great feedback.

Federico.
