NAT help

Andy White
Level 3

Hello,

I've not had to deal with a NAT issue (luck I guess). I have 2 routers connected by their WAN serial cables, one site (local config) has 3 subnets 192.168.10.x/24, 192.168.20.x/24, 192.168.30.x/24, the router is providing the local routing to the L2 2960 switches (router on a stick etc). This router connects to a remote router via its serial cable but the remote site also uses 192.168.10.x/24 for its LAN and we both need to share our servers across the WAN. I need some help to hide/NAT this range and allow communication between sites. I did ask if we could change the remote site's IP range but we can't (long story).

I have attached the configs in hope somebody can give me an example. I did make a start by adding the "ip nat inside" and "ip nat outside" commands then I got a little lost.

Thanks

9 Replies

andrew.prince
Level 10

Hi Andy,

This can be solved - however it's tricky, the biggest thing is both ends want to communicate with each other. To that end, you need to NAT both sides, the big questions are:-

1) Is the 192.168.10.0/24 subnet the only subnet that needs natting?

2) Do you want to perform network based NAT (the whole /24) or just partial IPs?

3) Do you take advantage of the OSPF process you have running to advertise the NAT routes

4) Or just simple statics

5) Will the 192.168.10.0/24 from both sides need to communicate outside of this pt-pt network?

Once you answer the above - the solution will present itself!

HTH>

Hi, thanks for answering my question. Seems I'm in luck at the moment (I hope), it seems we only need the local site with the 3 subnets 192.168.10.x, 192.168.20.x, 192.168.30.x to be able to access servers on the remote site that are on 192.168.10.x, the servers seem to be on random IPs on the last octet. What options do I have, some sort of NAT pool?

Thanks

Well I would personally have:-

Local

int fa 0/0.10 <> Only this interface needs to have ip nat inside
 ip nat inside
!
int s0/0/0
 ip nat outside
!
ip nat inside source network 192.168.10.0 192.168.x.0 /24
ip route 192.168.y.0 255.255.255.0 s0/0/0

Remote

int fa0/0
 ip nat inside
!
int s0/0/0
 ip nat outside
!
ip nat inside source network 192.168.10.0 192.168.y.0 /24
ip route 192.168.x.0 255.255.255.0 s0/0/0

HTH>

Thanks, how will the local site know which server to connect to at the remote site?

Well the 2 key words in the NAT config are "Network" and "/24". This instructs both routers it's a subnet translation & the size of the subnet.

So let's say the local router translates 192.168.10.0/24 to 192.168.100.0/24, you have 5 servers

Local               Translated
192.168.10.1        192.168.100.1
192.168.10.15       192.168.100.15
192.168.10.23       192.168.100.23
192.168.10.37       192.168.100.37
192.168.10.59       192.168.100.59

And the remote end has 2 servers and translates 192.168.10.0/25 to 192.168.200.0/24

Remote              Translated
192.168.10.125      192.168.200.125
192.168.10.42       192.168.200.42

It's a 1:1 NAT translation, the only octet that is changed is the "3rd" one.

HTH>

Thanks, on the remote site the server IPs are:

192.168.10.10 - email

192.168.10.15 - file server

192.168.10.24 - Apps

I see you have created 1-to-1 NATs for the local site subnet of 192.168.10.x to get to these, but how will the other 2 local subnets get to these? Will the traffic for the subnet 192.168.20.x and 192.168.30.x remain local and route the local 192.168.1.x subnet?

Andy,

I see from your configs, in the local router you have:-

!
router ospf 1
log-adjacency-changes
network 10.10.10.0 0.0.0.3 area 0
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
!

and the remote router you have:-

!
router ospf 1
log-adjacency-changes
network 10.10.10.0 0.0.0.3 area 0
!

Since the local & remote router have 10.10.10.0 /29 in area 0 - they will form a neighbor. Since they are neighbors - the local router will send the 192.168.10.0/20 & 30 subnets to the remote router. I presume the servers at the remote site have IP addresses with a "Default Gateway" of the router interface? Routing is preserved for 192.168.20.0/ 30.0 as they are NOT being NAT'd. Since the 192.168.10.0 is local to the remote router via a CONNECTED interface - it will ignore the OSPF route for 192.168.10.0/24

How do you plan to connect to these servers, by IP address or Name - either way you need a DNS server.

HTH>

Thanks for explaining that Andrew. I don't seem to have the NAT options you mention:

ip nat inside source network 192.168.10.0 192.168.x.0 /24
ip route 192.168.y.0 255.255.255.0 s0/0/0

I have:

Local-Router(config)#ip nat inside source ?
  list    Specify access list describing local addresses
  static  Specify static local->global mapping
Local-Router(config)#

Also on the remote router I guess I would need to add the "new" NAT range to the OSPF to advertise to the local router network?

Thanks

Yeah - sorry about that, the correct config is

ip nat inside source static network 192.168.10.0 192.168.x.0 /24

ip route 192.168.y.0 255.255.255.0 s0/0/0

OSPF will not advertise a NAT range with a network command.  If you want to advertise it in OSPF add:-

ip route 192.168.y.0 255.255.255.0 fa0/0.10 - this will put a valid route into the routing table

Then add:-

router ospf #

redistribute static subnets

This WILL advertise the NAT subnet to the remote side.  For it to work from the other side - the same config applies.

HTH>
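
The double translation discussed in this thread, traced hop by hop as an added example that is not part of the original posts. It models the two `ip nat inside source static network` mappings in Python, assuming x = 100 and y = 200 as in the illustration above; the class, function and server-label names are hypothetical.

```python
import ipaddress

def net_map(addr, src_net, dst_net):
    """Static network NAT: swap the prefix, keep the host bits.
    Returns None when addr is outside src_net (no translation applies)."""
    a = ipaddress.ip_address(addr)
    src, dst = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("static network NAT needs equal prefix lengths")
    if a not in src:
        return None
    return str(dst.network_address + (int(a) - int(src.network_address)))

class NatRouter:
    def __init__(self, inside_local, inside_global):
        self.local, self.glob = inside_local, inside_global

    def inside_to_outside(self, src, dst):
        # Leaving towards the WAN: the source is rewritten local -> global.
        return (net_map(src, self.local, self.glob) or src, dst)

    def outside_to_inside(self, src, dst):
        # Arriving from the WAN: the destination is rewritten global -> local.
        return (src, net_map(dst, self.glob, self.local) or dst)

# Assumed values: x = 100 (local site), y = 200 (remote site).
LOCAL = NatRouter("192.168.10.0/24", "192.168.100.0/24")
REMOTE = NatRouter("192.168.10.0/24", "192.168.200.0/24")

def trace(client, server_global):
    """(src, dst) seen on the WAN outbound, at the server, on the WAN back, at the client."""
    wan_out = LOCAL.inside_to_outside(client, server_global)
    at_server = REMOTE.outside_to_inside(*wan_out)
    reply = (at_server[1], at_server[0])      # the server answers the source it saw
    wan_back = REMOTE.inside_to_outside(*reply)
    at_client = LOCAL.outside_to_inside(*wan_back)
    return wan_out, at_server, wan_back, at_client

def advertised_servers(servers):
    """Addresses local users (or local DNS records) must use for the remote servers."""
    return {name: net_map(ip, REMOTE.local, REMOTE.glob) for name, ip in servers.items()}

if __name__ == "__main__":
    # Remote server addresses as listed in the thread.
    print(advertised_servers({"email": "192.168.10.10", "file": "192.168.10.15",
                              "apps": "192.168.10.24"}))
    for hop in trace("192.168.10.5", "192.168.200.10"):   # overlapping-subnet client
        print(hop)
    for hop in trace("192.168.20.7", "192.168.200.15"):   # client in a subnet that is not NAT'd
        print(hop)
```

Neither trace ever shows 192.168.10.x on the WAN hop, which is why the overlap stops being a problem, and the 192.168.20.x client passes through the local router untranslated.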
