NAT scenario where two companies hide from each other

Jul 2nd, 2010

Hi all,

I need some help to create the following NAT scenario on a Cisco 29xx router.

Two companies should hide from each other because they have overlapping networks. There should be a "demarcation" subnet where each company can route to (see picture). The router is managed by us (the customer).

1.) We (customer) should hide all our networks behind the ip address

     So service provider should see our packets coming from

2.) Since we (customer) cannot route to service provider host directly, we want to address target ip to get to service provider host, in other words SP host should be visible as for us.

3) Service provider host should be able to address printers (our real address, but should address the printer as

So we like to have those two demarcation subnets and to communicate.

Both networks should know only about the demarcation subnets (except our final cpe router that has eth1 in the SP network

I tried a lot of setups in my lab, mixing inside/outside definitions, but I must say that I get confused now, and I'm not getting this to work.

Can someone please provide me with a sample code snippet and show me the right direction?

Thanks in advance!

hoedl.degudent Fri, 07/02/2010 - 07:04

Hi Andrew,

thanks for your answer. I'm not sure if a simple network NAT will do the job. This is only a simplified example. The customer network is a large company network with lots of subnets. Only the SP host is a single host that we have to address.

The NAT is done by us (customer side) and should be configured only on the router in my picture.

Multiple clients should hide themselves behind an address the SP can accept, and the SP host should be visible under an address that we (customer) can live with. The SP also must address static printers on the customer side.

All those translations should happen on that single (customer) router in my picture.

From your diagram:-

1) Hiding the behind is not an issue.

2) Since the SP is behind a "firewall" - I would presume they would/should NAT too; if not, this can be done on your router.

3) Your printer just needs a static NAT translation.

If the diagram is the simple one, then you need to attach the complicated one.  As every NAT solution is specific to the requirement, there is no "one NAT fits all" solution in my opinion.

hoedl.degudent Fri, 07/02/2010 - 07:38

I agree.

Just imagine a larger customer network on the left side of my picture, using address space, having clients and printers in various different subnets. That's all, basically. The right side is correct and consists only of the small SP network.

I agree. Hiding or other source networks behind or behind the ETH1 address of our router is no issue.

Assuming I will configure NAT INSIDE on the left customer side, and NAT OUTSIDE on the right SP side......

1) Hiding the customer network could be done with a ip nat inside source list blabla interface eth1 overload

(or with a small nat-pool or whatever )

3) Printers will be covered with a static nat translation: ip nat inside source static

  for example...

BUT: how do I configure that the customers on the left side address the SP host destination on the right side with an address different from the SP host's real address (, because the customer can not route to (overlapping networks).

How do I combine all these features on that router?

OK using your diagram I would configure the router something like :-

int fa 0/0
 description *** LAN ***
 ip address
 ip nat inside

int fa 0/1
 description *** WAN ***
 ip address
 ip nat outside

ip nat pool SP prefix-length 30
ip nat inside source list 1 pool SP
ip nat inside source static
ip nat outside source static add-route
access-list 1 permit
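
The three translation rules in the configuration above, modelled in Python as an added example (not part of the thread and not Cisco code). All addresses are constructed placeholders because the thread's own addresses are missing, and `NatModel` and `demo` are hypothetical names; the model also shows that a pool used without `overload` serves only as many inside hosts at once as it has addresses (two assumed here).

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for illustration; none of it comes from the thread.
INSIDE_ACL = ip_network("10.0.0.0/8")            # access-list 1: customer sources to hide
POOL = ["198.51.100.1", "198.51.100.2"]          # ip nat pool SP, two usable addresses
INSIDE_STATIC = {"10.20.30.40": "198.51.100.5"}  # printer: inside local -> inside global
OUTSIDE_STATIC = {"10.1.1.10": "192.0.2.10"}     # SP host: outside global -> outside local


class NatModel:
    """Simplified model of the three rules: no ports, timeouts or routing."""

    def __init__(self):
        self.dynamic = {}  # inside local -> inside global, allocated from POOL

    def _allocate(self, src):
        if src not in self.dynamic:
            free = [a for a in POOL if a not in self.dynamic.values()]
            if not free:
                return None  # pool exhausted, no overload configured
            self.dynamic[src] = free[0]
        return self.dynamic[src]

    def inside_to_outside(self, src, dst):
        """Customer -> SP. Returns (src, dst) as seen on the SP side, or None if dropped."""
        outside_local = {local: real for real, local in OUTSIDE_STATIC.items()}
        new_dst = outside_local.get(dst, dst)
        if src in INSIDE_STATIC:              # static entries win over dynamic ones
            new_src = INSIDE_STATIC[src]
        elif ip_address(src) in INSIDE_ACL:
            new_src = self._allocate(src)
        else:
            new_src = src
        return None if new_src is None else (new_src, new_dst)

    def outside_to_inside(self, src, dst):
        """SP -> customer. Returns (src, dst) as seen on the customer side."""
        inside_global = {glob: loc for loc, glob in INSIDE_STATIC.items()}
        inside_global.update({glob: loc for loc, glob in self.dynamic.items()})
        return OUTSIDE_STATIC.get(src, src), inside_global.get(dst, dst)


def demo():
    nat = NatModel()
    return [
        nat.inside_to_outside("10.1.1.10", "192.0.2.10"),    # client shares the SP host's real IP
        nat.outside_to_inside("10.1.1.10", "198.51.100.1"),  # SP host's reply to that client
        nat.outside_to_inside("10.1.1.10", "198.51.100.5"),  # SP host reaches the printer
        nat.inside_to_outside("10.2.2.2", "192.0.2.10"),     # second client, last pool address
        nat.inside_to_outside("10.3.3.3", "192.0.2.10"),     # third client: pool exhausted
    ]
```

On a router, the corresponding entries can be checked with `show ip nat translations`.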

