Creating a NAT translation on a Cisco router for only one translation instance

Answered Question
Jul 27th, 2010

I have a client who has a need to perform a static NAT translation on a 3825 router.  Here is the situation:  WHEN and only when a source address of 192.168.103.59 attempts to send data to destination address 206.223.104.X and 206.223.105.X, we need for the router to translate the source address of 192.168.103.59 to source address 172.28.6.136.  The source address of 192.168.103.59 resides on our G0/0 interface (which we can call inside).  The destination address 206.223.104.X resides off of the serial (multilink) interface (which we can call outside).

The rest of the time, there should be absolutely no translation occurring on this router.


PJMrouterNAT.JPG


Thanks for any help here

Kevin

Jon Marshall Tue, 07/27/2010 - 12:53

Kevin


access-list 101 permit ip host 192.168.103.59 206.223.104.0 0.0.0.255

access-list 101 permit ip host 192.168.103.59 206.223.105.0 0.0.0.255


route-map NAT permit 10

match ip address 101


ip nat inside source static 192.168.103.59 172.28.6.136 route-map NAT


+ you need "ip nat inside" and "ip nat outside" under the relevant interfaces.


Jon

Kevin Melton Wed, 07/28/2010 - 05:53

Jon


We implemented what you had so kindly provided for us.  Unfortunately, we stopped getting responses from other traffic that is traversing that WAN (multilink) interface.


Is there something missing from the config as provided to exclude all other traffic except that which qualifies for the NAT based on the ACL?


Thanks

Kevin

Correct Answer
Jon Marshall Wed, 07/28/2010 - 05:59

Kevin


Can you be more specific in exactly what stopped working ?


Jon

Kevin Melton Thu, 07/29/2010 - 07:02

Jon


All other traffic in and out of the interface stopped working.  SCADA activity on that link stopped working.  We have SCADA servers (192.168.103.59) on what is effectively the inside interface in the NAT statement on the 3825 router.  We lost some connectivity to other networks on the inside interface as well.


I am including a picture for you that is an excerpt of the customers network diagram.  I have circled the router to perform the NAT on for the workstation 192.168.103.59 and then labeled (as best I could in Paint) the inside and outside with respect to the NAT functionality.


The report I have is that all systems that we talk to (on the INSIDE) became unreachable when we implemented the changes.


Thanks Jon

Kevin

Jon Marshall Thu, 07/29/2010 - 07:08

Kevin


No problem. Can you post picture ?


Also it would help if you could give some idea of what IPs stopped working and in what direction in relation to the inside and outside interfaces of the router.


Can you also post the exact config that was added. I tested this before posting and it worked perfectly but there may be something else on your production router that is causing the problem.


Jon

Kevin Melton Thu, 07/29/2010 - 07:33

Yes I am attaching the photo.


Also it would help if you could give some idea of what IPs stopped working and in what direction in relation to the inside and outside interfaces of the router.


The best I can do is tell you what I know.  We could not communicate to 192.168.103.59 from our networks at our Headquarters site.  We also lost the ability to communicate to our Core Switch at the DR site (shown in pic).  The core switch we could not connect to is 172.16.32.1.


Here is what we implemented:


access-list 101 permit ip host 192.168.103.59 206.223.104.0 0.0.0.255

access-list 101 permit ip host 192.168.103.59 206.223.105.0 0.0.0.255


route-map NAT permit 10

match ip address 101


ip nat inside source static 192.168.103.59 172.28.6.136 route-map NAT


we then put "ip nat inside" on the G0/0 interface, and "ip nat outside" on the Multilink Interface.

Jon Marshall Thu, 07/29/2010 - 07:36

Kevin


If possible could you also post the config of the router in question.


Jon

Jon Marshall Thu, 07/29/2010 - 08:03

Kevin


From the config -


ip nat source static 192.168.103.59 172.28.6.133
ip nat inside source route-map PJM interface GigabitEthernet0/0 overload
ip nat inside source route-map PJMnat interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.103.59 172.28.6.136 route-map PJMNAT


The first line is NATing 192.168.103.59 to 172.28.6.133 for all traffic. Do you know what this is for? I thought you only wanted to NAT 192.168.103.59 for some traffic.


Can you post the output of "sh ip nat translations" from this router ?


Jon
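A small model of the decision the route-map makes, added here as an illustration; it is not code from the thread or from Cisco. It parses access-list 101 exactly as posted, applies the conditional static NAT, and contrasts that with the line without a route-map that Jon spotted in the running config, so you can see per flow which source addresses get rewritten. The destinations 206.223.104.20, 206.223.105.7 and 206.223.106.1 are constructed; 172.16.32.1 is the DR core switch address Kevin mentioned. First-match ACL evaluation with an implicit deny, a single-clause permit route-map, and "first matching NAT rule wins" among rules for the same inside-local address are assumptions that simplify IOS behaviour.

```python
"""Added illustration: how a route-map-qualified static NAT decides per flow.

Not code from the thread or from Cisco. Assumptions: the ACL is evaluated
first match with an implicit deny; the route-map has one permit clause that
matches the ACL; a NAT rule with no route-map translates unconditionally;
and where several rules cover the same inside-local address the first one
that matches wins (a simplification of IOS behaviour).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list <n> permit|deny ip <src-spec> <dst-spec>'.

    A spec is 'host A.B.C.D', 'any', or 'A.B.C.D W.X.Y.Z' (address + wildcard).
    """
    toks = line.split()
    if toks[0] != "access-list" or toks[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line}")
    pos = 4

    def spec():
        nonlocal pos
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1], "0.0.0.0"
        if toks[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        pos += 2
        return toks[pos - 2], toks[pos - 1]

    src, src_wild = spec()
    dst, dst_wild = spec()
    return AclEntry(toks[2], src, src_wild, dst, dst_wild)


def _wild_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return a & keep == b & keep


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    for e in acl:
        if _wild_match(src, e.src, e.src_wild) and _wild_match(dst, e.dst, e.dst_wild):
            return e.action == "permit"
    return False


@dataclass(frozen=True)
class StaticNat:
    inside_local: str
    inside_global: str
    route_map_acl: Optional[List[AclEntry]] = None   # None: unconditional


def translate_source(rules: List[StaticNat], src: str, dst: str) -> str:
    """Source address of an inside-to-outside packet after NAT."""
    for r in rules:
        if src != r.inside_local:
            continue
        if r.route_map_acl is None or acl_permits(r.route_map_acl, src, dst):
            return r.inside_global
    return src


# The ACL exactly as posted in the thread.
ACL_101 = [parse_acl_line(l) for l in (
    "access-list 101 permit ip host 192.168.103.59 206.223.104.0 0.0.0.255",
    "access-list 101 permit ip host 192.168.103.59 206.223.105.0 0.0.0.255",
)]
INTENDED = [StaticNat("192.168.103.59", "172.28.6.136", ACL_101)]
# The leftover line without a route-map that Jon spotted in the running config.
STRAY = StaticNat("192.168.103.59", "172.28.6.133")
AS_FOUND = [STRAY] + INTENDED


def compare(dst: str):
    """(intended config, config as found) source address for a flow from .59 to dst."""
    src = "192.168.103.59"
    return translate_source(INTENDED, src, dst), translate_source(AS_FOUND, src, dst)


if __name__ == "__main__":
    # Constructed destinations, plus the DR core switch address from the thread.
    for dst in ("206.223.104.20", "206.223.105.7", "172.16.32.1", "206.223.106.1"):
        intended, found = compare(dst)
        print(f"{dst:16} intended={intended:16} as_found={found}")
```

With only the route-map rule, traffic from 192.168.103.59 to the two 206.223.x.0/24 ranges is rewritten and everything else, including the flow to 172.16.32.1, leaves untouched; with the unconditional line present every flow from that host is rewritten, which is what Jon's remark about "all traffic" describes. Whether the rewritten replies then find their way back is a routing question the thread does not show.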

Kevin Melton Thu, 07/29/2010 - 08:38

Good catch.  I should have seen that myself.



ip nat source static 192.168.103.59 172.28.6.133
ip nat inside source route-map PJM interface GigabitEthernet0/0 overload
ip nat inside source route-map PJMnat interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.103.59 172.28.6.136 route-map PJMNAT


the "ip nat source static 192.168.103.59 172.28.6.133" should not be there.  I wrote that earlier in the week as I was trying to write what we needed before requesting help.


I have removed it from the config.


Here is the post (once that was removed) for the ip nat translations.


lo-mpls3825#sho ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
--- 172.28.6.133          192.168.103.59        ---                   ---
lo-mpls3825#


I had to change the translated address from 172.28.6.136 to 133.  I had it incorrect.


Here is the NAT config on the box now:


ip nat inside source route-map PJM interface GigabitEthernet0/0 overload
ip nat inside source route-map PJMnat interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.103.59 172.28.6.133 route-map PJMNAT


I don't think I need the first two statements at all, do I?  I do not even have route maps for those two...
