Help configuring NAT

Answered Question
Aug 3rd, 2012

Hello all,


First of all, excuse any language mistakes; I am not a native English speaker, but I will try to do my best.


I've been trying to configure a connection which requires NAT translation, but my devices are too old and it seems that the configurations I tried don't work, or I don't know how to implement them properly.


Firstly, I will introduce my router to you: it is a Cisco C3640-JS-M, Version 12.2(1). I found many ways to solve my problem, but none of them are supported by it.


To continue, the connection I am trying to configure is the following one:


10.1.1.0/24(My LAN) --- (My ROUTER) --- 192.168.9.1/25  <-----> 192.168.9.126/25 --- (OTHER ROUTER) --- 172.22.1.0/24 (Their LAN)


So one host from 172.22.1.0/24 needs to connect to a server in my LAN (10.1.1.20), but they can't use the real IP and we need to configure a NAT rule to translate traffic from them to 192.168.6.10 to 10.1.1.20, but only for this connection (there are other "WAN" interfaces).


These are my failed attempts:

1)

interface FastEthernet0/0.302
 ip nat outside

ip nat inside source static 10.1.1.20 192.168.9.10


PROBLEM: It works for this connection, but other connections are affected and no one can reach 10.1.1.20 apart from the LAN and incoming traffic on F0/0.302.


2) This attempt is quite hilarious... I'm desperate


ip nat pool NAT_OUT_POOL 192.168.9.10 192.168.9.10 prefix-length 1
ip nat pool NAT_IN_POOL 10.1.1.20 10.1.1.20 prefix-length 1

ip access-list standard ACL_NAT_GLOBAL
 permit host 192.168.9.10
 permit host 10.1.1.20

ip access-list standard NAT_OUT_LIST
 permit host 10.1.1.20
 permit host 192.168.9.10

route-map NAT_OUT_RM permit 10
 match ip address NAT_OUT_LIST
 match interface FastEthernet0/0.302

ip nat inside destination list ACL_NAT_GLOBAL pool NAT_IN_POOL
ip nat outside source route-map NAT_OUT_RM pool NAT_OUT_POOL




I have tried many examples from these links:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html
https://supportforums.cisco.com/docs/DOC-5061


But as I said before, some configurations are not supported by my device.


I'm suspecting that it is not possible, but I would like to think it is just my lack of knowledge XD


Many thanks in advance,

Jose


John Blakley Fri, 08/03/2012 - 04:34

Your English is great!


ip nat pool Server 192.168.9.10 192.168.9.10 prefix 25  <--- you'll want a free ip address from your block
ip nat inside source list 101 pool Server
ip nat outside source list 102 pool Server

access-list 101 permit ip host 172.22.1.50 host 10.1.1.20
access-list 102 permit ip host 10.1.1.20 host 172.22.1.50


HTH,

John

eltote1982 Fri, 08/03/2012 - 08:38

Thank you very much John, it is working perfectly. I just did a small change in the ACLs; here is the final configuration I included:


ip nat pool Server 192.168.9.10 192.168.9.10 prefix 25
ip nat inside source list 102 pool Server
ip nat outside source list 101 pool Server

access-list 101 permit ip host 172.22.1.50 host 10.1.1.20
access-list 102 permit ip host 10.1.1.20 host 172.22.1.50



Anyway, I did tests when I generated the traffic; I still need the other entity to try to reach my host, but it looks really good.


Many many thanks again,

Jose

Correct Answer
John Blakley Fri, 08/03/2012 - 08:46

Glad to hear! Please mark this question as resolved.


Thanks!

John

eltote1982 Mon, 08/27/2012 - 02:25

Hi,


After implementing this configuration, I have found an issue: the NAT translation is applied to all traffic from 10.1.1.20 and not only to connections to 172.22.1.50 if there is previously a connection to 172.22.1.50, so I cannot have multiple connections from 10.1.1.20 if I want to connect to 172.22.1.50.


I have mitigated the issue by configuring the following NAT timeouts (not sure if I used sensible amounts of time):


ip nat translation timeout 30
ip nat translation udp-timeout 10
ip nat translation tcp-timeout 60
ip nat translation finrst-timeout 10


Is there any other way to fix this?


Thanks!

Jose

John Blakley Tue, 08/28/2012 - 03:43

Seems odd considering you have an ACL that specifically ties those 2 hosts together. Can you post your configuration and "sh ip nat translation"? Just to refresh my memory, you were needing all traffic from the 10.x.x.x host to NAT going to the single 172.x.x.x host and the same thing in reverse, correct?

eltote1982 Tue, 08/28/2012 - 07:29

Hi,


Yes, it is strange... Another issue that I have seen is that the NAT translation is not working for traffic from 172.x.x.x, so I need to send some traffic to get the NAT translation into memory, and then 172.x.x.x can reach 10.x.x.x using the 192.x.x.x IP. I suppose this is because I configured the interface with "ip nat outside", but if I don't include that, the other configuration doesn't work.


Here is the configuration:


interface FastEthernet0/0.302
 ip address 192.168.9.1 255.255.255.128
 ip nat outside

ip route 172.22.1.50 255.255.255.255 192.168.9.126

ip nat pool FTP_IN 192.168.9.10 192.168.9.10 prefix 25

access-list 101 permit ip host 172.22.1.50 host 10.1.1.20
access-list 102 permit ip host 10.1.1.20 host 172.22.1.50

ip nat outside source list 101 pool FTP_IN
ip nat inside source list 102 pool FTP_IN

Martr-002#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.9.10       10.1.1.20       ---                ---

John Blakley Tue, 08/28/2012 - 08:37

I'll lab this up and get back with you..

John Blakley Tue, 08/28/2012 - 16:39

Okay, I was able to lab this up and was able to recreate what you're seeing. The "ip nat inside source list 102" line is using NAT translation for everything (much like you're seeing). It does seem like it ignores the ACL that's applied even if you have only the 2 hosts listed. So, the way I was able to get around this is to enable PAT on the inside line:


ip nat inside source list 102 pool FTP_IN overload


This will allow you to nat only to the destination that you're needing and not nat everywhere else. When you do this, you'll see a different result in your translation table:


R1(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.9.1:17    192.168.57.7:17    10.46.0.6:17       10.46.0.6:17

Without the overload keyword, I had a 1-1 nat:

R1#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.9.1        192.168.57.7       ---                ---
R1#



HTH,

John
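The translation-table behaviour John describes (a simple 1:1 entry that then catches every packet from 10.1.1.20, versus the extended entry created with overload) modelled as a small Python simulation. This is an added example, not IOS code and not anything posted in the thread; the unrelated destination 198.51.100.5 and the port numbers are constructed values.

```python
"""Model of the two kinds of IOS NAT translation entries seen in the thread.

A simple (1:1) entry is keyed only on the inside local address, so once it
exists every packet from 10.1.1.20 is translated and the ACL is no longer
consulted. An extended (overload/PAT) entry is keyed on the whole 5-tuple,
so a packet to a different destination misses the table and is checked
against the ACL again. Illustrative model only, not IOS source.
"""
from dataclasses import dataclass, field

INSIDE_LOCAL, INSIDE_GLOBAL = "10.1.1.20", "192.168.9.10"
# access-list 102 permit ip host 10.1.1.20 host 172.22.1.50
ACL_102 = {(INSIDE_LOCAL, "172.22.1.50")}


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatInsideSource:
    """'ip nat inside source list 102 pool FTP_IN [overload]'."""
    overload: bool
    table: dict = field(default_factory=dict)

    def translate(self, pkt: Packet) -> str:
        """Return the source address the packet leaves the outside interface with."""
        # Existing-entry lookup: simple entries ignore protocol, ports and destination.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) if self.overload else pkt.src
        if key in self.table:
            return self.table[key]
        # No entry yet: consult the ACL; a miss leaves the packet untranslated.
        if (pkt.src, pkt.dst) not in ACL_102:
            return pkt.src
        self.table[key] = INSIDE_GLOBAL
        return INSIDE_GLOBAL


def demo(overload: bool) -> list:
    """FTP to the partner first, then an unrelated connection from the same host."""
    nat = NatInsideSource(overload)
    flows = [Packet("tcp", INSIDE_LOCAL, 40000, "172.22.1.50", 21),
             Packet("tcp", INSIDE_LOCAL, 40001, "198.51.100.5", 443)]  # constructed
    return [nat.translate(p) for p in flows]
```

Without overload the second flow is translated too, which is the "NAT applied to all traffic from 10.1.1.20" symptom; with overload it leaves the router with its real address.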

eltote1982 Wed, 08/29/2012 - 02:22

Many thanks John,


It looks better now, but it works when I generate the traffic and not when 172.22.1.50 tries to initiate the connection.


I have done a test and included a static translation:

ip nat inside source static tcp 10.1.1.20 80 192.168.9.10 80


It works, but other connections are affected since it is static, so I cannot use this configuration.



Here is the configuration I'm using. For sure there must be something wrong, but I can't find it.


interface FastEthernet0/0.62
 description *** LAN ***
 encapsulation dot1Q 62
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.302
 description *** Connection to WND ***
 encapsulation dot1Q 302
 ip address 192.168.9.1 255.255.255.128
 no ip redirects
 ip nat outside

ip nat pool FTP_IN 192.168.9.10 192.168.9.10 prefix 25

access-list 101 permit ip host 172.22.1.50 host 10.1.1.20
access-list 102 permit ip host 10.1.1.20 host 172.22.1.50

ip nat outside source list 101 pool FTP_IN
ip nat inside source list 102 pool FTP_IN overload

ip route 172.22.1.50 255.255.255.255 192.168.9.126

John Blakley Wed, 08/29/2012 - 04:49

Okay...let's try this:


Remove the "ip nat outside source list 101 pool FTP_IN" line and the "ip nat inside source list 102 pool FTP_IN overload" line.


For this, use the 102 acl assuming that the 10.1.1.20 is on the inside interface.


Create a route-map called something, Nat for instance:


route-map Nat permit 20
 match ip address 102


Then create your inside static mapping:


ip nat inside source static 10.1.1.20 192.168.9.10 route-map Nat reversible


This seems to work in both directions, but I'd be very interested to hear what you come up with....


HTH,

John


*** Please rate all useful posts ***

eltote1982 Wed, 08/29/2012 - 07:32

John, I think the problem is that my router is too old. I tried to follow your instructions, but when I was going to create the inside static mapping there was an invalid input error for the route-map... It doesn't allow me to use the reversible option either...


It is on my agenda to change this device soon (months), so in the meantime I will use the previous configuration (without the overload), configure NAT timeouts and coordinate the FTP connections with my partner for when no other connection is affected.


Thank you very much for your efforts, but it seems that it is not possible to make it work in the way I wanted. Probably I will update this thread with the configuration for a newer device.

Anyway, thanks again, I have learnt many things about NAT, so you helped a lot.


Finally, here is the configuration I will implement:


interface FastEthernet0/0.62
 description *** LAN ***
 encapsulation dot1Q 62
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.302
 description *** Connection to WND ***
 encapsulation dot1Q 302
 ip address 192.168.9.1 255.255.255.128
 no ip redirects
 ip nat outside
!
ip nat pool FTP_IN 192.168.9.10 192.168.9.10 prefix 25
!
access-list 101 permit ip host 172.22.1.50 host 10.1.1.20
access-list 102 permit ip host 10.1.1.20 host 172.22.1.50
!
ip nat outside source list 101 pool FTP_IN
ip nat inside source list 102 pool FTP_IN
!
ip route 172.22.1.50 255.255.255.255 192.168.9.126
!
ip nat translation timeout 30
ip nat translation udp-timeout 10
ip nat translation tcp-timeout 60
ip nat translation finrst-timeout 10
