Subj: SNAT on CISCO ROUTER (change source IP)

leonard.docea
Level 1

Hello,

I am opening this subject again because nobody answered my question. This time I attached a sample made in Packet Tracer with my problem.

So do not add routes on the routers or change/add gateways ...... use only NAT.

In Linux I made this using DNAT (PREROUTING) and SNAT (POSTROUTING); in IOS I cannot resolve it, so please help me.

The objective: access from 10.125.56.4 the URL http://10.125.56.3:8080 and from there redirect to the web server 192.168.9.159:80 and back. Just that.

If anybody thinks they can do that using a router (no Packet Tracer), I hope they show me how they did it.

I have a router C850 and it has NVI (NAT) so... give me a solution

Thanks


Roberto Kippins
Level 1

Hi, if I got this correct the web server is at 192.168.9.159:80 on the LAN and you want to do a static NAT translation of 10.125.56.3:8080 for it to be accessed externally? If so, here is how the NAT mapping is done on the router:

ip nat inside source static tcp 192.168.9.159 80 10.125.56.3 8080

Do you see the attached file? My router has this command ...

Hi, no, it says your file is incompatible with my Packet Tracer. It's been a long time since I used that; try GNS3, you will get better functionality since many features are limited on PT.

Thank you, I found the solution; Jon Marshall helped me. I use PT 2.6.

You are right about GNS3, I will try. But I think I need an IOS image for GNS3, do I?

Yes, you do need an IOS image to work with GNS3 and unfortunately Cisco don't provide free IOS images to use in a lab.

So unless you have access to download IOS images from Cisco you can't really use GNS3.

Jon

Jon Marshall
Hall of Fame

so...give me a solution

I think the word you are looking for is "please".

Do you see attached file?

Roberto is just trying to help in his free time, and most of us don't use PT, so posting a PT file is useless.

Okay, that said, if it is just one router it should work without changing the source IP because of proxy ARP.

However, assuming you do want to change the source IP, I checked your other post and you are almost there. The reason it doesn't work is because of the order of operations in IOS. So what happens is your NAT statement from the other post is doing what it is meant to do, eg. -

ip nat outside source static 10.10.10.12 192.168.9.3

will translate 10.10.10.12 to 192.168.9.3. It's what happens when the packet is sent back to the router from the NVR device, and there are two issues -

1) firstly, don't use the router interface IP, ie. 192.168.9.3, because then the router thinks the packet is for it. So you need to pick an unused IP in the 192.168.9.x subnet

2) if you do that, the next problem is the IOS order of operations. From inside to outside, routing is done before NAT. So what happens if you do this -

ip nat outside source static 10.10.10.12 192.168.9.5

is the router receives the return packet from your NVR device and the destination IP is 192.168.9.5. It then does a route lookup and, because the IP is from the same subnet as its inside interface, it does not route it to the outside interface, so the packet is dropped.

If your router supports the "add-route" option you can use that, ie.

ip nat outside source static 10.10.10.12 192.168.9.5 add-route

What this does is put a host-specific route in the IP routing table for 192.168.9.5 with the next hop IP of 10.10.10.12, ie.

192.168.9.5 255.255.255.255 10.10.10.12

This means when the router does the route lookup for 192.168.9.5 it sees the next hop IP as being reachable via the interface connected to the 10.10.10.0/24 network and so can then forward it and do the necessary NAT on the IP addresses.

If you don't have the "add-route" command you can try adding your own static route on the router to do the same thing and see if that works.

Jon

I read the first phrase of your comment and you are right.

I'm sorry, but when I opened this thread again I was in a hurry and angry, and I forgot "please", and you are right.

I'm really sorry... I swear!

I tried your solution and it works! I'm happy... really happy!!!! :) because that problem has been bugging me for a long time (1 month). I asked many people but nobody helped me.

I use Linux day by day, and under Linux the problem is resolved very easily (DNAT/SNAT, 2 instructions using the ROUTER INTERFACE!!!... and that's all).

Under IOS the solution is very strange.

The router cannot NAT the packet if I use its interface... wow! Why? I understand your explanation... but why? So... every time I must reserve a free IP for that type of NAT?

Please :) can you explain in more detail about that thing? I finished CCNA (1 and 2) last month and I asked my tutor about the problem and he doesn't know about that type of solution. He told me... Try NVI! It will work.

...thank you, thank you... and thank you again

No problem, I understand; sometimes I can post a response when I'm irritated and it can come across wrong.

Totally understand.

Okay, you cannot use the router interface IP because you could never have a host-specific route in the routing table that would override it, because the router interface is directly connected.

So the IP routing table (on the IOS version I am using) has a route for 192.168.9.0/24 and a host route for the actual router interface and both are directly connected.

You can't override a directly connected route with a static for the same prefix and subnet mask.

Which means you cannot add a route for 192.168.5.3 pointing to the outside because the router already has a host-specific route for this IP.

But you can add a more specific host route for any other unused IP on that subnet because the router only has a 192.168.9.0 255.255.255.0 entry.

Remember the longest match always wins in the routing table.

So yes, if the source device, eg. your 10.10.10.12, was different each time, you would need another unused IP in the 192.168.9.x subnet per source device, because it adds a host-specific route for the 192.168.9.x IP back to the source device IP.

Note I assume this is just a lab because in production your clients would have default gateways.

It's also worth pointing out that it will work if your clients don't have gateways and you do not NAT the 10.10.10.12 IP, because of proxy ARP running on the router (assuming it hasn't been turned off).

But only if both subnets ie. 10.10.10.0/24 and 192.168.9.0/24 are connected to the same router. If there were multiple routers between you would need the NAT solution again.

I just assumed this was an exercise so you wanted to NAT the 10.10.10.x IP as well.

Hope that makes sense and if you have any more queries please feel free to ask.

Jon
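Jon's two explanations above (routing happens before NAT for inside-to-outside traffic, so the NVR's reply to the translated 192.168.9.x address is swallowed by the connected /24 unless a host route exists, and the router's own interface IP can never be used because its connected host route cannot be overridden) as an added Python model; this is example code written for this page, not anything from the thread or from Cisco IOS. The interface names and the exact shape of the routing table are assumptions.

```python
import ipaddress

# Constructed model of the IOS behaviour described in the thread: longest
# prefix wins, routing precedes NAT, and a static /32 cannot displace a
# connected /32. Interface names below are assumptions for this example.
INSIDE_IF = "Vlan1"            # faces 192.168.9.0/24 (inside, NVR side)
OUTSIDE_IF = "FastEthernet4"   # faces 10.10.10.0/24 (outside, 10.10.10.12)

def base_routing_table(inside_ip="192.168.9.3"):
    """Routes IOS installs for directly connected interfaces: the connected
    /24 on each side plus a connected host /32 for the inside interface IP."""
    return [
        (ipaddress.ip_network("192.168.9.0/24"), INSIDE_IF, "connected"),
        (ipaddress.ip_network(inside_ip + "/32"), INSIDE_IF, "connected"),
        (ipaddress.ip_network("10.10.10.0/24"), OUTSIDE_IF, "connected"),
    ]

def longest_match(table, dst):
    """Plain longest-prefix-match lookup; returns (prefix, interface, kind)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def add_nat_host_route(table, translated_ip, real_outside_ip):
    """What the 'add-route' keyword contributes: a host route for the
    translated address with the real outside host as next hop. Refused when a
    connected route for that exact /32 already exists, which is why the
    router's own interface IP is unusable as the translated address."""
    net = ipaddress.ip_network(translated_ip + "/32")
    if any(p == net and kind == "connected" for p, _, kind in table):
        return False
    egress = longest_match(table, real_outside_ip)[1]   # resolve the next hop
    table.append((net, egress, "static via " + real_outside_ip))
    return True

def return_packet_egress(table, translated_ip):
    """Interface picked for the NVR's reply, whose destination is still the
    translated 192.168.9.x address when the route lookup runs. Landing on the
    inside interface means it never goes back out to the outside host."""
    hit = longest_match(table, translated_ip)
    return hit[1] if hit else None

if __name__ == "__main__":
    table = base_routing_table()
    print("without add-route:", return_packet_egress(table, "192.168.9.5"))
    add_nat_host_route(table, "192.168.9.5", "10.10.10.12")
    print("with add-route:", return_packet_egress(table, "192.168.9.5"))
    print("interface IP usable:",
          add_nat_host_route(table, "192.168.9.3", "10.10.10.12"))
```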

Thanks for everything. I have a question (strange but not impossible :) )

If everybody from 10.10.10.0 wants to have access (254 users) to 192.168.9.0, what can I do if I don't have 254 free IPs? Or maybe someday a user wants to connect and I'm on vacation.

In Linux when I made SNAT I could refer to the entire network for access.

iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -d 192.168.9.159 (...etc) -j SNAT --to-source 192.168.9.3

(everything out of eth0, the 192.168.9.3 router interface, with source subnet 10.10.10.0/24 and destination 192.168.9.159 (web server) will have source 192.168.9.3) So 10.10.10.1-254 accessing 192.168.9.0 will have source 192.168.9.3 without problem. One instruction for the entire subnet.

Thanks

If everybody from 10.10.10.0 wants to have access (254 users) to 192.168.9.0, what can I do if I don't have 254 free IPs? Or maybe someday a user wants to connect and I'm on vacation.

Well you could always make the 192.168.9.0/24 subnet bigger by changing the subnet mask.

The thing is, you are talking more about lab scenarios. You wouldn't set up your network like this in production, so it really isn't an issue.

For a start your clients would have a default gateway of the router. And if they did then you could use a different subnet altogether for the NAT ie. it wouldn't have to be 192.168.9.0/24 any more.

Cisco and Linux are different so being able to do one thing with one doesn't mean you can automatically do it with another.

What you are asking is more theoretical than anything you would actually set up, and if you did set it up like that you should probably be rethinking the design.

Jon

Thank you very much, I understand your entire post. Thank you again :)
