NAT question...

snickered
Level 1

My Cisco simulator won't do 'ip nat inside source static tcp ...' so I figured I'd ask here how this will behave.

!----
interface ethernet0
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
interface fastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source list 10 interface ethernet0 overload
ip nat pool MYPOOL1 5.5.5.1 5.5.5.254 netmask 255.255.255.0
ip nat inside source static tcp 192.168.1.10 25 5.5.5.1 25 extendable
ip nat inside source static tcp 192.168.1.60 25 5.5.5.2 25 extendable
access-list 10 permit 192.168.1.0 0.0.0.31
!----

Now, I figure I have the following correct. Only 192.168.1.0-.32 will be allowed to translate their source to the ethernet0 interface. So, they will be able to browse the internet and their source address will appear as 1.1.1.1.

My questions are:

1. do I need to define my nat pool with the line 'ip nat pool MYPOOL1 5.5.5.1 5.5.5.254 netmask 255.255.255.0' before I can use 'ip nat inside source static tcp 192.168.1.10 25 5.5.5.1 25 extendable'?

2. Will host 192.168.1.20 be able to access the mail server on 192.168.1.10 using the external address of 5.5.5.1?

3. Will host 192.168.1.50 be able to access the mail server on 192.168.1.10 using the external address of 5.5.5.1?

4. Will host 192.168.1.60 be able to function properly as a mail server when someone externally hits it from 5.5.5.2 even though it's not allowed outbound by access-list 10? (I'm pretty sure it will but I want to be sure)

5. Is the 'extendable' keyword needed?

TIA!!

Accepted Solution

i-kendall
Level 1

I will try to do my best to answer these, but don't shoot me if I am not 100% as I am doing this from memory and not actually testing it.

1. No, the pool is not needed for this to work.

2. No, the packet needs to pass between the outside and inside interfaces for the nat to take place, and that won't happen with this config.

3. This is on the same subnet as for the previous question, so the same answer.

4. Yes, you are correct. The access list is not filtering traffic, it is being used to say what addresses have their source address natted when going from the inside to outside. For this to filter the traffic it would need to be applied to the interface with an 'access-group 10 in' command.

5. No :-) Never fully understood this one myself. Doesn't seem to cause any problems, but not needed on a 1-to-1 nat as far as I can tell.

Hope this helps.

Regards,

Iain
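To make the reasoning behind answers 1 and 4 concrete, here is an added Python model of the decisions the router makes for the poster's config. It is example code, not from the thread or from Cisco; the function names (acl_wildcard_match, acl_permits, inside_to_outside, outside_to_inside) are mine, and the tables are filled in from the config above. It shows the wildcard-mask match for access-list 10 (0.0.0.31 covers .0 through .31), that the static tcp entries are matched before the overload rule and without consulting the ACL, that inbound packets to an inside-global address only ever match an existing translation, and that MYPOOL1 is referenced by nothing.

```python
# Added example, not from the thread: a decision model of the poster's NAT config.
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF


def acl_wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco ACL semantics: a 1 bit in the wildcard mask means 'do not care'."""
    care = ~int(IPv4Address(wildcard)) & MASK32
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)


# access-list 10 permit 192.168.1.0 0.0.0.31   (from the thread's config)
ACL_10 = [("permit", "192.168.1.0", "0.0.0.31")]

# ip nat inside source list 10 interface ethernet0 overload
OUTSIDE_IF_ADDR = "1.1.1.1"

# ip nat pool MYPOOL1 ... is defined in the config but no 'ip nat inside source'
# command refers to it, which is why the accepted answer says it is not needed.

# ip nat inside source static tcp <inside-local> <port> <inside-global> <port>
STATIC_TCP = {
    ("192.168.1.10", 25): ("5.5.5.1", 25),
    ("192.168.1.60", 25): ("5.5.5.2", 25),
}
STATIC_TCP_BY_GLOBAL = {glob: local for local, glob in STATIC_TCP.items()}


def acl_permits(addr: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, network, wildcard in ACL_10:
        if acl_wildcard_match(addr, network, wildcard):
            return action == "permit"
    return False


def inside_to_outside(src: str, sport: int, proto: str = "tcp"):
    """Source translation for a packet going from the 'ip nat inside' interface
    to the 'ip nat outside' one. Returns the inside-global (addr, port), or None
    when the packet leaves untranslated with its private source address."""
    # A static entry is matched before the dynamic rule and does not consult the ACL.
    if proto == "tcp" and (src, sport) in STATIC_TCP:
        return STATIC_TCP[(src, sport)]
    if acl_permits(src):
        # Overload (PAT) to the interface address. Simplification: IOS keeps the
        # source port when it is free and otherwise picks a new one.
        return (OUTSIDE_IF_ADDR, sport)
    return None


def outside_to_inside(dst: str, dport: int, proto: str = "tcp"):
    """Destination translation for a packet arriving on the outside interface.
    Only an existing translation matches; access-list 10 plays no part here."""
    if proto == "tcp":
        return STATIC_TCP_BY_GLOBAL.get((dst, dport))
    return None


if __name__ == "__main__":
    # Question 4: .60 is outside the ACL range, yet inbound SMTP to 5.5.5.2
    # still reaches it and its replies are translated back.
    print(outside_to_inside("5.5.5.2", 25))          # ('192.168.1.60', 25)
    print(inside_to_outside("192.168.1.60", 25))     # ('5.5.5.2', 25)
    # Ordinary browsing from .60 is not translated, because the ACL denies it.
    print(inside_to_outside("192.168.1.60", 40000))  # None
    # A host inside the permitted range is PATed to 1.1.1.1.
    print(inside_to_outside("192.168.1.20", 40000))  # ('1.1.1.1', 40000)
```

The same model also answers the unstated half of question 3: 192.168.1.50 falls outside 0.0.0.31, so its ordinary outbound traffic leaves the router untranslated, quite apart from the hairpin problem Iain describes.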


Thanks for your response. I'd like to ask another question given your answers.

2. What do I need to do to enable internal computers to access services with an external IP address?

You can't really do that. If you had a DNS entry for these, you could have the external IP associated with the name for outside, and an entry for internal users, that has the inside IP. But using the IP addresses, the inside clients go to the 5.5.5.x address, this goes to the router, and is routed to the outside interface, and then into oblivion. If it did get routed back, the packet would reach the server, but the source is on the same network, so the server would send the reply from its 'real' IP address, and the inside client would not know this was part of the same conversation.

Basically it won't work. Sorry.

Surely there is another way to do this. Let's pretend I host 100s of websites on my internal LAN. Are you telling me that I would have to maintain 2 separate DNS servers (inside and outside) just for my internal people to be able to see the sites? This seems like it would be prone to error as this would be a manual mapping... "192.168.1.2 is the same as xxx.xxx.xxx.xxx" "192.168.1.3 is the same as yyy.yyy.yyy.yyy"... I can see where that would get extremely hard to maintain. I saw something called "Inside to Inside NAT" here: http://www.cisco.com/en/US/docs/ios/12_3/12_3y/release/notes/rn800ys.html. It seems like other routers would have a similar feature. How would one suggest I handle this problem besides maintaining two sets of DNS servers?

It is the same dns server, just different entries. You need to speak to an application guy to know how, I just know it can be done.

You should be able to do what you want, but not if the users and servers are on the same network (subnet). If they are on different networks (subnets), you can put them both on the router, and both be inside, and do the nat from that link.

Are you suggesting that I can put my servers on one interface and my users on another then I could access the servers from the users' interface with their external IP address? The way I see it is I would have to have 3 interfaces. It seems like I would still need to have NAT "inside" on the two internal interfaces (users and servers). But from your first post you said you had to pass through the outside and inside interfaces for NAT to work. So, I'm a little confused... that is if I'm reading you correctly. Can you give a simple example please? Thanks for your help with me understanding this.

Sorry for the confusion. When I said inside and outside in my first reply, it was referring to your original scenario and the nat inside/outside applied to the ethernet and fastethernet interfaces.

You are correct in that you need three interfaces, but these do not need to be physical, the server and user ones could be VLAN interfaces (sub interfaces of a physical ethernet), however this does then need a switch that supports VLANs. Both those should then be able to use the nat enable command that you found the document for. This is the way I see it working, because if the hosts and servers are on the same subnet, you get the problem I described earlier, where the replies bypass the nat and are disassociated from the initial ones that were natted. Otherwise the host 192.168.1.20 connects to the server on 5.5.5.1, which is translated to 192.168.1.10, this then replies to 192.168.1.20 which is on the same subnet, so does not get sent to the router, and therefore no nat. The host sees this as an unsolicited packet and drops it. If you have them on separate interfaces, then nat occurs both ways, and it should work. I suspect you may be able to source nat the hosts to a different subnet, but I think the three interface solution is easier to follow, and to debug.

If I were doing this for real, I would build and test it in a lab first. My explanation is theory, but needs testing and debugging in a practical form. When testing you can see the nat happening, and if it is not, then work out why and make config changes to fix it. That is half the fun of doing this job :-)
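The reply-bypass problem Iain describes here (and earlier, in answer 2 and the "into oblivion" reply) comes down to one question: does the server's reply have to cross the router, or can the server hand it straight to the client? The Python below is an added example, not the thread's or Cisco's code, that traces both layouts. It assumes, as with the inside-to-inside NAT feature linked above, that the router rewrites the destination 5.5.5.1 to 192.168.1.10 on the way in; the function names (subnet_of, trace_hairpin) and the second subnet 192.168.2.0/24 for the users are constructed for the example.

```python
# Added example, not from the thread: does the server's reply cross the NAT router?
from ipaddress import ip_address, ip_network

# ip nat inside source static tcp 192.168.1.10 25 5.5.5.1 25   (from the thread)
INSIDE_GLOBAL_TO_LOCAL = {"5.5.5.1": "192.168.1.10"}


def subnet_of(host: str, subnets):
    """Return the directly connected subnet (CIDR strings) a host sits on, or None."""
    ip = ip_address(host)
    for cidr in subnets:
        net = ip_network(cidr)
        if ip in net:
            return net
    return None


def trace_hairpin(client: str, server_global: str, subnets):
    """Trace a client on an inside subnet connecting to a server through its
    inside-global address. Assumption (inside-to-inside NAT style): the router
    rewrites the destination on the way in and the source on the way back.
    Returns (client_accepts_reply, source_seen_by_client, steps)."""
    server_local = INSIDE_GLOBAL_TO_LOCAL[server_global]
    steps = []
    # 5.5.5.x is on none of the connected subnets, so the client sends the SYN
    # to its default gateway, the router.
    steps.append(f"{client} -> {server_global}:25 via router")
    steps.append(f"router rewrites dst {server_global} -> {server_local}")
    steps.append(f"{server_local} receives SYN from {client}")
    if subnet_of(server_local, subnets) == subnet_of(client, subnets):
        # Same subnet: the server ARPs for the client and answers it directly,
        # so the router never sees the reply and cannot untranslate it.
        steps.append(f"{server_local} -> {client}: same subnet, reply bypasses router")
        seen_src = server_local
    else:
        # Different subnet: the reply must go via the router, which rewrites the source.
        steps.append(f"{server_local} -> {client}: off-subnet, reply via router")
        steps.append(f"router rewrites src {server_local} -> {server_global}")
        seen_src = server_global
    # The client opened a connection to server_global; a SYN/ACK from any other
    # address does not match a socket it owns and is dropped as unsolicited.
    return seen_src == server_global, seen_src, steps


if __name__ == "__main__":
    one_lan = ["192.168.1.0/24"]
    ok, src, steps = trace_hairpin("192.168.1.20", "5.5.5.1", one_lan)
    print("\n".join(steps), "\naccepted:", ok)  # accepted: False
    # Constructed three-interface layout: servers on 192.168.1.0/24, users on 192.168.2.0/24.
    two_lans = ["192.168.1.0/24", "192.168.2.0/24"]
    ok, src, steps = trace_hairpin("192.168.2.20", "5.5.5.1", two_lans)
    print("\n".join(steps), "\naccepted:", ok)  # accepted: True
```

The first trace is the poster's current layout and fails exactly as described: the client sees a SYN/ACK from 192.168.1.10 for a connection it opened to 5.5.5.1. The second trace is the three-interface (or VLAN sub-interface) layout, where the reply has no choice but to pass through the router and be translated back.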

Alright, sounds like I have some testing to do. I wish there was a good doc on this. It seems like a pretty common scenario and I can't believe there isn't one. Can you explain why e0 and e1 have the same IP address in the config here: http://www.cisco.com/en/US/docs/ios/12_3/12_3y/release/notes/rn800ys.html#wp68417 ? Also, I can't even do the command 'ip nat source static tcp 192.168.123.1 interface Ethernet1 1' on my router. I am forced to put a port number following the inside local address (that's not even an inside local address in that configuration, btw). Is inside-to-inside NAT a feature only allowed in Cisco 830 Series and SOHO 90 routers? Or are there just a bunch of typos?

You are right, I think there are errors in that document as well. The two interfaces have the same IP address, which is possible if using vrf, but this is not configured or shown in the example, or in the nat commands.

You can nat any address to any other address, they do not need to be configured on the same router, so that bit is actually ok, but you would need to see other information to fit it into context. I always thought you needed to specify the port, for a tcp or udp nat, but would need to check this on the router to confirm.

This is an IOS feature, not only on a specific router. It came in with 12.3(14)T, so you need a version later than that to do these commands. Have a look at http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_nat.html#wp1011476 for the full command reference details.

Good deal. I am sitting on 12.4(8) on my test routers so I'll be good there. I'm going to test this week. I'll most likely have a question or two if I can't get it working. Thanks for your help, Iain.

No problem, it has been fun. Feel free to ask any more questions, but I suspect you will work most of it out as you build the configs.

Regards, Iain
