
How to do destination NAT in a 2600 router with IOS 12.3?

dfariborz
Level 1

Hi All

 

I have a 2600 router with two LAN interfaces which I am using for a PoC and has the following settings:

FE 0/0 - 10.0.0.1/24 - client LAN - inside 

FE 0/1 - 10.1.1.1/24 - server LAN - outside 

 

The direction of the flows is from the clients to the servers. What I would like to achieve is that when clients access the web server 10.1.1.10, this is replaced by 10.1.1.100.

I have tried the above a few times but it doesn't work. Is the above possible? And if so, please provide me with a sample config.

 

Many Thanks

 

Darius.Fariborz@cgi.com  

 

 

  

 

6 Replies

danjone3
Cisco Employee

Yes, you can do this.  You don't need destination NAT.  Source NAT translations work both ways.  This should work:

 

ip nat inside source static tcp 10.1.1.100 80 10.1.1.10 80
int fa 0/0
 ip nat inside
int fa 0/1
 ip nat outside

 

The bigger question is why you'd want to.  Just because you CAN do something doesn't mean you SHOULD.  Unless you have the 10.1.1.0 network subnetted or some sort of firewall/blocking in place, both IPs should be reachable by the hosts.  Why not just have them go directly to 10.1.1.100 instead of going to 10.1.1.10?  If there's a firewall or similar blocking 10.1.1.100, why not adjust your firewall settings instead?  You could have a valid reason for doing this but I can't think of very many scenarios off the top of my head where this would make sense.  If you can post more details on what you're trying to accomplish, you might get better advice on a better way to solve the problem.

Hi There

 

Sorry been out of the office recently. We managed to get the configuration working by introducing a 2nd router. Network diagram is attached for your consideration.

 

Cheers

 

Darius.Fariborz@cgi.com

dfariborz
Level 1

Hello

I tried your suggested config but it didn't work. The results were as follows from 10.0.0.100:

ping to 10.1.1.10 - worked

ping to 10.1.1.100 - didn't work

TCP to 10.1.1.10 - didn't work

TCP to 10.1.1.100 - worked

The reason for this is that a legacy server (10.0.0.100) which is over 15 years old needs to communicate with a new server and we don't have the password to log on to it as admin to change the configuration.

Thanks

DF

 

The NAT statement I posted (actually a PAT - Port Address Translation) only affects TCP packets going to port 80, so a ping will not be converted.  You can change the NAT statement to:

ip nat inside source static ip 10.1.1.100 10.1.1.10

That will convert ALL ip traffic.  Everything going to .10 will end up at 100, including pings.  A quick lab mock-up verifies the basic functionality is there.  My lab may not match your actual network configuration, of course.  The results you posted suggest something else might be coming into play, since you can only ping one IP and TCP to the other.  If you don't want to use a full NAT of all IP packets or the above change doesn't work, post some more details.  What are the results of ping and TCP if you take NAT off?  What device is IP address .10 assigned to?
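
A simplified model, added here as an example and not part of the original post or of IOS itself, of how the two static entries quoted in this thread match packets: the port-scoped entry touches only TCP port 80, the whole-address entry touches every protocol, and each rewrites the destination in one direction and the source in the other. The `Packet` and `StaticEntry` types, the `translate` function and the 192.0.2.7 peer are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None   # None for ICMP
    dport: Optional[int] = None

@dataclass(frozen=True)
class StaticEntry:
    local_ip: str                 # inside local address
    global_ip: str                # inside global address
    proto: Optional[str] = None   # None = whole-address entry
    local_port: Optional[int] = None
    global_port: Optional[int] = None

def translate(pkt: Packet, e: StaticEntry, arrived_on: str) -> Packet:
    """Apply one static entry to a packet that arrived on an 'inside' or 'outside' interface."""
    if e.proto is not None and pkt.proto != e.proto:
        return pkt                                    # port-scoped entry skips other protocols
    if arrived_on == "outside" and pkt.dst == e.global_ip:
        if e.proto is None:                           # whole address: rewrite destination
            return replace(pkt, dst=e.local_ip)
        if pkt.dport == e.global_port:                # port entry: address and port must match
            return replace(pkt, dst=e.local_ip, dport=e.local_port)
    if arrived_on == "inside" and pkt.src == e.local_ip:
        if e.proto is None:                           # reverse direction: rewrite source
            return replace(pkt, src=e.global_ip)
        if pkt.sport == e.local_port:
            return replace(pkt, src=e.global_ip, sport=e.global_port)
    return pkt

# The two static entries from the thread, expressed in the model.
PORT_ENTRY = StaticEntry("10.1.1.100", "10.1.1.10", "tcp", 80, 80)
FULL_ENTRY = StaticEntry("10.1.1.100", "10.1.1.10")

# Constructed sample packets (192.0.2.7 is a made-up peer behind the outside interface).
WEB = Packet("tcp", "192.0.2.7", "10.1.1.10", 40000, 80)
PING = Packet("icmp", "192.0.2.7", "10.1.1.10")
REPLY = Packet("tcp", "10.1.1.100", "192.0.2.7", 80, 40000)
CLIENT = Packet("tcp", "10.0.0.100", "10.1.1.10", 40000, 80)  # thread's client, inside side

if __name__ == "__main__":
    for name, entry in (("port-80 entry", PORT_ENTRY), ("full entry", FULL_ENTRY)):
        for pkt, side in ((WEB, "outside"), (PING, "outside"), (REPLY, "inside"), (CLIENT, "inside")):
            print(f"{name:14} {side:8} {pkt} -> {translate(pkt, entry, side)}")
```

On a router, `show ip nat translations` lists the entries and `debug ip nat` shows which packets were actually rewritten, which is the quickest way to compare real behaviour against a model like this.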

 

Hello

 

Please find attached the network diagram of my tests.

 

The results that I got for using "ip nat inside source static ip 10.1.1.100 10.1.1.10" were as before, i.e.

ping to 10.1.1.10 - worked

ping to 10.1.1.100 - didn't work

TCP to 10.1.1.10 - didn't work

TCP to 10.1.1.100 - worked

 

Thank you

 

DF

There is no device with IP 10.1.1.10 actually on the network, right?  When you say that TCP to 10.1.1.10 didn't work, are you referring to opening a browser window to the IP?  Does ping to 10.1.1.100 work if you take off the NAT statements?
