11-03-2014 10:00 AM - edited 03-07-2019 09:21 PM
Hi All
I have a 2600 router with two LAN interfaces which I am using for a PoC and which has the following settings:
FE 0/0 - 10.0.0.1/24 - client LAN - inside
FE 0/1 - 10.1.1.1/24 - server LAN - outside
The direction of the flows is from the clients to the servers. What I would like to achieve is that when clients access the web server 10.1.1.10, this is replaced by 10.1.1.100.
I have tried the above a few times but it doesn't work. Is the above possible? And if so, please provide me with a sample config.
Many Thanks
Darius.Fariborz@cgi.com
11-03-2014 11:15 AM
Yes, you can do this. You don't need destination NAT. Source NAT translations work both ways. This should work:
ip nat inside source static tcp 10.1.1.100 80 10.1.1.10 80
int fa 0/0
ip nat inside
int fa 0/1
ip nat outside
The bigger question is why you'd want to. Just because you CAN do something doesn't mean you SHOULD. Unless you have the 10.1.1.0 network subnetted or some sort of firewall/blocking in place, both IPs should be reachable by the hosts. Why not just have them go directly to 10.1.1.100 instead of going to 10.1.1.10? If there's a firewall or similar blocking 10.1.1.100, why not adjust your firewall settings instead? You could have a valid reason for doing this but I can't think of very many scenarios off the top of my head where this would make sense. If you can post more details on what you're trying to accomplish, you might get better advice on a better way to solve the problem.
11-13-2014 07:54 AM
11-04-2014 01:54 AM
Hello
I tried your suggested config but it didn't work. The results were as follows from 10.0.0.100:
ping to 10.1.1.10 - worked
ping to 10.1.1.100 - didn't work
TCP to 10.1.1.10 - didn't work
TCP to 10.1.1.100 - worked
The reason for this is that a legacy server (10.0.0.100) which is over 15 years old needs to communicate with a new server and we don't have the password to log on to it as admin to change configuration.
Thanks
DF
11-04-2014 03:53 AM
The NAT statement I posted (actually a PAT - Port Address Translation) only affects TCP packets going to port 80, so a ping will not be converted. You can change the NAT statement to:
ip nat inside source static ip 10.1.1.100 10.1.1.10
That will convert ALL IP traffic. Everything going to .10 will end up at .100, including pings. A quick lab mock-up verifies the basic functionality is there. My lab may not match your actual network configuration, of course. The results you posted suggest something else might be coming into play, since you can only ping one IP and TCP to the other. If you don't want to use a full NAT of all IP packets or the above change doesn't work, post some more details. What are the results of ping and TCP if you take NAT off? What device is IP address .10 assigned to?
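As an added illustration (not code from any poster in this thread), this small Python model applies the two static statements above to constructed client packets and reports the destination each one leaves with. It assumes the standard direction rule for `ip nat inside source static`: the destination is rewritten for packets arriving on an `ip nat outside` interface, and the source for packets arriving on an `ip nat inside` interface. Routing, ARP and return traffic are not modelled, and all class and function names are hypothetical.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None  # None for ICMP
    dport: Optional[int] = None

@dataclass(frozen=True)
class StaticRule:
    """Model of: ip nat inside source static [tcp] <local> [port] <global> [port]"""
    local_ip: str                # inside local (real address)
    global_ip: str               # inside global (address seen from the outside)
    proto: Optional[str] = None  # None models "static ip": all IP traffic
    port: Optional[int] = None   # same port on both sides, as in the thread

def translate(pkt: Packet, rule: StaticRule, arrives_on: str) -> Packet:
    """Return pkt as forwarded after arriving on an 'inside' or 'outside' interface."""
    if rule.proto is not None and pkt.proto != rule.proto:
        return pkt               # port rule for another protocol: untouched
    if arrives_on == "outside":
        # outside -> inside: destination inside-global becomes inside-local
        if pkt.dst == rule.global_ip and rule.port in (None, pkt.dport):
            return replace(pkt, dst=rule.local_ip)
    elif arrives_on == "inside":
        # inside -> outside: source inside-local becomes inside-global
        if pkt.src == rule.local_ip and rule.port in (None, pkt.sport):
            return replace(pkt, src=rule.global_ip)
    return pkt

# The two statements from the thread.
PAT = StaticRule("10.1.1.100", "10.1.1.10", proto="tcp", port=80)
FULL = StaticRule("10.1.1.100", "10.1.1.10")
# Constructed client packets from 10.0.0.100 (source port is made up).
HTTP = Packet("tcp", "10.0.0.100", "10.1.1.10", sport=49152, dport=80)
PING = Packet("icmp", "10.0.0.100", "10.1.1.10")

def destinations(arrives_on: str) -> dict:
    """Destination each sample packet leaves with, per rule."""
    return {(name, p.proto): translate(p, r, arrives_on).dst
            for name, r in (("PAT", PAT), ("FULL", FULL)) for p in (HTTP, PING)}

if __name__ == "__main__":
    for side in ("outside", "inside"):
        print(side, destinations(side))
```

In this model the destination 10.1.1.10 is only rewritten when the client packet arrives on the interface marked `ip nat outside`; the port-80 rule leaves ICMP alone in either case.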
11-05-2014 05:34 AM
Hello
Please find attached the network diagram of my tests.
The results that I got for using "ip nat inside source static ip 10.1.1.100 10.1.1.10" were as before, i.e.
ping to 10.1.1.10 - worked
ping to 10.1.1.100 - didn't work
TCP to 10.1.1.10 - didn't work
TCP to 10.1.1.100 - worked
Thank you
DF
11-05-2014 09:40 AM
There is no device with IP 10.1.1.10 actually on the network, right? When you say that TCP to 10.1.1.10 didn't work, are you referring to opening a browser window to the IP? Does ping to 10.1.1.100 work if you take off the NAT statements?