11-29-2007 06:49 AM - edited 03-05-2019 07:42 PM
Hi all,
I'd like to ask someone for help with a NAT configuration. I'd like to publish the source PC in a reverse manner but I don't know how. Reverse manner means the following:
source-->router1--->(ip nat outside)router2(ip nat inside)--->router3--->destination
--> means some IP range
Communication should flow from source to destination.
What I want to see is a communication from source translated to IP range of router R2 on inside.
Is there any solution? Please, could someone send me a functional configuration?
Any idea?
jl
11-30-2007 02:14 PM
:( ------------:((((((
So it does seem to be more complicated than anyone would think ah?
Edison, by any means, if you have to redo this 1841 configuration from scratch, please go ahead.
Main things we want are:
1)internet connectivity via ISP1
2)if ISP1 fails, router will re-route to ISP2
3)LAN-to-LAN tunnel with the 10.21.30.0 up.
As you already saw on the config, IP SLA works and internet connectivity works, so again, it is the tunnel.
If, when in failover mode, the tunnel does not fail over to ISP2, that is no problem. It is already a big issue to get it fixed via ISP1, so we don't want to have more nightmares, especially when it is not even working via ISP1 to begin with.
I was on-site and waiting :( but np. Please let me know once we get it. You have my info.
Thank you very much again for your help. I really appreciate it.
11-30-2007 02:20 PM
Angel,
Please remain working with TAC since I'm working with other projects and I do this as volunteer in my spare time.
If this is a bug, TAC has the ability to contact the right people to address this issue.
I was trying to see if something was missing but based on your requirements, it's not a simple configuration and it will take some time on a proper design.
11-30-2007 02:26 PM
np again.
But I still think it is simple. There aren't really any requirements outside of a very simple configuration: LAN-to-LAN tunnel with overlapping networks.
If anyone can shed some light on this, that will be more than helpful.
The thing that kills me is that I have this implementation between a pix and an ASA and it took 2 lines on the pix. I thought routers would be easier.
ap
11-30-2007 02:43 PM
Ok,
I got it working by decreasing the NAT timers:
_____________
Here is what the host receives when the destination is a network other than 10.21.30/24
The source represents the overload F0/0 address
*Mar 1 01:50:34.187: IP: tableid=0, s=66.11.203.209 (Vlan1), d=10.0.2.1 (Loopback2), routed via RIB
*Mar 1 01:50:34.191: IP: s=66.11.203.209 (Vlan1), d=10.0.2.1, len 100, rcvd 4
*Mar 1 01:50:34.195: IP: tableid=0, s=10.0.2.1 (local), d=66.11.203.209 (Vlan1), routed via FIB
*Mar 1 01:50:34.199: IP: s=10.0.2.1 (local), d=66.11.203.209 (Vlan1), len 100, sending
*Mar 1 01:50:34.547: IP: tableid=0, s=66.11.203.209 (Vlan1), d=10.0.2.1 (Loopback2), routed via RIB
Now, it shows the NAT'd address as the source with destination 10.21.30.254
*Mar 1 01:50:36.763: IP: tableid=0, s=10.12.0.254 (Vlan1), d=10.21.30.254 (Vlan1), routed via RIB
*Mar 1 01:50:36.767: IP: s=10.12.0.254 (Vlan1), d=10.21.30.254 (Vlan1), len 100, rcvd 3
*Mar 1 01:50:36.771: IP: tableid=0, s=10.21.30.254 (local), d=10.12.0.254 (Vlan1), routed via FIB
*Mar 1 01:50:36.775: IP: s=10.21.30.254 (local), d=10.12.0.254 (Vlan1), len 100, sending
*Mar 1 01:50:37.251: IP: tableid=0, s=10.12.0.254 (Vlan1), d=10.21.30.254 (Vlan1), routed via RIB
*Mar 1 01:50:37.255: IP: s=10.12.0.254 (Vlan1), d=10.21.30.254 (Vlan1), len 100, rcvd 3
*Mar 1 01:50:37.259: IP: tableid=0, s=10.21.30.254 (local), d=10.12.0.254 (Vlan1), routed via FIB
________________________
These are the changes in your config:
ip nat pool NET10 10.12.0.0 10.12.0.254 prefix-length 24 type match-host
ip nat inside source list NET192-TO-NET10 pool NET10
ip access-list extended NET192-TO-NET10
permit ip 192.168.1.0 0.0.0.255 10.21.30.0 0.0.0.255
ip nat translation timeout 2
ip nat translation tcp-timeout 2
ip nat translation udp-timeout 2
ip nat translation icmp-timeout 2
11-30-2007 03:02 PM
impossible.... too good to be true. :) ---
I will go ahead and implement it right away.
I happen to just be reading something about NAT time-outs when I read your post.
With these changes, we are 100% sure that everything else will continue to work as it is, right? I mean the inside (192.168.1.0/24 properly going to the internet and also the email server on the inside properly getting its traffic on port 25)?
Just want to make sure.
Edison, thank you again.
11-30-2007 03:09 PM
I don't see any static NAT for port 25 in your config. A NAT timeout of 2 seconds will create a problem with the translation for email.
The only 2 static translations I see are for port 20 and 21.
11-30-2007 03:12 PM
There is a line "ip nat inside source static tcp 192.168.1.3 25 66.11.203.210 25 route-map ISP1 extendable" and another one "access-list 100 permit tcp any host x.x.x.x eq smtp" that are taking care of the email server.
I guess you don't call it static NAT, but rather port forwarding, right? Please confirm if I am correct.
11-30-2007 03:14 PM
Forgot to ask you if I should continue with the implementation... will the email server still be able to act normally after these codes?
11-30-2007 03:26 PM
I did an implementation recently where the client had problems with email with the NAT timeout being too low.
Changing the timeout back to 60 seconds fixed it.
The problem with having a timeout so high is that the traffic will continue to use the pool list instead of the overload.
I suggest you try it and see if your email server is susceptible to this change.
If you really want to do this the right way, place a device before the 1841 just doing the NAT for network 10.21.30.0/24 and let the 1841 do the NAT for overload.
Edison, I just finished and it works but only in one direction: from the 1841 to the ASA.
These are the lines I added to the config that I just sent you:
ip nat pool NET-10 10.12.0.0 10.12.0.254 prefix-length 24 type match-host
ip access-list extended NET192-TO-NET10
permit ip 192.168.1.0 0.0.0.255 10.21.30.0 0.0.0.255
ip nat translation timeout 2
ip nat translation tcp-timeout 2
ip nat translation udp-timeout 2
ip nat translation icmp-timeout 2
ip nat inside source list NET192-TO-NET10 pool NET-10
Again, I added these lines to the current running config (the one I just updated you with).
Do I need to add other lines or modify some? Like the ones for the interesting traffic, they currently show as "access-list 190 deny ip 192.168.1.0 0.0.0.255 10.21.30.0 0.0.0.255" and the other which is applied to the crypto map "permit ip 192.168.1.0 0.0.0.255 10.21.30.0 0.0.0.255"
let me know
11-30-2007 04:56 PM
It didn't work. Every time a PC from the 192.168.1.0 side made a connection to the 10.21.30.0 side (by a simple ping, for example), "ip sh nat tr" showed that the 192.168.1.3 device had a one-to-one translation to 10.12.0.3. The ping was successful.
So all good. However, when that same 192.168.1.3 host tried to communicate to the outside world, this is what was happening: it was timing out, it never really made a connection.
Also, when the ping was established from the 1841 side, the host was indeed pingable from the ASA side, but again, the 192.68.1.3 host couldn't communicate to anything else but the tunnel.
Bottom line is that it doesn't work :(
Any idea why this behavior?
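The symptom in this post (host reaches the tunnel, then loses the internet) and Edison's earlier remark that traffic "will continue to use the pool list instead of the overload" can be modelled in a few lines. The following is a constructed simulation added here, not IOS code or anyone's configuration from the thread; it assumes that an existing dynamic entry created from the match-host pool is reused for every new flow from that inside host, whatever the destination, until it ages out, and only then does the destination decide which NAT rule fires. The internet address 198.51.100.10 is a constructed sample.

```python
"""Simulation of the 1841's two NAT rules from the thread (constructed, not IOS code)."""
import ipaddress

TUNNEL_NET = ipaddress.ip_network("10.21.30.0/24")   # LAN-to-LAN peer side
POOL_NET = ipaddress.ip_network("10.12.0.0/24")      # ip nat pool NET10 ... type match-host
OVERLOAD_IP = "66.11.203.209"                        # F0/0 address seen in the debug output


class NatTable:
    def __init__(self, timeout):
        self.timeout = timeout   # seconds, as set by "ip nat translation timeout"
        self.simple = {}         # inside local -> (inside global, time of last use)

    def translate(self, src, dst, now):
        """Return the inside-global source address chosen for a new flow src -> dst."""
        entry = self.simple.get(src)
        if entry and now - entry[1] < self.timeout:
            # Modelled assumption: a live simple (one-to-one) entry is reused for
            # every destination, so this host cannot fall through to the overload.
            self.simple[src] = (entry[0], now)
            return entry[0]
        self.simple.pop(src, None)   # entry has aged out
        if ipaddress.ip_address(dst) in TUNNEL_NET:
            # match-host pool: keep the host byte, swap the network part
            host = int(ipaddress.ip_address(src)) & 0xFF
            glob = str(POOL_NET.network_address + host)
            self.simple[src] = (glob, now)
            return glob
        return OVERLOAD_IP   # PAT on the outside interface for everything else


def scenario(timeout):
    """Ping across the tunnel, then two internet flows 1 s and 5 s later."""
    nat = NatTable(timeout)
    tunnel = nat.translate("192.168.1.3", "10.21.30.254", now=0)
    inet_soon = nat.translate("192.168.1.3", "198.51.100.10", now=1)
    inet_later = nat.translate("192.168.1.3", "198.51.100.10", now=5)
    return tunnel, inet_soon, inet_later
```

With the default 60-second timeout, every internet flow after the tunnel ping is still sourced from 10.12.0.3, which nothing on the internet can answer; with the 2-second timeout from Edison's change, the entry expires and later flows fall back to the overload address, which is why the short timer "fixes" it and why long-lived sessions such as SMTP are then at risk.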
12-01-2007 06:59 AM
Angel,
You are bringing a new set of requirements along with a different configuration.
Sorry, I don't have the equipment to duplicate your scenario anymore, it was a loaner.
I will step out of this thread and let someone else help you or continue working with TAC.
12-01-2007 10:08 AM
Edison, I got it working. I remembered an old dirty trick one Cisco guy had suggested. Last night we went ahead and tried it and it worked.
all good.
thank you for the help
ap