NAT to a public address

ippolito · ‎03-01-2008

I'm trying to verify that this NAT configuration will work...any help would be greatly appreciated. Here is the

problem (simplified for clarity):

1. Single router with two physical interfaces:

- 10.1.1.1/24 (inside network)

- 192.168.1.1/24 (outside/transit network)

2. When a host on the 10.1.1.0 network communicates across the router to a host on the 192.168.1.0 network, the

source IP must be NAT'ed to a single public IP address of, say, 2.2.2.2. That is, it is not a straightforward

overloaded NAT like in every configuration example, because the NAT doesn't assume the address of the router's

"outside" interface.

My proposed router config:

!

interface Fastethernet0/0

ip address 10.1.1.1 255.255.255.0

ip nat inside

!

interface Fastethernet0/1

ip address 192.168.1.1 255.255.255.0

ip nat outside

!

ip nat pool NAT-POOL 2.2.2.2 2.2.2.2 netmask 255.255.255.0

!

access-list 1 permit 10.1.1.0 0.0.0.255

!

ip nat inside source list 1 pool NAT-POOL overload

!

If I ping a host on the 192.168.1.0 network from the 10.1.1.0 network, will the echo-replies be able to find their

way back, since they will appear to originate from 2.2.2.2? My suspicion is that this won't work, because there is

no route to 2.2.2.2 from the 192.168.1.0 network. Is there a configuration example that I overlooked? Do I have to

add a secondary ip on the Fa0/1 interface on the 2.2.2.0 network? Or would I have to use a loopback interface for

traffic to flow from 2.2.2.2 back to 10.1.1.1?

Thanks for the help.

Edison Ortiz · ‎03-01-2008

Do I have to add a secondary ip on the Fa0/1 interface on the 2.2.2.0 network?

That's the easiest way.

Or would I have to use a loopback interface for traffic to flow from 2.2.2.2 back to 10.1.1.1?

You can do this too but it requires a PBR so traffic can be source from the loopback. It can be quite messy. Go with the secondary IP approach and you also need to advertise that interface to remote devices for the return traffic.

HTH,

__

Edison.

ippolito · ‎03-02-2008

Thank you for the reply, this was very helpful. But I'm having problems getting it to work. I tried these steps, and tested by pinging from 10.1.1.0 network to 192.168.1.0 network:

1. Added 2.2.2.2 as a secondary address on Fa0/1, kept dynamic NAT pool as is.

- could not ping 192.168.1.0 network

2. Made 2.2.2.2 the primary address, with 192.168.1.1 the secondary address on Fa0/1, kept dynamic NAT pool as is.

- could not ping 192.168.1.0 network, got warning of duplicate ip

3. Added 2.2.2.2 as a secondary address on Fa0/1, changed nat statement to an overload:

ip nat inside source list 11 interface Fa0/1 overload

- now I can ping the 192.168.1.0 network, but my address is translated to the ip address of Fa0/1 (192.168.1.1)

4. Tried #3 above, but swapped the primary and secondary ip's.

- could not ping 192.168.1.0 network

Thanks again for the help.

sundar.palaniappan · ‎03-02-2008

""4. Tried #3 above, but swapped the primary and secondary ip's.

- could not ping 192.168.1.0 network""

I assume you must have been using the NAT pool overload configuration when the primary address of f0/1 was set to 2.2.2.2.

If it's then remove the 2 NAT pool commands that you had in your original configuration and use the command 'ip nat inside source list 11 interface Fa0/1 overload'.

When configuring overload (PAT) using an interface you should use the interface overload option rather than the NAT pool overload configuration.

HTH

Sundar

Edison Ortiz · ‎03-03-2008

You are focusing your troubleshooting on pinging from 10.1.1.0/24 network to 192.168.1.0/24 network.

Let's take the 2.2.2.2 out of the picture, were you able to ping from 10.1.1.0/24 to 192.168.1.0/24 before adding the secondary IP address ?

You can't use the interface overload option while having multiple address on the NATed interface, you need to use the 'ip address' option.

Can you please repost the config with any changes you've made?

__

Edison.