Static NAT question for Routers

Been searching over but haven't found a solution.

Basically, I want to do a static NAT only over a VPN site-to-site tunnel.

So our LAN is 10.0.0.0/22 and it will be static NAT'ed to 172.16.0.0/22 when going over the VPN.  I want a one-to-one static NAT, because it needs two-way communication.

Normally it would be for a PC (10.0.0.1):

..<left out vpn config>

! 192.168.0.0/24 is the <vpn destination>
ip access-list extended nat
 permit ip 10.0.0.0 0.0.3.255 192.168.0.0 0.0.0.255
!
route-map vpnNAT permit 10
 match ip address nat
!
ip nat inside source static 10.0.0.1 172.16.0.1 route-map vpnNAT

But this only works for 10.0.0.1.  Is there a way I can do it so I can have 10.0.0.0/22 go to 172.16.0.0/22 without typing a static NAT statement for each IP?  There has to be some way to do it ... I hope.

6 REPLIES
New Member

Static NAT question for Routers

Create a NAT pool for 172.16.0.0/22 and use the "type match-host" option.  The router will make sure that the host portion of the NAT'd address matches the host portion of the inside address.  Therefore, 10.0.0.1 becomes 172.16.0.1, 10.0.0.2 becomes 172.16.0.2, etc.

New Member

Static NAT question for Routers

That only works after I start a communication from me to them.  If I don't, there's no NAT translation yet.  And if the other side tries to reach me first, it would fail, unless I initiate first.  Which is something I want to avoid.

New Member

Static NAT question for Routers

I see what you're saying now.  I'd love to have an answer for you but I don't.

New Member

Static NAT question for Routers

In the "ip nat inside..." command use the "reversible" option to allow the traffic to come inbound.  Try that and let me know.  I'm going to try and lab this up.
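The pool-based configuration the two replies above describe (a "type match-host" pool driven by the route-map, plus "reversible"), written out as an added example; this is not configuration posted in the thread. The interface names and the pool name are assumptions, and the 192.168.0.0/24 remote LAN is taken from the original post's ACL.

```cisco
! Added example, not from the thread. Interface names and pool name are assumed.
interface GigabitEthernet0/0
 description LAN 10.0.0.0/22 (assumed interface)
 ip nat inside
!
interface GigabitEthernet0/1
 description WAN, VPN tunnel source (assumed interface)
 ip nat outside
!
! Translate only our /22 when it talks to the remote VPN LAN; Internet-bound
! traffic does not match this ACL and is therefore not touched by the route-map.
ip access-list extended nat
 permit ip 10.0.0.0 0.0.3.255 192.168.0.0 0.0.0.255
!
route-map vpnNAT permit 10
 match ip address nat
!
! One-to-one pool covering 172.16.0.0/22 (prefix-length 22 = 255.255.252.0).
! "type match-host" preserves the host bits, so 10.0.0.1 -> 172.16.0.1,
! 10.0.0.2 -> 172.16.0.2, and so on across the whole /22.
ip nat pool VPN-POOL 172.16.0.1 172.16.3.254 prefix-length 22 type match-host
!
! "reversible" lets outside-initiated sessions use the route-map rule. The
! entries are still dynamic: a host's translation must already exist for the
! remote side to reach it, which is the limitation raised in the thread.
ip nat inside source route-map vpnNAT pool VPN-POOL reversible
!
! Verify which inside hosts currently have an entry:
!   show ip nat translations
!   show ip nat statistics
```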

New Member

Static NAT question for Routers

Yea at this point I think I have to add like 1028 static nat entries ... 4 x 255 ...

New Member

Static NAT question for Routers

Well, here's an option you might consider if you can't get a better answer.  You could set up IP SLA on a device and use it to generate interesting traffic across the tunnel so that all of the active IP addresses in the range are in the NAT table.  Just tune it so that the frequency of the IP SLA is just under the threshold of the other timers.  I tested it in my lab.  Works OK for three IP addresses.  Don't know about 1022!
