
NAT in two ways

Hello,

I have configured a Cisco router (IOS 12.3) for PAT. There are some servers which have no official IP, only internal addresses.

The router has one official IP and one internal IP address.

Then I had to configure port forwardings.

All works so far.

But the router is NOT the default gateway of the machines. And if a request from outside comes through the port forwarding of the Cisco router to the internal machine, the packets still have the official IP address of the requesting machine as source address. So the internal machine sends the answer to the default gateway.

Up to now we have used a Linux system with the xinetd daemon. It worked like a proxy and did the port forwarding.

It gets the request from outside, overwrites the source address with its own internal address and sends the packet to the defined forwarded port on the internal machine.

This job should be done by the Cisco router now.

Here is the current router config for NAT:

ip nat pool nat_pool 212.xx.xx.xx 212.xx.xx.xx netmask 255.255.255.252

ip nat inside source list 105 interface FastEthernet0/0 overload

ip nat inside source static tcp 192.168.105.201 80 212.xx.xx.xx 80 extendable

ip nat inside source static tcp 192.168.105.59 7000 212.xx.xx.xx 7000 extendable

ip nat outside source static 212.xx.xx.xx 192.168.105.254 add-route

access-list 105 deny ip 192.168.105.0 0.0.0.255 192.168.104.0 0.0.0.255

access-list 105 deny ip 192.168.105.0 0.0.0.255 192.168.103.0 0.0.0.255

access-list 105 permit ip 192.168.105.0 0.0.0.255 any

And one more question:

As you can see from the router configuration above: is the NAT pool required in this case?

thanks and regards

chasm_Ger
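The return-path problem described in the post above, as an added example that is not part of the original thread: a small Python model of the two NAT directions. It shows why a port-forwarded request whose source address is left untouched is answered via the server's default gateway, and how an outside-source translation onto the router's LAN address keeps the reply on the router so it can be un-translated. The addresses 203.0.113.1 and 198.51.100.7 are constructed stand-ins for the masked 212.xx.xx.xx router address and an external client; the server's default gateway address and the PAT port range are assumptions.

```python
"""Model of a static port forward with and without outside-source NAT.

Added example, not code from the thread. 203.0.113.1 stands in for the
router's masked public address, 198.51.100.7 for an external client; the
server's default gateway (192.168.103.1) is assumed.
"""
from dataclasses import dataclass, replace as dc_replace
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ROUTER_OUTSIDE = IPv4Address("203.0.113.1")       # constructed stand-in for 212.xx.xx.xx
ROUTER_INSIDE = IPv4Address("192.168.103.70")     # router LAN address from the thread
SERVER = IPv4Address("192.168.103.104")           # forwarded server from the thread
SERVER_PORT = 9200
SERVER_NET = IPv4Network("192.168.103.0/24")
SERVER_DEFAULT_GW = IPv4Address("192.168.103.1")  # assumed: the "other" gateway, not the NAT router
CLIENT = IPv4Address("198.51.100.7")              # constructed external client


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


class NatRouter:
    """Static port forward (inside destination) plus optional PAT of the
    outside source onto the router's own LAN address."""

    def __init__(self, translate_outside_source: bool):
        self.translate_outside_source = translate_outside_source
        self.outside_map = {}        # PAT port -> (client address, client port)
        self.next_port = 40000       # assumed PAT port range

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.dst, pkt.dport) != (ROUTER_OUTSIDE, SERVER_PORT):
            return None              # no static entry: not forwarded
        pkt = dc_replace(pkt, dst=SERVER)          # 'ip nat inside source static tcp ... 9200'
        if self.translate_outside_source:          # 'ip nat outside source list ... pool <router LAN addr>'
            port = self.next_port
            self.next_port += 1
            self.outside_map[port] = (pkt.src, pkt.sport)
            pkt = dc_replace(pkt, src=ROUTER_INSIDE, sport=port)
        return pkt

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Undo both translations for a reply that actually reached the router."""
        if (pkt.src, pkt.sport) != (SERVER, SERVER_PORT):
            return None
        pkt = dc_replace(pkt, src=ROUTER_OUTSIDE)
        if pkt.dst == ROUTER_INSIDE:
            client, cport = self.outside_map[pkt.dport]
            pkt = dc_replace(pkt, dst=client, dport=cport)
        return pkt


def server_reply(req: Packet) -> Packet:
    """The server answers to whatever source address it saw."""
    return Packet(req.dst, req.dport, req.src, req.sport)


def server_next_hop(pkt: Packet) -> IPv4Address:
    """Host forwarding decision: on-link neighbours directly, everything else
    via the default gateway, which in the thread is not the NAT router."""
    return pkt.dst if pkt.dst in SERVER_NET else SERVER_DEFAULT_GW


def trace(translate_outside_source: bool) -> dict:
    router = NatRouter(translate_outside_source)
    req = Packet(CLIENT, 64720, ROUTER_OUTSIDE, SERVER_PORT)
    at_server = router.inbound(req)
    reply = server_reply(at_server)
    hop = server_next_hop(reply)
    # Only a reply handed to the router is un-translated; a reply sent to the
    # other gateway leaves with a private source address and never comes back.
    on_wire = router.outbound(reply) if hop == ROUTER_INSIDE else None
    return {"seen_by_server": at_server.src, "reply_next_hop": hop, "reply_to_client": on_wire}


if __name__ == "__main__":
    for flag in (False, True):
        print("outside-source NAT" if flag else "port forward only", trace(flag))
```

With `translate_outside_source=False` the server sees the client's real address and hands its reply to its default gateway; with it set, the server sees 192.168.103.70, replies on-link to the router, and the router restores the client address and port.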

9 REPLIES

Re: NAT in two ways

Hi chasm_Ger:

Where do you apply nat_pool? Looks like you want to do "ip nat inside source list 105 nat_pool overload".

Since you have static NAT for 2 addresses in 192.168.105.xx, you may want to put them in access-list 105 as "deny" first.

The networks in your deny statements in list 105 are all internal private networks. You can use an access list to control routing between internal networks, but that should have nothing to do with NATting, which is a function between private and public address spaces. So from this perspective, you may want to use a different access list other than 105 to restrict routing between the 104/103 subnets and the 105 subnet.

Let me know what you think. Thanks

Gary


Re: NAT in two ways

Hi Gary,

It's only an extract of the config. There are some more static NAT entries, sorry.

The ACL 105 is bigger too and controls the traffic flow through some VPN tunnels.

Why the nat_pool is not associated with the overload command instead of the interface, I don't know. I have to check this again.

But the problem I have is not routing. I need a solution for masking the official IP addresses from outside while port forwarding in static NAT.

Is that possible as I described in my first post?

thanks for your help

chasm


Re: NAT in two ways

Hi Chasm,

Just to get a bit of clarification here: do you wish to translate the addresses of the source machines to some other address? Is that the issue here?

Paresh


Re: NAT in two ways

Hi Chasm:

The statement "ip nat outside source ..." translates the outside source into your internal private address/ports where the packets will be forwarded to.


Re: NAT in two ways

Hi there,

thanks for all your posts.

I have configured it now like this:

interface FastEthernet0/0

description WAN Link

ip address 212.xx.xx.xx 255.255.255.xxx

ip access-group incoming1 in

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description LAN Link

ip address 192.168.103.70 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

ip classless

ip route 0.0.0.0 0.0.0.0 212.xx.xx.xx

!

ip nat pool nat_incoming 192.168.103.70 192.168.103.70 netmask 255.255.255.252 add-route

ip nat inside source list outgoing_nat_traffic interface FastEthernet0/0 overload

ip nat inside source static tcp 192.168.103.104 9200 212.xx.xx.xx 9200 extendable

ip nat outside source list incoming_nat_traffic pool nat_incoming add-route

!

ip access-list extended incoming1

permit tcp any host 212.xx.xx.xx eq 9200

permit icmp any any echo

permit icmp any any echo-reply

ip access-list extended incoming_nat_traffic

deny ip 192.168.103.0 0.0.0.255 192.168.103.0 0.0.0.255

permit tcp any host 212.59.42.189 eq 9200

ip access-list extended outgoing_nat_traffic

permit ip 192.168.103.0 0.0.0.255 any

It works so far: via tcpdump on the internal server I can see packets from 192.168.103.70 with some dynamic higher port arriving at 192.168.103.104:9200, as I wished.

But there is still something buggy on the way back. Via tcpdump on the internal server, I can see that the internal server answers from 192.168.103.104:9200 to 192.168.103.70 with the dynamic higher port. But the answer never reaches the external requesting system.

The tcpdump extract:

07:34:51.249968 IP (tos 0x0, ttl 119, id 3178, offset 0, flags [DF], proto 6, length: 48) 84.130.209.134.64720 > 212.xx.xx.xx.9200: S [tcp sum ok] 3590787105:3590787105(0) win 65535

0x0000: 0015 62af 25b8 0004 c1c4 6280 0800 4500 ..b.%.....b...E. ..W>..........

07:34:51.250479 IP (tos 0x0, ttl 118, id 3178, offset 0, flags [DF], proto 6, length: 48) 84.130.209.134.64720 > 192.168.103.104.9200: S [tcp sum ok] 3590787105:3590787105(0) win 65535

07:34:51.250534 IP (tos 0x0, ttl 64, id 62303, offset 0, flags [DF], proto 6, length: 40) 192.168.103.104.9200 > 84.130.209.134.64720: R [tcp sum ok] 0:0(0) ack 3590787106 win 0

Attention: you can see the request from external to the router because there is a hub in use for this test. The 84... IP address is a DSL connection.

The sh ip nat translations:

#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

--- --- --- 192.168.103.70 84.130.226.55

udp 212.xx.xx.xx:54238 192.168.103.70:54238 192.168.105.200:514 192.168.105.200:514

tcp 212.59.42.189:9200 192.168.103.104:9200 84.130.209.134:64720 84.130.209.134:64720

tcp 212.59.42.189:9200 192.168.103.104:9200 --- ---

And the sh ip nat statistics:

#sh ip nat statistics

Total active translations: 4 (1 static, 3 dynamic; 3 extended)

Outside interfaces:

FastEthernet0/0

Inside interfaces:

FastEthernet0/1

Hits: 5136 Misses: 23

CEF Translated packets: 67, CEF Punted packets: 0

Expired translations: 22

Dynamic mappings:

-- Inside Source

[Id: 3] access-list outgoing_nat_traffic interface FastEthernet0/0 refcount 1

-- Outside Source

[Id: 2] access-list incoming_nat_traffic pool nat_incoming refcount 1

pool nat_incoming: netmask 255.255.255.252

start 192.168.103.70 end 192.168.103.70

type generic, total addresses 1, allocated 1 (100%), misses 2

Queued Packets: 0

Does anybody have a suggestion why the answer will not pass the router?

And still one question: as you can see, I have used the add-route parameter for the NAT pool and the ip nat outside configuration. Do I need this? In the Cisco manuals I have read something like it is only useful for virtual interfaces?

Thanks to all for your help

c
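A diagnostic for the "sh ip nat translations" output quoted in the post above, as an added example that is not part of the original thread: a small parser that splits the five columns and flags active flows to a given inside host whose outside local address equals its outside global address. That is exactly the 9200 entry above, and it means the inside host sees the real external address and will answer via its own default gateway unless that gateway is the NAT router. The sample table is constructed after the one in the post, with 203.0.113.1 standing in for the masked 212.xx.xx.xx router address and 198.51.100.x addresses for the external hosts.

```python
"""Parser for 'show ip nat translations' that spots untranslated outside sources.

Added example, not code from the thread. The sample output below is
constructed after the table in the post, with masked public addresses
replaced by documentation-range stand-ins.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the post's table (203.0.113.1 = router's
# public address, 198.51.100.7 = external client, 198.51.100.55 = some other host).
SAMPLE = """\
Pro Inside global      Inside local         Outside local       Outside global
--- ---                ---                  192.168.103.70      198.51.100.55
udp 203.0.113.1:54238  192.168.103.70:54238 192.168.105.200:514 192.168.105.200:514
tcp 203.0.113.1:9200   192.168.103.104:9200 198.51.100.7:64720  198.51.100.7:64720
tcp 203.0.113.1:9200   192.168.103.104:9200 ---                 ---
"""

Endpoint = Optional[Tuple[str, Optional[int]]]   # None stands for the '---' placeholder


@dataclass(frozen=True)
class Translation:
    proto: str              # 'tcp', 'udp', 'icmp' or '---' for an address-only entry
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Endpoint
    outside_global: Endpoint


def parse_endpoint(tok: str) -> Endpoint:
    """'a.b.c.d:port' -> (host, port); 'a.b.c.d' -> (host, None); '---' -> None."""
    if tok == "---":
        return None
    host, sep, port = tok.rpartition(":")
    return (host, int(port)) if sep else (tok, None)


def parse_translations(text: str) -> List[Translation]:
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) != 5 or tok[0] == "Pro":    # header or statistics line
            continue
        entries.append(Translation(tok[0], *map(parse_endpoint, tok[1:])))
    return entries


def untranslated_outside_sources(entries: List[Translation], inside_host: str) -> List[Translation]:
    """Active flows to inside_host whose outside local equals outside global:
    the host sees the real external address, so its reply only comes back
    through this router if the router is its default gateway."""
    return [e for e in entries
            if e.proto != "---"
            and e.inside_local is not None and e.inside_local[0] == inside_host
            and e.outside_global is not None
            and e.outside_local == e.outside_global]


def outside_source_mappings(entries: List[Translation]) -> List[Translation]:
    """Entries created by an 'ip nat outside source' rule: outside local
    differs from outside global."""
    return [e for e in entries
            if e.outside_local is not None and e.outside_global is not None
            and e.outside_local != e.outside_global]


if __name__ == "__main__":
    table = parse_translations(SAMPLE)
    for e in untranslated_outside_sources(table, "192.168.103.104"):
        print("server sees real client address:", e.outside_global, "->", e.inside_local)
    for e in outside_source_mappings(table):
        print("outside-source mapping present:", e.outside_global, "->", e.outside_local)
```

In the sample, the only outside-source mapping that exists is the address-only one for 198.51.100.55, while the 9200 flow from 198.51.100.7 carries its real address all the way to the server, which matches the RST the poster saw leaving the server for the 84.x address.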


Re: NAT in two ways

Hi Paresh,

Yes. I want the internal server to communicate via NAT with the WAN (no official addresses on the server). And I also want port forwardings for connections from outside to the internal server. Therefore I need the translation of the external requesting IP address to the internal IP address of the router, because this router is not the default gateway of the internal servers. The internal server will send the answer to the default gateway if the official external address is the source address of the packet.

Hope i could clarify...

chasm_Ger


Re: NAT in two ways

Create a pool of private addresses as outside local addresses (10.200.0.0/16); Configure nat to translate any outside source public IP addresses to private addresses from above pool; In your servers, configure a static route for destination 10.200.0.0/16 to your router's internal interface.

Hope this helps.


Re: NAT in two ways

Hi again,

I got the way from outside to inside working, with the official requesting IP NATted to the internal router IP.

But the router now does not do NAT from inside to outside any more, so the answer from the internal server is not NATted and forwarded to the outside requesting system.

Here is the NAT extract from my config:

interface FastEthernet0/0

description WAN Link

ip address 212.xx.xx.xx 255.255.255.248

ip access-group incoming in

ip nat outside

ip nat enable

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description LAN Link

ip address 192.168.103.70 255.255.255.0

ip nat inside

ip nat enable

ip virtual-reassembly

duplex auto

speed auto

!

ip classless

ip route 0.0.0.0 0.0.0.0 212.xx.xx.xx

!

ip nat pool nat_incoming 192.168.103.70 192.168.103.70 netmask 255.255.255.252

ip nat inside source list outgoing_nat_traffic interface FastEthernet0/0 overload

ip nat inside source static tcp 192.168.103.104 9200 212.xx.xx.xx 9200 extendable

ip nat outside source list incoming_nat_traffic pool nat_incoming

!

ip access-list extended incoming

permit tcp any host 212.xx.xx.xx eq 9200

permit tcp any any established

permit icmp any any echo

permit icmp any any echo-reply

ip access-list extended incoming_nat_traffic

permit tcp any host 212.xx.xx.xx eq 9200

ip access-list extended no_nat_traffic

permit ip 192.168.105.0 0.0.0.255 any

ip access-list extended outgoing_nat_traffic

permit ip 192.168.103.0 0.0.0.255 any

Hope somebody can help.

thanks, chasm


Re: NAT in two ways

Hello all,

I have found the solution for my problem.

I have configured it this way now and it works:

I have now looked at your link again carefully and it works as follows:

interface FastEthernet0/0

description WAN Link

ip address 212.xx.xx.xx 255.255.255.248

ip access-group incoming in

ip nat enable

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description LAN Link

ip address 192.168.103.70 255.255.255.0

ip nat enable

ip virtual-reassembly

duplex auto

speed auto

!

ip classless

ip route 0.0.0.0 0.0.0.0 212.xx.xx.yy

!

ip nat pool nat_incoming 192.168.103.70 192.168.103.70 netmask 255.255.255.252 add-route

ip nat source list incoming_nat_traffic pool nat_incoming

ip nat source list outgoing_nat_traffic interface FastEthernet0/0 overload

ip nat source static tcp 192.168.103.104 9200 212.xx.xx.xx 9200 extendable

!

ip access-list extended incoming

permit tcp any host 212.xx.xx.xx eq 9200

permit tcp any any established

permit icmp any any echo

permit icmp any any echo-reply

ip access-list extended incoming_nat_traffic

permit tcp any host 212.xx.xx.xx eq 9200

ip access-list extended outgoing_nat_traffic

permit ip 192.168.103.0 0.0.0.255 any

Information this solution is based on:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008041d91a.html#wp1054655

I've only replaced the "ip nat inside/outside" on the interfaces with "ip nat enable" and dropped the "inside" and "outside" keywords in the NAT configuration.

Thanks for your help, guys.

See you

chasm
