Cisco Support Community

New Member

"Double" NATing?

I'm trying to join two corporate networks via an ISDN link, with a 1004 on this side.

The users on this side need to access a machine on the other side. I'd like both IP domains to stay separate, i.e. having an address on the segment of the 1004 mapped to the AS/400 machine on the other side, a bit like setting up public access to a web site.

The difference is, with a public web site the source will be a public address and easily routable back to the client. In my case I do not want the other side to be configured with all my address ranges (where there could be possible conflicts). Thus the 'double' NATing.

If one corporate network was 10.x.x.x and the other 172.x.x.x, could it be possible that the client uses a 10.x.x.x address as a destination to the other side, and in turn the other side is also believing it is talking with a 172.x.x.x client?

Not sure if this is clear, I've been turning the idea round and round inside my head all weekend.

3 REPLIES
New Member

Re: "Double" NATing?

I'm assuming that by 'double NAT'ing you mean that both networks have private IP ranges and are behind NAT/PAT firewalls with a single public IP address exposed on each end?

If this is the case then what you are proposing will function BUT without a VPN you will have to statically port forward all requests from the public (outside) interface to the inside IP interface of your AS/400. Let's assume you are telnetting into your AS/400 - your remote clients connecting to the AS/400 will telnet to the PUBLIC IP of the network where your AS/400 resides - e.g. 208.48.23.4 port 23. As far as the AS/400 is concerned it will simply see the other network's PUBLIC IP, i.e. on your AS/400 you will see multiple inbound telnet sessions from the other network's single public IP (NAT/PAT will fix the connections up at each end and route the proper session to the correct end node IP).

I've had only passing experience with AS/400's but if you are using the standard AS/400 implementation of telnet then it will work (the 'double NAT' will make NO difference to your configuration). One word of caution... if you are using standard telnet (as opposed to SSH or 'secure' AS/400 client software) then ALL of your traffic will be in the clear over the public IP network. Consider the implications of this before you proceed. A much better option is to establish a VPN between the two networks and route the two private IP spaces together. This will allow each side to address the other using private IP ranges. If I've misunderstood your question and given a pointless answer then please ignore ;)

New Member

Re: "Double" NATing?

Well you did give me a couple of ideas, thanks :) But maybe a little ASCII drawing... watch out, I'm no artist.

Company 1:

--172.17.2.0/24--[RouterA]--10.0.0.0/8--[RouterB]

Company 2:

--[RouterC]--172.0.0.0/8--[RouterD]---10.0.0.0/8

I have clients sitting on the 10.x.x.x segment in company 1, who need to access a machine sitting on the 172.0.0.0 segment in company 2. We've added 2 routers between RouterB and RouterC, using an ISDN line.

How do I keep both IP domains separated while allowing the users to connect?

For now Company 1 doesn't have a 172.17.2.0 segment, so I'm routing traffic over the ISDN link and NATing on that side so clients appear as Company 2's 172.0.0.0 clients to the server.

I know that we have more than enough private classes to just forget about 172.17.2.0 in Company1, but it's just a challenge to see if I can make it work with NAT/PAT without any company having to 'reserve' segments...

I've tried adding a static translation entry, but it didn't seem to work. I'm not sure if it wasn't getting to the destination at all, or if it's just because then it didn't go through the address pool on the Company 2 side...

New Member

Re: "Double" NATing?

This is possible as I have recently done the same deal with our Security command blocks. Our internal corporate network connects to a routable 10.x address while the devices inside the DMZs talk back to the security block and all internal 10.x addresses via 192.168.x addresses (and to increase security from the DMZ to the corporate security block we do not route on any of the DMZ interfaces).

The syntax would look like this:

I need my 10.1.1.1 to talk to my 192.168.1.1 via telnet and vice versa. 10.x is inside and 192.x is DMZ1...

! define a global pool so that inside hosts get a dmz1-side address
! to reach DMZ1 and get replies back again; this assumes no more than
! 10 inside hosts connect at once. The pool starts at .101 so that it
! does not overlap the static mapped address 192.168.1.100 used below.
global (dmz1) 1 192.168.1.101-192.168.1.110
! NAT all traffic leaving "inside" with global_ID 1
nat (inside) 1 0 0
! alias a new address for the 10.x to 192.x mapping (the double-NATing):
! inside hosts reach 192.168.1.1 by telnetting to 10.2.1.1, which must be
! an address that is not already on your inside interface's subnet
alias (inside) 10.2.1.1 192.168.1.1 255.255.255.255
! now let DMZ1 connect to the host 10.1.1.1 using a DMZ1 address
! (first address is the mapped dmz1 address, second is the real inside host)
static (inside,dmz1) 192.168.1.100 10.1.1.1 netmask 255.255.255.255
! create an ACL (or a conduit, depending on version) so DMZ1 can use the
! static; the ACL only takes effect once it is applied to the dmz1 interface
access-list acl_dmz1 permit tcp any host 192.168.1.100 eq telnet
access-group acl_dmz1 in interface dmz1
! or, on versions that still use conduits:
conduit permit tcp host 192.168.1.100 eq telnet any
! that's it for the special commands; here are the nameif and
! ip addressing used in this example
nameif ethernet0 inside security100
nameif ethernet1 dmz1 security0
ip address inside 10.1.1.254 255.255.255.0
ip address dmz1 192.168.1.254 255.255.255.0

Hope this helps you out as it solved all my problems...

Cheers,

Gary Freeman

Network Analyst II

Rogers Communications
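To see what each side actually believes it is talking to under the alias/static/global setup above, here is a small Python model of the PIX translations (an added example, not code from the thread or from Cisco). The per-source-host xlate table, the pool range .101-.110 and the constructed hosts 10.1.1.50 and 192.168.1.1 are assumptions that mirror the configuration; connection tracking and the access-list check are left out.

```python
# Constructed model of the PIX double NAT from the reply above (added example,
# not Cisco code). Inside host 10.1.1.1 reaches DMZ host 192.168.1.1 through the
# alias address 10.2.1.1; DMZ hosts reach 10.1.1.1 through the static
# 192.168.1.100; other inside hosts draw a dmz1-side address from the pool.
ALIAS = {"10.2.1.1": "192.168.1.1"}            # alias (inside) dnat_ip foreign_ip
ALIAS_REV = {v: k for k, v in ALIAS.items()}
STATIC = {"10.1.1.1": "192.168.1.100"}         # static (inside,dmz1) mapped real
STATIC_REV = {v: k for k, v in STATIC.items()}
POOL = [f"192.168.1.{i}" for i in range(101, 111)]  # global (dmz1) 1 .101-.110


class DoubleNat:
    """Per-source-host xlate table, as a PIX keeps for dynamic NAT (assumption:
    connection tracking and the dmz1 access-list are not modelled)."""

    def __init__(self):
        self.xlate = {}          # real inside source -> mapped dmz1 address
        self.free = list(POOL)   # pool addresses not yet handed out

    def inside_to_dmz(self, src, dst):
        """Packet entering on inside; returns (src, dst) as the DMZ host sees it."""
        real_dst = ALIAS.get(dst, dst)            # alias rewrites the destination
        if src in STATIC:                         # a static wins over the pool
            return STATIC[src], real_dst
        if src not in self.xlate:                 # first packet from this host
            if not self.free:
                raise RuntimeError("global pool exhausted: more than 10 inside hosts")
            self.xlate[src] = self.free.pop(0)
        return self.xlate[src], real_dst

    def dmz_to_inside(self, src, dst):
        """Packet entering on dmz1; returns (src, dst) as the inside host sees it,
        or None when no static or dynamic xlate exists for dst (the PIX drops it)."""
        seen_src = ALIAS_REV.get(src, src)        # undo the alias on the way back
        if dst in STATIC_REV:
            return seen_src, STATIC_REV[dst]
        for real_src, mapped in self.xlate.items():
            if mapped == dst:
                return seen_src, real_src
        return None


if __name__ == "__main__":
    pix = DoubleNat()
    print("dmz1 sees:", pix.inside_to_dmz("10.1.1.1", "10.2.1.1"))    # static host
    print("dmz1 sees:", pix.inside_to_dmz("10.1.1.50", "10.2.1.1"))   # pool host
    print("inside sees:", pix.dmz_to_inside("192.168.1.1", "192.168.1.101"))
```

Neither side ever sees the other's real range: the DMZ host only ever sees 192.168.1.x sources, and the inside host only ever sees 10.2.1.1, which is the point of the double NAT.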
