06-09-2012 06:20 AM - edited 03-04-2019 04:37 PM
Hi,
I need to change the source IP of a packet for one of my NATs.
I currently have a Cisco 1812.
I have a PPPoE connection as Dialer 0.
I have another VLAN that is connected to a Netscreen SSG5 VPN gateway via another Cisco switch.
I have a VLAN trunk between the switch and the 1812.
What I would like to achieve is the following :-
For any traffic going to the following three ranges, make it appear as if it was coming from the VLAN50 address.
Here are the three ranges :-
access-list 150 permit ip 192.168.0.0 0.0.255.255 any
access-list 150 permit ip 172.16.0.0 0.0.240.255 any
access-list 150 permit ip 10.0.0.0 0.0.0.255 any
Here is where I need to send it :-
ip route 10.0.0.0 255.0.0.0 10.27.30.225
ip route 172.16.0.0 255.240.0.0 10.27.30.225
ip route 192.168.0.0 255.255.0.0 10.27.30.225
I have defined a VLAN with an ip address of 10.27.30.226
interface Vlan50
 ip address 10.27.30.226 255.255.255.248
 ip virtual-reassembly
I can ping my Netscreen on 10.27.30.255 fine from the Cisco 1812. But any other PC fails, as for some reason the traffic has a source of my Dialer 0 interface.
How can I write a NAT to change the source just for the three destinations?
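Added example, not part of the original post: a Python check of whether the wildcard masks in access-list 150 cover the same address ranges as the three static routes, using IOS wildcard semantics. The config lines are copied from the post; the function names are this example's own.

```python
import ipaddress

# Lines copied from the post above.
ACL_150 = [
    "access-list 150 permit ip 192.168.0.0 0.0.255.255 any",
    "access-list 150 permit ip 172.16.0.0 0.0.240.255 any",
    "access-list 150 permit ip 10.0.0.0 0.0.0.255 any",
]
ROUTES = [
    "ip route 10.0.0.0 255.0.0.0 10.27.30.225",
    "ip route 172.16.0.0 255.240.0.0 10.27.30.225",
    "ip route 192.168.0.0 255.255.0.0 10.27.30.225",
]
ALL_ONES = 0xFFFFFFFF

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_acl(line):
    """(base, wildcard) of the first address pair, which is the source field in an extended ACL."""
    fields = line.split()
    return to_int(fields[4]), to_int(fields[5])

def wildcard_matches(base, wildcard, addr):
    """IOS wildcard semantics: 0 bits must match, 1 bits are ignored."""
    care = ~wildcard & ALL_ONES
    return (to_int(addr) & care) == (base & care)

def covers_prefix(base, wildcard, net):
    """True only if every address inside net matches base/wildcard."""
    care = ~wildcard & ALL_ONES
    host_bits_free = (int(net.hostmask) & care) == 0
    return host_bits_free and wildcard_matches(base, wildcard, str(net.network_address))

def audit(acl_lines=ACL_150, route_lines=ROUTES):
    """Map each routed prefix to (covered by some ACL entry?, wildcard that equals its netmask)."""
    entries = [parse_acl(line) for line in acl_lines]
    report = {}
    for line in route_lines:
        _, _, network, mask, _ = line.split()
        net = ipaddress.IPv4Network(f"{network}/{mask}")
        covered = any(covers_prefix(b, w, net) for b, w in entries)
        report[str(net)] = (covered, str(net.hostmask))
    return report

if __name__ == "__main__":
    for prefix, (covered, wildcard) in audit().items():
        print(f"{prefix:16} covered={covered!s:5} wildcard for this mask: {wildcard}")
```

Run against the lines above, it reports only 192.168.0.0/16 as fully covered; the wildcards that correspond to the other two route masks are 0.15.255.255 and 0.255.255.255.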
06-09-2012 07:03 AM
Looks like there may be an ACL or routing problem. Can you post your config? And a copy of show ip route from the 1812?
Also, what is the subnet of the PCs and what is the default gateway of the PCs?
06-09-2012 07:49 PM
Config attached.
#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Dialer0
1.0.0.0/32 is subnetted, 1 subnets
C xxx.xxx.xxx.xxx is directly connected, Dialer0
10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
S 10.0.0.0/8 [1/0] via 10.27.30.225
C 10.27.30.224/29 is directly connected, Vlan50
L 10.27.30.226/32 is directly connected, Vlan50
xxx.0.0.0/32 is subnetted, 1 subnets
C xxx.xxx.xx.xxx is directly connected, Dialer0
S 172.16.0.0/12 [1/0] via 10.27.30.225
S 192.168.0.0/16 [1/0] via 10.27.30.225
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, Vlan10
L 192.168.0.254/32 is directly connected, Vlan10
PC subnet is 192.168.0.x 255.255.255.0
Default g/w is 192.168.0.254
06-10-2012 07:20 AM
Try putting ip nat outside under interface VLAN 50.
06-10-2012 08:57 AM
interface Vlan50
 ip address 10.27.30.226 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 zone-member security LAN
No help
Still cannot ping an IP address from a machine on my network to the VPN.
06-11-2012 06:22 AM
RESOLVED!
I set Vlan 50 and Vlan 10 to have "ip nat enable"
I removed "ip nat outside" on vlan 50
I added the following to translate the source
ip nat source static 192.168.0.2 10.27.30.226
Now it all works.
Only from 192.168.0.2 as expected.
Not sure how I can translate for any address.
06-18-2012 06:19 AM
Can you ping the Netscreen trust interface from a PC?
06-18-2012 06:47 AM
Yes, I can, and any IP address in the VPN. Of course only from 192.168.0.2, but that's OK with me right now.