Change the source IP on NAT

brendanhoran
Level 1

Hi,

I need to change the source IP of a packet for one of my NATs.

I currently have a Cisco 1812.

I have a PPPoE connection as Dialer 0.

I have another VLAN that is connected to a Netscreen SSG5 VPN gateway via another Cisco switch.
I have a VLAN trunk between the switch and the 1812.

What I would like to achieve is the following:

For any traffic going to the following three ranges, make it appear as if it was coming from the VLAN50 address.

Here are the three ranges:

access-list 150 permit ip 192.168.0.0 0.0.255.255 any
access-list 150 permit ip 172.16.0.0 0.0.240.255 any
access-list 150 permit ip 10.0.0.0 0.0.0.255 any

Here is where I need to send it:

ip route 10.0.0.0 255.0.0.0 10.27.30.225
ip route 172.16.0.0 255.240.0.0 10.27.30.225
ip route 192.168.0.0 255.255.0.0 10.27.30.225

I have defined a VLAN with an IP address of 10.27.30.226:

interface Vlan50
 ip address 10.27.30.226 255.255.255.248
 ip virtual-reassembly

I can ping my Netscreen on 10.27.30.255 fine from the Cisco 1812. But any other PC fails, as for some reason the traffic has a source of my Dialer 0 interface.

How can I write a NAT to change the source just for the three destinations?

7 Replies

Josh Sprang
Level 1

Looks like there may be an ACL or routing problem. Can you post your config? And a copy of show ip route from the 1812?

Also, what is the subnet of the PCs and what is the default gateway of the PCs?


Config attached.

#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer0
      1.0.0.0/32 is subnetted, 1 subnets
C        xxx.xxx.xxx.xxx is directly connected, Dialer0
      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
S        10.0.0.0/8 [1/0] via 10.27.30.225
C        10.27.30.224/29 is directly connected, Vlan50
L        10.27.30.226/32 is directly connected, Vlan50
      xxx.0.0.0/32 is subnetted, 1 subnets
C        xxx.xxx.xx.xxx is directly connected, Dialer0
S     172.16.0.0/12 [1/0] via 10.27.30.225
S     192.168.0.0/16 [1/0] via 10.27.30.225
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, Vlan10
L        192.168.0.254/32 is directly connected, Vlan10

PC subnet is 192.168.0.x 255.255.255.0

Default g/w is 192.168.0.254

Try putting ip nat outside under interface VLAN 50.

interface Vlan50
 ip address 10.27.30.226 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 zone-member security LAN

No help.

Still cannot ping an IP address from a machine on my network to the VPN.

RESOLVED!

I set Vlan 50 and Vlan 10 to have "ip nat enable"
I removed "ip nat outside" on vlan 50

I added the following to translate the source

ip nat source static 192.168.0.2 10.27.30.226

Now it all works.

Only from 192.168.0.2 as expected.

Not sure how I can translate for any address.

Can you ping the Netscreen trust interface from a PC?

Yes I can, and any IP address in the VPN. Of course only from 192.168.0.2, but that's OK with me right now.
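
An added example, not part of the thread: a small Python check that compares the wildcard masks in access-list 150 with the subnet masks of the three static routes posted above. It assumes the ACL is meant to cover the same three ranges as the routes; the function names are hypothetical.

```python
import ipaddress
import re

# Lines copied from the first post of the thread.
ACL_LINES = """\
access-list 150 permit ip 192.168.0.0 0.0.255.255 any
access-list 150 permit ip 172.16.0.0 0.0.240.255 any
access-list 150 permit ip 10.0.0.0 0.0.0.255 any
"""
ROUTE_LINES = """\
ip route 10.0.0.0 255.0.0.0 10.27.30.225
ip route 172.16.0.0 255.240.0.0 10.27.30.225
ip route 192.168.0.0 255.255.0.0 10.27.30.225
"""

ALL_ONES = 0xFFFFFFFF


def wildcard_for(netmask: str) -> str:
    """An IOS wildcard mask is the bitwise inverse of the subnet mask."""
    inverted = int(ipaddress.IPv4Address(netmask)) ^ ALL_ONES
    return str(ipaddress.IPv4Address(inverted))


def parse_routes(text: str) -> dict:
    """Map each static route prefix to its subnet mask."""
    return dict(re.findall(r"^ip route (\S+) (\S+) \S+$", text, re.M))


def parse_acl(text: str) -> dict:
    """Map each ACL address to the wildcard mask that follows it."""
    pattern = r"^access-list \d+ permit ip (\S+) (\S+) any$"
    return dict(re.findall(pattern, text, re.M))


def audit(acl_text: str, route_text: str) -> list:
    """Return (prefix, acl_wildcard, expected_wildcard) for each mismatch.

    Assumption: every routed prefix should have an ACL entry of equal size.
    """
    acl = parse_acl(acl_text)
    mismatches = []
    for prefix, netmask in parse_routes(route_text).items():
        expected = wildcard_for(netmask)
        if acl.get(prefix) != expected:
            mismatches.append((prefix, acl.get(prefix), expected))
    return mismatches


if __name__ == "__main__":
    for prefix, found, expected in audit(ACL_LINES, ROUTE_LINES):
        print(f"{prefix}: ACL wildcard {found}, route mask implies {expected}")
```

Under that assumption, only the 192.168.0.0 entry lines up with its route; the 10.0.0.0 and 172.16.0.0 entries describe different address sets than the /8 and /12 routes.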
