Cisco Support Community
Community Member

Destination NAT

Hey,

I'm trying to figure out how I can NAT the destination (DNAT?).

The idea is not to route the public ranges in the network, but to use only private range, this beside.

In this setup, the idea is that when the PC 192.168.0.10 goes to 192.168.0.18, it arrives at 172.18.18.18.

What's the best way to do this? Thanks !!!


11 REPLIES
Cisco Employee

Re: Destination NAT

Assuming that you have the following configured currently:

On the router interface 192.168.0.1 --> ip nat inside

On the router interface 172.18.18.1 --> ip nat outside

Then you would need to configure the following:

ip nat outside source static 172.18.18.18 192.168.0.18

Hope that helps.

Community Member

Re: Destination NAT

Hey,

Tried this, but isn't working. :$

I think it's because the router isn't listening on this IP (192.168.0.18).

I've added it as a standby IP, so now it's listening. But also answering directly. So it's not being NATed or forwarded (?).

Cisco Employee

Re: Destination NAT

Please make sure that proxy arp is enabled on the router interface (192.168.0.1).

Community Member

Re: Destination NAT

Shouldn't this be on by default? :$

I've issued the command (ip proxy-arp) on the interface VLAN2 which is 192.168.0.1, but it doesn't change a lot...

I've got debugging on 'ip nat' and 'ip icmp'. But no entries when I try to ping the 192.168.0.18 from the workstation.

Cisco Employee

Re: Destination NAT

What is the ARP entry on your PC for 192.168.0.18?

Also, please share the output of "show ip nat translation"

Community Member

Re: Destination NAT

See reply below....

Community Member

Re: Destination NAT

I am slightly confused about what you want, but you mean something different than

ip route 0.0.0.0 0.0.0.0 172.18.18.18

?

Do you want to not allow LAN users to access each other?

Community Member

Re: Destination NAT

The idea is that the router is listening on an IP (in this case 192.168.0.18), and translates it to/as 172.18.18.18.

This way, I don't need to have the 172.18.18.0 network known in the 192.168.0.0 network.

The idea is that the client PCs can only use 192.168.0.0 addresses.

So if they want to reach 172.18.18.18, they need to go to 192.168.18.18.

Maybe a bit of history?

Some companies don't allow public IP ranges (in our example 172.18.18.0) in their network (must go by proxy or whatever).

And this way, we can solve the issue of communicating with an external server without the need of advertising the public ranges in our network. Just a kind of virtual IP on the router, it translates it to the internet and that's it...

The router here isn't necessarily the internet/core router. So a default route on the client isn't the solution. :$

Community Member

Re: Destination NAT

Oh. 

I guess for some reason I missed the "NAT" part. 

Thank you for the explanation. Always love new information.

Community Member

Re: Destination NAT

Okay,

Just did a complete 'rebuild' of my setup, and now the ping is answering once I've got the NAT in there (without a standby).

But i see that the NAT itself isn't done.

Ping from the router to the server

TestA#ping 172.18.18.18

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.18.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/28 ms

The NAT table on the router

TestA#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                192.168.0.18       172.18.18.18

The configuration of the interface

interface Vlan1
 ip address 172.18.18.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly

interface Vlan2
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly

The debugging on the router

TestA#sh debugging 
Generic IP:
  ICMP packet debugging is on
  IP NAT debugging is on

A ping from the client towards 192.168.0.18 results in:

TestA#
Jun  3 09:10:17.376 CEDT: ICMP: echo reply sent, src 192.168.0.18, dst 192.168.0.10
Jun  3 09:10:17.380 CEDT: ICMP: echo reply sent, src 192.168.0.18, dst 192.168.0.10
Jun  3 09:10:17.384 CEDT: ICMP: echo reply sent, src 192.168.0.18, dst 192.168.0.10
Jun  3 09:10:17.384 CEDT: ICMP: echo reply sent, src 192.168.0.18, dst 192.168.0.10
Jun  3 09:10:17.388 CEDT: ICMP: echo reply sent, src 192.168.0.18, dst 192.168.0.10

But as you can see in the debug, no natting is performed. :$

Community Member

Re: Destination NAT

Okay, found it.

I needed to add a route for the 192.168.0.18 towards the other network.

So once I've added

ip route 192.168.0.18 255.255.255.255 vlan 1

And now it works...

Or if you see issues why not to do this....
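
Why the host route in the last reply makes the translation happen, as an added example that is not part of the original thread: on IOS, traffic arriving on an `ip nat inside` interface is routed before it is translated, so the route lookup has to send 192.168.0.18 out the outside interface. The Python model below is a simplification; its function names and table layout are assumptions, and only the addresses, interface names and commands come from the thread.

```python
import ipaddress

# Constructed model of the thread's router: NAT roles and connected routes.
NAT_ROLE = {"Vlan1": "outside", "Vlan2": "inside"}
CONNECTED = [("172.18.18.0/24", "Vlan1"), ("192.168.0.0/24", "Vlan2")]
# ip nat outside source static 172.18.18.18 192.168.0.18
# maps the outside local address (key) to the outside global address (value).
OUTSIDE_STATIC = {"192.168.0.18": "172.18.18.18"}


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward(routes, ingress, dst):
    """Inside-to-outside order of operations: route on the untranslated
    destination first, then translate only if the packet crosses from a
    'nat inside' interface to a 'nat outside' interface."""
    egress = lookup(routes, dst)
    crosses = NAT_ROLE.get(ingress) == "inside" and NAT_ROLE.get(egress) == "outside"
    if crosses and dst in OUTSIDE_STATIC:
        return egress, OUTSIDE_STATIC[dst], True
    return egress, dst, False


def demo():
    # Without the host route the destination matches the connected inside
    # subnet, so the packet never reaches the outside interface.
    before = forward(CONNECTED, "Vlan2", "192.168.0.18")
    # ip route 192.168.0.18 255.255.255.255 vlan 1
    with_host_route = CONNECTED + [("192.168.0.18/32", "Vlan1")]
    after = forward(with_host_route, "Vlan2", "192.168.0.18")
    return before, after


if __name__ == "__main__":
    for label, result in zip(("without host route", "with host route"), demo()):
        print(label, result)
```

Each result is (egress interface, destination after NAT, translated?); the first case corresponds to the debug output where the router answers the ping itself and no NAT entry is used.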
