Cisco Support Community
New Member

Nat for backdoor

Hi all,

I'm trying to set up a backdoor to access a PDU when the first link is down.

I am sure it is possible to do it with NAT, but I can't configure it.

In the attachment there is a drawing of my scenario. Access through Router A is possible without problems via static NAT.

My problem starts when I try to access via HTTP through Router B (2.2.2.2). The MasterSW sends packets to its default gateway, so the connection can't work.

I need NAT to translate my IP (3.3.3.3) into the LAN IP of Router B (192.168.120.2); then MasterSW will see the connection from source IP 192.168.120.2.

Is this possible? Can somebody give me a clue for the config?

Thanks in advance.


5 REPLIES
Hall of Fame Super Blue

Re: Nat for backdoor

David

router B

! LAN interface
int fa0/0
 ip nat outside
! WAN interface
int fa0/1
 ip nat inside
access-list 101 permit ip host 3.3.3.3 host 192.168.120.30
ip nat inside source list 101 interface fa0/0 overload

Jon

New Member

Re: Nat for backdoor

Thank you for your answer, Jon, but this does not work for me.

The config that you propose requires me to access the IP of MasterSW (192.168.120.30) directly, but I need to access 2.2.2.2 (http://2.2.2.2), and Router B must translate my query to 192.168.120.30:80.

Hall of Fame Super Blue

Re: Nat for backdoor

David

Not what you asked though. Your request was -

"I need NAT to translate my IP (3.3.3.3) into the LAN IP of Router B (192.168.120.2); then MasterSW will see the connection from source IP 192.168.120.2."

and the config supplied does that. However it looks like you also need to access the remote MasterSW on 2.2.2.2.

This complicates the config considerably as there is no way to translate source IP addresses coming in from the outside without a NAT pool (unlike the PIX/ASA devices).

So you need at least 2 spare addresses from the 192.168.120.x subnet. Let's assume you can use 192.168.120.4 -> 5.

On router B

===========

! LAN interface (note this has changed from previous config)
int fa0/0
 ip nat inside
! WAN interface (note this has changed from previous config)
int fa0/1
 ip nat outside
! this route is needed for return traffic from MasterSW because of the order of NAT/routing in IOS
ip route 192.168.120.4 255.255.255.252 fa0/1
ip nat pool TPL 192.168.120.4 192.168.120.5 prefix-length 30
ip nat inside source static tcp 192.168.120.30 80 2.2.2.2 80
ip nat outside source list 101 pool TPL
access-list 101 permit tcp host 3.3.3.3 host 2.2.2.2 eq 80

Jon
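The packet walk behind the config in the reply above, as an added Python sketch that is not part of the original thread: it models the two translations and the IOS order of operations (NAT before routing on outside-to-inside, routing before NAT on inside-to-outside) to show why the /30 static route is needed. The /24 LAN mask, the default route via fa0/1, the client source port and the choice of the first pool address are assumptions.

```python
import ipaddress

# Addresses from the thread; the /24 mask and default route are assumptions.
CLIENT, PUBLIC, PDU = "3.3.3.3", "2.2.2.2", "192.168.120.30"
POOL = ["192.168.120.4", "192.168.120.5"]      # ip nat pool TPL
CONNECTED = [("192.168.120.0/24", "fa0/0")]    # LAN, ip nat inside
DEFAULT = [("0.0.0.0/0", "fa0/1")]             # WAN, ip nat outside
POOL_ROUTE = [("192.168.120.4/30", "fa0/1")]   # ip route 192.168.120.4 255.255.255.252 fa0/1


def route(dst, table):
    """Longest-prefix match; returns the egress interface."""
    hits = [(ipaddress.ip_network(p), i) for p, i in table
            if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def inbound(pkt, xlate):
    """Outside -> inside: NAT runs first, then routing."""
    src, sport, dst, dport = pkt
    if (src, dst, dport) == (CLIENT, PUBLIC, 80):   # access-list 101
        xlate.setdefault(src, POOL[0])              # simplified pool allocation
    src = xlate.get(src, src)                       # ip nat outside source list 101 pool TPL
    if (dst, dport) == (PUBLIC, 80):                # ip nat inside source static tcp ...
        dst = PDU
    return (src, sport, dst, dport)


def outbound(pkt, xlate, table):
    """Inside -> outside: routing runs first; NAT only if egress is fa0/1."""
    src, sport, dst, dport = pkt
    egress = route(dst, table)
    if egress != "fa0/1":
        return egress, pkt                          # stays on the LAN, not translated back
    if (src, sport) == (PDU, 80):
        src = PUBLIC
    reverse = {local: glob for glob, local in xlate.items()}
    return egress, (src, sport, reverse.get(dst, dst), dport)


def round_trip(with_pool_route):
    """Returns (packet as MasterSW sees it, (egress interface, reply packet))."""
    table = CONNECTED + DEFAULT + (POOL_ROUTE if with_pool_route else [])
    xlate = {}
    seen = inbound((CLIENT, 40000, PUBLIC, 80), xlate)
    s, sp, d, dp = seen
    return seen, outbound((d, dp, s, sp), xlate, table)
```

With the /30 route the reply leaves fa0/1 as 2.2.2.2:80 to 3.3.3.3; without it the connected /24 wins, the reply is sent back out fa0/0 and is never translated.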

New Member

Re: Nat for backdoor

Sorry for the inconvenience, Jon. My English is not as good as I would like :)

This config works perfectly. Thank you for your help.

Hall of Fame Super Blue

Re: Nat for backdoor

David

No problem, glad to have helped.

PS - your English seems fine to me!

Jon
