NAT one-to-one-to-only-one

jnarvaez · ‎08-13-2007

Hello,

I'm trying to do the following, but can't find the way.

I have to configure a 1721 with one Serial and two ethernets. Serial0 receive internet trafic AND WAN trafic. One ethernet is connected to "internal" LAN and the other to the "unsecure" LAN.

A resumed configuration:

interface Serial0

ip address 172.30.0.41 255.255.255.252

ip nat outside

interface FastEthernet0

description INSIDE LAN

ip address 10.1.0.1 255.255.0.0

interface Ethernet0

description UNSECURE LAN

ip address 172.20.0.1 255.255.0.0

ip nat inside

interface Loopback0

description IP internet connections

ip nat outside

ip address x.x.x.113 255.255.255.240

interface Loopback1

description IP for GRE-TUNNELS

ip address 172.30.0.25 255.255.255.255

interface Tunnel1,2,3...

(.../...)

ip nat inside source list NAT interface Loopback0 overload

ip nat inside source static tcp 172.20.0.21 25 x.x.x.114 25 extendable

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0

ip access-list standard NAT

permit 172.20.0.0 0.0.255.255

Customer need that:

-When 172.20.0.99 connect to internet host Z.Z.Z.1, this connection have NATed as from x.x.x.117

-When internet host Z.Z.Z.1 (but... only this host) connect to x.x.x.117 (all ports, TCP UDP and ICMP) have a NATed route to host 172.20.0.99

-When host goes to any other internet hosts (as web surfing, for example) not be specifically NATed as x.x.x.117, instead would be NATed as a generic host (NATed as x.x.x.113)

I only find to do some-like-this as:

ip nat inside source static 172.20.0.99 x.x.x.117

But then, ALL internet trafic that goes to x.x.x.117 is NATed to 172.20.0.99, and all traffic from 172.20.0.99 is NATed to x.x.x.117. Where to say that this static NAT translation is only for/from Z.Z.Z.1?

I try to apply access-list to Loopback0 but in loopbacks, access-list dont work.

Is there some workaround to do all this?

Thanks in advance!!

Jon Marshall · ‎08-13-2007

Hi

What you need is policy NAT ie. you NAT from one address to another not just based on the source IP address but also the destination IP address. You can do this with route-maps in your NAT statements.

Attached is a link to white paper on NAT - there are some examples of using route-maps near the end.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml

HTH

Jon

jnarvaez · ‎08-14-2007

Hello Jon,

Thanks for your fast reply, your idea put me on the road again :-)

I've create a new access-list to be NATed in the "general way"

ip access-list extended NEWNAT

deny ip host 172.20.0.99 host Z.Z.Z.1

permit ip 172.20.0.0 0.0.0.255 any

then, change this:

no ip nat inside source list NAT interface Loopback0 overload

ip nat inside source list NEWNAT interface Loopback0 overload

Now ALL the trafic from host 172.20.0.99 goes to be NATed, but the destination Z.Z.Z.1

To do this, as you say:

access-list 188 permit ip host Z.Z.Z.1 host X.X.X.117

access-list 188 permit ip host 172.20.0.99 host Z.Z.Z.1

route-map SPECIALNAT permit 10

match ip address 188

then:

no ip nat inside source static 172.20.0.99 X.X.X.117

ip nat inside source static 172.20.0.99 X.X.X.117 route-map SPECIALNAT extendab

The packets from 172.20.0.99 to Z.Z.Z.1 are NATd as from X.X.X.117

But ALL trafic to X.X.X.117 is statically NATd to 172.20.0.99 :-(

Well...

interface Serial0

ip access-group BADBOYS in

ip access-list extended BADBOYS

permit ip host Z.Z.Z.1 host X.X.X.117

deny ip any host X.X.X.117

(.../...)

Thanks for your guide,

Jose