Outside --> Inside NAT question

John Blakley
VIP Alumni

All,

I have 3 public subnets. I have a situation that is going to require me to NAT 2 public subnets, and not NAT 1.

Of these 2 that will need to be natted, I need to statically NAT a complete subnet to inside addresses.

Int fa0/0

ip address 1.1.1.1 255.255.255.0

ip address 2.2.2.1 255.255.255.0 sec

ip address 3.3.3.1 255.255.255.0 sec

I've NEVER set up complete pools to be translated before, but I've done one-to-one before. The interesting thing with this is that this router will have a public address on the inside interface because it connects to a public facing switch. It has to NAT to the 1.1.1.0 subnet if it's coming from 2.2.2.0 or 3.3.3.0 because the router only knows of the 1.1.1.0 subnet on its inside interface.

What lines do I need to get this to work? Do I need a NAT pool, or do those only affect outbound traffic?

Would:

ip nat outside source static 3.3.3.5 1.1.1.5

ip nat outside source static 2.2.2.6 1.1.1.6

work?

Thanks!

John

HTH, John *** Please rate all useful posts ***

Jon Marshall
Hall of Fame

John

NAT is bi-directional so

ip nat inside source static 1.1.1.5 3.3.3.5

would mean that traffic coming from 3.3.3.5 inbound would translate to 1.1.1.5 and traffic going out from 1.1.1.5 would translate to 3.3.3.5.

Jon

So, I wouldn't need to create a pool for the subnets that I own for this to work? This is part of what we were talking about yesterday.

In the statement:

ip nat outside source static 3.3.3.5 1.1.1.5

isn't the first host the source, and the second the destination really?

John


ip nat outside ... is used when you want to present an outside address as an inside address. Inside/outside in this context are purely to do with which interfaces you designate as inside/outside.

But that's not really what you are trying to do. You just want to make sure that inside addresses of 1.1.1.x are translated to addresses of 3.3.3.x.

What we do need to sort out is you keep mentioning pools but the examples you are giving are one-to-one mappings.

Jon

We have 3 public blocks of IPs from 3 different ISPs. I need to provide a way for people from outside to get to our web servers, mail servers, etc.

The addresses that are on the public interface are routable addresses. The reason that I keep going back to "ip nat outside" is because I'd be expecting traffic coming from the public interface in.

I have one to one mappings because I looked in the fatpipe today, and I noticed that we're doing one-to-one from the other two subnets to the "private" subnet. (It's not a private IP, just on the inside interface.)

So, all translations need to be done from 2.2.2.0 and 3.3.3.0 to a public address on the 1.1.1.0 subnet.

Thanks Jon!

John


John

I admit NAT is a bit confusing in terms of inside/outside. If you have the time some day we can go through it in detail. But suffice to say if you want to present an internal address to the outside then "ip nat inside source static" is the way to go.

Jon
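
As an added example (not part of any post in this thread, and not Cisco code), the Python model below shows both directions of a static inside-source mapping such as `ip nat inside source static 1.1.1.5 3.3.3.5`, and generalizes it to a whole /24 mapped host-for-host, which is what the original question asks about. The class and method names and the outside client address 198.51.100.7 are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str

class StaticNat:
    """Toy model of static inside-source NAT entries (illustrative, not router code)."""
    def __init__(self):
        self.rules = []  # list of (inside-local network, inside-global network)

    def add(self, local, global_):
        l, g = ipaddress.ip_network(local), ipaddress.ip_network(global_)
        if l.prefixlen != g.prefixlen:
            raise ValueError("a static mapping needs equally sized ranges")
        self.rules.append((l, g))

    @staticmethod
    def _remap(addr, frm, to):
        ip = ipaddress.ip_address(addr)
        if ip not in frm:
            return None
        # Keep the host bits, swap the network bits.
        return str(to.network_address + (int(ip) - int(frm.network_address)))

    def inside_to_outside(self, pkt):
        # Leaving the inside: the SOURCE is rewritten local -> global.
        for local, glob in self.rules:
            new_src = self._remap(pkt.src, local, glob)
            if new_src:
                return Packet(new_src, pkt.dst)
        return pkt  # no entry matched: forwarded untranslated

    def outside_to_inside(self, pkt):
        # Arriving from outside: the DESTINATION is rewritten global -> local.
        for local, glob in self.rules:
            new_dst = self._remap(pkt.dst, glob, local)
            if new_dst:
                return Packet(pkt.src, new_dst)
        return pkt  # no entry matched: forwarded untranslated

CLIENT = "198.51.100.7"  # constructed outside client (documentation range)

host_nat = StaticNat()   # the one-to-one entry from the thread
host_nat.add("1.1.1.5/32", "3.3.3.5/32")
net_nat = StaticNat()    # a whole subnet mapped host-for-host, no pool involved
net_nat.add("1.1.1.0/24", "2.2.2.0/24")

if __name__ == "__main__":
    print(host_nat.outside_to_inside(Packet(CLIENT, "3.3.3.5")))
    print(net_nat.inside_to_outside(Packet("1.1.1.200", CLIENT)))
```

A whole-network mapping makes every host address in the inside range reachable through its outside counterpart, so an inbound ACL still has to limit which hosts and ports are exposed.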
