cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
571
Views
0
Helpful
5
Replies

Outside -> Inside Source NAT?

mrgadgetnz
Level 1
Level 1

Hi,

I have a situation where I wish to have an inbound connection from the internet (say a web server). Normally I'd just use something like "ip nat inside source static etc etc" and that would work great.

The difference is in this case the server that it's communicating with has it's default gateway pointing to a different internet router, so I want to NAT the source address that the internet connections appear to be coming from so the webserver sees the router's LAN address as the source for all internet-based connections.

I've been looking at "ip nat outside source static etc" but can't get that to work.

Any ideas would be greatly appreciated!

Cheers,

Ben.

5 Replies 5

paolo bevilacqua
Hall of Fame
Hall of Fame

Hi,

I'm not sure to have understood correctly, but what you want cannot be done.

If the router was to send requests from the outside to the server using the "different internet router" source address, that would generate a duplicate address and wouldn't work.

So what problem are you trying to solve ?

Rupesh Kashyap
Level 1
Level 1

I got your point. You mean Web server is connected for Router A and you are configuring NAT on Router B. Please brief me your exact routing. How both routers are connected and who is publishing internet.

You will use a NAT INSIDE statement to do this because you want to modify the address of a device behind the inside interface. The OUTSIDE statement is only used to change the remote address.

It does not really matter which address you choose to use. The address does not even have to be on a interface on the router. The most important part is to ensure that the traffic from outside devices return the traffic to a outside interface.

In the most simple case this work. For example say my inside address is 10.10.10.1 and my outside address is 192.168.10.1. As long as the remote device know to send the 10.10.10.1 network to 192.168.10.1 you can use either of these addresses.

Now in you case I am guessing that the 10.10.10.1 network would actually return via x.x.x.x. You in effect are running asynchronous routing which nat very much does not like.

The very nasty way to fix this type problem is to run what is called nat on a stick.

So your outbound traffic would go out router 1 and get assigned the LAN address of router 1 as the nat source for all packet to remote location. Your traffic comes back via router 2 who know where this address is since to him it is just router 1. When it gets to router 1 he will get all confused since this traffic is not really for a session the router itself used and he will drop it. Since this is the inside interface he does not know to look it up in the nat table before he attempt to process the packet.

The trick it to convert the inside interface to a outside interface. The way this is done is to match traffic that needs to be natted and policy route it to a loopback interface that is defined as a nat outside. This in effect tricks the router into think that the packet came into the router from a loopback. Since this is a outside interface it will run the nat> He does not really care if there are more than one outside interface it does the same translation.

If you look up NAT on a Stick you will find examples similar to yours but not exactly. The key is you are using policy routing which is run before NAT on a inside interface to make it appear to be a outside interface.

mrgadgetnz
Level 1
Level 1

I'm not sure I explained this well enough, sorry guys. I have now drawn a quick visio and attached it.

Ignore the first internet router (Router A), I've not drawn it, what I'm trying to achieve is in the red box on my drawing - essentially all packets hitting the webserver I want to have the inside interface IP of Router B - this way the return packets will go to back to Router B (and undergo NAT translation to go back to the correct internet address) rather than getting routed by the default gateway on the web server to Router A.

Another way to look at the solution is everything appearing in the webserver log would be the inside interface of Router B. The webserver wouldn't see any internet IP addresses. This is easy to achieve with ISA, but I'm having some trouble with Cisco IOS (877)!

Have I made myself any clearer this time? I hope so :)

Cheers again,

Ben.

Maybe a little better since it is the sever that has the problem and not a network so somewhat simpler to solve.

The outbound traffic is no issue since that is normal nat of the inside machines. Your requirement to nat the outside machine addresses also is where it get hard. IN the simple case this is just normal IP NAT OUTSIDE command. The main issue you have is that you want it to map to a single inside address. This would only work if there was a single otuside machine. Unfortuantly the outside nat does not support PAT its only 1-1 unless you do it all static.

So I will suggest something and if that wont work then we can do down the road of policy routing and nat on a stick to solve it.

The way you can make it work is if the outside nat statement has a pool of address to choose from. This will allow him to map multiple machines 1-1 at the same time. Your pool size and timeout value will determine how many machines can be active at the same time.

So to make this work first you would makeup some address range that nobody in your network is using. Lets use 10.123.123.0/24

You on the PC put in a static route for this block pointing to 10.1.1.1. So the traffic now gets to the router but since this is a inside interface he does routing before nat. You must put in a route for 10.123.123.0/24 to 202.3.2.x so that the traffic will be send to the correct interface.

Because this is a outside interface nat will do the inside to outside process and translate both the inside and outside local address to global address. In this case it would use your normal nat to change the source to 202.3.2.1 and the 10.123.123.x to whatever the real address was placed in the nat table when the traffic entered.

Hopefully I correctly understood this time

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco