New Member

Overlapping 192.16.x.x subnets

Hello

I acquired a company comprising of 5 sites. I am phasing these onto my AVPN network which currently consists of 12 sites.

The phasing aspect is being done by denying their subnets from my current routers and vice versa.

The new sites have re-ip addressed their LAN subnets. However,

- These new sites are using a specific subnet, say 192.168.101.x, for their VoIP system.

- I am already using that same subnet for my data center.

The same subnet range plays an important role for each company.

I am using Cisco 29xx and 39xx routers for ALL sites with "universalk9-mz.SPA.152-4.M3.bin"

It seems I should be able to create a pool on the (5) new site routers that NAT that subnet, 192.168.101.x to some other subnet range. I could then allow that subnet to be routed only amongst the new sites until their new VoIP system is in place. I could deny that natted subnet from my current AVPN routers.

The plan seems simple enough.

Can this be done?

If so, please provide configuration examples to help me implement this.

sMc
New Member

Overlapping 192.16.x.x subnets

Please review and advise on syntax

ip nat pool "name" 192.168.226.0 192.168.226.254 netmask 255.255.255.0
ip nat inside source list 226 pool "name"
access-list 226 permit 192.168.101.0 0.0.0.255

sMc
New Member

Overlapping 192.16.x.x subnets

Hi Steve,

I assume that you want to create a 1-to-1 NAT with the servers in your data centre. That is, you want to translate 192.168.101.10 --> 192.168.226.10. So that users can connect to 192.168.226.10 and access the services.

If so, then you need to use static NAT. Use this instead.

ip nat inside source static network 192.168.101.0 192.168.226.0 /24 no-alias

Sachin

New Member

Overlapping 192.16.x.x subnets

sganpat

Thank you for the reply.

I am unsure what command to put on interface.

Should the inside LAN interface have "ip nat inside" configured on it?

sMc
New Member

Overlapping 192.16.x.x subnets

Yes. Your LAN interface or translation source should have "ip nat inside" and your WAN interface or translation destination should have "ip nat outside".

So

!
interface fastEthernet0/0
 description LAN
 ip address
 ip nat inside
!
interface fastEthernet0/1
 description WAN
 ip address
 ip nat outside
!
ip nat inside source static network 192.168.101.0 192.168.226.0 /24 no-alias
!

Hope this helps.

Sachin

New Member

Overlapping 192.16.x.x subnets

The no-alias command prevents the router from responding to arp requests (aka proxy arp). This is not required in this case as the subnet is not attached to an existing network (at least I assume it's not).

"ip nat inside source static network 192.168.101.0 192.168.226.0 /24 no-alias" replaces all of your NAT commands. You are not creating a pool, you are creating static 1-to-1 NAT.

Sachin

New Member

Overlapping 192.16.x.x subnets

Sachin

Awesome!! Thank you

sMc
New Member

Overlapping 192.16.x.x subnets

Sachin

What is the benefit of using the "no-alias" command?

sMc
New Member

Overlapping 192.16.x.x subnets

Sachin

Please forgive me for my "slowness to understand"

This command " ip nat inside source static network 192.168.101.0 192.168.226.0 /24 no-alias" replaces which command from my original post?

     ip nat pool "name" 192.168.226.0 192.168.226.254 netmask 255.255.255.0

     ip nat inside source list 226 pool "name"

sMc
New Member

Overlapping 192.16.x.x subnets

Sachin

Will I still need the "access-list 226 permit 192.168.226.0 0.0.0.255"?

sMc
New Member

Overlapping 192.16.x.x subnets

Also

Will I need to advertise the 192.168.226.x out to my other sites using BGP?

This way my other site can continue to advertise its .101

sMc
New Member

Overlapping 192.16.x.x subnets

Hmmm. Honestly, I don't have an answer for that. I've never tried NAT and routing protocols before.

Since this is temporary, can you use static routes instead?

Sachin

New Member

Overlapping 192.16.x.x subnets

Sachin

That confuses me a little.

A summary of network, (mostly to organize this in my own head)

-My network is on an AVPN cloud

-I have 5 new sites that need to continue to communicate to each other on this subnet for their VoIP.

-I am or will need to advertise this subnet from my VoIP Call Manager site to the other 4 sites on my AVPN cloud.

So would the static look like

     ip route 192.168.226.0 255.255.255.0 (LAN interface ip)

     router bgp x
      redistribute static

sMc
New Member

Overlapping 192.16.x.x subnets

Ok. So at one of your newly acquired sites, they are using the same subnet as your data centre. You want to translate that one subnet to something else (192.168.226.0/24 in this case) and send it for the other sites. Am I correct?

Why can't you just change the subnet? Because that may be the less complicated option.

I was suggesting that you put a static route on each of the other four routers rather than advertising it over BGP, unless there is a reason for doing that. Because you are denying access from your existing sites to that subnet.

Sachin

New Member

Overlapping 192.16.x.x subnets

Sachin

1). Yes to your first paragraph

2). The VoIP vendor advised the new sites not to change the subnet. Although this would be the best solution.

The new AVPN site where the VoIP Call manager is located has a WAN ip address of 172.16.240.1 (example)

So my static on the other (4) sites (241.1, 242.1 etc..) would be "ip route 192.168.226.0 255.255.255.0 172.16.240.1"

sMc
New Member

Overlapping 192.16.x.x subnets

Yes. That static is correct.

But since this is a VoIP network, you might have some problems because voice traffic, whether it's H.323 or SIP, embeds the IP within the payload, and that does not get translated. Calls will go through, but you will not hear anything.

Sachin

New Member

Overlapping 192.16.x.x subnets

Sachin

"Calls will go through, but you will not hear anything" = not good.

If it is embedded in payload and payload gets transmitted, why won't this work?

What options do I have?

This has to work?

sMc
New Member

Overlapping 192.16.x.x subnets

Sachin

Per a document with a title of Voice and Multimedia over IP networks

"The NAT Support for SIP feature allows SIP embedded messages passing through a router configured with NAT to be translated and encoded back to the packet"

So it looks like I need to use an Application-level gateway

sMc
New Member

Overlapping 192.16.x.x subnets

I am using the following IOS

universalk9-mz.SPA.152-4.M3.bin

Per the Cisco Feature navigator this version has support for NAT - Support for SIP IP, IP addressing and Application services

This version also has support for NAT-PT: support for DNS ALG and FTP ALG

Do you have any knowledge of an IOS version required to support what I am trying to accomplish?

sMc
New Member

Re: Overlapping 192.16.x.x subnets

I have no experience with ALG but you can try it. Your IOS version should already support it.

ip nat service sip udp port 5060

ip nat service sip tcp port 5060

Sachin

New Member

Overlapping 192.16.x.x subnets

Sachin

This conversation has been very helpful. Thank you for the input.

One question that lingers for me is what to do and/or how to verify, prior to production implementation, that your prior statement of "But since this is a VoIP network, you might have some problems because voice traffic, whether it's H.323 or SIP, embeds the IP within the payload, and that does not get translated. Calls will go through, but you will not hear anything." is not what will happen?!?

sMc
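Added example (not part of the original thread and not Cisco code): one way to check this in a lab before production is to capture SIP on the WAN side of the NAT router and look for addresses from 192.168.101.0/24 that survived inside the message. The script applies the thread's 1-to-1 mapping (192.168.101.x to 192.168.226.x) and flags every SIP header or SDP line that still carries an inside address. The sample INVITE, the extensions, the 172.16.241.50 peer and all function names are constructed for illustration; rewrite_payload is only a simplified stand-in for an ALG, not IOS behaviour.

```python
import ipaddress
import re

# Mapping taken from the thread's static network NAT statement:
#   ip nat inside source static network 192.168.101.0 192.168.226.0 /24 no-alias
INSIDE = ipaddress.ip_network("192.168.101.0/24")
OUTSIDE = ipaddress.ip_network("192.168.226.0/24")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample: an INVITE as seen on the WAN side when only the IP header
# was translated. Extensions and the 172.16.241.50 peer are made up.
SAMPLE_INVITE = """\
INVITE sip:2001@172.16.241.50 SIP/2.0
Via: SIP/2.0/UDP 192.168.101.10:5060;branch=z9hG4bK776asdhds
From: <sip:1001@192.168.101.10>;tag=1928301774
Contact: <sip:1001@192.168.101.10:5060>
Content-Type: application/sdp

v=0
o=- 2890844526 2890844526 IN IP4 192.168.101.10
c=IN IP4 192.168.101.10
m=audio 16384 RTP/AVP 0
"""

def translate(addr):
    """1-to-1 network NAT: swap the /24 prefix, keep the host part."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr  # looked like an address but is not one
    if ip not in INSIDE:
        return addr
    return str(OUTSIDE.network_address + (int(ip) - int(INSIDE.network_address)))

def untranslated_fields(message):
    """List (field, address) pairs that still carry an inside address."""
    findings = []
    for line in message.splitlines():
        m = re.match(r"([a-z]=)|([A-Za-z-]+)\s*:", line)
        field = (m.group(1) or m.group(2)) if m else "start-line"
        for addr in IPV4_RE.findall(line):
            if translate(addr) != addr:
                findings.append((field, addr))
    return findings

def rewrite_payload(message):
    """Simplified stand-in for what a SIP ALG does to embedded addresses."""
    return IPV4_RE.sub(lambda m: translate(m.group()), message)
```

Run untranslated_fields over messages captured before and after enabling "ip nat service sip"; an inside address left on the SDP c= line means the far end will send its audio to an address it cannot reach.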
New Member

Overlapping 192.16.x.x subnets

No, you won't need the access-list.

Sachin
