steven_alilovic
asked on
Selective IP NATTing from External Interface to Internal Interface
I have our own internal network running the 10.x.x.x 255.x.x.x range of addresses (split into various subnets), and a client of mine also has the same issue. The problem is all the server addresses are mapped statically. Can I do conditional NATting on the external interface? I would like to NAT all external addresses being sent to anywhere from the client network, except to one particular C class range 10.1.2.0/24 running on our own network.
NETWORK 1 (OWN)                                   NETWORK 2 (CLIENT)
(NAT)   INSIDE            OUTSIDE                 OUTSIDE              INSIDE
10.x.x.x/8 ------------------192.168.x.x/24|--- ---------- ----|192.168.x.x/24-------------------10.x.x.x/8
        INTERNAL INT      EXTERNAL INT|           |EXTERNAL INT         INTERNAL INT
I should state this is the router config on the client side.
ROUTER CONFIG :
interface Ethernet0
ip address 192.168.x.x 255.255.255.252
no ip proxy-arp
ip nat inside
no ip route-cache
no ip mroute-cache
full-duplex
crypto map clientmap
!
interface FastEthernet0
ip address 10.255.x.x 255.255.255.252
no ip proxy-arp
ip nat outside
no ip route-cache
no ip mroute-cache
ip nat outside source static 10.254.1.1 172.16.0.1
ip nat outside source static 10.254.1.3 172.16.0.2 (There are about 50 static mappings like this)
The router is a 1710 running IOS Image c1710-k9o3sy-mz.122-13.T9.bin
Any help would be great. Let me know if you need more information.
Would give more points but 500 seems to be the most I can give.
What steven_alilovic wants is feasible: just enable port-based NAT, let those internal computers at each side see the other side's external IP address, then access the other side's internal computers via different ports after static port/address mappings are established. Hope it helps, bbao
ASKER
Sorry, I should have added that the outside NAT (so, from the remote network coming in) must remain static. We are using monitoring software, so if we use a pool of addresses for the outside NAT, the machines being monitored will come back on different addresses all the time, which causes problems with the monitoring software.
I read somewhere, can't remember where, can you do a static mapping of addresses one to one, so say
10.0.0.0/24 ----> 172.168.0.0/24 so that if the IP is 10.0.0.1 external it would be mapped to 172.16.0.1/24 internal.
Not sure if it is what you need:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ftnatrt.htm
IMO, in the scenario you described above, your external interface should be multihomed, else the outside cannot access it one to one. Is it good to bind a lot of addresses on one interface?
> I read somewhere, can't remember where, can you do a static mapping of addresses one to one, so say
> 10.0.0.0/24 ----> 172.168.0.0/24 so that if the IP is 10.0.0.1 external it would be mapped to 172.16.0.1/24 internal.
That's what the ip nat outside source static 10.254.1.3 172.16.0.2 statements are doing; you're looking for a simpler expression?
steven_alilovic, any feedback please?
ASKER
Thanks for all your help. This issue has been resolved.
What conditions are you trying to accommodate?
>I would like to nat all external addresses being sent to anywhere from the client network,
> except to one particular C class range 10.1.2.0/24 running on our own network.
Sounds more like you need a tunnel with filters.
You're showing private IP on the link, is this point to point?
If you're trying to give the client unfettered access to some subnets, you can tunnel them in with an access list.
If you're NATting to avoid network numbering overlap, I'm afraid you're stuck with your static maps.
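The policy this thread circles around, modelled as an added Python example that is not part of the thread and not IOS configuration: per-host static maps that stay stable for the monitoring software, the network-to-network one-to-one shorthand the asker wondered about (generalised here to any equal-sized pair of networks), and the 10.1.2.0/24 destination exemption from the question. The 10.254.2.0/24 to 172.16.2.0/24 pair and all function names are assumptions.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Per-host static maps, mirroring the thread's
# "ip nat outside source static 10.254.1.1 172.16.0.1" style entries.
STATIC_MAPS: Dict[IPv4Address, IPv4Address] = {
    IPv4Address("10.254.1.1"): IPv4Address("172.16.0.1"),
    IPv4Address("10.254.1.3"): IPv4Address("172.16.0.2"),
}
# Hypothetical whole-network map (host part preserved), the shorthand
# the asker wondered about; this pair is a constructed sample.
NETWORK_MAPS: List[Tuple[IPv4Network, IPv4Network]] = [
    (IPv4Network("10.254.2.0/24"), IPv4Network("172.16.2.0/24")),
]
# Destination range that must never be translated (from the question).
EXEMPT_DST: List[IPv4Network] = [IPv4Network("10.1.2.0/24")]


def check_maps() -> None:
    """Reject maps where two real hosts would share one translated address."""
    if len(set(STATIC_MAPS.values())) != len(STATIC_MAPS):
        raise ValueError("two static maps share a translated address")
    for real, xlat in NETWORK_MAPS:
        if real.prefixlen != xlat.prefixlen:
            raise ValueError(f"{real} and {xlat} differ in size")


def translate(src: str, dst: str) -> str:
    """Source address seen on the far side of the router for a src->dst packet."""
    s, d = IPv4Address(src), IPv4Address(dst)
    if any(d in net for net in EXEMPT_DST):
        return str(s)                      # bypass NAT toward the exempt /24
    if s in STATIC_MAPS:
        return str(STATIC_MAPS[s])         # fixed 1:1 map, stable for monitoring
    for real, xlat in NETWORK_MAPS:
        if s in real:                      # same host offset inside the new /24
            return str(xlat[int(s) - int(real.network_address)])
    return str(s)                          # unmapped: passes through unchanged


def untranslate(xlat_src: str) -> Optional[str]:
    """Reverse lookup for return traffic; None if nothing maps to this address."""
    x = IPv4Address(xlat_src)
    for real, mapped in STATIC_MAPS.items():
        if mapped == x:
            return str(real)
    for real, net in NETWORK_MAPS:
        if x in net:
            return str(real[int(x) - int(net.network_address)])
    return None
```

Because every map is deterministic in both directions, a monitored host always appears under the same translated address, which is the property the asker needed a dynamic pool could not give.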