Solved

Selective IP NATTing from External Interface to Internal Interface

Posted on 2003-12-04
Last Modified: 2010-03-19
I have our own internal network running the 10.x.x.x 255.x.x.x range of addresses (split into various subnets), and a client of mine also has the same issue. The problem is that all the server addresses are mapped statically. Can I do conditional NATting on the external interface? I would like to NAT all external addresses being sent to anywhere from the client network, except to one particular C class range, 10.1.2.0/24, running on our own network.

                   
        NETWORK 1 (OWN)                                                                NETWORK 2 (CLIENT)
(NAT) INSIDE                           OUTSIDE                           OUTSIDE                         INSIDE
10.x.x.x/8 ------------------192.168.x.x/24|-----------------|192.168.x.x/24------------------10.x.x.x/8
INTERNAL INT                EXTERNAL INT|                    |EXTERNAL INT                  INTERNAL INT


I should state this is the router config on the client side.
ROUTER CONFIG :
interface Ethernet0
 ip address 192.168.x.x 255.255.255.252
 no ip proxy-arp
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 full-duplex
 crypto map clientmap
!
interface FastEthernet0
 ip address 10.255.x.x 255.255.255.252
 no ip proxy-arp
 ip nat outside
 no ip route-cache
 no ip mroute-cache

ip nat outside source static 10.254.1.1 172.16.0.1
ip nat outside source static 10.254.1.3 172.16.0.2
(There are about 50 static mappings like this.)

The router is a 1710 running IOS Image c1710-k9o3sy-mz.122-13.T9.bin

Any help would be great. Let me know if you need more information.
Would give more points but 500 seems to be the most I can give.
Question by:steven_alilovic
8 Comments
 
LVL 18

Expert Comment

by:chicagoan
ID: 9880250
>Can I do conditional NATting on the external interface?
What conditions are you trying to accommodate?

>I would like to NAT all external addresses being sent to anywhere from the client network,
> except to one particular C class range, 10.1.2.0/24, running on our own network.
Sounds more like you need a tunnel with filters.
You're showing private IP on the link; is this point to point?
If you're trying to give the client unfettered access to some subnets, you can tunnel them in with an access list.
If you're NATting to avoid network numbering overlap, I'm afraid you're stuck with your static maps.
0
 
LVL 7

Accepted Solution

by:
NicBrey earned 500 total points
ID: 9880977
You can do overlapping networks with dynamic NAT.
Config is more tricky, but works well.

You have to define an outside pool and an inside pool.
In your case it will look something like this:


ip nat pool outsidepool 172.16.0.1 172.16.0.100 netmask 255.255.255.0
! defines the outside address pool (100 addresses)
ip nat pool insidepool 10.254.1.1 10.254.1.254 netmask 255.255.255.0
! defines the inside address pool
! (end address reconstructed; the posted line read "10.254.1.1 10.254..2 10.1.1.254", which is not valid pool syntax)
ip nat outside source list 1 pool outsidepool
! NAT statement for incoming traffic
ip nat inside source list 2 pool insidepool
! NAT statement for outgoing traffic (the pool name must be a single token; the post had "pool inside pool")

access-list 1 permit 10.0.0.0 0.255.255.255
! access list defining the overlapping network without restrictions
! (wildcard corrected from 0.0.0.255, which matches only 10.0.0.0/24, to cover the 10.0.0.0/8 in the question)

access-list 2 deny 10.1.2.0 0.0.0.255
access-list 2 permit 10.0.0.0 0.255.255.255
! access list defining the overlapping network with restrictions:
! 10.1.2.0/24 is exempt from translation, the rest of 10.0.0.0/8 is translated


What I will suggest is that you use separate access lists for defining your own network and the customer network. That will give you the flexibility of denying some subnets with the access lists like I showed above.

access-list 2 deny 10.225.0.0 0.0.255.255
access-list 2 permit 10.0.0.0 0.255.255.255
! (wildcard on the permit line corrected from 0.0.0.255 as above)



Here is a link with more details
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f30.shtml

0
 
LVL 37

Expert Comment

by:bbao
ID: 9883892
What steven_alilovic wants is feasible: just enable port-based NAT, let the internal computers on each side see the other side's external IP address, then access the other side's internal computers via different ports once static port/address mappings are established. Hope it helps, bbao
0
 
LVL 2

Author Comment

by:steven_alilovic
ID: 9890979
Sorry, I should have added that the outside NAT, i.e. traffic from the remote network coming in, must remain static. We are using monitoring software, so if we use a pool of addresses for the outside NAT, the machines being monitored will come back on different addresses all the time, which causes problems with the monitoring software.

I read somewhere (can't remember where) that you can do a static mapping of addresses one to one, so say
10.0.0.0/24  ----> 172.16.0.0/24, so that if the IP is 10.0.0.1 external it would be mapped to 172.16.0.1/24 internal.

0
 
LVL 37

Expert Comment

by:bbao
ID: 9892024
Not sure if it is what you need:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ftnatrt.htm

IMO, in the scenario you described above, your external interface should be multihomed, else the outside cannot access it one to one. Is it good to bind a lot of addresses on one interface?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9892510
>I read somewhere (can't remember where) that you can do a static mapping of addresses one to one, so say
>10.0.0.0/24  ----> 172.16.0.0/24, so that if the IP is 10.0.0.1 external it would be mapped to 172.16.0.1/24 internal.

That's what the ip nat outside source static 10.254.1.3 172.16.0.2 statements are doing; you're looking for a simpler expression?
0
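As an added, constructed example (not code from this thread, and not Cisco code), the Python below simulates the two translation behaviours the thread contrasts: NicBrey's dynamic pool gated by an access list with the 10.1.2.0/24 exemption, and the one-to-one, host-bit-preserving static mapping that steven_alilovic asks about and that chicagoan says the existing per-host statics already provide. The access list, pool range, host addresses and the class/function names are assumptions for illustration only. It shows the point behind the monitoring complaint: once a dynamic translation expires, the same host can come back on a different pool address, whereas a prefix mapping always gives the same result, and a pool that is smaller than the number of hosts simply runs out.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask semantics: 0 bits must match, 1 bits are don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & MASK32
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def acl_permits(acl, addr):
    """Evaluate a standard ACL given as ordered (action, network, wildcard) entries.
    First matching entry wins; no match means the implicit deny at the end."""
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action == "permit"
    return False


# Constructed ACL mirroring the accepted answer's access-list 2:
# exempt 10.1.2.0/24 from translation, translate the rest of 10.0.0.0/8.
ACL_2 = [
    ("deny", "10.1.2.0", "0.0.0.255"),
    ("permit", "10.0.0.0", "0.255.255.255"),
]


class DynamicPoolNat:
    """Model of 'ip nat ... source list <acl> pool <pool>': a host gets the first free
    pool address when first seen, and the binding is forgotten when it times out."""

    def __init__(self, pool_start, pool_end, acl):
        start = int(ipaddress.IPv4Address(pool_start))
        end = int(ipaddress.IPv4Address(pool_end))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)]
        self.acl = acl
        self.table = {}  # local address -> pool address currently assigned

    def translate(self, local):
        """Return (address the other side sees, translated?). Exempt hosts pass untouched."""
        if not acl_permits(self.acl, local):
            return local, False
        if local in self.table:
            return self.table[local], True
        in_use = set(self.table.values())
        for candidate in self.pool:
            if candidate not in in_use:
                self.table[local] = candidate
                return candidate, True
        raise RuntimeError("NAT pool exhausted: %d addresses for %d hosts"
                           % (len(self.pool), len(self.table) + 1))

    def expire_all(self):
        """Simulate translation timeout (or 'clear ip nat translation *')."""
        self.table.clear()


def static_network_translate(addr, local_net, global_net):
    """One-to-one prefix translation: keep the host bits, swap the network bits,
    e.g. 10.254.1.3 in 10.254.1.0/24 -> 172.16.0.3 in 172.16.0.0/24.
    Addresses outside local_net are returned unchanged."""
    local = ipaddress.ip_network(local_net)
    glob = ipaddress.ip_network(global_net)
    if local.prefixlen != glob.prefixlen:
        raise ValueError("local and global networks must have the same prefix length")
    ip = ipaddress.IPv4Address(addr)
    if ip not in local:
        return addr
    host_bits = int(ip) & int(local.hostmask)
    return str(ipaddress.IPv4Address(int(glob.network_address) | host_bits))


if __name__ == "__main__":
    nat = DynamicPoolNat("172.16.0.1", "172.16.0.100", ACL_2)
    print("first sight :", nat.translate("10.5.6.7"), nat.translate("10.5.6.8"))
    print("exempt host :", nat.translate("10.1.2.5"))
    nat.expire_all()
    print("after expiry:", nat.translate("10.5.6.8"))  # same host, different address
    print("static map  :", static_network_translate("10.254.1.3", "10.254.1.0/24", "172.16.0.0/24"))
```

Note that the author's own statics (10.254.1.3 -> 172.16.0.2) do not preserve host bits, so a monitoring host that sees 172.16.0.2 has to consult the mapping table to know which machine that is; a prefix-preserving map makes the last octet the same on both sides. On the router, `show ip nat translations` lists the live bindings either way.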
 
LVL 37

Expert Comment

by:bbao
ID: 10054141
steven_alilovic, any feedback please?
0
 
LVL 2

Author Comment

by:steven_alilovic
ID: 13891278
Thanks for all your help. This issue has been resolved.
0
