manuel2002m

Static NAT Cisco 2811 Part II (NAT on public interfaces)

Hello

I have been trying to set up something on my Cisco 2811.

Basically I need to forward traffic that is coming to me on one of my Public IP addresses to another Public IP address (the last one belonging to a Business partner)

I was experimenting with NAT; it works with private IP addresses (when the hosts and their respective interfaces on the router were on the same subnet).
Please check my last post:
https://www.experts-exchange.com/Hardware/Routers/Q_21980435.html

I did that as a preliminary test; I don't know if NAT will help me with what I'm trying to do now:

Basically one customer will send data to me and I have to forward that to a business partner.
Both, my customer and my business partner have public IPs.
Only one Host on my customer's side and another host on my Business partner's side
The idea is that my customer connects to me and not to my business partner (marketing reasons, tell me about it)
My ISP gave me about 12 IP addresses on a T1; I don’t have control over the T1 router, so nothing can be done there.
I can assign my public IPs to any device on my network.

Anyways, I thought that having my Cisco 2811 with one public IP on each interface would do it, setting up a NAT, receiving traffic on one from my BP and forwarding to my Customer through the other interface.
I tried to do NAT, but looks like the NAT has to be done specifying Hosts that are on the same subnet as the router's interfaces.

I can request another T1 in case my second interface has to be on a different public subnet to do this.

Can anyone give me some tips whether or not this can be done? Using NAT or using anything else.

Thanks so much for the help

MM



8/22/2022 - Mon
rsivanandan

How are you and the others connected wrt the current scenario? Can you draw up a quick diagram here using text symbols? Let me tell you though, I'm not quite sure you can do this using NAT, but we'll see if anything else can be done, because we're talking about all public IPs here....

Cheers,
Rajesh
manuel2002m

ASKER
Ok, let me see if I can explain with words (I have a Visio diagram, but I can not attach files in here).
I still don't know the public IPs from my customer or vendor (I'm not implementing anything yet)
But I have three geographical locations with Public IPs I can use to simulate everything the same way my real implementation will be.

Location A (for now: Customer)
Location B (for now: My Data Center)
Location C (for now: Vendor)

The goal here is that my Customer doesn’t know that the data he's requesting is not on my Data Center but on my Vendor. So he connects to me and I serve as a "HUB" for the connection, relaying the traffic to my vendor.

=============================
On “Location A” I have this public IP available:
IP: 66.237.250.205/28
Gateway: 66.237.250.193
Subnet: 255.255.255.240
=============================
On “Location B” I have these public IP available:
66.237.238.226/28
66.237.238.227/28
Gateway: 66.237.238.225
Subnet: 255.255.225.240

Each of them is already set up on one of my Cisco 2811 interfaces.
=============================
On “Location C” I have this public IP available:
IP: 67.91.36.112/27
Gateway: 67.91.36.97
Subnet: 255.255.255.224
=============================


So, I want to maintain a connection from
66.237.250.205
To:
66.237.238.226
And receive it on:
67.91.36.112

Anything that helps me accomplish that I will use (NAT, routing, etc.)
As I said before, my Cisco 2811 has two public IPs on the interfaces, from the same ISP and same subnet, but I can request another T1 if necessary.
I can request changes to my ISP router (I don’t know what, but I can request changes)

Thanks so much for the help again.

MM
manuel2002m

ASKER
It is obvious, but in my last comment I forgot to say that
Locations A, B, C have different T1's.
They are three different cities (but I handle all of them).
Thanks
harbor235

Why not just receive the data on your system, then initiate the transfer once received? If you have a Linux or any *NIX system this should be trivial. At least that way you will know the data was transferred by the client, and then when you forward the data again you will know that the transfer happened.

This can be done with scripts.  Translating the traffic and then routing the data directly to your end customer will not give you the control of the data.

harbor235 ;}
manuel2002m

ASKER
Well,
I really don't want to have control over the data, I just want to serve as a "hub".
The host on my vendor's side is a server that provides small chunks of data, depending on what is requested.
Basically my customer will send some parameters, my vendor will do calculations with those parameters and return an answer.

Right now I have only one customer for this, but I want to have multiple customers connected to the same vendor.
And instead of connecting all my customers to my vendor with multiple VPNs between them, I want to have one VPN with my vendor and multiple VPNs with my customers. I will deal with my customers so my vendor doesn't have to do that for each of them.

Thanks
MM
rsivanandan

Ahh man, I can't think of anything.... I've been searching route-maps, different types of NATs and all, but I don't have an answer. This situation is pretty unique for the reason that the other 2 IP addresses are not in your control. I don't find a way to translate the 'Destination' address from one to another....

I'll keep thinking and probably somebody with more experience will be joining soon to get this done.

Q though:

1. Can't the customer access the vendor site directly ? Is there a limitation?

Cheers,
Rajesh
manuel2002m

ASKER
The customer can access the vendor; both have public IPs.
The thing is that we are reselling the vendor's services and don't want customers to connect to them directly.
We want our customers and vendor connected to us and the traffic coming here.

Any other suggestion will be of great help. We will be able to acquire/implement any device that does this.

Also, the customer side and vendor side are public addresses, but we could request private addresses, connect them to us using VPN and put both interfaces on the firewall on their same subnets. I'm just thinking loudly here.

Thanks
MM


ASKER CERTIFIED SOLUTION
rsivanandan

manuel2002m

ASKER
That sounds like a good idea.
And since with my vendor there will be just one pipe, the cost will be only one time.
From my customer I will still use public internet right?
I have to check the cost on that.
One more question: can I support multiple customers like this, with just one vendor?
I would say using different TCP ports for their connections, and just one pipe for my vendor.
Thanks so much again

MM
rsivanandan

Yeah, once you have the pipe in place, you can support as many as possible through the T1 bandwidth. All 65K ports are available to ya... :-)

And yeah, you can have all your customers talk to your public ip.

Cheers,
Rajesh
manuel2002m

ASKER
Rajesh
I think I'm going to need a little bit more explanation. Let me see if I understand:
For example:
===================
My vendor:
66.237.250.194/28  (public IP)
===================
Me (outside interface):
66.237.238.226/28 (fastethernet0/0, public IP)
Me (inside interface):
192.168.1.231/24 (fastethernet0/1, private IP)
===================
My customer:
192.168.1.213/24 (private IP)
===================

I guess this is what you are suggesting (of course, having a separate circuit between my customer and me).

I tried that (simulating my customer's side on my internal network; I think it is just the same for the test).
Didn't work.

I guess I must be doing something wrong; I typed this:
===================================
ip nat outside source static 66.237.250.194 192.168.1.231

interface fastethernet0/0
ip nat outside

interface fastethernet0/1
ip nat inside

ip routing
ip route 0.0.0.0 0.0.0.0 66.237.238.225   (I did this so I can ping my external interface from 66.237.250.194)

debug ip nat
debug ip packet
===================================

When I seat on 66.237.250.194 and ping 66.237.238.226 I see the packets like this:
*Sep 13 15:44:03.311: IP: tableid=0, s=66.237.250.194 (FastEthernet0/0), d=66.237.238.226 (FastEthernet0/0), routed via RIB
*Sep 13 15:44:03.311: IP: s=66.237.250.194 (FastEthernet0/0), d=66.237.238.226 (FastEthernet0/0), len 60, rcvd 3

So the source is OK, and the destination, mmm, I don't know; anyway, the NAT counter doesn't increase.

Question: if my customer is on 66.237.250.194, what IP on my side will he connect to?
How does my router know the final destination for the packet?

Sorry to trouble you too much with this.
Thanks


rsivanandan

First of all, NOT a private link between you and your customer, in that case you'll need one each for each customer! What I meant was a private link between you and your vendor. So it will be something like this;

Customer(66.237.250.194)---------(66.237.238.226)You(10.0.0.1)----------P2P------------(10.0.0.2)Vendor--Server
                                          (192.168.1.231)                                            (172.16.1.1)
                                                 |
                                                 |
                                       Your Internal Network

So say you are connected to your Vendor using ip address schema as this 10.0.0.1 (On your side) and 10.0.0.2(On Vendor Side).

Now you need to transfer the traffic coming onto your ip to be translated to 172.16.1.1

So on your router, you add a route so that traffic goes to 172.16.x.x network through your P2P link.

Then on your router, you do this;

ip nat inside source static 172.16.1.1 <The publicIP Customer Will Be hitting>

int <where 10.0.0.1 is assigned>
ip nat inside

int <Your wan interface>
ip nat outside

Hope this is clear.

Cheers,
Rajesh
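As an added illustration (not from the thread, and not Cisco's code), a small Python model of the two static NAT forms that appear above: Rajesh's "ip nat inside source static" entry rewrites the destination of the customer's packet to 172.16.1.1 before the route lookup, while the "ip nat outside source static" line from the earlier attempt only rewrites the source, so that packet's destination stays on the hub router itself. The routing table, the 10.0.0.x link and the 172.16.1.1 server address are assumed from the diagram.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class StaticNat:
    """One-to-one entries of the form 'ip nat inside|outside source static A B'."""
    def __init__(self, lines):
        self.inside_src = {}   # inside local   -> inside global
        self.outside_src = {}  # outside global -> outside local
        for line in lines:
            p = line.split()
            if p[:2] != ["ip", "nat"] or p[3:5] != ["source", "static"]:
                raise ValueError(f"unsupported NAT line: {line}")
            (self.inside_src if p[2] == "inside" else self.outside_src)[p[5]] = p[6]

    def outside_to_inside(self, pkt):
        """Packet received on 'ip nat outside', heading for 'ip nat inside'."""
        glob_to_local = {g: loc for loc, g in self.inside_src.items()}
        return Packet(self.outside_src.get(pkt.src, pkt.src),  # outside source: src global -> local
                      glob_to_local.get(pkt.dst, pkt.dst))      # inside source:  dst global -> local

    def inside_to_outside(self, pkt):
        """Reply leaving via 'ip nat outside'; both mappings apply in reverse."""
        local_to_glob = {loc: g for g, loc in self.outside_src.items()}
        return Packet(self.inside_src.get(pkt.src, pkt.src), local_to_glob.get(pkt.dst, pkt.dst))

# Constructed routing table for the hub router: the vendor's 172.16.x.x goes over the P2P link.
ROUTES = {ip_network("172.16.0.0/16"): "P2P to 10.0.0.2", ip_network("0.0.0.0/0"): "ISP 66.237.238.225"}

def next_hop(dst):
    """Longest-prefix match; IOS performs this lookup after the inbound translation."""
    matches = [n for n in ROUTES if ip_address(dst) in n]
    return ROUTES[max(matches, key=lambda n: n.prefixlen)]

RAJESH = StaticNat(["ip nat inside source static 172.16.1.1 66.237.238.226"])
ASKER = StaticNat(["ip nat outside source static 66.237.250.194 192.168.1.231"])
CUSTOMER, HUB_PUBLIC, VENDOR_HOST = "66.237.250.194", "66.237.238.226", "172.16.1.1"

def hub_forward(nat, customer=CUSTOMER):
    """Customer hits the hub's public IP; return the translated packet and its route."""
    inner = nat.outside_to_inside(Packet(customer, HUB_PUBLIC))
    return inner, next_hop(inner.dst)

def vendor_reply(nat, customer=CUSTOMER):
    """Vendor answers from its real address; the hub restores the public source."""
    return nat.inside_to_outside(Packet(VENDOR_HOST, customer))
```

A one-to-one static entry answers for every port on 66.237.238.226, so the usual complement on a hub like this is an inbound ACL on the outside interface that admits only the customer's address; that is an addition here, not part of Rajesh's answer.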
manuel2002m

ASKER
I tested it, it worked!!
Now, about the leased line, I know it will cost money, don't know how much; I will research that.
But, since the reason I will have to use it is because I need my Cisco inside interface on the same subnet as my vendor's host, what about using a VPN over the Internet with private IPs for the hosts? (for my inside interface and their device receiving my connection), in that way we will both have hosts on the same private subnet.

I have it that way with my branch offices.
I don't know, it is just a thought; worst case scenario I will acquire the leased line.

Thanks so much again for all the help.

MM
rsivanandan

Traffic coming in on the outside interface and then routing back through the VPN network to the vendor site, it depends! It might work, or it might not, but that's a different story.

Anyways glad to be of help.

Cheers,
Rajesh
manuel2002m

ASKER
Rajesh

Thanks for the help.

I have gotten a little bit farther now.
I'm closing this question and granting the points.
If you can please help me with the next stage it will be of great benefit for me.
I just posted another question on:

https://www.experts-exchange.com/Hardware/Routers/Q_21991140.html


Thanks