Solved

internal NAT

Posted on 2008-10-01
Last Modified: 2012-05-05
I am trying to create a VPN between 2 locations, but the vendor on the remote side is telling me that I need to run internal NAT as they already have a customer using the IP that I have specified on my end (this is going to a stand-alone workstation). I'm not sure how to translate the address they are giving me to the internal one that is on this workstation, and make the tunnel come up.
i.e.: 10.0.0.10 to 192.168.0.22
Any help would be appreciated.
Thanks
Question by:koconnell42
 
LVL 3

Expert Comment

by:omic_admin
ID: 22619518
Hm. This question is a bit vague as there are a few ways depending on how you want to set this up, but if you are using only a single workstation and trying to VPN in, the site you are trying to tunnel into should have VPN clients that allow you to just get on their network if the config is correct. However, if you are trying to create a point-to-point VPN, then a NAT would be used, with the gateway also doing the VPN routing as well.
0
 
LVL 6

Expert Comment

by:kavlins
ID: 22619539
ip nat
To designate that traffic originating from or destined for the interface is subject to Network Address Translation (NAT), use the ip nat interface configuration command. To prevent the interface from being able to translate, use the no form of this command.

ip nat {create flow-entries | inside | outside | log translations syslog}

no ip nat {create flow-entries | inside | outside | log translations syslog}

Syntax Description
  create          Creates flow entries.
  flow-entries    NAT flow-based entries.
  inside          Indicates that the interface is connected to the inside network (the network subject to NAT translation).
  outside         Indicates that the interface is connected to the outside network.
  log             Enables NAT logging.
  translations    Enables NAT logging translations.
  syslog          Enables syslog for NAT logging translations.

Defaults
Traffic leaving or arriving at this interface is not subject to NAT.

Command Modes
Interface configuration

Command History
  Release    Modification
  11.2       This command was introduced.

Usage Guidelines
Only packets moving between inside and outside interfaces can be translated. You must specify at least one inside interface and outside interface for each border router where you intend to use NAT.

NAT translations logging can be enabled or disabled with the ip nat log translations syslog command.

Examples
The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 network to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
Related Commands
  clear ip nat translation     Clears dynamic NAT translations from the translation table.
  ip nat inside destination    Enables NAT of the inside destination address.
  ip nat inside source         Enables NAT of the inside source address.
  ip nat outside source        Enables NAT of the outside source address.
  ip nat pool                  Defines a pool of IP addresses for NAT.
  ip nat service               Enables a port other than the default port.
  show ip nat statistics       Displays NAT statistics.
  show ip nat translations     Displays active NAT translations.

ip nat inside destination
To enable Network Address Translation (NAT) of the inside destination address, use the ip nat inside destination command in global configuration mode. To remove the dynamic association to a pool, use the no form of this command.

ip nat inside destination list {access-list-number | name} pool name

no ip nat inside destination list {access-list-number | name}

Syntax Description
  list access-list-number    Standard IP access list number. Packets with destination addresses that pass the access list are translated using global addresses from the named pool.
  list name                  Name of a standard IP access list. Packets with destination addresses that pass the access list are translated using global addresses from the named pool.
  pool name                  Name of the pool from which global IP addresses are allocated during dynamic translation.

Defaults
No inside destination addresses are translated.

Command Modes
Global configuration

Command History
  Release    Modification
  11.2       This command was introduced.

Usage Guidelines
This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.

Examples
The following example translates between inside hosts addressed to either the 192.168.1.0 or 192.168.2.0 network to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside destination list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
Related Commands
  clear ip nat translation     Clears dynamic NAT translations from the translation table.
  ip nat                       Designates that traffic originating from or destined for the interface is subject to NAT.
  ip nat inside source         Enables NAT of the inside source address.
  ip nat outside source        Enables NAT of the outside source address.
  ip nat pool                  Defines a pool of IP addresses for NAT.
  ip nat service               Enables a port other than the default port.
  show ip nat statistics       Displays NAT statistics.
  show ip nat translations     Displays active NAT translations.

ip nat inside source
To enable Network Address Translation (NAT) of the inside source address, use the ip nat inside source command in global configuration mode. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.

ip nat inside source {list {access-list-number | access-list-name} | route-map name} {interface type number | pool name} [mapping-id map-name | vrf name] [overload]

no ip nat inside source {list {access-list-number | access-list-name} | route-map name} {interface type number | pool name} [mapping-id map-name | vrf name] [overload]

Static NAT

ip nat inside source {static {local-ip global-ip} [vrf name] [extendable] [no-alias] [no-payload] [route-map] [redundancy group-name] | {esp local-ip interface type number}}

no ip nat inside source {static {local-ip global-ip} [vrf name] [extendable] [no-alias] [no-payload] [route-map] [redundancy group-name] | {esp local-ip interface type number}}

Port Static NAT

ip nat inside source {static {tcp | udp local-ip local-port global-ip global-port} [extendable] [no-alias] [no-payload]

no ip nat inside source {static {tcp | udp local-ip local-port global-ip global-port} [extendable] [no-alias] [no-payload]

Network Static NAT

ip nat inside source {static {network local-network global-network mask} [extendable] [no-alias] [no-payload]

no ip nat inside source {static {network local-network global-network mask} [extendable] [no-alias] [no-payload]

Syntax Description
  list access-list-number    Number of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
  list access-list-name      Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
  route-map name             Specifies the named route map.
  interface type             Specifies the interface type for the global address.
  interface number           Specifies the interface number for the global address.
  pool name                  Name of the pool from which global IP addresses are allocated dynamically.
  mapping-id map-name        (Optional) Specifies whether the local Stateful NAT Translation (SNAT) router will distribute a particular set of locally created entries to a peer SNAT router.
  vrf name                   (Optional) Associates the NAT translation rule with a particular VPN routing and forwarding (VRF) instance.
  overload                   (Optional) Enables the router to use one global address for many local addresses. When overloading is configured, the TCP or User Datagram Protocol (UDP) port number of each inside host distinguishes between the multiple conversations using the same local IP address.
  static local-ip            Sets up a single static translation. The local-ip argument establishes the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918, or obsolete.
  local-port                 Sets the local TCP/UDP port in a range from 1-65535.
  static global-ip           Sets up a single static translation. The global-ip argument establishes the globally unique IP address of an inside host as it appears to the outside world.
  global-port                Sets the global TCP/UDP port in a range from 1-65535.
  extendable                 (Optional) Extends the translation.
  no-alias                   (Optional) Prohibits an alias from being created for the global address.
  no-payload                 (Optional) Prohibits the translation of an embedded address or port in the payload.
  redundancy group-name      (Optional) Establishes NAT redundancy.
  esp local-ip               Establishes IPSec-ESP (tunnel mode) support.
  tcp                        Establishes the Transmission Control Protocol.
  udp                        Establishes the User Datagram Protocol.
  network local-network      Specifies the local subnet translation.
  global-network             Specifies the global subnet translation.
  mask                       Establishes the IP network mask to be used with subnet translations.

Defaults
No NAT translation of inside source addresses occurs.

Command Modes
Global configuration

Command History
  Release     Modification
  11.2        This command was introduced.
  12.2(4)T    This command was modified to include the ability to use route maps with static translations, and the route-map name keyword and argument combination was added. This command was modified to include static translation with Hot Standby Routing Protocol (HSRP), and the redundancy group-name keyword and argument combination was added. This command was modified to enable the translation of the IP header address only, and the no-payload keyword was added.
  12.2(13)T   The interface keyword was added for static translations. The mapping-id map-name keyword and argument combination was added. The vrf name keyword and argument combination was added.

Usage Guidelines
This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.

Packets that enter the router through the inside interface and packets sourced from the router are checked against the access list for possible NAT candidates. The access list is used to specify which traffic is to be translated.

Alternatively, the syntax form with the keyword static establishes a single static translation.

Examples
The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 network to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
The following example translates only traffic local to the provider's edge device running NAT (NAT-PE):

ip nat inside source list 1 interface e 0 vrf shop overload
ip nat inside source list 1 interface e 0 vrf bank overload
!
ip route vrf shop 0.0.0.0 0.0.0.0 192.1.1.1
ip route vrf bank 0.0.0.0 0.0.0.0 192.1.1.1
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
ip nat inside source list 1 interface e 1 vrf shop overload
ip nat inside source list 1 interface e 1 vrf bank overload
!
ip route vrf shop 0.0.0.0 0.0.0.0 172.1.1.1 global
ip route vrf bank 0.0.0.0 0.0.0.0 172.1.1.1 global
access-list 1 permit 10.1.1.0 0.0.0.255
Related Commands
  clear ip nat translation     Clears dynamic NAT translations from the translation table.
  ip nat                       Designates that traffic originating from or destined for the interface is subject to NAT.
  ip nat inside destination    Enables NAT of the inside destination address.
  ip nat outside source        Enables NAT of the outside source address.
  ip nat pool                  Defines a pool of IP addresses for NAT.
  ip nat service               Enables a port other than the default port.
  show ip nat statistics       Displays NAT statistics.
  show ip nat translations     Displays active NAT translations.

ip nat outside source
To enable Network Address Translation (NAT) of the outside source address, use the ip nat outside source command in global configuration mode. To remove the static entry or the dynamic association, use the no form of this command.

ip nat outside source {list {access-list-number | access-list-name} | route-map name} pool pool-name [mapping-id map-name | vrf name] [add-route]

no ip nat outside source {list {access-list-number | access-list-name} | route-map name} pool pool-name [mapping-id map-name | vrf name] [add-route]

Static NAT

ip nat outside source {static global-ip local-ip} [add-route] [extendable] [no-alias] [no-payload] [redundancy group-name]

no ip nat outside source {static global-ip local-ip} [add-route] [extendable] [no-alias] [no-payload] [redundancy group-name]

Port Static NAT

ip nat outside source {static tcp | udp global-ip global-port local-ip local-port} [add-route] [extendable] [no-alias] [no-payload]

no ip nat outside source {static tcp | udp global-ip global-port local-ip local-port} [add-route] [extendable] [no-alias] [no-payload]

Network Static NAT

ip nat outside source {static network global-network local-network mask} [add-route] [extendable] [no-alias] [no-payload]

no ip nat outside source {static network global-network local-network mask} [add-route] [extendable] [no-alias] [no-payload]

Syntax Description
  list access-list-number    Number of a standard IP access list. Packets with source addresses that pass the access list are translated using global addresses from the named pool.
  list access-list-name      Name of a standard IP access list. Packets with source addresses that pass the access list are translated using global addresses from the named pool.
  route-map name             Specifies a named route map.
  pool pool-name             Name of the pool from which global IP addresses are allocated.
  mapping-id map-name        (Optional) Specifies whether the local Stateful NAT Translation (SNAT) router will distribute a particular set of locally created entries to a peer SNAT router.
  vrf name                   (Optional) Associates the NAT translation rule with a particular VPN.
  add-route                  (Optional) Adds a static route for the outside local address.
  static global-ip           Sets up a single static translation. This argument establishes the globally unique IP address assigned to a host on the outside network by its owner. It was allocated from globally routable network space.
  local-ip                   Local IP address of an outside host as it appears to the inside world. The address was allocated from address space routable on the inside (RFC 1918, Address Allocation for Private Internets).
  extendable                 (Optional) Extends the translation.
  no-alias                   (Optional) Prohibits an alias from being created for the local address.
  no-payload                 (Optional) Prohibits the translation of an embedded address or port in the payload.
  redundancy group-name      (Optional) Enables the NAT redundancy operation.
  tcp                        Establishes the Transmission Control Protocol.
  udp                        Establishes the User Datagram Protocol.

Defaults
No translation of source addresses coming from the outside to the inside network occurs.

Command Modes
Global configuration

Command History
  Release     Modification
  11.2        This command was introduced.
  12.2(4)T    This command was modified to include static translation with Hot Standby Routing Protocol (HSRP), and the redundancy group-name keyword and argument combination was added. This command was modified to enable the translation of the IP header address only, and the no-payload keyword was added.
  12.2(13)T   The mapping-id map-name keyword and argument combination was added. The vrf name keyword and argument combination was added.

Usage Guidelines
You might have IP addresses that are not legal, officially assigned IP addresses. Perhaps you chose IP addresses that officially belong to another network. The case of an address used illegally and legally is called overlapping. You can use NAT to translate inside addresses that overlap with outside addresses. Use this feature if your IP addresses in the stub network happen to be legitimate IP addresses belonging to another network, and you need to communicate with those hosts or routers.

This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.

Alternatively, the syntax form with the static keyword establishes a single static translation.

Examples
The following example translates between inside hosts addressed from the 9.114.11.0 network to the globally unique 171.69.233.208/28 network. Further packets from outside hosts addressed from the 9.114.11.0 network (the true 9.114.11.0 network) are translated to appear to be from the 10.0.1.0/24 network.

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24
ip nat inside source list 1 pool net-208
ip nat outside source list 1 pool net-10
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 9.114.11.39 255.255.255.0
 ip nat inside
!
access-list 1 permit 9.114.11.0 0.0.0.255
The following example shows NAT configured on the Provider Edge (PE) router with a static route to the shared service for the gold and silver Virtual Private Networks (VPNs). NAT is configured as inside source static 1-to-1 translations. (The outside source rule must reference the pool by the name it was defined with, and the static entries need a space between the local and global addresses.)

ip nat pool mypool 4.4.4.1 4.4.4.254 netmask 255.255.255.0
ip nat outside source list 1 pool mypool
access-list 1 permit 168.58.18.0 0.0.0.255
ip nat inside source static 192.168.121.33 2.2.2.1 vrf gold
ip nat inside source static 192.169.121.33 2.2.2.2 vrf silver
Related Commands
  clear ip nat translation     Clears dynamic NAT translations from the translation table.
  ip nat                       Designates that traffic originating from or destined for the interface is subject to NAT.
  ip nat inside destination    Enables NAT of the inside destination address.
  ip nat inside source         Enables NAT of the inside source address.
  ip nat pool                  Defines a pool of IP addresses for NAT.
  ip nat service               Enables a port other than the default port.
  show ip nat statistics       Displays NAT statistics.
  show ip nat translations     Displays active NAT translations.

ip nat pool
To define a pool of IP addresses for Network Address Translation (NAT), use the ip nat pool command in global configuration mode. To remove one or more addresses from the pool, use the no form of this command.

ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}[type rotary]

no ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]

Syntax Description
  name                          Name of the pool.
  start-ip                      Starting IP address that defines the range of addresses in the address pool.
  end-ip                        Ending IP address that defines the range of addresses in the address pool.
  netmask netmask               Network mask that indicates which address bits belong to the network and subnetwork fields and which bits belong to the host field. Specify the netmask of the network to which the pool addresses belong.
  prefix-length prefix-length   Number that indicates how many bits of the netmask are ones (how many bits of the address indicate network). Specify the netmask of the network to which the pool addresses belong.
  type rotary                   (Optional) Indicates that the range of addresses in the address pool identify real, inside hosts among which TCP load distribution will occur.

Defaults
No pool of addresses is defined.

Command Modes
Global configuration

Command History
  Release    Modification
  11.2       This command was introduced.

Usage Guidelines
This command defines a pool of addresses using start address, end address, and either netmask or prefix length. The pool could define either an inside global pool, an outside local pool, or a rotary pool.

Examples
The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 network to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
Related Commands
  clear ip nat translation     Clears dynamic NAT translations from the translation table.
  ip nat                       Designates that traffic originating from or destined for the interface is subject to NAT.
  ip nat inside source         Enables NAT of the inside source address.
  ip nat outside source        Enables NAT of the outside source address.
  ip nat pool                  Defines a pool of IP addresses for NAT.
  ip nat service               Enables a port other than the default port.
  show ip nat statistics       Displays NAT statistics.
  show ip nat translations     Displays active NAT translations.
0
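The original question (make the workstation 192.168.0.22 appear to the remote site as 10.0.0.10 inside a site-to-site tunnel) worked through with the commands pasted above. This is an added example, not code from the thread or from Cisco's reference. It assumes a Cisco IOS router that terminates both the IPsec tunnel and the NAT, running 12.2(4)T or later so that a static translation can be gated by a route-map (see the command history above); the remote peer 203.0.113.1, the remote private network 172.16.50.0/24, the interface names and the pre-shared key are placeholders. The point it demonstrates: on IOS, an inside-to-outside packet is translated before it is matched against the crypto map, so the "interesting traffic" ACL must name the translated address 10.0.0.10, not 192.168.0.22; return traffic is decrypted first and then translated back.

```cisco
! Added example (not from the thread or from Cisco's reference).
! Assumptions: remote peer 203.0.113.1, remote LAN 172.16.50.0/24,
! FastEthernet0/0 = Internet, FastEthernet0/1 = LAN, key is a placeholder.
!
! 1. One-to-one static NAT for the workstation, applied only to traffic
!    bound for the remote LAN. Without the route-map, every packet from
!    .22 would leave as 10.0.0.10, including its Internet traffic, which
!    would then be dropped upstream as a private source address.
ip access-list extended NAT-TO-REMOTE
 permit ip host 192.168.0.22 172.16.50.0 0.0.0.255
!
route-map VPN-NAT permit 10
 match ip address NAT-TO-REMOTE
!
ip nat inside source static 192.168.0.22 10.0.0.10 route-map VPN-NAT
!
! 2. Keep the tunnel traffic out of the general PAT/overload rule so other
!    LAN hosts are not translated towards the remote LAN by accident.
ip access-list extended NAT-INTERNET
 deny   ip 192.168.0.0 0.0.0.255 172.16.50.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list NAT-INTERNET interface FastEthernet0/0 overload
!
! 3. Crypto ACL: matched AFTER the inside-to-outside translation, so it
!    must reference the translated address the vendor expects to see.
ip access-list extended VPN-TRAFFIC
 permit ip host 10.0.0.10 172.16.50.0 0.0.0.255
!
! 4. IKE phase 1 and IPsec phase 2. Avoid DES/3DES, MD5 and DH group 1/2;
!    the pre-shared key below is a placeholder that must be replaced.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 203.0.113.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 description Internet
 ip nat outside
 crypto map VPN
!
interface FastEthernet0/1
 description LAN
 ip nat inside
```

To check it, send traffic from 192.168.0.22 to a host in 172.16.50.0/24 and then run show ip nat translations (listed in the reference above): the entry should show inside local 192.168.0.22 and inside global 10.0.0.10 only for that destination, and show crypto ipsec sa should show the SA's local identity as 10.0.0.10/32 with encrypt/decrypt counters increasing. If the tunnel never comes up, the usual cause is a crypto ACL written against 192.168.0.22, which never matches because the packet has already been rewritten by the time the crypto map sees it. The remote side configures its side as 172.16.50.0/24 to 10.0.0.10/32 and never needs to know 192.168.0.22 exists.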
 

Author Comment

by:koconnell42
ID: 22619545
I will check on the VPN client but would prefer point-to-point, but not sure how to set up the NAT.
0
 
LVL 3

Expert Comment

by:omic_admin
ID: 22620113
Depends on the device, but a decent router will be able to do it, with the only info you need to enter being the remote gateway and the pre-shared key. The router should do the rest in terms of figuring out which packets need to be tunneled and which ones do not. However, make sure that your DNS is configured correctly, otherwise it may never hit the tunnel.
0
 

Accepted Solution

by: koconnell42 (earned 0 total points)
ID: 22949755
No solution has been found... we ended up changing IP addresses internally so no NAT was needed.
0
