GageDigital
asked on
2 way nat?
This is the problem I have....
I have an access point that only has configuration settings available for IP address and subnet mask. It does not allow me to set a default gateway. As you would know this causes problem if I wish to administer this access point from a remote location on a different network.
I'm trying to take my router and perform some fancy NAT features to get this to work. Yes I know it would be cheaper to go out and get a new access point. But I thought it would be fun to see if this was possible.
Basically I need to take an available IP address on the outside interface. And translate this to my access point then I need to take my source IP address and translate this to an inside ip address on my router.
(ap)----------------------
192.168.2.1 192.168.2.2 10.0.0.1 10.0.0.5
attempt to connect from pc to access point:
10.0.0.2 <---- 10.0.0.5
translates to...
192.168.2.1 <--- 192.168.2.5
And then back...
192.168.2.1 ----> 192.168.2.5
translates back to...
10.0.0.2 ----> 10.0.0.5
Note: That all IP address above are static except for 10.0.0.5. This IP address is dynamic and would changed based on the system being used to administer the access point.
I have enabled the following debug:
Router#show debug
Generic IP:
ICMP packet debugging is on
IP NAT debugging is on
IP NAT detailed debugging is on
When I issue a ping 10.0.0.2 from my pc this is what I get on the router:
Jun 17 08:29:07.225: NAT*: o: icmp (10.0.0.5, 512) -> (10.0.0.2, 512) [57742]
Jun 17 08:29:07.225: NAT*: s=10.0.0.5->192.168.2.5, d=10.0.0.2 [57742]
Jun 17 08:29:07.225: NAT*: s=192.168.2.5, d=10.0.0.2->192.168.2.1 [57742]
Jun 17 08:29:07.229: ICMP: echo reply rcvd, src 192.168.2.1, dst 192.168.2.5
It seems that the translation one direction works fine. And you even see the ping responding back from the access point. BUT it seems like this not translating back over to the outside interface.
Here is a show ip nat tran
Pro Inside global Inside local Outside local Outside global
--- 10.0.0.2 192.168.2.1 --- ---
--- --- --- 192.168.2.5 10.0.0.5
--- 10.0.0.2 192.168.2.1 192.168.2.5 10.0.0.5
I have played around for this for some time hope someone else can help out... Here is my full running config...
If I'm going at this all wrong please advise! Thanks!
I have an access point that only has configuration settings available for IP address and subnet mask. It does not allow me to set a default gateway. As you would know this causes problem if I wish to administer this access point from a remote location on a different network.
I'm trying to take my router and perform some fancy NAT features to get this to work. Yes I know it would be cheaper to go out and get a new access point. But I thought it would be fun to see if this was possible.
Basically I need to take an available IP address on the outside interface. And translate this to my access point then I need to take my source IP address and translate this to an inside ip address on my router.
(ap)----------------------
192.168.2.1 192.168.2.2 10.0.0.1 10.0.0.5
attempt to connect from pc to access point:
10.0.0.2 <---- 10.0.0.5
translates to...
192.168.2.1 <--- 192.168.2.5
And then back...
192.168.2.1 ----> 192.168.2.5
translates back to...
10.0.0.2 ----> 10.0.0.5
Note: That all IP address above are static except for 10.0.0.5. This IP address is dynamic and would changed based on the system being used to administer the access point.
I have enabled the following debug:
Router#show debug
Generic IP:
ICMP packet debugging is on
IP NAT debugging is on
IP NAT detailed debugging is on
When I issue a ping 10.0.0.2 from my pc this is what I get on the router:
Jun 17 08:29:07.225: NAT*: o: icmp (10.0.0.5, 512) -> (10.0.0.2, 512) [57742]
Jun 17 08:29:07.225: NAT*: s=10.0.0.5->192.168.2.5, d=10.0.0.2 [57742]
Jun 17 08:29:07.225: NAT*: s=192.168.2.5, d=10.0.0.2->192.168.2.1 [57742]
Jun 17 08:29:07.229: ICMP: echo reply rcvd, src 192.168.2.1, dst 192.168.2.5
It seems that the translation one direction works fine. And you even see the ping responding back from the access point. BUT it seems like this not translating back over to the outside interface.
Here is a show ip nat tran
Pro Inside global Inside local Outside local Outside global
--- 10.0.0.2 192.168.2.1 --- ---
--- --- --- 192.168.2.5 10.0.0.5
--- 10.0.0.2 192.168.2.1 192.168.2.5 10.0.0.5
I have played around for this for some time hope someone else can help out... Here is my full running config...
If I'm going at this all wrong please advise! Thanks!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
username cisco privilege 15 password 0 cisco
!
!
!
!
!
!
interface Loopback1
no ip address
!
interface Ethernet0
ip address 192.168.2.2 255.255.255.0
ip nat inside
full-duplex
!
interface FastEthernet0
ip address 10.0.0.2 255.255.255.0 secondary
ip address 10.0.0.1 255.255.255.0
ip nat outside
speed auto
!
interface Async1
no ip address
encapsulation slip
!
ip nat pool test2 192.168.2.5 192.168.2.5 netmask 255.255.255.0
ip nat pool wanip 10.0.0.1 10.0.0.4 netmask 255.255.255.0
ip nat inside source list 100 pool wanip overload
ip nat inside source static 192.168.2.1 10.0.0.2
ip nat outside source list 101 pool test2 add-route
ip classless
no ip http server
no ip http secure-server
!
!
access-list 100 permit ip any any
access-list 101 permit ip any host 10.0.0.2
!
!
!
line con 0
line 1
modem InOut
modem autoconfigure discovery
transport input all
transport output pad udptn telnet rlogin ssh
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
login local
line vty 5 15
login local
!
end
ASKER
Not quite sure how this will work. Seeing that the 192.168.2.2 is on the same network as ethernet0. So I will assume that you meant fa0.
ip nat inside source static tcp 192.168.2.2 443 interface FastEthernet0 443
Then it would seem this would only perform a single directional nat and the access point would receive a packet from with a public source IP address and not an ip on the local network.
I will try and report back...
ip nat inside source static tcp 192.168.2.2 443 interface FastEthernet0 443
Then it would seem this would only perform a single directional nat and the access point would receive a packet from with a public source IP address and not an ip on the local network.
I will try and report back...
i sure do mean ethernet0 as this is your NATted interface on which the port 443 is forwarded to the 192.168.2.2 device.
ASKER
I think I understand what you are doing now. Instead of me using an ip address on my fa0 interface to access my access point I would attempt to access it via the AP's IP address it's self and have the router only nat the source IP address.
I did as you noted and this is the commands I used:
ip nat inside source list 100 interface ethernet0 overload
ip nat inside source static tcp 192.168.2.1 80 interface ethernet0 80
This seems like a good idea, but does not seem to work.
By the way my AP admin page runs on 192.168.2.1:80.
I did as you noted and this is the commands I used:
ip nat inside source list 100 interface ethernet0 overload
ip nat inside source static tcp 192.168.2.1 80 interface ethernet0 80
This seems like a good idea, but does not seem to work.
By the way my AP admin page runs on 192.168.2.1:80.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for taking the time to test this out! It seems that the problem lies in my router and/or ios version. All research I have done states it should work.
Thanks again for working on this.
Thanks again for working on this.
ip nat inside source list 100 interface ethernet0 overload
ip nat inside source static tcp 192.168.2.2 443 interface ethernet0 443