2 way nat?

Posted on 2009-12-31
Last Modified: 2012-05-08
This is the problem I have....

I have an access point that only has configuration settings available for IP address and subnet mask. It does not allow me to set a default gateway. As you would know, this causes problems if I wish to administer this access point from a remote location on a different network.

I'm trying to take my router and perform some fancy NAT features to get this to work.   Yes I know it would be cheaper to go out and get a new access point.   But I thought it would be fun to see if this was possible.

Basically I need to take an available IP address on the outside interface and translate this to my access point; then I need to take my source IP address and translate this to an inside IP address on my router.


(ap)-----------------------(router)--------------(test_pc)
192.168.2.1     192.168.2.2   10.0.0.1        10.0.0.5


attempt to connect from pc to access point:
                              10.0.0.2  <---- 10.0.0.5
translates to...
192.168.2.1 <--- 192.168.2.5

And then back...
192.168.2.1 ----> 192.168.2.5

translates back to...
                               10.0.0.2  ----> 10.0.0.5


Note that all IP addresses above are static except for 10.0.0.5. This IP address is dynamic and would change based on the system being used to administer the access point.


I have enabled the following debug:
Router#show debug
Generic IP:
  ICMP packet debugging is on
  IP NAT debugging is on
  IP NAT detailed debugging is on


When I issue a ping 10.0.0.2 from my pc this is what I get on the router:

Jun 17 08:29:07.225: NAT*: o: icmp (10.0.0.5, 512) -> (10.0.0.2, 512) [57742]    
Jun 17 08:29:07.225: NAT*: s=10.0.0.5->192.168.2.5, d=10.0.0.2 [57742]
Jun 17 08:29:07.225: NAT*: s=192.168.2.5, d=10.0.0.2->192.168.2.1 [57742]
Jun 17 08:29:07.229: ICMP: echo reply rcvd, src 192.168.2.1, dst 192.168.2.5

It seems that the translation in one direction works fine, and you even see the ping responding back from the access point. BUT it seems like this is not translating back over to the outside interface.

Here is a show ip nat tran

Pro Inside global      Inside local       Outside local      Outside global
--- 10.0.0.2           192.168.2.1        ---                ---
--- ---                ---                192.168.2.5        10.0.0.5
--- 10.0.0.2           192.168.2.1        192.168.2.5        10.0.0.5

I have played around with this for some time; hope someone else can help out... Here is my full running config...

If I'm going at this all wrong please advise! Thanks!

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!         
!
!
ip cef
ip audit po max-events 100
!
!
username cisco privilege 15 password 0 cisco
!
!
!
!
!
!
interface Loopback1
 no ip address
!
interface Ethernet0
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
 full-duplex
!
interface FastEthernet0
 ip address 10.0.0.2 255.255.255.0 secondary
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 speed auto
!
interface Async1
 no ip address
 encapsulation slip
!
ip nat pool test2 192.168.2.5 192.168.2.5 netmask 255.255.255.0
ip nat pool wanip 10.0.0.1 10.0.0.4 netmask 255.255.255.0
ip nat inside source list 100 pool wanip overload
ip nat inside source static 192.168.2.1 10.0.0.2
ip nat outside source list 101 pool test2 add-route
ip classless
no ip http server
no ip http secure-server
!
!
access-list 100 permit ip any any
access-list 101 permit ip any host 10.0.0.2
!
!
!         
line con 0
line 1
 modem InOut
 modem autoconfigure discovery
 transport input all
 transport output pad udptn telnet rlogin ssh
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login local
line vty 5 15
 login local
!
end

Question by:GageDigital
LVL 4

Expert Comment

by:gaffie
ID: 26155853
Assuming you only use this router for this purpose and your access point administration page runs on https://192.168.2.2 (port 443), remove all "ip nat" lines and replace them with these:

ip nat inside source list 100 interface ethernet0 overload
ip nat inside source static tcp 192.168.2.2 443 interface ethernet0 443

Author Comment

by:GageDigital
ID: 26156626
Not quite sure how this will work, seeing that 192.168.2.2 is on the same network as ethernet0. So I will assume that you meant fa0.

ip nat inside source static tcp 192.168.2.2 443 interface FastEthernet0 443

Then it would seem this would only perform a single-directional NAT, and the access point would receive a packet with a public source IP address and not an IP on the local network.

I will try and report back...
LVL 4

Expert Comment

by:gaffie
ID: 26158159
I sure do mean ethernet0, as this is your NATted interface on which port 443 is forwarded to the 192.168.2.2 device.

Author Comment

by:GageDigital
ID: 26158540
I think I understand what you are doing now. Instead of me using an IP address on my fa0 interface to access my access point, I would attempt to access it via the AP's IP address itself and have the router only NAT the source IP address.

I did as you noted and these are the commands I used:
ip nat inside source list 100 interface ethernet0 overload
ip nat inside source static tcp 192.168.2.1 80 interface ethernet0 80

This seems like a good idea, but does not seem to work.

By the way my AP admin page runs on 192.168.2.1:80.
LVL 10

Accepted Solution

by: cstosgale (earned 500 total points)
ID: 26167118
Ok,

I have just taken the config you originally posted, and put it in a lab environment, and it works! It is correctly translating both the source and destination address. I set up a router on the outside with IP 10.0.0.5 and a router on the inside with IP 192.168.2.1 and no default route.

Here is the response:


Outside#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 200/277/416 ms
Outside#

inside#
*Mar  1 00:15:12.559: ICMP: echo reply sent, src 192.168.2.1, dst 192.168.2.5
*Mar  1 00:15:12.855: ICMP: echo reply sent, src 192.168.2.1, dst 192.168.2.5
*Mar  1 00:15:13.127: ICMP: echo reply sent, src 192.168.2.1, dst 192.168.2.5
*Mar  1 00:15:13.415: ICMP: echo reply sent, src 192.168.2.1, dst 192.168.2.5
*Mar  1 00:15:13.583: ICMP: echo reply sent, src 192.168.2.1, dst 192.168.2.5

One thing that may cause some issues though is your wanip pool overlaps with the IP address you are statically NATting the access point to (10.0.0.2). I would recommend changing the pool or just using the outside interface's address for all dynamic NAT translations.

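The two-stage translation the question describes and cstosgale confirmed in the lab, as an added Python model that is not part of the original thread or of Cisco IOS: it applies the "inside source static" mapping and the "outside source" dynamic pool in the order the posted NAT debug output shows, and includes the pool-overlap check the accepted answer recommends. Rule values are copied from the posted config; the class and function names are my own.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Rules taken from the posted config (a model, not an IOS emulator):
#   ip nat inside source static 192.168.2.1 10.0.0.2   -> inside local : inside global
INSIDE_STATIC = {"192.168.2.1": "10.0.0.2"}
#   ip nat outside source list 101 pool test2          -> outside global : outside local,
#   allocated on first use from pool test2 (192.168.2.5) for traffic to host 10.0.0.2
OUTSIDE_POOL = ["192.168.2.5"]


class TwoWayNat:
    def __init__(self):
        self.outside_table = {}          # outside global -> outside local (dynamic)
        self.free_pool = list(OUTSIDE_POOL)

    def outside_to_inside(self, pkt):
        """Packet from the outside interface, e.g. test_pc 10.0.0.5 -> 10.0.0.2."""
        # ACL 101 "permit ip any host 10.0.0.2": only traffic to the static
        # inside-global address gets an outside-source translation.
        if pkt.dst in INSIDE_STATIC.values() and pkt.src not in self.outside_table:
            if not self.free_pool:
                raise RuntimeError("outside pool test2 exhausted")
            self.outside_table[pkt.src] = self.free_pool.pop(0)
        src = self.outside_table.get(pkt.src, pkt.src)          # s=10.0.0.5->192.168.2.5
        inside_local = {g: l for l, g in INSIDE_STATIC.items()}
        dst = inside_local.get(pkt.dst, pkt.dst)                # d=10.0.0.2->192.168.2.1
        return Packet(src, dst)

    def inside_to_outside(self, pkt):
        """Reply from the AP, 192.168.2.1 -> 192.168.2.5, restored for the outside."""
        src = INSIDE_STATIC.get(pkt.src, pkt.src)               # 192.168.2.1 -> 10.0.0.2
        outside_global = {l: g for g, l in self.outside_table.items()}
        dst = outside_global.get(pkt.dst, pkt.dst)              # 192.168.2.5 -> 10.0.0.5
        return Packet(src, dst)


def pool_overlaps_static(pool_start, pool_end, static_globals):
    """Addresses in a dynamic pool that collide with static inside-global addresses
    (the wanip 10.0.0.1-10.0.0.4 vs 10.0.0.2 overlap the accepted answer warns about)."""
    lo, hi = int(ip_address(pool_start)), int(ip_address(pool_end))
    return sorted(a for a in static_globals if lo <= int(ip_address(a)) <= hi)
```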

Author Closing Comment

by:GageDigital
ID: 31671666
Thanks for taking the time to test this out! It seems that the problem lies in my router and/or IOS version. All research I have done states it should work.

Thanks again for working on this.