Velocity Reviews - Computer Hardware Reviews


Source and destination NAT

 
 
1388-2/HB
 
      06-26-2007
I have a 2621 router with FE0 attached to the Internet and FE1 attached to
the LAN.

2621
FE0 X.X.X.1/29 (part of public IP block, 'outside' NAT interface)
FE1 a.a.a.1/24 (private, 'inside' NAT interface)

I have two goals here, both of which I can do, I just want a better way to
do them.

The first goal is to simply "port forward" public IP X.X.X.2 to LAN IP
a.a.a.2, which is simple enough with destination NAT:

[source <?>][dest X.X.X.2] DestNAT-> [source <?>][dest a.a.a.2]

The second goal is where I started making stuff up. Because in addition to
being destination NATed to "b.b.b.6", public IP X.X.X.3 must also be source
NATed to appear to have originated on the b.b.b.0 subnet. So for lack of a
better idea, I did this:

First I destination NAT it to the appropriate LAN address:

[source <?>][dest X.X.X.3] DestNAT-> [source <?>][dest b.b.b.6]

My hack solution is to then route it to a second 2621 router:

ip route b.b.b.0/24 -> a.a.a.5

And the second 2621 looks like this:

2621 #2
FE0 a.a.a.5/24 (inside)
FE1 b.b.b.1/24 (outside)

And using a traditional internet connection sharing routine, I nat the
source:

[source <?>][dest b.b.b.6] SourceNAT -> [source b.b.b.1][dest b.b.b.6]
ip route 0.0.0.0/0 -> a.a.a.1

So, from the perspective of the server at b.b.b.6, all the requests it's
getting appear to be coming from LAN source b.b.b.1 (rather than WAN source
<?>). Which accomplishes "the goal".

This works, but my question is, is it possible to do this with 1 router?
Could I put, say, an NM-4E module into a single 2621 and route packets to
"myself" so that I can destination NAT them as well as source NAT them?

I have to reproduce this at another location with the same goals, but at the
other location there's only one 2621 router to play with.


 
Barry Margolin
 
      06-26-2007
In article <rC%fi.27071$(E-Mail Removed)> ,
"1388-2/HB" <(E-Mail Removed)> wrote:

> This works, but my question is, is it possible to do this with 1 router?
> Could I put, say, an NM-4E module into a single 2621 and route packets to
> "myself" so that I can destination NAT them as well as source NAT them?


Google for "nat on a stick". You don't need another module, you use a
loopback interface for this.

--
Barry Margolin, http://www.velocityreviews.com/forums/(E-Mail Removed)
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
 
1388-2/HB
 
      06-28-2007

"Barry Margolin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> Google for "nat on a stick". You don't need another module, you use a
> loopback interface for this.


Thanks for the hint.

I've got it "almost" working, I think, in my 1720 sandbox, but I'm not
seeing what I'm missing... the 1720 has 2 interfaces and a loopback, like
this:

WIC-1ENET (e0) outside NAT (faces WAN)
FastEther (f0) inside NAT (faces LAN)
Loopback (l0) inside

A packet shows up on e0 from the InternetGuy for my Public IP X.X.X.2

00:05:31: NAT: o: tcp ([InternetGuy], 3157) -> (X.X.X.2, 80) [18160]

An ip nat inside dest rule is in place to turn X.X.X.2 into 172.16.2.200,
which happens:

00:05:31: NAT: s=[InternetGuy], d=X.X.X.2->172.16.2.200 [18160]

Now before the device at 172.16.2.200 receives this packet I need to make
the source change from [InternetGuy] to 172.16.2.12. I have a policy route
(on e0) to loopback when this is the case, which happens:

00:05:31: IP: s=[InternetGuy] (Ethernet0), d=172.16.2.200, len 48, policy match
00:05:31: IP: route map DoubleNAT, item 10, permit
00:05:31: IP: s=[InternetGuy] (Ethernet0), d=172.16.2.200 (Loopback0), len 48, policy routed
00:05:31: IP: Ethernet0 to Loopback0 172.16.2.200

An ip nat inside source rule is in place to turn [InternetGuy] into
172.16.2.12, which does not happen. Now the packet is apparently routed to
172.16.2.200, because the next debug line appears to be my device (web
server) responding:

00:05:31: NAT: i: tcp (172.16.2.200, 80) -> ([InternetGuy], 3157) [51052]
00:05:31: NAT: s=172.16.2.200->X.X.X.2, d=([InternetGuy] [51052]

Without the second NAT occurring, my loopback is pointless overhead so far.

This is what I thought might happen (what I want to happen):

00:05:31: NAT: o: tcp ([InternetGuy], 3157) -> (X.X.X.2, 80) [18160]
00:05:31: NAT: s=[InternetGuy], d=X.X.X.2->172.16.2.200 [18160]
00:05:31: IP: s=[InternetGuy] (Ethernet0), d=172.16.2.200, len 48, policy match
00:05:31: IP: route map DoubleNAT, item 10, permit
00:05:31: IP: s=[InternetGuy] (Ethernet0), d=172.16.2.200 (Loopback0), len 48, policy routed
00:05:31: IP: Ethernet0 to Loopback0 172.16.2.200
00:05:31: NAT: i: tcp ([InternetGuy], 3157) -> (172.16.2.200, 80)
00:05:31: NAT: s=[InternetGuy]->172.16.2.12, d=172.16.2.200

The last 2 lines never happen, even though there is an inside source NAT
rule in place that fits the criteria of what gets sent to loopback.


 
brink
 
      06-29-2007
Have a look here

http://www.cisco.com/en/US/customer/...80094430.shtml

for an example and explanations (that's Document ID: 6505 in case you have
a problem getting through on this link).

Luck, Frans

 
usenet
 
      07-04-2007
I had to implement nat on a stick, with multiple Loopback interfaces &
policy routes, etc. similar to the examples in document 6505. I had to fill
some gaps in my NAT knowledge to really get it, but I got it working
eventually. Thanks for the help guys.

"brink" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ps.com...
> Have a look here
>
> http://www.cisco.com/en/US/customer/...80094430.shtml
>
> for an example and explanations. ( that's Document ID: 6505 in case
> you have a problem getting through on this link)
>
> Luck, Frans
>
>



 
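The debug output in the 06-28-2007 post and the "multiple Loopback interfaces & policy routes" remark in the 07-04-2007 post both come down to the IOS NAT order of operations: for outside-to-inside traffic the destination un-translation happens before (policy) routing, for inside-to-outside traffic the source translation happens after routing, and a packet routed to a loopback re-enters the forwarding path as if received on that loopback. The following Python model is an added example written for this page; it is not code or configuration from the thread or from Cisco, and it is a model of those rules, not a tested IOS config. The addresses (203.0.113.2 for X.X.X.2, 198.51.100.7 for [InternetGuy], 172.16.2.0/24 for the LAN, 10.255.0.0/30 and 10.255.0.4/30 for the loopbacks) and the interface names are assumptions. It shows why the single inside loopback in the 1720 sandbox leaves the source untouched (loopback "inside" to FastEthernet "inside" is inside-to-inside, so no translation), and why a second loopback marked "outside" gives the packet the inside-to-outside crossing that the source rule needs.

```python
"""Model of Cisco IOS NAT order of operations for NAT on a stick.

Added example, not from the thread or from Cisco.  Encodes:
  * outside->inside: destination un-translation runs BEFORE routing
  * inside->outside: (policy) routing runs first, then source translation
  * inside->inside and outside->outside: no translation
  * a packet routed to a Loopback re-enters as if received on that loopback
Addresses are placeholders for the thread's X.X.X.2 / [InternetGuy] / LAN.
Only the client->server direction is modelled; replies are not.
"""
from dataclasses import dataclass, replace
import ipaddress

LAN = ipaddress.ip_network("172.16.2.0/24")  # assumed LAN behind FastEthernet0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet is currently considered received on


class Router:
    def __init__(self):
        self.role = {}       # iface -> "inside" | "outside" | None
        self.connected = {}  # iface -> connected network
        self.static = {}     # ip nat inside source static: local -> global
        self.pbr = {}        # iface -> [(match fn, set interface)]
        self.dyn = None      # (match fn, single inside-global address)
        self.table = {}      # dynamic translations: local -> global
        self.trace = []      # (in iface, out iface, src, dst) per pass

    def interface(self, name, network, role=None):
        self.connected[name] = ipaddress.ip_network(network)
        self.role[name] = role

    def nat_inside_source_static(self, local, glob):
        self.static[local] = glob

    def nat_inside_source_list(self, match, glob):
        self.dyn = (match, glob)

    def ip_policy(self, iface, match, set_interface):
        self.pbr.setdefault(iface, []).append((match, set_interface))

    def _route(self, pkt):
        # policy routing on the receiving interface wins over the routing table
        for match, out in self.pbr.get(pkt.iface, []):
            if match(pkt):
                return out
        for name, net in self.connected.items():
            if ipaddress.ip_address(pkt.dst) in net:
                return name
        return "default"

    def forward(self, pkt, max_passes=5):
        for _ in range(max_passes):
            in_role = self.role.get(pkt.iface)
            if in_role == "outside":
                # outside->inside NAT runs before routing: map global -> local
                g2l = {g: l for l, g in {**self.static, **self.table}.items()}
                if pkt.dst in g2l:
                    pkt = replace(pkt, dst=g2l[pkt.dst])
            out = self._route(pkt)
            if in_role == "inside" and self.role.get(out) == "outside":
                # inside->outside NAT runs after routing: translate the source
                if pkt.src in self.static:
                    pkt = replace(pkt, src=self.static[pkt.src])
                elif self.dyn and self.dyn[0](pkt):
                    self.table[pkt.src] = self.dyn[1]
                    pkt = replace(pkt, src=self.dyn[1])
            self.trace.append((pkt.iface, out, pkt.src, pkt.dst))
            if out.startswith("Loopback"):
                pkt = replace(pkt, iface=out)  # looped back: another pass
                continue
            return replace(pkt, iface=out)
        raise RuntimeError("packet still bouncing between loopbacks")


def _base_router():
    """The 1720 sandbox from the thread: e0 outside, f0 inside, Lo0 inside."""
    r = Router()
    r.interface("Ethernet0", "203.0.113.0/29", "outside")
    r.interface("FastEthernet0", "172.16.2.0/24", "inside")
    r.interface("Loopback0", "10.255.0.0/30", "inside")
    r.nat_inside_source_static("172.16.2.200", "203.0.113.2")
    # any non-LAN source becomes one LAN address (the thread's 172.16.2.12)
    r.nat_inside_source_list(lambda p: ipaddress.ip_address(p.src) not in LAN,
                             "172.16.2.12")
    r.ip_policy("Ethernet0", lambda p: p.dst == "172.16.2.200", "Loopback0")
    return r


def first_attempt():
    """One inside loopback: reproduces the thread's debug, source unchanged."""
    r = _base_router()
    return r.forward(Packet("198.51.100.7", "203.0.113.2", "Ethernet0")), r.trace


def two_loopbacks():
    """Add an 'outside' Loopback1 so the packet crosses inside->outside once."""
    r = _base_router()
    r.interface("Loopback1", "10.255.0.4/30", "outside")
    r.ip_policy("Loopback0", lambda p: p.dst == "172.16.2.200", "Loopback1")
    return r.forward(Packet("198.51.100.7", "203.0.113.2", "Ethernet0")), r.trace


if __name__ == "__main__":
    for fn in (first_attempt, two_loopbacks):
        pkt, trace = fn()
        print(fn.__name__, "->", pkt.src, pkt.dst, "via", pkt.iface, trace)
```

Two caveats the model leaves out. First, the reply from the server to 172.16.2.12 sits in the server's own subnet, so the server will ARP for it on the LAN rather than send it to its gateway; the router has to own or answer for that address for the reverse translation to ever be applied, which is part of why a real deployment needs more than the forward-path config shown here. Second, the whole point of the setup is that the server sees every request as coming from 172.16.2.12, so its own logs no longer carry the real client address; keep the router's translation records (show ip nat translations, or NAT logging) if you need to attribute a request to an Internet source later.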