IP NAT/PAT

Discussion in 'Cisco' started by Tomehb, Apr 7, 2009.

  1. Tomehb

    Tomehb Guest

    Hi Guys,

    Just a quick question. I want to set up NAT/PAT translation; details
    are below...

    SERVER           <<  NAT ROUTER                        <<  WAN
    192.168.0.0/24   <<  192.168.0.0/24 | 172.17.0.0/16    <<  WAN


    I want a WAN user to be able to http to an IP address such as
    172.17.0.5:80 and then this to be translated to 192.168.0.5:80.

    I tried
    ip nat inside source static tcp 192.168.0.5 80 172.17.0.5 80 extendable

    however when attempting to telnet to the 172.17.0.5 80 address no
    connection is open.
    The 172.17.0.5 does not exist on any interface; I just thought that the
    router would just redirect it to 192.168.0.5 once it has received a
    message for this network?


    Pro  Inside global      Inside local        Outside local  Outside global
    tcp  192.168.3.131:80   192.168.50.135:80   ---            ---


    How would I go about doing this?
    Tomehb, Apr 7, 2009
    #1

  2. Tomehb

    bod43 Guest


    This sh NAT is inconsistent with the
    ip nat statement. I will ignore the sh nat.


    If memory serves me correctly you need a route for the
    incoming packet for the pre-natted address.

    ip route 172.17.0.5 255.255.255.255 192.168.0.x

    Make x anything you like except the router itself. It
    is never used to send traffic out of the router.

    I think of it like this -
    The router needs to know which interface the packet is
    going to exit from in order to notice the NAT inside/outside
    pair of interfaces. Without this the router has no idea what to
    do with the packet.
    bod43, Apr 7, 2009
    #2
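A complete form of the configuration discussed above, showing the interface roles a static translation depends on and what the show command should report for the posted statement. This is an added example, not from any poster in the thread; the interface names and the router's own addresses (192.168.0.1, 172.17.0.1) are assumptions.

```cisco
! Added example. Interface names and the router's own addresses
! (192.168.0.1, 172.17.0.1) are assumptions; the static entry is the
! one posted in the thread.
interface FastEthernet0/0
 description LAN, server 192.168.0.5
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description WAN
 ip address 172.17.0.1 255.255.0.0
 ip nat outside
!
! Publish only TCP/80 of the server on the inside global address.
ip nat inside source static tcp 192.168.0.5 80 172.17.0.5 80 extendable
!
! Route suggested in the reply above, kept as posted (x was not specified):
! ip route 172.17.0.5 255.255.255.255 192.168.0.x
!
! Checks from exec mode:
!   show ip nat statistics      -> lists the inside and outside interfaces
!   show ip nat translations    -> the static entry should read
!       Pro Inside global      Inside local       Outside local  Outside global
!       tcp 172.17.0.5:80      192.168.0.5:80     ---            ---
!   debug ip nat                -> shows whether arriving packets are translated
! The server's default gateway must point at 192.168.0.1 so that its
! replies return through the router and are translated back.
```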

  3. Tomehb

    Rick F Guest


    This sounds like something I've been looking for in order
    to allow me to access a domain name that maps back
    to a server behind my natted router..
    Currently if I do this, I get a message akin to 'no route to host'
    if I recall.. Of course it works fine outside my network..

    Anyway, sounds interesting..
    Rick F, Apr 7, 2009
    #3
  4. Tomehb

    bod43 Guest


    This is just ordinary static NAT.

    I take it to mean that you wish to access your internal
    server from the inside using its external DNS name.

    My reading of the Cisco documents suggests that
    the Cisco NAT Application Layer Gateway
    for DNS will fix this up. I (and others it seems) have
    been unable to get it to work.

    That is - the router should notice DNS replies from the outside
    that contain the statically NATted address and
    will correctly fix up the address in the DNS reply.
    This does not seem to work but I have never raised
    a TAC case against it so I don't know the official
    Cisco position.

    The fix for this is to have an internal DNS server
    that returns the internal address or for a small network
    perhaps to use host file entry(ies) for the
    required host(s). In a Windows "Domain"
    or somewhere you have login scripts you can
    of course fix up all the host files centrally.

    I have not thought it all through but there is a
    possible NAT solution I suppose using policy
    based routing to a loopback for the "internal" server traffic
    that is 'incorrectly' heading for an external address.
    The loopback would be the NAT outside for this traffic
    and the traffic could come back inside after
    being NATted.

    It would be quite complex. You would need to do
    destination NAT to get the traffic to go the right way,
    source NAT so that the return traffic could be
    persuaded back to the router for more mumbo
    jumbo on the return.

    This is a real kludge but it might work for NATtable
    protocols. I like to think that I have had the sense never
    to have tried it :)

    Look up "NAT on a stick" on the Cisco web site
    for an example of NAT using PBR and a loopback.
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
    bod43, Apr 8, 2009
    #4
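One way to build the internal DNS answer described above on the router itself, so that LAN clients resolve the public name to the server's inside address. This is an added example, not from any poster; www.example.com, the upstream resolver 203.0.113.53, the pool and ACL names, the interface name and the reuse of the thread's 192.168.0.0/24 addressing are all assumptions.

```cisco
! Added example. Names and addresses below are constructed placeholders.
! Forward everything the router cannot answer to the upstream resolver.
ip name-server 203.0.113.53
! Answer DNS queries from the local host table first.
ip dns server
ip host www.example.com 192.168.0.5
!
! Hand the router out as the resolver for LAN clients.
ip dhcp pool LAN
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 192.168.0.1
!
! The DNS server answers queries arriving on any interface, so keep
! WAN hosts from using the router as a resolver. Merge the two deny
! entries into whatever ACL already filters the outside interface;
! the final permit only stands in for that existing policy.
ip access-list extended WAN-IN
 deny   udp any any eq domain
 deny   tcp any any eq domain
 permit ip any any
!
interface FastEthernet0/1
 ip access-group WAN-IN in
```

Outside clients keep resolving the name through public DNS to the translated address, so only inside clients see 192.168.0.5.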
  5. Tomehb

    Rick F Guest


    Thanks! You are spot-on.. Your answer is also what I had heard
    but not tried.. I've been thinking about setting up a local DNS
    server so perhaps I'll go down that route.. Thx!
    Rick F, Apr 8, 2009
    #5