Is this even possible? (Excluding Subnet from Global NAT)

Discussion in 'Cisco' started by Dylan, Oct 12, 2005.

  1. Dylan

    Dylan Guest

    Hi there,

    I'm using a static NAT (overload) to map a subnet of private addresses
    to a single routable IP.

    However, from the "outside" (from the PIX) I would like to be able to
    ping/connect to the individual private addresses. The static routes are
    there, but when I ping them, the ping is returned from the routable
    IP, not the private one, so it fails.

    eg ->

    ------------------------
    203.203.203.1
    Cisco PIX
    203.203.204.1
    -----------------------
    |
    |
    |
    -----------------------
    203.203.204.2
    192.168.0.1 (secondary addr for wireless net)

    Cisco 2610
    ----------------------

    Pinging 192.168.0.1 (2610) from 203.203.204.1 (PIX) ->

    ping intf2 192.168.205.1
    624: ICMP echo request (len 32 id 9233 seq 0) 203.203.204.1 > 192.168.0.1
    625: ICMP echo reply (len 32 id 9233 seq 0) 203.203.204.2 > 203.203.204.1 <--- coming back from global NAT, not 192.168.0.1
    192.168.205.1 NO response received -- 1000ms

    The PIX is straightforward routing, eg

    route intf2 192.168.0.0 255.255.255.0 203.203.204.2 1


    The 2610 NAT is like so ->


    interface FastEthernet0/0
    ip address 192.168.0.1 255.255.255.0 secondary
    ip address 203.203.204.2 255.255.255.0
    ip nat inside
    ip policy route-map set-default
    duplex auto
    speed auto
    no cdp enable
    hold-queue 256 in

    ip nat pool no-overload 203.203.204.2 203.203.204.2 prefix-length 24
    ip nat inside source list 7 pool no-overload
    no ip http server
    ip classless
    ip route 0.0.0.0 0.0.0.0 <ip address of public gateway>
    ip route 192.168.0.0 255.255.255.0 203.203.204.1

    access-list 7 permit 192.168.0.0 0.0.0.255
    dialer-list 1 protocol ip permit
    no cdp run
    route-map set-default permit 10
    match ip address 7
    set ip next-hop 203.203.204.1

    So is there a way to exclude the NAT for my PIX subnet? (I have even
    tried setting up 192.168.0.3 on a PIX interface with static routes to
    and from the 2610, but no luck there either.)

    I need to be able to ping/monitor hosts in the 192.168.0.0 subnet but
    also allow them all internet access with the NAT overload.

    Apologies for the lack of detail. I'm no expert, but I fully appreciate
    any advice on better ways to achieve this aim. The PIX and 2610 are
    about 40 km apart, so I am trying to find a way to monitor the
    192.168.0.0 hosts from the PIX end (my office) rather than installing
    servers on the remote end.

    Cheers,

    Dylan.
     
    Dylan, Oct 12, 2005
    #1
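One way to keep traffic between the wireless subnet and the PIX-side subnet untranslated while everything else from those hosts is still overloaded onto the single public address, written as an added IOS example rather than configuration from the post: on IOS a `deny` entry in the access list referenced by `ip nat inside source list` means "do not translate this flow", not "drop it", so the PIX-facing flows keep their 192.168.0.x source address. The addresses are the ones from the thread; the names `NAT-INSIDE` and `PUBLIC`, the `overload` keyword, and the existence of a separate `ip nat outside` interface (not shown in the post) are assumptions.

```cisco
! Added example, not the original poster's configuration. Replaces the
! standard access-list 7 / pool "no-overload" pair for NAT selection with an
! extended ACL so that the destination can be matched. Names are assumed.
!
ip access-list extended NAT-INSIDE
 remark Wireless subnet -> PIX link subnet: NOT translated (deny = exempt)
 deny   ip 192.168.0.0 0.0.0.255 203.203.204.0 0.0.0.255
 remark Everything else from the wireless subnet: translated (overloaded)
 permit ip 192.168.0.0 0.0.0.255 any
!
ip nat pool PUBLIC 203.203.204.2 203.203.204.2 prefix-length 24
ip nat inside source list NAT-INSIDE pool PUBLIC overload
!
! The route-map in the post keeps its own "match ip address 7", so the
! standard list 7 can stay for policy routing; only the NAT statement
! changes.
!
! The PIX side keeps the route from the post:
!   route intf2 192.168.0.0 255.255.255.0 203.203.204.2 1
!
! Checks from the 2610: a ping from the PIX to a 192.168.0.x host should
! create no translation entry for that flow, while Internet-bound flows from
! the same hosts still show up translated to 203.203.204.2.
!   show ip nat translations
!   show ip nat statistics
```

Two caveats: the ACL is evaluated top-down, so the `deny` must sit above the `permit`; and the NAT list is not a security filter (a `deny` here only bypasses translation), so whatever restricts who can reach the private hosts still has to be enforced on the PIX. Translation also only happens for packets crossing from an `ip nat inside` to an `ip nat outside` interface, so the outside interface (the Internet-facing one, absent from the post) must be marked as such.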

  2. Dylan

    B Squared Guest

    Dylan wrote:
    > Hi there,
    >
    > I'm using a static NAT (overload) to map a subnet of private addresses
    > to a single routable IP.
    >
    > However, from the "outside" (from the PIX) I would like to be able to
    > ping/connect to the individual private addresses. The static routes are
    > there, but when I ping them, the ping is returned from the routable IP,
    > not the private one, so it fails.
    >
    > eg ->
    >
    > ------------------------
    > 203.203.203.1
    > Cisco PIX
    > 203.203.204.1
    > -----------------------
    > |
    > |
    > |
    > -----------------------
    > 203.203.204.2
    > 192.168.0.1 (secondary addr for wireless net)
    >
    > Cisco 2610
    > ----------------------
    >
    > ping intf2 192.168.205.1
    > 624: ICMP echo request (len 32 id 9233 seq 0) 203.203.204.1 > 192.168.0.1
    > 625: ICMP echo reply (len 32 id 9233 seq 0) 203.203.204.2 > 203.203.204.1 <--- coming back from global NAT, not 192.168.0.1
    > 192.168.205.1 NO response received -- 1000ms
    >


    From what I understand, this is the expected behavior. That is, the
    ping will fail. This is one of the shortcomings of NAT, that it prevents
    simple kinds of network diagnostic tools like ping from working.

    B Squared
    \-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/-\-/
    If C++ is your hammer, everything looks like your thumb.
     
    B Squared, Oct 12, 2005
    #2

  3. Dylan

    Guest

    That is more or less how NAT works.
    However, you could possibly use static NATs for certain
    addresses/protocols.
    A NAT does not need to cover ALL uses of a particular address.

    Say you wanted to monitor 3 hosts using telnet (port 23) connections.

    192.168.0.1
    192.168.0.2
    192.168.0.3

    Outside address 1.1.1.1

    choose 3 random ports 10123, 10223, 10323


    You could then NAT as follows

    1.1.1.1 10123 --> 192.168.0.1 23
    1.1.1.1 10223 --> 192.168.0.2 23
    1.1.1.1 10323 --> 192.168.0.3 23

    I have not considered all possible implications/pitfalls; however, I think
    that this could be configured on a router and maybe
    on a PIX. (I have less PIX experience.)

    Let us know if it works!!
     
    , Oct 12, 2005
    #3
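The per-host port mapping suggested above, written out as IOS static PAT entries; this is an added example, not configuration from the reply (its author posted none). Each line pins one TCP port on the single outside address 1.1.1.1 to port 23 on one private host, using the addresses and ports the reply proposes. The outside interface name, the ACL name `MGMT-IN` and the placeholder `<monitoring-host>` are assumptions.

```cisco
! Added example, not configuration from the thread. Addresses and ports are
! the ones the reply suggests; interface and ACL names are assumed.
!
! One static PAT (port forward) per monitored host: outside 1.1.1.1:<port>
! maps to the host's telnet port. "extendable" lets several static entries
! share one global address (IOS adds it itself when required).
ip nat inside source static tcp 192.168.0.1 23 1.1.1.1 10123 extendable
ip nat inside source static tcp 192.168.0.2 23 1.1.1.1 10223 extendable
ip nat inside source static tcp 192.168.0.3 23 1.1.1.1 10323 extendable
!
! A forwarded port is reachable from anywhere the outside address is, so
! restrict the three ports to the monitoring station at the office end.
ip access-list extended MGMT-IN
 permit tcp host <monitoring-host> host 1.1.1.1 eq 10123
 permit tcp host <monitoring-host> host 1.1.1.1 eq 10223
 permit tcp host <monitoring-host> host 1.1.1.1 eq 10323
 deny   tcp any host 1.1.1.1 eq 10123
 deny   tcp any host 1.1.1.1 eq 10223
 deny   tcp any host 1.1.1.1 eq 10323
 remark replace the line below with the existing inbound policy
 permit ip any any
!
interface FastEthernet0/1
 description outside (assumed to be the ip nat outside interface)
 ip nat outside
 ip access-group MGMT-IN in
!
! Check: the three entries are listed as static translations
!   show ip nat translations
```

This covers TCP (and, with the `udp` keyword, UDP) services only; ICMP has no port to key on, so it does not make ping to the private addresses work, which matches the earlier reply. Telnet carries credentials in cleartext across the 40 km link; where the hosts support it, mapping port 22 and monitoring over SSH is the safer choice. The "random" high ports only avoid clashes between entries; the inbound ACL is what actually limits who can use them.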
