NAT translation question for experts

Discussion in 'Cisco' started by Rob, Feb 3, 2008.

  1. Rob

    Rob Guest

    I've got years of experience using NAT on Cisco IOS routers, but I
    have a need to do something out of the norm. Is it possible to use
    NAT in this manner?

    I have a network in my company that already uses 10.100.x.x/16. I've
    built an Extranet to a company which has the same network. I would
    like to hit their hosts (usually we start the traffic - telnet and
    SSH) by having our PCs telnet to a 10.150.x.x range and have it
    correlate/NAT directly to their 10.100.x.x range. In other words, I
    want the destination IP address changed in the packets so that 10.150
    to me looks like 10.100 to them.

    Is this possible?
    Bob
    Rob, Feb 3, 2008
    #1

  2. Rob

    Brian V Guest

    "Rob" <> wrote in message
    news:...
    > I've got years of experience using NAT on Cisco IOS routers, but I
    > have a need to do something out of the norm. Is it possible to use
    > NAT in this manner?
    >
    > I have a network in my company that already uses 10.100.x.x/16. I've
    > built an Extranet to a company which has the same network. I would
    > like to hit their hosts (usually we start the traffic - telnet and
    > SSH) by having our PC's telnet to a 10.150.x.x range and have it
    > correlate/NAT directly to their 10.100.x.x range. In other words, I
    > want the destination IP address changed in the packets so that 10.150
    > to me looks like 10.100 to them.
    >
    > Is this possible?
    > Bob


    Absolutely, just change the mask. You're used to one-to-one NATs with a /32
    mask. Change the mask to a /16 and you'll get what you're after. 10.150.3.3
    will be 10.100.3.3.
    Brian V, Feb 3, 2008
    #2

  3. Rob

    Rob Guest

    On Sat, 2 Feb 2008 21:16:40 -0500, "Brian V" <>
    wrote:

    >
    >"Rob" <> wrote in message
    >news:...
    >> I've got years of experience using NAT on Cisco IOS routers, but I
    >> have a need to do something out of the norm. Is it possible to use
    >> NAT in this manner?
    >>
    >> I have a network in my company that already uses 10.100.x.x/16. I've
    >> built an Extranet to a company which has the same network. I would
    >> like to hit their hosts (usually we start the traffic - telnet and
    >> SSH) by having our PC's telnet to a 10.150.x.x range and have it
    >> correlate/NAT directly to their 10.100.x.x range. In other words, I
    >> want the destination IP address changed in the packets so that 10.150
    >> to me looks like 10.100 to them.
    >>
    >> Is this possible?
    >> Bob

    >
    >Absolutely, just change the mask. Your use to one to one nat's with a /32
    >mask. Change the mask to a /16 and you'll get what your after. 10.150.3.3
    >will be 10.100.3.3


    I'm not sure you understand. I don't want to change my source IP
    range (which is 172.26.x.x in this instance for this particular
    segment). I want to change the destination range.
    Rob, Feb 3, 2008
    #3
  4. Rob

    Rob Guest

    On Sat, 02 Feb 2008 21:58:29 -0500, Rob <> wrote:

    >On Sat, 2 Feb 2008 21:16:40 -0500, "Brian V" <>
    >wrote:
    >
    >>
    >>"Rob" <> wrote in message
    >>news:...
    >>> I've got years of experience using NAT on Cisco IOS routers, but I
    >>> have a need to do something out of the norm. Is it possible to use
    >>> NAT in this manner?
    >>>
    >>> I have a network in my company that already uses 10.100.x.x/16. I've
    >>> built an Extranet to a company which has the same network. I would
    >>> like to hit their hosts (usually we start the traffic - telnet and
    >>> SSH) by having our PC's telnet to a 10.150.x.x range and have it
    >>> correlate/NAT directly to their 10.100.x.x range. In other words, I
    >>> want the destination IP address changed in the packets so that 10.150
    >>> to me looks like 10.100 to them.
    >>>
    >>> Is this possible?
    >>> Bob

    >>
    >>Absolutely, just change the mask. Your use to one to one nat's with a /32
    >>mask. Change the mask to a /16 and you'll get what your after. 10.150.3.3
    >>will be 10.100.3.3

    >
    >I'm not sure you understand. I don't want to change my source IP
    >range (which is 172.26.x.x in this instance for this particular
    >segment). I want to change the destination range.




    Here is what I need:

    My LAN segment is 172.26.12.0 /24

    I have a 10.100.0.0 /16 elsewhere in my network (across a WAN, and
    it's in my OSPF routing table so it is "off limits")

    I have a T1 to a company which we need to access - they also have
    10.100.0.0 /16 addresses. We cannot access them directly because I
    would route the wrong way.

    This other company does *not* have a problem with our internal
    172.26.12.0 range. We can come from that. However, I cannot have my
    PCs look for their 10.100.x.x range because it'll route the wrong
    way. I would rather put in an alias network range and let my PCs try
    to hit 10.150.x.x, with that translating to 10.100.x.x once it gets
    past my router on their T1 (where I would prefer to do the NAT).

    I've looked at ip nat inside, outside, destination, etc. variants but
    am not sure which one, if any, will accomplish what I need. I don't
    want to NAT my own source IPs, I want to NAT their destination IPs.

    -Bob
    Rob, Feb 3, 2008
    #4
  5. Rob

    Thrill5 Guest

    If you have "years of experience using NAT on Cisco IOS routers", why do you
    need to even ask this question? The problem you describe is exactly how NAT
    works.

    "Rob" <> wrote in message
    news:...
    > I've got years of experience using NAT on Cisco IOS routers, but I
    > have a need to do something out of the norm. Is it possible to use
    > NAT in this manner?
    >
    > I have a network in my company that already uses 10.100.x.x/16. I've
    > built an Extranet to a company which has the same network. I would
    > like to hit their hosts (usually we start the traffic - telnet and
    > SSH) by having our PC's telnet to a 10.150.x.x range and have it
    > correlate/NAT directly to their 10.100.x.x range. In other words, I
    > want the destination IP address changed in the packets so that 10.150
    > to me looks like 10.100 to them.
    >
    > Is this possible?
    > Bob
    Thrill5, Feb 3, 2008
    #5
  6. In article <>,
    Rob <> wrote:

    > I've got years of experience using NAT on Cisco IOS routers, but I
    > have a need to do something out of the norm. Is it possible to use
    > NAT in this manner?
    >
    > I have a network in my company that already uses 10.100.x.x/16. I've
    > built an Extranet to a company which has the same network. I would
    > like to hit their hosts (usually we start the traffic - telnet and
    > SSH) by having our PC's telnet to a 10.150.x.x range and have it
    > correlate/NAT directly to their 10.100.x.x range. In other words, I
    > want the destination IP address changed in the packets so that 10.150
    > to me looks like 10.100 to them.
    >
    > Is this possible?
    > Bob


    What you need to do is have the other company configure a static
    translation from 10.150/16 to 10.100/16. Then on your router you route
    10.150/16 through the Extranet to their router.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
    Barry Margolin, Feb 3, 2008
    #6
  7. Rob

    Brian V Guest

    "Barry Margolin" <> wrote in message
    news:...
    > In article <>,
    > Rob <> wrote:
    >
    >> I've got years of experience using NAT on Cisco IOS routers, but I
    >> have a need to do something out of the norm. Is it possible to use
    >> NAT in this manner?
    >>
    >> I have a network in my company that already uses 10.100.x.x/16. I've
    >> built an Extranet to a company which has the same network. I would
    >> like to hit their hosts (usually we start the traffic - telnet and
    >> SSH) by having our PC's telnet to a 10.150.x.x range and have it
    >> correlate/NAT directly to their 10.100.x.x range. In other words, I
    >> want the destination IP address changed in the packets so that 10.150
    >> to me looks like 10.100 to them.
    >>
    >> Is this possible?
    >> Bob

    >
    > What you need to do is have the other company configure a static
    > translation from 10.150/16 to 10.100/16. Then on your router you route
    > 10.150/16 through the Extranet to their router.
    >
    > --


    That's one way of doing it. I prefer to keep everything controlled in the local
    customer's environment rather than relying on another company's IT
    department.

    To the OP. There is absolutely no difference to your years of NAT experience
    with the exception that it's reversed, since you're trying to manipulate a
    destination network.

    Ethernet (your local lan)
    ip nat outside
    serial (customer with 10.100net)
    ip nat inside

    ip nat inside source static network 10.100.0.0 10.150.0.0 /16

    Place a core route for 10.150/16 pointing to your T1 router and you're done.
    The other side obviously needs a route to your 172 network.
    Brian V, Feb 3, 2008
    #7
  8. Rob

    Rob Guest

    On Sun, 3 Feb 2008 01:25:54 -0500, "Brian V" <>
    wrote:
    >
    >To the OP. There is absolutely no difference to your years of NAT experience
    >with the exception of it's reversed since your trying to manipulate a
    >destination network.
    >
    >Ethernet (your local lan)
    >ip nat outside
    >serial (customer with 10.100net)
    >ip nat inside
    >
    >ip nat inside source static network 10.100.0.0 10.150.0.0 /16
    >
    >Place a core route for 10.150/16 pointing to your T1 router and your done.
    >The other side obviously needs a route to your 172 network.


    That's what I missed - reversing the ip nat inside and outside
    statements on the interfaces. That just reinforces my need of a
    separate router. I'll give that a shot. Thanks.

    -Bob
    Rob, Feb 3, 2008
    #8
  9. Rob

    Brian V Guest

    "Rob" <> wrote in message
    news:...
    > On Sun, 3 Feb 2008 01:25:54 -0500, "Brian V" <>
    > wrote:
    >>
    >>To the OP. There is absolutely no difference to your years of NAT
    >>experience
    >>with the exception of it's reversed since your trying to manipulate a
    >>destination network.
    >>
    >>Ethernet (your local lan)
    >>ip nat outside
    >>serial (customer with 10.100net)
    >>ip nat inside
    >>
    >>ip nat inside source static network 10.100.0.0 10.150.0.0 /16
    >>
    >>Place a core route for 10.150/16 pointing to your T1 router and your done.
    >>The other side obviously needs a route to your 172 network.

    >
    > That's what I missed - reversing the ip nat inside and outside
    > statements on the interfaces. That just reinforces my need of a
    > separate router. I'll give that a shot. Thanks.
    >
    > -Bob


    The only reason you would need a separate router is if the 2 different
    10.100 nets are off of it. If that's the case, rather than buying new hardware
    you could have the end company (as Barry suggested) do the NAT.
    Brian V, Feb 3, 2008
    #9
  10. In article <>,
    "Brian V" <> wrote:

    > "Rob" <> wrote in message
    > news:...
    > > On Sun, 3 Feb 2008 01:25:54 -0500, "Brian V" <>
    > > wrote:
    > >>
    > >>To the OP. There is absolutely no difference to your years of NAT
    > >>experience
    > >>with the exception of it's reversed since your trying to manipulate a
    > >>destination network.
    > >>
    > >>Ethernet (your local lan)
    > >>ip nat outside
    > >>serial (customer with 10.100net)
    > >>ip nat inside
    > >>
    > >>ip nat inside source static network 10.100.0.0 10.150.0.0 /16
    > >>
    > >>Place a core route for 10.150/16 pointing to your T1 router and your done.
    > >>The other side obviously needs a route to your 172 network.

    > >
    > > That's what I missed - reversing the ip nat inside and outside
    > > statements on the interfaces. That just reinforces my need of a
    > > separate router. I'll give that a shot. Thanks.
    > >
    > > -Bob

    >
    > The only reason you would need a seperate router is if the 2 different
    > 10.100net's are off of it. If thats the case rather than buying new hardware
    > you could have the end company (as Barry suggested) do the NAT.


    Doesn't he have the problem that his LAN would be considered "inside"
    with respect to the Internet, but "outside" when NATting to the other
    company? You can't have both "ip nat inside" and "ip nat outside" on
    the same interface, can you?

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
    Barry Margolin, Feb 4, 2008
    #10
  11. Rob

    Brian V Guest

    "Barry Margolin" <> wrote in message
    news:...
    > In article <>,
    > "Brian V" <> wrote:
    >
    >> "Rob" <> wrote in message
    >> news:...
    >> > On Sun, 3 Feb 2008 01:25:54 -0500, "Brian V" <>
    >> > wrote:
    >> >>
    >> >>To the OP. There is absolutely no difference to your years of NAT
    >> >>experience
    >> >>with the exception of it's reversed since your trying to manipulate a
    >> >>destination network.
    >> >>
    >> >>Ethernet (your local lan)
    >> >>ip nat outside
    >> >>serial (customer with 10.100net)
    >> >>ip nat inside
    >> >>
    >> >>ip nat inside source static network 10.100.0.0 10.150.0.0 /16
    >> >>
    >> >>Place a core route for 10.150/16 pointing to your T1 router and your
    >> >>done.
    >> >>The other side obviously needs a route to your 172 network.
    >> >
    >> > That's what I missed - reversing the ip nat inside and outside
    >> > statements on the interfaces. That just reinforces my need of a
    >> > separate router. I'll give that a shot. Thanks.
    >> >
    >> > -Bob

    >>
    >> The only reason you would need a seperate router is if the 2 different
    >> 10.100net's are off of it. If thats the case rather than buying new
    >> hardware
    >> you could have the end company (as Barry suggested) do the NAT.

    >
    > Doesn't have have the problem that his LAN would be considered "inside"
    > with respect to the Internet, but "outside" when NATting to the other
    > company? You can't have both "ip nat inside" and "ip nat outside" on
    > the same interface, can you?
    >
    > --


    If he has a customer/partner/vendor/whatever p2p T1 coming in to his
    internet router then there are more problems than just NAT! You are correct
    that if it were his internet router that it would be an issue since the
    inside interface can't be both nat inside and nat outside.
    Brian V, Feb 4, 2008
    #11
  12. Rob

    Guest

    On 4 Feb, 12:46, "Brian V" <> wrote:
    > "Barry Margolin" <> wrote in message
    >
    > news:...
    >
    >
    >
    >
    >
    > > In article <>,
    > > "Brian V" <> wrote:

    >
    > >> "Rob" <> wrote in message
    > >>news:...
    > >> > On Sun, 3 Feb 2008 01:25:54 -0500, "Brian V" <>
    > >> > wrote:

    >
    > >> >>To the OP. There is absolutely no difference to your years of NAT
    > >> >>experience
    > >> >>with the exception of it's reversed since your trying to manipulate a
    > >> >>destination network.

    >
    > >> >>Ethernet (your local lan)
    > >> >>ip nat outside
    > >> >>serial (customer with 10.100net)
    > >> >>ip nat inside

    >
    > >> >>ip nat inside source static network 10.100.0.0 10.150.0.0 /16

    >
    > >> >>Place a core route for 10.150/16 pointing to your T1 router and your
    > >> >>done.
    > >> >>The other side obviously needs a route to your 172 network.

    >
    > >> > That's what I missed - reversing the ip nat inside and outside
    > >> > statements on the interfaces.  That just reinforces my need of a
    > >> > separate router.  I'll give that a shot.  Thanks.

    >
    > >> > -Bob

    >
    > >> The only reason you would need a seperate router is if the 2 different
    > >> 10.100net's are off of it. If thats the case rather than buying new
    > >> hardware
    > >> you could have the end company (as Barry suggested) do the NAT.

    >
    > > Doesn't have have the problem that his LAN would be considered "inside"
    > > with respect to the Internet, but "outside" when NATting to the other
    > > company?  You can't have both "ip nat inside" and "ip nat outside" on
    > > the same interface, can you?
    > >

    > If he has a customer/partner/vendor/whatever p2p T1 coming in to his
    > internet router then there is more problems than just NAT! You are correct
    > that if it were his internet router that it would be an issue since the
    > inside interface can't be both nat inside and nat outside.



    Looks like this may be what you are looking for:-

    Use the normal
    ip nat inside
    ip nat outside
    on the interfaces

    http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatxip.html

    ip nat outside source static network 10.100.0.0 10.150.0.0 /16

    I may try for a play later today.

    I would imagine that there is an equivalent
    ip nat inside dest
    form of the above
    , Feb 4, 2008
    #12
  13. Rob

    Bob Guest

    On Mon, 4 Feb 2008 07:46:37 -0500, "Brian V" <>
    wrote:

    >
    >"Barry Margolin" <> wrote in message
    >news:...
    >> In article <>,
    >> "Brian V" <> wrote:
    >>
    >>> "Rob" <> wrote in message
    >>> news:...
    >>> > On Sun, 3 Feb 2008 01:25:54 -0500, "Brian V" <>
    >>> > wrote:
    >>> >>
    >>> >>To the OP. There is absolutely no difference to your years of NAT
    >>> >>experience
    >>> >>with the exception of it's reversed since your trying to manipulate a
    >>> >>destination network.
    >>> >>
    >>> >>Ethernet (your local lan)
    >>> >>ip nat outside
    >>> >>serial (customer with 10.100net)
    >>> >>ip nat inside
    >>> >>
    >>> >>ip nat inside source static network 10.100.0.0 10.150.0.0 /16
    >>> >>
    >>> >>Place a core route for 10.150/16 pointing to your T1 router and your
    >>> >>done.
    >>> >>The other side obviously needs a route to your 172 network.
    >>> >
    >>> > That's what I missed - reversing the ip nat inside and outside
    >>> > statements on the interfaces. That just reinforces my need of a
    >>> > separate router. I'll give that a shot. Thanks.
    >>> >
    >>> > -Bob
    >>>
    >>> The only reason you would need a seperate router is if the 2 different
    >>> 10.100net's are off of it. If thats the case rather than buying new
    >>> hardware
    >>> you could have the end company (as Barry suggested) do the NAT.

    >>
    >> Doesn't have have the problem that his LAN would be considered "inside"
    >> with respect to the Internet, but "outside" when NATting to the other
    >> company? You can't have both "ip nat inside" and "ip nat outside" on
    >> the same interface, can you?
    >>
    >> --

    >
    >If he has a customer/partner/vendor/whatever p2p T1 coming in to his
    >internet router then there is more problems than just NAT! You are correct
    >that if it were his internet router that it would be an issue since the
    >inside interface can't be both nat inside and nat outside.



    Since I am using NAT, and backwards as you might say, I don't have a
    problem using a separate 2811 for this customer. We don't usually
    have IP conflicts like this. Switching the ip nat inside/outside
    statements would mess up my current vendor router.

    -bob
    Bob, Feb 4, 2008
    #13
  14. In article <>,
    "Brian V" <> wrote:

    > If he has a customer/partner/vendor/whatever p2p T1 coming in to his
    > internet router then there is more problems than just NAT! You are correct
    > that if it were his internet router that it would be an issue since the
    > inside interface can't be both nat inside and nat outside.


    Why would it be a big problem to have the partner T1 come into the same
    router that handles their Internet connection? With proper ACLs or NAT
    configurations you should be able to prevent them from using your router
    as a way to get to the Internet.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
    Barry Margolin, Feb 5, 2008
    #14
  15. Rob

    Guest

    On 5 Feb, 03:16, Barry Margolin <> wrote:
    > In article <>,
    >  "Brian V" <> wrote:
    >
    > > If he has a customer/partner/vendor/whatever p2p T1 coming in to his
    > > internet router then there is more problems than just NAT! You are correct
    > > that if it were his internet router that it would be an issue since the
    > > inside interface can't be both nat inside and nat outside.

    >
    > Why would it be a big problem to have the partner T1 come into the same
    > router that handles their Internet connection?  With proper ACLs or NAT
    > configurations you should be able to prevent them from using your router
    > as a way to get to the Internet.


    As mentioned I was interested in this and had a look:-

    The guess that I made above seems to be the right thing.

    Use the normal
    ip nat inside
    ip nat outside
    on the interfaces

    ip nat outside source static network 10.100.0.0 10.150.0.0 /16

    10.100.0.0 on inside side
    10.150.0.0 on outside side


    I have verified that the translations get created irrespective of
    the direction of the initial traffic - expected for static NATs.

    Good to go.

    R2#sh ip nat tr
    Pro  Inside global    Inside local     Outside local    Outside global
    ---  ---              ---              10.150.1.1       10.100.1.1
    ---  ---              ---              10.150.1.2       10.100.1.2
    ---  ---              ---              10.150.0.0       10.100.0.0
    icmp 172.26.12.1:4    172.26.12.1:4    10.150.1.1:4     10.100.1.1:4
    icmp 172.26.12.1:10   172.26.12.1:10   10.150.1.2:10    10.100.1.2:10
    R2#


    Dynamips to the fore:)

    A warning is that I have not read ANY documentation that describes
    "ip nat outside source static network"

    I ASSUME that it will create correct

    10.100.a.b <--> 10.150.c.d mapping always.

    where a == c and b == d

    You may need to exclude the 10.100.0.0 --> 10.150.0.0
    traffic from any Internet NATs that you have configured.

    Good luck.
    , Feb 5, 2008
    #15
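
Added example (not part of the thread): a pre-deployment check for the static network NAT discussed above. It models the host-bit-preserving 10.150.a.b <-> 10.100.a.b mapping that post #15 assumes, checks that the alias range does not collide with prefixes already routed locally, and audits `sh ip nat tr` rows against the expected mapping. The function names are hypothetical; the addresses come from the posts.

```python
import ipaddress

# Prefixes already routed on the asker's side, taken from post #4.
ROUTED = ["10.100.0.0/16", "172.26.12.0/24"]

# Rows re-joined from the `sh ip nat tr` output in post #15 (wrapped lines merged).
TABLE = """\
Pro Inside global Inside local Outside local Outside global
--- --- --- 10.150.1.1 10.100.1.1
--- --- --- 10.150.1.2 10.100.1.2
--- --- --- 10.150.0.0 10.100.0.0
icmp 172.26.12.1:4 172.26.12.1:4 10.150.1.1:4 10.100.1.1:4
icmp 172.26.12.1:10 172.26.12.1:10 10.150.1.2:10 10.100.1.2:10
"""


def make_translator(real_net, alias_net):
    """Return (to_real, to_alias) functions for a prefix-to-prefix static NAT."""
    real = ipaddress.ip_network(real_net)
    alias = ipaddress.ip_network(alias_net)
    # A network-wide static mapping is only one-to-one if both sides are the same size.
    if real.prefixlen != alias.prefixlen:
        raise ValueError("real and alias prefixes must have the same length")
    if real.overlaps(alias):
        raise ValueError("alias prefix overlaps the real prefix")

    def swap(addr, src, dst):
        ip = ipaddress.ip_address(addr)
        if ip not in src:
            return None  # not covered by the static mapping, left untranslated
        host_bits = int(ip) & int(src.hostmask)
        return str(ipaddress.ip_address(int(dst.network_address) | host_bits))

    return (lambda a: swap(a, alias, real)), (lambda a: swap(a, real, alias))


def alias_conflicts(alias_net, routed):
    """List locally routed prefixes that the proposed alias range would shadow."""
    alias = ipaddress.ip_network(alias_net)
    return [str(ipaddress.ip_network(p)) for p in routed
            if alias.overlaps(ipaddress.ip_network(p))]


def audit_table(text, to_real):
    """Return translation rows whose outside local/global pair breaks the mapping."""
    bad = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue  # header, prompt or blank line
        # Columns: Pro, Inside global, Inside local, Outside local, Outside global
        outside_local, outside_global = (f.split(":")[0] for f in fields[3:5])
        if to_real(outside_local) != outside_global:
            bad.append(line)
    return bad


if __name__ == "__main__":
    to_real, to_alias = make_translator("10.100.0.0/16", "10.150.0.0/16")
    print("10.150.3.3 ->", to_real("10.150.3.3"))
    print("alias conflicts:", alias_conflicts("10.150.0.0/16", ROUTED))
    print("inconsistent rows:", audit_table(TABLE, to_real))
```
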
  16. Rob

    Bob Guest

    I tried this today too and it works fine. I just never used 'ip nat
    OUTSIDE' before. As you say, good to go.

    -Bob


    On Tue, 5 Feb 2008 11:28:20 -0800 (PST), wrote:

    >
    >As mentioned I was interested in this and had a look:-
    >
    >The guess that I made above seems to be the right thing.
    >
    >Use the normal
    > ip nat inside
    > ip nat outside
    >on the interfaces
    >
    >ip nat outside source static network 10.100.0.0 10.150.0.0/16
    >
    >10.100.0.0 on inside side
    >10.150.0.0 on outside side
    >
    >
    >I have verified that the translations get created irrespective of
    >the direction of the initial traffic - expected for static NATs.
    >
    >Good to go.
    >
    >R2#sh ip nat tr
    >Pro  Inside global    Inside local     Outside local    Outside global
    >---  ---              ---              10.150.1.1       10.100.1.1
    >---  ---              ---              10.150.1.2       10.100.1.2
    >---  ---              ---              10.150.0.0       10.100.0.0
    >icmp 172.26.12.1:4    172.26.12.1:4    10.150.1.1:4     10.100.1.1:4
    >icmp 172.26.12.1:10   172.26.12.1:10   10.150.1.2:10    10.100.1.2:10
    >R2#
    >
    >
    >Dynamips to the fore:)
    >
    >A warning is that I have not read ANY documentation that describes
    >"ip nat outside source static network"
    >
    >I ASSUME that it will create correct
    >
    >10.100.a.b <--> 10.150.c.d mapping always.
    >
    >where a == c and b == d
    >
    >You may need to exclude the 10.100.0.0 --> 10.150.0.0
    >traffic from any Internet NATs that you have configured.
    >
    >Good luck.
    Bob, Feb 5, 2008
    #16