Source and destination NAT

Discussion in 'Cisco' started by 1388-2/HB, Jun 26, 2007.

  1. 1388-2/HB

    1388-2/HB Guest

    I have a 2621 router with FE0 attached to the Internet and FE1 attached to
    the LAN.

    FE0 X.X.X.1/29 (part of public IP block, 'outside' NAT interface)
    FE1 a.a.a.1/24 (private, 'inside' NAT interface)

    I have two goals here, both of which I can do, I just want a better way to
    do them.

    The first goal is to simply "port forward" public IP X.X.X.2 to LAN IP
    a.a.a.2, which is simple enough with destination NAT:

    [source <?>][dest X.X.X.2] DestNAT-> [source <?>][dest a.a.a.2]

    The second goal is where I started making stuff up. Because in addition to
    being destination NATed to "b.b.b.6", public IP X.X.X.3 must also be source
    NATed to appear to have originated on the b.b.b.0 subnet. So for lack of a
    better idea, I did this:

    First I destination NAT it to the appropriate LAN address:

    [source <?>][dest X.X.X.3] DestNAT-> [source <?>][dest b.b.b.6]

    My hack solution is to then route it to a second 2621 router:

    ip route b.b.b.0/24 -> a.a.a.5

    And the second 2621 looks like this:

    2621 #2
    FE0 a.a.a.5/24 (inside)
    FE1 b.b.b.1/24 (outside)

    And using a traditional internet connection sharing routine, I nat the

    [source <?>][dest b.b.b.6] SourceNAT -> [source b.b.b.1][dest b.b.b.6]
    ip route -> a.a.a.1

    So, from the perspective of the server at b.b.b.6, all the requests it's
    getting appear to be coming from LAN source b.b.b.1 (rather than WAN source
    <?>). Which accomplishes "the goal".

    This works, but my question is, is it possible to do this with 1 router?
    Could I put, say, an NM-4E module into a single 2621 and route packets to
    "myself" so that I can destination NAT them as well as source NAT them?

    I have to reproduce this at another location with the same goals, but at the
    other location there's only one 2621 router to play with.
    1388-2/HB, Jun 26, 2007

  2. Google for "nat on a stick". You don't need another module, you use a
    loopback interface for this.
    Barry Margolin, Jun 26, 2007

  3. 1388-2/HB

    1388-2/HB Guest

    Thanks for the hint.

    I've got it "almost" working, I think, in my 1720 sandbox, but I'm not
    seeing what I'm missing... the 1720 has 2 interfaces and a loopback, like

    WIC-1ENET (e0) outside NAT (faces WAN)
    FastEther (f0) inside NAT (faces LAN)
    Loopback (l0) inside

    A packet shows up on e0 from the InternetGuy for my Public IP X.X.X.2

    00:05:31: NAT: o: tcp ([InternetGuy], 3157) -> (X.X.X.2, 80) [18160]

    An ip nat inside dest rule is in place to turn X.X.X.2 into,
    which happens:

    00:05:31: NAT: s=[InternetGuy], d=X.X.X.2-> [18160]

    Now before the device at receives this packet I need to make
    the source change from [InternetGuy] to I have a policy route
    (on e0) to loopback when this is the case, which happens:

    00:05:31: IP: s=[InternetGuy] (Ethernet0), d=, len 48, policy
    00:05:31: IP: route map DoubleNAT, item 10, permit
    00:05:31: IP: s=[InternetGuy] (Ethernet0), d= (Loopback0), len
    48, policy routed
    00:05:31: IP: Ethernet0 to Loopback0

    An ip nat inside source rule is in place to turn [InternetGuy] into,
    which does not happen. Now the packet is apparently routed to, because
    the next debug line appears to be my device (web server) responding:

    00:05:31: NAT: i: tcp (, 80) -> ([InternetGuy], 3157) [51052]
    00:05:31: NAT: s=>X.X.X.2, d=([InternetGuy] [51052]

    Without the second NAT occurring, my loopback is pointless overhead so far.

    This is what I thought might happen (what I want to happen):

    00:05:31: NAT: o: tcp ([InternetGuy], 3157) -> (X.X.X.2, 80) [18160]
    00:05:31: NAT: s=[InternetGuy], d=X.X.X.2-> [18160]
    00:05:31: IP: s=[InternetGuy] (Ethernet0), d=, len 48, policy
    00:05:31: IP: route map DoubleNAT, item 10, permit
    00:05:31: IP: s=[InternetGuy] (Ethernet0), d= (Loopback0), len
    48, policy routed
    00:05:31: IP: Ethernet0 to Loopback0
    00:05:31: NAT: i: tcp ([InternetGuy], 3157) -> (, 80)
    00:05:31: NAT: s=[InternetGuy]->, d=

    The last 2 lines never happen, even though there is an inside source NAT
    rule in place that fits the criteria of what gets sent to loopback.
    1388-2/HB, Jun 28, 2007
  4. brink

    brink Guest

    brink, Jun 29, 2007
  5. usenet

    usenet Guest

    I had to implement nat on a stick, with multiple Loopback interfaces &
    policy routes, etc. similar to the examples in document 6505. I had to fill
    some gaps in my NAT knowledge to really get it, but I got it working
    eventually. Thanks for the help guys.
    usenet, Jul 4, 2007
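The behaviour seen in the 1720 debug output above, and the multi-loopback arrangement mentioned in the last reply, can be reproduced with a small model of the IOS NAT rule that a packet is translated only when it crosses from an inside interface to an outside one (source rewritten after routing) or from outside to inside (destination rewritten before routing), and never between two interfaces on the same side. This is an added illustration written in Python, not IOS configuration and not the setup of anyone in the thread; the interface names, the outside host address 203.0.113.9, the b.b.b.1 pool address and the two-loopback layout in `two_loopback_layout` are constructed assumptions (the latter is one arrangement consistent with "multiple Loopback interfaces & policy routes", not the exact configuration from Cisco document 6505). It models the forward direction only; a real NAT-on-a-stick configuration also needs the return path (routes for the translated addresses pointing back through the loopback), which the model leaves out.

```python
from dataclasses import dataclass, field, replace

INSIDE, OUTSIDE = "inside", "outside"

# Addresses from the thread (X.X.X.3 -> b.b.b.6 is the double-NAT goal);
# the outside host and the pool address are constructed for this example.
PUBLIC, SERVER, POOL_ADDR = "X.X.X.3", "b.b.b.6", "b.b.b.1"
INTERNET_GUY = "203.0.113.9"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Router:
    """Interfaces, NAT rules and routes of one router (toy model, not IOS)."""
    side: dict            # interface -> INSIDE or OUTSIDE (ip nat inside / ip nat outside)
    static_inside: dict   # inside local -> inside global (ip nat inside source static)
    inside_source: list   # [(match(src), inside global)] (ip nat inside source list ...)
    routes: list          # [(match(dst), egress interface)], first match wins
    pbr: dict             # ingress interface -> (match(pkt), forced egress) (ip policy route-map)
    trace: list = field(default_factory=list)

    def forward(self, pkt, ingress, hops=0):
        """Return (packet as it finally leaves the router, egress interface)."""
        if hops > 4:
            raise RuntimeError("packet is looping between interfaces")
        side_in = self.side[ingress]

        # outside -> inside: the destination is rewritten before the routing lookup
        if side_in == OUTSIDE:
            global_to_local = {g: l for l, g in self.static_inside.items()}
            if pkt.dst in global_to_local:
                self.trace.append(f"{ingress}: dst {pkt.dst} -> {global_to_local[pkt.dst]}")
                pkt = replace(pkt, dst=global_to_local[pkt.dst])

        # a matching route-map on the ingress interface overrides the routing table
        egress = None
        if ingress in self.pbr:
            match, forced = self.pbr[ingress]
            if match(pkt):
                egress = forced
                self.trace.append(f"{ingress}: policy routed to {egress}")
        if egress is None:
            egress = next(iface for match, iface in self.routes if match(pkt.dst))
        side_out = self.side[egress]

        # inside -> outside: the source is rewritten after routing.
        # inside -> inside or outside -> outside: NAT is not consulted at all.
        if side_in == INSIDE and side_out == OUTSIDE:
            for match, global_addr in self.inside_source:
                if match(pkt.src):
                    self.trace.append(f"{ingress}->{egress}: src {pkt.src} -> {global_addr}")
                    pkt = replace(pkt, src=global_addr)
                    break
        elif side_in == side_out:
            self.trace.append(f"{ingress}->{egress}: no NAT ({side_in}->{side_out})")

        # a loopback has no wire behind it: the packet re-enters on that interface
        if egress.startswith("Loopback"):
            return self.forward(pkt, egress, hops + 1)
        return pkt, egress


def build_router(loopback_sides, pbr):
    return Router(
        side={"Ethernet0": OUTSIDE, "FastEthernet0": INSIDE, **loopback_sides},
        static_inside={SERVER: PUBLIC},
        inside_source=[(lambda src: not src.startswith("b.b.b."), POOL_ADDR)],
        routes=[(lambda dst: dst.startswith("b.b.b."), "FastEthernet0"),
                (lambda dst: True, "Ethernet0")],
        pbr=pbr,
    )


def thread_layout():
    """The poster's layout: Loopback0 marked inside, reached by a policy route on Ethernet0."""
    r = build_router({"Loopback0": INSIDE},
                     {"Ethernet0": (lambda p: p.dst == SERVER, "Loopback0")})
    pkt, egress = r.forward(Packet(INTERNET_GUY, PUBLIC, 3157, 80), "Ethernet0")
    return pkt, egress, r.trace


def two_loopback_layout():
    """Assumed arrangement: Loopback0 (inside) policy routes on to Loopback1 (outside)."""
    r = build_router({"Loopback0": INSIDE, "Loopback1": OUTSIDE},
                     {"Ethernet0": (lambda p: p.dst == SERVER, "Loopback0"),
                      "Loopback0": (lambda p: p.dst == SERVER, "Loopback1")})
    pkt, egress = r.forward(Packet(INTERNET_GUY, PUBLIC, 3157, 80), "Ethernet0")
    return pkt, egress, r.trace


if __name__ == "__main__":
    for name, run in (("thread layout", thread_layout), ("two loopbacks", two_loopback_layout)):
        pkt, egress, trace = run()
        print(name, "->", egress, pkt)
        for line in trace:
            print("   ", line)
```

In `thread_layout` the second pass goes Loopback0 (inside) to FastEthernet0 (inside), so the trace records "no NAT" and the server still sees the outside source, which is exactly the gap between the expected and actual debug lines quoted above. In `two_loopback_layout` the second loopback sits on the outside, so the Loopback0-to-Loopback1 hop is an inside-to-outside crossing and the source is rewritten to the pool address before the packet is finally routed out FastEthernet0.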