
How to NAT broadcast packets?? 2

Status
Not open for further replies.

Myrion (Technical User), Feb 26, 2010
I'm experiencing a bit of an issue here. I am using static NAT to convert 172.20.0.0/24 into 172.21.0.0/24 on a Cisco 2811 router through FE0/0. On FE0/1, I have 192.168.0.0/24 subnetwork attached.

Here's what the objective is: A host on 172.20.0.0/24 (say, 172.20.0.5) is sending broadcast packets via UDP port 6000. The mainframe is on FE0/1 with an IP address of 192.168.0.35/24. This mainframe needs to receive the broadcast packets from the 172.20.0.5 host, but NAT needs to occur *first* on 172.20.0.5 so that it looks like the source address of the broadcast packet is really coming from 172.21.0.5/24. This is because the mainframe already has another interface on another 172.20.0.0/24 subnet (i.e., we're dealing with overlapping subnets here).

So far, I'm able to forward the broadcast packets to the 192.168.0.0/24 subnet by using ip forward-protocol udp 6000 (globally) and ip directed-broadcast (on the FE interfaces). I've also added an ip helper-address 192.168.0.255 statement to the FE0/0 interface.

Again, I can get the UDP:6000 packets to forward, but the source address is showing up as the original 172.20.0.5 instead of the NAT'ed address of 172.21.0.5.

Any suggestions would be very helpful. Even if I have to deploy additional hardware to make it work, that's OK too. I just can't use the original subnet, I have to NAT it somehow.
 
Hello
It would be a lot easier on us if you post a scrubbed conf. Also post the NAT translation.
You said that "the source address is showing up as the original 172.20.0.5 instead...". But where's this info coming from? Are you seeing this info with the command "show ip nat translation" or from the mainframe side?

Regards
 
Thanks so much for such a quick response.

Yes, when I said the source address was showing up as the original, pre-NAT address, this was from "show ip nat translation". It also was showing up at layer-7 within my application, as it received the un-NAT'ed broadcast packets.

As requested, here's my config:

Code:
Current configuration : 3745 bytes
!
! Last configuration change at 08:23:37 PST Tue Feb 23 2010
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 XXXXXXXXXXXXXXXXXX/
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name domain.com
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1010101010
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1010101010
 revocation-check none
 rsakeypair TP-self-signed-1010101010
!
!
crypto pki certificate chain TP-self-signed-1010101010
 certificate self-signed 01
<...certificate...>

  quit
license udi pid CISCO2901/K9 sn XXXXXXXXX
!
!
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXX
!
!
!
!
!
!
interface GigabitEthernet0/0
 description Interface-1
 ip address 172.20.0.1 255.255.255.0
 ip helper-address 192.168.0.255
 ip directed-broadcast
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Interface-2
 ip address 192.168.0.1 255.255.255.0
 ip helper-address 172.20.0.255
 ip directed-broadcast
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip forward-protocol udp 6000
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static network 172.20.0.0 172.21.0.0 /24
ip route 0.0.0.0 0.0.0.0 192.168.0.254
ip route 172.20.0.0 255.255.255.0 GigabitEthernet0/0
ip route 172.21.0.0 255.255.255.0 GigabitEthernet0/0
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication local_auth
line aux 0
line vty 0 4
 privilege level 15
 login authentication local_auth
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login authentication local_auth
 transport input telnet ssh
line vty 16 1114
 login authentication local_auth
!
scheduler allocate 20000 1000
end

Thanks again! Anxious to hear what you guys think! :)
 
Oops. I forgot to show the debug output for "show ip nat translation"

here ya go:

Code:
*Feb 27 17:48:59.346: UDP: rcvd src=172.20.0.5(1037), dst=172.20.0.255(6000), length=80
*Feb 27 17:48:59.346: UDP: forwarding packet 255.255.255.255(1037) to 192.168.0.255(6000)
*Feb 27 17:48:59.346: UDP: forwarded broadcast 6000 from 172.20.0.5 to 255.255.255.255 on GigabitEthernet0/1

Again, as you can see, my NAT statements aren't taking place on these packets. The 172.20.0.0/24 subnet should be NAT'ed to 172.21.0.0/24 before exiting GE0/1.

Desperate for help :)

 
I wonder if you can set a loopback address (to 172.21.0.0/24, or /32, whatever), change the static route to cover both subnets (ip route 172.20.0.0 255.254.0.0 ge0/0), and NAT to the loopback interface...

I could lab it Monday...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Hello
I just labbed your setup and everything is working as it should; the simulated mainframe is receiving the UDP broadcast with the NATted source. Maybe you're missing out on something, or your network is designed differently from what you state. In my testing, I made the ip helper-address command point to the host and not the subnet. I didn't put the "helper" under interface no. 2; also, I have noticed that the "ip directed-broadcast" command didn't make a difference. Below is the output from the test:

Wireshark output on the mainframe with Netbios port 137
3 16.949796 172.21.0.5 28.244.81.221 NBNS Registration NB FTO-AMD2600<00>
6 19.199820 172.21.0.5 28.244.81.221 NBNS Registration NB WORKGROUP<00>

The router receiving the UDP broadcast and sending them to the HOST with the NATted address

*Mar 1 02:55:40.630: UDP: rcvd src=172.20.0.5(137), dst=172.20.0.255(137), length=76
*Mar 1 02:55:40.630: UDP: forwarding packet 255.255.255.255(137) to 28.244.81.221(137)
*Mar 1 02:55:40.634: UDP: forwarding packet 255.255.255.255(137) to 28.244.81.221(137)
*Mar 1 02:55:40.634: UDP: forwarded broadcast 137 from 172.21.0.5 to 28.244.81.221 on Ethernet0/1

Please try the test as I did, and also post a "show ip nat translation", so I can see if the router is NATting the 172.20.0.0 subnet.

Regards
 
Minue,

You, my friend, are an absolute life-saver!! Your suggestions completely resolved my issue.

As it turns out, for some strange reason, if you use "ip helper-address <subnet broadcast address>", it will not use NAT. However, using your suggestion, I used the mainframe address, instead of the mainframe's subnet broadcast address, and it worked great.

Again, thank you so much for your time and assistance. It truly is appreciated! :)
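As an added illustration (not code from the thread or from any of the posters), here is a small Python checker that encodes the two things this thread established: a helper address that equals the broadcast address of a subnet connected to the router, and a "forwarded broadcast" debug line whose source is still in the inside subnet, meaning the static network NAT did not apply before the packet left. The interface stanzas and debug lines are constructed from the posts above; the stanza parser is a simplification that only understands `interface`, `ip address` and `ip helper-address` lines.

```python
import ipaddress
import re

# Constructed samples from the thread: the original poster's stanzas (helpers set
# to subnet broadcast addresses) and Minue's variant (helper set to the mainframe).
BROADCAST_HELPER_CFG = """\
interface GigabitEthernet0/0
 ip address 172.20.0.1 255.255.255.0
 ip helper-address 192.168.0.255
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip helper-address 172.20.0.255
"""
HOST_HELPER_CFG = """\
interface GigabitEthernet0/0
 ip address 172.20.0.1 255.255.255.0
 ip helper-address 192.168.0.35
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
"""
OP_DEBUG = ["*Feb 27 17:48:59.346: UDP: forwarded broadcast 6000 from 172.20.0.5 to 255.255.255.255 on GigabitEthernet0/1"]
LAB_DEBUG = ["*Mar 1 02:55:40.634: UDP: forwarded broadcast 137 from 172.21.0.5 to 28.244.81.221 on Ethernet0/1"]
# Inside network of the static network NAT in the config (172.20.0.0/24 -> 172.21.0.0/24).
INSIDE = ipaddress.ip_network("172.20.0.0/24")
FWD_RE = re.compile(r"UDP: forwarded broadcast \d+ from (\S+) to \S+ on \S+")

def parse_interfaces(config):
    """Map interface name -> [connected network or None, list of helper addresses]."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            ifaces[words[1]] = cur = [None, []]
        elif cur and words[:2] == ["ip", "address"]:
            cur[0] = ipaddress.IPv4Interface(f"{words[2]}/{words[3]}").network
        elif cur and words[:2] == ["ip", "helper-address"]:
            cur[1].append(ipaddress.IPv4Address(words[2]))
    return ifaces

def broadcast_helpers(config):
    """(interface, helper) pairs where the helper is the broadcast address of a connected subnet."""
    ifaces = parse_interfaces(config)
    bcasts = {net.broadcast_address for net, _ in ifaces.values() if net}
    return [(name, str(h)) for name, (_, helpers) in ifaces.items() for h in helpers if h in bcasts]

def untranslated_forwards(debug_lines):
    """Sources of 'forwarded broadcast' lines that left the router still in the inside subnet."""
    matches = (FWD_RE.search(line) for line in debug_lines)
    return [m.group(1) for m in matches if m and ipaddress.IPv4Address(m.group(1)) in INSIDE]
```

Run `broadcast_helpers` over a scrubbed config to spot helpers that point at a subnet broadcast rather than a host, and `untranslated_forwards` over `debug ip udp` output to confirm the source has actually been translated.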
 
Star the man!

 