
NAT between two private IP networks with some namespace conflicts


jmkelly (IS-IT--Management, US), May 14, 2002
I'm trying to link two networks that grew separately. One is addressed 10.[1-9].x.x, the other 10.[0,1,4].x.x. There's overlap in two networks (10.1.0.0 and 10.4.0.0).

I haven't done much with NATting, and here it seems like it has to be quasi-symmetrical: e.g., if a host on NetA's 10.1.0.0 is trying to get to NetB's 10.1.x.y, we have DNS tell it to address packets to 10.17.x.y, route those to NetB's router, and have it NAT them: 10.17.x.y => 10.1.x.y. Conversely, on the way back, we have our host on NetB 10.1.0.0 address its replies to 10.17.x.y, route them to NetA's router, and have that router NAT them similarly and hand them off to NetA's 10.1.0.0.

My question is, do I need two routers to do this? Cisco seems to see this in terms of "inside" and "outside", and in this case I've got an "inside" on both ends and an "outside" in the middle.

TIA!
 
Yes, you do... and each network, I believe, must have a perimeter edge that you could use?


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
So, overlap in two discontiguous networks then? Draw me a better pic; not wrapping my head around things too well today...

Nothing /28, /29 or whatever your schema is would resolve in the NAT ACL permits, and deny the entire subnet in the last statement; or even a route map would resolve, is it?

10 ? "TIMMAY!!!"
20 goto 10
run
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!
 
My boss said, "Don't worry about it, we're going to renumber them anyway." Which is nice, because it was starting to look nasty. For the curious, here's how it was going to look, approximately (addresses have been mangled to protect the innocent):

[tt]
NetA (inside)      NAT (outside)    NetB (inside)
[no such network]  [none]           172.16.0.0/16
172.16.1.0/24      172.16.17.0      172.16.1.0/16
172.16.3.0/16      [none]           [no such network]
172.16.4.0/24      172.16.20.0      172.16.4.0/16
172.16.5.0/24      [none]           [no such network]
etc...
[/tt]

The cool thing (or maybe the horrible thing) about this setup is that which host belongs to a translated address depends on which network is looking at it. 172.16.17.123, for example, could stand for NetA.172.16.1.123 or NetB.172.16.1.123, or NetA.172.16.1.101 or NetB.172.16.1.155. There would have to be some static NATs in there too, for domain controllers, printers, etc. And maintaining it would be a PITA. So, as I said, consider it an exercise, and thanks for all your input.
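The scheme sketched in the opening post (DNS hands a host the alias address of the far-side machine, the far-side edge router rewrites alias to real, and the reply gets the mirror-image treatment) together with the alias table in this last post, simulated as an added example. This is not code from the thread or from any vendor; it assumes the overlapping networks are /24s on both sides, that each side has its own edge router, and it reuses the poster's alias prefixes (172.16.17.0 for 172.16.1.0, 172.16.20.0 for 172.16.4.0) identically on both sides. The hosts, router names and the `round_trip`/`who_is` helpers are constructed for illustration.

```python
"""Simulation of the overlapping-subnet NAT scheme sketched in this thread
(added example, not code from the thread).

Assumptions: both sides carve their overlapping networks as /24s, each side
has its own edge router, and DNS hands a host the *alias* address of a host on
the other side.  Alias prefixes follow the poster's table (172.16.17.0 for
172.16.1.0, 172.16.20.0 for 172.16.4.0) and are used identically on both sides.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


class EdgeRouter:
    """One side's edge router doing static network-to-network translation.

    egress  (inside -> transit): overlapping *source* real -> alias
    ingress (transit -> inside): aliased *destination* alias -> real
    Addresses outside the overlapping prefixes pass through untouched.
    """

    def __init__(self, name: str, overlaps: dict[str, str]) -> None:
        self.name = name
        self.peer: "EdgeRouter | None" = None
        self.real_to_alias = {IPv4Network(r): IPv4Network(a) for r, a in overlaps.items()}
        self.alias_to_real = {a: r for r, a in self.real_to_alias.items()}

    @staticmethod
    def _translate(addr: IPv4Address, table: dict[IPv4Network, IPv4Network]) -> IPv4Address:
        for net, target in table.items():
            if addr in net:
                # keep the host part, swap the network part (static network NAT)
                host_bits = int(addr) - int(net.network_address)
                return IPv4Address(int(target.network_address) + host_bits)
        return addr

    def egress(self, pkt: Packet) -> Packet:
        return Packet(self._translate(pkt.src, self.real_to_alias), pkt.dst)

    def ingress(self, pkt: Packet) -> Packet:
        return Packet(pkt.src, self._translate(pkt.dst, self.alias_to_real))

    def who_is(self, alias: str) -> str:
        """What an alias address means when it shows up in a log on *this* side:
        it names a host on the peer's network, e.g. 'NetB:172.16.1.123'."""
        assert self.peer is not None
        real = self.peer._translate(IPv4Address(alias), self.peer.alias_to_real)
        return f"{self.peer.name}:{real}"


def link(a: EdgeRouter, b: EdgeRouter) -> None:
    a.peer, b.peer = b, a


# Constructed topology: the same overlapping /24s and aliases on both sides.
OVERLAPS = {"172.16.1.0/24": "172.16.17.0/24", "172.16.4.0/24": "172.16.20.0/24"}
NET_A = EdgeRouter("NetA", OVERLAPS)
NET_B = EdgeRouter("NetB", OVERLAPS)
link(NET_A, NET_B)


def round_trip(src_real: str, dst_alias: str, sender: EdgeRouter, receiver: EdgeRouter):
    """Send one packet from `sender`'s inside to an alias on `receiver`'s side and
    carry the reply back.  Returns (packet as the receiving host sees it,
    reply as the sending host sees it)."""
    pkt = Packet(IPv4Address(src_real), IPv4Address(dst_alias))
    delivered = receiver.ingress(sender.egress(pkt))
    # the receiving host replies to the source address it saw
    reply = Packet(delivered.dst, delivered.src)
    returned = sender.ingress(receiver.egress(reply))
    return delivered, returned


if __name__ == "__main__":
    seen, back = round_trip("172.16.1.10", "172.16.17.5", NET_A, NET_B)
    print("NetB host sees:", seen.src, "->", seen.dst)   # 172.16.17.10 -> 172.16.1.5
    print("NetA host gets:", back.src, "->", back.dst)   # 172.16.17.5 -> 172.16.1.10
    # the same alias names a different machine depending on who logged it
    print(NET_A.who_is("172.16.17.123"), NET_B.who_is("172.16.17.123"))
```

Two things the simulation makes concrete. First, the rule a router applies depends on which interface the packet arrived on (inside or transit), not on the addresses: a packet with source 172.16.1.x and destination 172.16.17.y looks identical whichever side sent it, which is why a single box in the middle cannot tell the directions apart by address alone and each side ends up with its own edge router. Second, `who_is` is the forensics caveat behind the "which host belongs to a translated address depends on which network is looking at it" remark: a log line that mentions an alias is only meaningful if it also records which side wrote it.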
 