Static NAT mappings

Status
Not open for further replies.

12122053

Technical User
Feb 19, 2001
210
US
We are using a 1605 router with 2 Ethernet ports: Ethernet0 (IP address 10.10.20.30 255.255.0.0) and Eth1 (192.0.2.4 255.255.255.0). On the 192 net there are 2 boxes with IP addresses 192.0.2.2 and 192.0.2.3 that I want to NAT translate to 10.10.5.2 to 10.10.5.3 on the 10 net. How is this done? How do I verify it's working? I have done NAT before numerous times, but only for the internal clients going out to the Internet. I basically want it so that if a request goes to 192.0.2.2, it is translated to 10.10.5.2. Do I need to place the ip route command for the 192.0.2.0 subnet to reach the 10.10.5.0 subnet for the translation? Please help, thanks.
 
So far this is my config:

Ethernet 0:Nat inside
Ethernet 1:Nat outside

ip nat inside source static 10.10.5.2 192.0.2.3

Before I placed the ip nat inside command I was able to ping both IP addresses from the router. Now I can ping only the 10.10.5.2. But if I remove the command I can ping both IPs. Any suggestions? Thank you.
 
Does anybody have suggestions? Thank you.
 
OK, I will take a shot at this.
First, what is it that you're really trying to do?
If you want a specific internal LAN IP to route to another IP, why don't you just set up a route (that is, unless it's not the next hop, then you cannot). Jeter@LasVegas.com
J.Fisher CCNA
 
We have these two hard-coded class C PBX boxes (192.0.2.3 and 192.0.2.4 255.255.255.0). Since we can't change the IP addresses on these machines to match our own internal IP scheme, we are trying to do NAT. My desired goal is to translate the two PBX IP addresses to (10.10.5.2 and 10.10.5.3 255.255.0.0). I'm sure this can be done.

NAT static mappings:
192.0.2.3 to 10.10.5.3
192.0.2.4 to 10.10.5.4

I'm using a 1605 router with 2 Ethernet ports: Ethernet1 going to the PBX net 192.0.2.0 255.255.255.0 and Ethernet0 going to our net 10.10.0.0 255.255.0.0. Will this cause a problem in NAT because of the different subnets? Can anybody help? Thanks.


 
!
! LAN side
interface Ethernet0
ip address 192.168.50.1 255.255.255.0
no ip directed-broadcast
! provides NAT on INSIDE interface
ip nat inside
no cdp enable
!
! WAN side - points to a DMZ
interface Ethernet1
ip address 192.168.1.2 255.255.255.0
! provides last resort filtering
ip access-group 107 in
no ip directed-broadcast
! enables NAT on the outside interface
ip nat outside
no cdp enable
!
!
! overloads the single OUTSIDE IP address to provide IPs for all inside connections
ip nat inside source list 1 interface Ethernet1 overload
!
! static map that takes ALL port 80 traffic on OUTSIDE IP address and redirects to a certain INSIDE IP
ip nat inside source static tcp 192.168.50.4 80 192.168.1.2 80 extendable
!
ip nat inside source static tcp 192.168.50.3 49 192.168.1.2 49 extendable
!
ip classless
! You must have a route for the outside.. in this case I have a default gateway that says EVERYTHING
! that the router does not know about will go to .254 which will know where to send it
ip route 0.0.0.0 0.0.0.0 192.168.1.254

soooooo

--WAN--192.168.1.2 E1 --2514-- E0 192.168.50.1--LAN

I would do the config for you but then you would not learn it ;-)

Also, drop by my site.. at the bottom on the left are two links for NAT information and troubleshooting


MikeS Find me at
"The trouble with giving up civil rights is that you never get them back"
 
The hard-coded IP addresses that are on your PBX boxes, those are public addresses. You need to have those addresses changed to a non-Internet-routed class address, i.e. 192.168.X.X, otherwise your firewall will have issues. Does this make any sense?

Your firewalls should try and route any traffic destined for 192.0.X.X network out to your ISP. Unless you change this to route to your 1605.
 
Thanks for the information wybnormal, but I have a few questions. If I place the statement inside source list 1, do I need to place an access-list to correspond with it? (How?) I don't think our default gateway knows how to reach the 192.0.2.0 network because the PBX boxes are connected to a single hub to Ethernet1 on the router. Does the default gateway need to have the statement nat outside? The 1605 is not routing our internal LAN clients, just doing NAT for this project. I'm lost, please help. Thanks so far.
 
I did not include the access list in the print out...

!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.1.1.0 0.0.0.255
!

This list just keeps allowed IPs on the router's interface.

You do not have to do global overloading.. you can just do a one-to-one NAT. And the fact that you have a "public" IP on the PBX is not of consequence.. this is precisely why you want to use NAT. Once the IP is NAT'ted, the firewall could care less since it will see the NAT IP you set up. Many companies do just this when companies merge and changing IP schemes is not an option.

The 1605 is most certainly routing.. even with NAT.. it must know about the networks on either side and how to get there from here. In other words, on the PBX side, you need to have a default gateway for the PBXs to send their packets to. This would be the 1605.. the 1605 needs to know where to send these packets.. This is a separate function from NAT. It's only when the packet is routed to the interface that anybody can get somewhere. There is a way to bridge it but this is not the place for that. Accordingly, the network on the outside of the 1605 needs to know where the default gateway is for the PBX network. So at the LAN's normal default gateway.. there would be a route statement that says any packet destined for the PBX network IP number XXX would go to XXXX (1605) as the next hop. Packet goes to default gateway.. router looks up route and then forwards the packet to the 1605.. 1605 gets it and says "I have this IP range as a local connection therefore I know where to send it"

Again.. read the papers I suggested.. Cisco has nice sample configs of NAT where you only need to static map from one interface to the other.

Here is a sample from their site:

interface ethernet 0
ip address 172.16.10.1 255.255.255.0
ip nat outside
!-- Defines Ethernet 0 with an IP address and as a NAT outside interface.

interface ethernet 1
ip address 172.16.50.1 255.255.255.0
ip nat inside
!-- Defines Ethernet 1 with an IP address and as a NAT inside interface.

interface serial 0
ip address 200.200.200.5 255.255.255.252
!-- Defines serial 0 with an IP address. This interface is not
!-- participating in NAT.

ip nat inside source static 172.16.50.8 172.16.10.8
!-- States that any packet received on the inside interface with a
!-- source address of 172.16.50.8 will be translated to 172.16.10.8.


Again.. READ!!!!! the answers are there in plain sight,

MikeS Find me at
"The trouble with giving up civil rights is that you never get them back"
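
Applying the one-to-one static mapping from the Cisco sample to the addresses in the original question, as an added example (not a configuration posted by anyone in the thread, and not Cisco's own sample). It assumes the PBX addresses from the first post (192.0.2.2 and 192.0.2.3), treats the PBX segment as the NAT inside, and assumes 10.10.5.2 and 10.10.5.3 are unused on the LAN.

```cisco
! Added example: static one-to-one NAT so LAN hosts reach the PBXs at 10.10.5.x.
! Assumptions: PBXs are 192.0.2.2 and 192.0.2.3 (first post); 10.10.5.2 and
! 10.10.5.3 are not assigned to any real host on the 10.10.0.0/16 LAN.
!
interface Ethernet0
 description LAN 10.10.0.0/16 (NAT outside in this layout)
 ip address 10.10.20.30 255.255.0.0
 ip nat outside
!
interface Ethernet1
 description PBX segment 192.0.2.0/24 (NAT inside in this layout)
 ip address 192.0.2.4 255.255.255.0
 ip nat inside
!
! inside local (real PBX address) -> inside global (address the LAN sees)
ip nat inside source static 192.0.2.2 10.10.5.2
ip nat inside source static 192.0.2.3 10.10.5.3
!
! Routing notes:
! - The inside global addresses fall inside Ethernet0's connected subnet, so
!   the router answers ARP for them and LAN hosts need no extra route.
! - Each PBX needs 192.0.2.4 as its default gateway so replies come back
!   through the router and get translated.
! - Hosts that address the PBXs by 192.0.2.x instead still need a route to
!   192.0.2.0/24 via 10.10.20.30 on the LAN's default gateway.
!
! Verification from privileged EXEC mode:
!   show ip nat translations   (both static entries listed)
!   show ip nat statistics     (hit counter rises as traffic is translated)
!   debug ip nat               (per-packet translations; turn off with "undebug all")
```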
 
Again, thanks wybnormal for your advice. My internal LAN default gateway is a 3Com router, so I would need to place a route statement on the 3Com stating any packet destined for the PBX network IP number 192.0.2.0 would go to (1605) as the next hop? I did use the sample configuration provided by Cisco about NAT translation but it didn't work. I do suspect a routing problem though. I'll try what you said. I'm starting to understand more, thanks.
 