Post subject: Static NAT (conditional NAT for 2 different destinations)
Posted: Wed Jul 17, 2013 3:17 pm
Hi,

I would like to share this lab that I have implemented on a Cisco IOS router.

On the left, a server (172.16.0.1, GW 172.16.0.254) sits behind the R1 router.
The server must be reachable via two different IP addresses:
10.249.0.1 (C2 on the right) must use 10.20.0.1 as the destination to reach 172.16.0.1
10.18.0.1 (C3 on the right) must use 10.30.0.1 as the destination to reach 172.16.0.1

Attachment: Dst_NAT.png


I've used a GRE tunnel between R1<=>R2, but it's not essential (it was to test a real topology).


On R1

Code:
interface Tunnel1
 ip address 192.168.21.1 255.255.255.252
 ip virtual-reassembly
 tunnel source 192.168.12.1
 tunnel destination 192.168.12.2
!
interface FastEthernet0/0
 ip address 172.16.0.254 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 10.18.0.0 255.255.255.0 192.168.21.2
ip route 10.249.0.0 255.255.255.0 192.168.21.2


Destinations 10.18.0.0/24 and 10.249.0.0/24 are routed through the GRE tunnel.

On R2

Code:
interface Tunnel1
 ip address 192.168.21.2 255.255.255.252
 tunnel source 192.168.12.2
 tunnel destination 192.168.12.1
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip address 10.249.0.254 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/1.3
 encapsulation dot1Q 3
 ip address 10.18.0.254 255.255.255.0
 no snmp trap link-status
!
ip route 10.20.0.0 255.255.255.0 192.168.21.1
ip route 10.30.0.0 255.255.255.0 192.168.21.1


Same thing on R2: traffic to the NATted addresses (10.20.0.1 and 10.30.0.1) is routed through the tunnel.

Let's begin with the NAT on R1

Code:
interface FastEthernet0/0
 ip nat inside
!
interface Tunnel1
 ip nat outside


I create 2 extended access-lists

Code:
access-list 102 permit ip host 172.16.0.1 host 10.249.0.1
access-list 103 permit ip host 172.16.0.1 host 10.18.0.1


access-list 102 identifies communication between C1 and C2
access-list 103 identifies communication between C1 and C3

I'll use route-maps to match this traffic

Code:
route-map NAT-103 permit 10
 match ip address 103
!
route-map NAT-102 permit 10
 match ip address 102


I create my static NAT rules using my route-maps

Code:
ip nat inside source static 172.16.0.1 10.20.0.1 route-map NAT-102
ip nat inside source static 172.16.0.1 10.30.0.1 route-map NAT-103


Let's try from C2 (10.249.0.1) to C1 (10.20.0.1)

Code:
VPCS[2]> ping 10.20.0.1
10.20.0.1 icmp_seq=1 ttl=62 time=61.000 ms
10.20.0.1 icmp_seq=2 ttl=62 time=52.000 ms
10.20.0.1 icmp_seq=3 ttl=62 time=108.000 ms
10.20.0.1 icmp_seq=4 ttl=62 time=50.000 ms
10.20.0.1 icmp_seq=5 ttl=62 time=52.000 ms


On R1, let me show the debug

Code:
R1#debug ip nat
IP NAT debugging is on
R1#
*Jul 17 17:04:27.095: NAT*: s=10.249.0.1, d=10.20.0.1->172.16.0.1 [45691]
*Jul 17 17:04:27.139: NAT*: s=172.16.0.1->10.20.0.1, d=10.249.0.1 [45691]
R1#
*Jul 17 17:04:28.151: NAT*: s=10.249.0.1, d=10.20.0.1->172.16.0.1 [45692]
*Jul 17 17:04:28.191: NAT*: s=172.16.0.1->10.20.0.1, d=10.249.0.1 [45692]
R1#
*Jul 17 17:04:29.235: NAT*: s=10.249.0.1, d=10.20.0.1->172.16.0.1 [45693]
*Jul 17 17:04:29.275: NAT*: s=172.16.0.1->10.20.0.1, d=10.249.0.1 [45693]
R1#
*Jul 17 17:04:30.315: NAT*: s=10.249.0.1, d=10.20.0.1->172.16.0.1 [45694]
*Jul 17 17:04:30.355: NAT*: s=172.16.0.1->10.20.0.1, d=10.249.0.1 [45694]
R1#
*Jul 17 17:04:31.359: NAT*: s=10.249.0.1, d=10.20.0.1->172.16.0.1 [45695]
*Jul 17 17:04:31.407: NAT*: s=172.16.0.1->10.20.0.1, d=10.249.0.1 [45695]


Same test but from C3 (10.18.0.1) to C1 (10.30.0.1)

Code:
VPCS[2]> 3
VPCS[3]> ping 10.30.0.1
10.30.0.1 icmp_seq=1 ttl=62 time=79.000 ms
10.30.0.1 icmp_seq=2 ttl=62 time=51.000 ms
10.30.0.1 icmp_seq=3 ttl=62 time=58.000 ms
10.30.0.1 icmp_seq=4 ttl=62 time=41.000 ms
10.30.0.1 icmp_seq=5 ttl=62 time=48.000 ms


Code:
*Jul 17 17:06:29.691: NAT*: s=10.18.0.1, d=10.30.0.1->172.16.0.1 [45813]
*Jul 17 17:06:29.735: NAT*: s=172.16.0.1->10.30.0.1, d=10.18.0.1 [45813]
R1#
*Jul 17 17:06:30.787: NAT*: s=10.18.0.1, d=10.30.0.1->172.16.0.1 [45814]
*Jul 17 17:06:30.819: NAT*: s=172.16.0.1->10.30.0.1, d=10.18.0.1 [45814]
R1#
*Jul 17 17:06:31.831: NAT*: s=10.18.0.1, d=10.30.0.1->172.16.0.1 [45815]
*Jul 17 17:06:31.835: NAT*: s=172.16.0.1->10.30.0.1, d=10.18.0.1 [45815]
R1#
*Jul 17 17:06:32.903: NAT*: s=10.18.0.1, d=10.30.0.1->172.16.0.1 [45816]
*Jul 17 17:06:32.919: NAT*: s=172.16.0.1->10.30.0.1, d=10.18.0.1 [45816]
R1#
*Jul 17 17:06:33.943: NAT*: s=10.18.0.1, d=10.30.0.1->172.16.0.1 [45817]
*Jul 17 17:06:33.971: NAT*: s=172.16.0.1->10.30.0.1, d=10.18.0.1 [45817]


It works!

I hope that's useful for you.



_________________
Mario
Network Admin

CCNA certified.
Cisco SNAF courses studied (Securing Networks With ASA Foundation)
Cisco CCNP route courses in April 2012.
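
Added example, not part of the original post: a Python check that parses `debug ip nat` lines like those above and flags any translation in which a peer is paired with a global address other than the one the two route-map rules assign to it. The policy table is taken from the post's access-lists 102/103 and static NAT statements; the third sample line is constructed.

```python
import re

# Intended policy from the post's R1 config: peer (ACL destination) -> inside
# global address that peer should see for the server 172.16.0.1.
INSIDE_LOCAL = "172.16.0.1"
GLOBAL_FOR_PEER = {
    "10.249.0.1": "10.20.0.1",  # access-list 102 / route-map NAT-102
    "10.18.0.1": "10.30.0.1",   # access-list 103 / route-map NAT-103
}

# Matches lines such as: NAT*: s=10.249.0.1, d=10.20.0.1->172.16.0.1 [45691]
DEBUG_RE = re.compile(
    r"NAT\*?: s=([\d.]+)(?:->([\d.]+))?, d=([\d.]+)(?:->([\d.]+))? \[(\d+)\]")

def parse_debug(line):
    """Return (src, new_src, dst, new_dst, ip_id), or None if not a NAT debug line."""
    m = DEBUG_RE.search(line)
    if m is None:
        return None
    return (m.group(1), m.group(2), m.group(3), m.group(4), int(m.group(5)))

def audit(lines):
    """Return (ip_id, peer, global_seen) for translations that break the policy."""
    findings = []
    for line in lines:
        rec = parse_debug(line)
        if rec is None:
            continue
        src, new_src, dst, new_dst, ip_id = rec
        if new_dst is not None:      # outside -> inside: d=global->local
            peer, seen, local = src, dst, new_dst
        elif new_src is not None:    # inside -> outside: s=local->global
            peer, seen, local = dst, new_src, src
        else:
            continue                 # no rewrite logged on this line
        if local != INSIDE_LOCAL or GLOBAL_FOR_PEER.get(peer) != seen:
            findings.append((ip_id, peer, seen))
    return findings

SAMPLE = [
    # The first two lines are copied from the debug output in the post.
    "*Jul 17 17:04:27.095: NAT*: s=10.249.0.1, d=10.20.0.1->172.16.0.1 [45691]",
    "*Jul 17 17:06:29.735: NAT*: s=172.16.0.1->10.30.0.1, d=10.18.0.1 [45813]",
    # Constructed line: C2 paired with the global address meant for C3.
    "*Jul 17 17:07:00.000: NAT*: s=10.249.0.1, d=10.30.0.1->172.16.0.1 [50001]",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("policy mismatch:", finding)
```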


Post subject: Re: Static NAT (conditional NAT for 2 different destinatio
Posted: Fri Dec 20, 2013 2:06 am
Hi Mario

I recreated your lab; it is so good, so interesting.

I think maybe it is a solution to a few scenarios with servers behind a load balancer.

In the next days I will send messages.

Cheers!


Post subject: Re: Static NAT (conditional NAT for 2 different destinatio
Posted: Thu Jan 02, 2014 8:44 am
Dear,

I have created a lab setup to test the conditional NAT with route-map on GNS3. Please refer below for the setup details:

I took three routers to test this setup.
R1 has three connections: to R2, R3 and R1cloud.
Loopback (IP Address:20.20.10.1) configured on R2 router.
Loopback (IP Address:30.30.10.1) configured on R3 router.

NAT is configured on R1 router:

1. Created extended access-lists to match the traffic.

Extended IP access list R2-LP1
10 permit ip host 10.10.10.10 host 20.20.10.1
Extended IP access list R2-LP2
10 permit ip host 10.10.10.10 host 30.30.10.1


2. Created route-map to match the access-list.
R1#sh route-map
route-map FROM-LOOP2, permit, sequence 10
Match clauses:
ip address (access-lists): R2-LP2
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map FROM-LOOP1, permit, sequence 10
Match clauses:
ip address (access-lists): R2-LP1
Set clauses:
Policy routing matches: 0 packets, 0 bytes




3. Applied the route-maps with static NAT

ip nat inside source static 10.10.10.10 192.168.10.1 route-map FROM-LOOP1
ip nat inside source static 10.10.10.10 192.168.10.2 route-map FROM-LOOP2


When testing from R2 and R3, I am able to reach the NATted IP address through the loopback, but I am not getting any hits on the access list and route-map. I am also able to ping with the source IP address.

Please help..


Attachment: Conditional NAT Topology.png
Post subject: Re: Static NAT (conditional NAT for 2 different destinatio
Posted: Sat Apr 26, 2014 12:13 am
Hello mario62223,

Do you have any idea how I would do that with NAT NVI? I need to translate the SOURCE and the DESTINATION at the same time. Could you give me some help?

PS: I am already translating the source address via dynamic NAT.


Thanks in advance.


Renato



