Hi peeps, hopefully someone can just confirm something for me. I am currently preparing for my BCRAN exam as part of the CCNP track that I have just started (massive gap in my knowledge here which is causing me problems in getting a new job in the Security area that I want).
Anyhow, going through the Cisco Press book at the moment (loads of typos and mistakes in that thing, but never mind). I have come to something that I think is a mistake, but it seems to be repeated through the chapter in the configs, so I just wanted to confirm it really.
Here is the bit out of the book:
ip nat inside source static 10.1.1.1 192.168.2.2
ip address 10.1.1.1.10 255.255.255.0
ip nat inside
ip address 172.16.2.1 255.255.255.0
ip nat outside
I am a little confused as to how you can have the mapping to the outside IP address 192.168.2.2 when the external interface has an address in a totally different subnet? How on earth would all this route?
Any help would be appreciated so I can move on to the next chapter.
Good luck with the CCNP exams - I'm going through the same phase at the moment.
Coming to your problem, there is probably one type of setup which would explain the configuration, and here it is:
The 'trick' is that you need to realise that all services for 192.168.2.2 are terminating on another device within the LAN as indicated in the diagram. Usually, this happens for VPN connections, where in real-life examples, the 192.168.2.2 would be a 'real' ip address.
The router will forward any incoming packets for 192.168.2.2 to 10.1.1.1, which is the PIX Firewall in our example. The PIX Firewall has already been configured to respond to VPN requests and will happily provide the service(s) it should.
There are much more complex scenarios, for example, the addition of a DMZ zone on the PIX Firewall for a mail server, but we can analyse them in a future article for the site.
Hi Chris, good luck with the CCNP, seems like you'll walk it though :wink:
Anyhow, you have totally lost me now. The bit of config from the book relates to NAT occurring on the router, not with two devices as per the diagram. As far as I understand it, you specify the address ranges (or address, in this case) on the inside that you want to be address translated to the IP address on the external interface (talking about inside-to-outside static NAT).
This is what's confusing me (which you have probably already answered, but I don't quite understand). Looking at the config:
Inside IP of the router is 10.1.1.10 and the inside client is 10.1.1.1.
Outside IP of the router is 172.16.2.1, yet they want 10.1.1.1 to get translated to 192.168.2.2. Don't get it.
Router E0 interface: 10.1.1.10 255.255.255.0
Client's IP: 10.1.1.1
Outside IP: 192.168.2.2
Public IP: 172.16.2.1
As per the above config, the IPs will be NATed as follows:
Packet goes to E0, NAT applied -> public-facing IP 192.168.2.2
This process will happen only to the packets which are coming from the source 10.1.1.1.
Sorry guys, but I am really struggling with this (something so simple).
I am not understanding if you have the following:
> 10.1.1.10 (e0 *ROUTER* s0) 172.16.2.1
Where is the 192.168.2.2 coming from? Surely you need to translate to a global pool on the Serial0 interface, which would be in the 172.16.2.0/24 subnet? Arghhh, sorry everyone for being dumb on this, but something just ain't clicking here.
Any further assistance in clearing this thing up will be appreciated, otherwise I will just go barmy.
Hi friend, the scenario you present will work! The only mistake I see here is the 10.1.1.1.10 IP address (5 octets), probably a typo. But what I want to make clear is that you can NAT one IP address in one subnet to another IP address in another subnet regardless of whether that subnet is present in the configuration; it translates anyway! The link that makes this work is routing.
For it to work, the provider router connected directly to the outside interface of the NAT router must have a static route to host 192.168.2.2 255.255.255.255 pointing to next hop 172.16.2.1.
Exactly the same config for NAT MUST WORK.
To do routing, the NAT router must set up a default route:
So the packet gets translated when it leaves the outside interface of the NAT router, and the 192.168.2.2 IP address is also reachable from the outside. Note that network 192.168.2.0 is not present on the outside interface.
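As an added illustration of this last reply (my own example, not from the book or any poster above), here is a small Python walk-through of the packet and its reply. It assumes the provider router sits at 172.16.2.254 (the NAT router's default route), a constructed remote host at 203.0.113.9, and reads the book's "10.1.1.1.10" as 10.1.1.10 on E0.

```python
import ipaddress

# Addresses from the thread; the book's "10.1.1.1.10" is read as 10.1.1.10 (E0).
INSIDE_LOCAL, INSIDE_GLOBAL = "10.1.1.1", "192.168.2.2"   # ip nat inside source static
NAT_OUTSIDE_IP = "172.16.2.1"                              # S0, ip nat outside
PROVIDER_HOP = "172.16.2.254"    # assumed: provider router's address on 172.16.2.0/24
REMOTE_HOST = "203.0.113.9"      # constructed: a host on the provider's far side

NAT_TABLE = {INSIDE_LOCAL: INSIDE_GLOBAL}   # the static translation, nothing more

def lookup(routes, dst):
    """Longest-prefix match over {prefix: next_hop}; None if there is no route."""
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop)
    return best[1] if best else None

# The NAT router knows only its two connected subnets plus a default route (assumed).
NAT_ROUTER_ROUTES = {"10.1.1.0/24": "e0", "172.16.2.0/24": "s0", "0.0.0.0/0": PROVIDER_HOP}

def provider_routes(with_host_route):
    routes = {"172.16.2.0/24": "connected", "203.0.113.0/24": "connected"}
    if with_host_route:   # ip route 192.168.2.2 255.255.255.255 172.16.2.1
        routes["192.168.2.2/32"] = NAT_OUTSIDE_IP
    return routes

def round_trip(with_host_route=True):
    """Return the hop-by-hop (where, src, dst) trace of one packet and its reply."""
    trace = []
    # 1. Inside host sends; the NAT router routes via the default route and, because the
    #    packet leaves an 'ip nat outside' interface, rewrites the source. That
    #    192.168.2.0/24 is on no interface is irrelevant: the entry is just a rewrite rule.
    assert lookup(NAT_ROUTER_ROUTES, REMOTE_HOST) == PROVIDER_HOP
    global_src = NAT_TABLE.get(INSIDE_LOCAL, INSIDE_LOCAL)
    trace.append(("nat-router s0 -> provider", global_src, REMOTE_HOST))
    # 2. The reply is addressed to 192.168.2.2; the provider router must know where that is.
    hop = lookup(provider_routes(with_host_route), global_src)
    if hop is None:
        trace.append(("provider: no route, dropped", REMOTE_HOST, global_src))
        return trace
    trace.append(("provider -> " + hop, REMOTE_HOST, global_src))
    # 3. The reply enters S0, the static entry is applied in reverse, and E0 delivers it.
    local_dst = {g: l for l, g in NAT_TABLE.items()}[global_src]
    out_if = lookup(NAT_ROUTER_ROUTES, local_dst)
    trace.append(("nat-router " + out_if + " -> inside", REMOTE_HOST, local_dst))
    return trace
```

Calling round_trip(False) shows the failure mode the reply warns about: the translation still happens on the way out, but without the host route the provider drops the return traffic.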