Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: Nat question on Cisco Routers

Nat question on Cisco Routers 9 years 11 months ago #17483

  • Smurf
  • Smurf's Avatar
  • Offline
  • Moderator
  • Posts: 1390
  • Karma: 1
Hi peeps, hopefully someone can just confirm something for me. I am currently preparing for my BCRAN exam as part of the CCNP track that i have just started (massive gap in my knowledge here which is causing me problems in getting a new job in the Security area that i want).

Anyhow, going through the Cisco Press book at the moment (loads of typo's and mistakes in that thing, but never mind). I have come to something that i think is a mistake but it seems to be repeated through the chapter in the configs so just wanted to confirm it really.

Here is the bit out of the book

[code:1]
ip nat inside source static 10.1.1.1 192.168.2.2
int e0
ip address 10.1.1.1.10 255.255.255.0
ip nat inside
int s0
ip address 172.16.2.1 255.255.255.0
ip nat outside
[/code:1]

I am a little confused as to how you can have the mapping to the outside ip address on 192.168.2.2 when the external interface has an address in a totally different subnet ? How on earth would all this route ?

Any help would be appreciated so i can move on to the next chapter

Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
The administrator has disabled public write access.

Re: Nat question on Cisco Routers 9 years 11 months ago #17493

  • Chris
  • Chris's Avatar
  • Offline
  • Administrator
  • Posts: 1446
  • Thank you received: 13
  • Karma: 8
Smurf,

Good luck with the CCNP exams - I'm going through the same phase at the moment :)

Coming to your problem, there is probably one type of setup which would explain the configuration, and here it is:



The 'trick' is that you need to realise that all services for 192.168.2.2 are terminating on another device within the LAN as indicated in the diagram. Usually, this happens for VPN connections, where in real-life examples, the 192.168.2.2 would be a 'real' ip address.

The router will forward any incoming packets for 192.168.2.2 to 10.1.1.1, which is the PIX Firewall in our example. The PIX Firewall has already been configured to respond to VPN requests and will happily provide the service(s) it should.


There are much more complex scenarios, for example, a addition of a DMZ zone on the PIX Firewall, for a mail server, but we can analyse them in an future article for the site :)

Hope this helps.

Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
The administrator has disabled public write access.

Re: Nat question on Cisco Routers 9 years 11 months ago #17498

  • Smurf
  • Smurf's Avatar
  • Offline
  • Moderator
  • Posts: 1390
  • Karma: 1
Hi Chris, good luck with the CCNP, seems like you'll walk it though :wink:

Anyhow, you have totally lost me now. The bit of code from the book is relating to NAT occuring on the router, not with two devices as per the diagram. As far as i understand it, you specify the address ranges (or address in this case) on the inside that you want to be Address Translated to the ip address on the external interface (talking about Inside-to-Outside Static NAT)

This is whats confusing me (which you have already probably answered but i don't quite understand). Looking at the code,

Inside ip of the router is 10.1.1.10 and the inside client is 10.1.1.1
Outside ip of the router is 172.16.2.1 yet they want the 10.1.1.1 to get translater to 192.168.2.2. Dont get it :(

Now, according to the command syntax its

[code:1]ip nat inside source static local-ip global-ip[/code:1]

Which, according to the definations is

local-ip - the inside local ip address (i.e. the ip of the host you want to set the static translation for)
global-ip - a legitimat ip address assigned by your ISP to translate to

I really thought that the global-ip had to be on the same subnet as the external interface otherwise routing would not work and traffic would never get to it ?

Am i missing something here or just over thinking this ?

Argh...... :wink:
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
The administrator has disabled public write access.

Re: Nat question on Cisco Routers 9 years 11 months ago #17499

  • Dove
  • Dove's Avatar
  • Offline
  • Distinguished Member
  • Posts: 198
  • Thank you received: 1
  • Karma: 2
hi Smurf,
ip nat inside source static 10.1.1.1 192.168.2.2
int e0
ip address 10.1.1.1.10 255.255.255.0
ip nat inside
int s0
ip address 172.16.2.1 255.255.255.0
ip nat outside

as per the above quote, I understood that the

router E0 Interface : 10.1.1.10 255.255.255.0
Clients IP : 10.1.1.1
Outside IP : 192.168.2.2
Public IP : 172.16.2.1

as per the above config the IPs will be NAT as follows.


goes to E0 NAT applied
10.1.1.1
>10.1.1.10
>172.16.2.1
>Public face IP 192.168.2.2


This process will happen only to the packets which is coming from the sourct 10.1.1.1

Hope here no need to consider about the subnet while mapping.

Hope I cleared your doubt.

Dove
The administrator has disabled public write access.

Re: Nat question on Cisco Routers 9 years 11 months ago #17503

  • Smurf
  • Smurf's Avatar
  • Offline
  • Moderator
  • Posts: 1390
  • Karma: 1
as per the above quote, I understood that the

router E0 Interface : 10.1.1.10 255.255.255.0
Clients IP : 10.1.1.1
Outside IP : 192.168.2.2
Public IP : 172.16.2.1

as per the above config the IPs will be NAT as follows.


goes to E0 NAT applied
10.1.1.1
>10.1.1.10
>172.16.2.1
>Public face IP 192.168.2.2


This process will happen only to the packets which is coming from the sourct 10.1.1.1

Sorry guys but i am really struggling with this (something so simple).

I am not understanding if you have the following

10.1.1.1
> 10.1.1.10 (e0 *ROUTER* s0) 172.16.2.1
> Internet

Where is the 192.168.2.2 coming from ? Surely you need to translate to a global pool on the Serial0 interface which would be in the 172.16.2.0/24 subnet ? Arghhh sorry everyone for being dumb on this but something just aint clicking here.

Any further assistance in clearing this thing up will be appreciated otherwise i will just go barmy :)
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
The administrator has disabled public write access.

Re: Nat question on Cisco Routers 9 years 11 months ago #17508

  • havohej
  • havohej's Avatar
  • Offline
  • Distinguished Member
  • Posts: 152
  • Karma: 0
hi friend, the scenario you present will work! and the only mistake I see here is the 10.1.1.1.10 ip address (5 octets) maybe a typed mistake, but what I want to clear is that you can nat one ip address in one subnet to another ip address in another subnet without mattering that subnet is present in the configuration, it translates anyway! the link for this to works is routing.

for it to work, the provider router connected directly to the outside interface of the nat router must have a static route to host 192.168.2.2 255.255.255.255 pointing to next hop 172.16.2.1

Ex:

NAT-ROUTER.....................................................PROVIDER ROUTER
E0========= S0
LINK
S0=======
inside.............outside
10.1.1.10......172.16.2.1.....................................172.16.2.2


Exactly the same config for nat MUST WORK.
to do routing at the nat router must set up a default route:

nat-router(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2

at the provider router a static default router to reach host 192.168.2.2/32

provider(config)#ip route 192.168.2.2 255.255.255.255 172.16.2.1

so the packet gets translated when it leaves the outside interface of the nat router, and also the 192.168.2.2 ip address is reachable by the outside, note network 192.168.2.0 is not present in the outside interface.
The administrator has disabled public write access.
Time to create page: 0.092 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup