Nat question on Cisco Routers
19 years 1 week ago #17483
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Nat question on Cisco Routers was created by Smurf
Hi peeps, hopefully someone can just confirm something for me. I am currently preparing for my BCRAN exam as part of the CCNP track that I have just started (massive gap in my knowledge here which is causing me problems in getting a new job in the Security area that I want).
Anyhow, going through the Cisco Press book at the moment (loads of typos and mistakes in that thing, but never mind). I have come to something that I think is a mistake but it seems to be repeated through the chapter in the configs so just wanted to confirm it really.
Here is the bit out of the book
[code:1]
ip nat inside source static 10.1.1.1 192.168.2.2
int e0
ip address 10.1.1.1.10 255.255.255.0
ip nat inside
int s0
ip address 172.16.2.1 255.255.255.0
ip nat outside
[/code:1]
I am a little confused as to how you can have the mapping to the outside IP address on 192.168.2.2 when the external interface has an address in a totally different subnet? How on earth would all this route?
Any help would be appreciated so I can move on to the next chapter.
Cheers
19 years 1 week ago #17493
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: Nat question on Cisco Routers
Smurf,
Good luck with the CCNP exams - I'm going through the same phase at the moment
Coming to your problem, there is probably one type of setup which would explain the configuration, and here it is:
The 'trick' is that you need to realise that all services for 192.168.2.2 are terminating on another device within the LAN as indicated in the diagram. Usually, this happens for VPN connections, where in real-life examples, the 192.168.2.2 would be a 'real' ip address.
The router will forward any incoming packets for 192.168.2.2 to 10.1.1.1, which is the PIX Firewall in our example. The PIX Firewall has already been configured to respond to VPN requests and will happily provide the service(s) it should.
There are much more complex scenarios, for example, an addition of a DMZ zone on the PIX Firewall, for a mail server, but we can analyse them in a future article for the site.
Hope this helps.
Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
19 years 1 week ago #17498
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: Nat question on Cisco Routers
Hi Chris, good luck with the CCNP, seems like you'll walk it though
Anyhow, you have totally lost me now. The bit of code from the book is relating to NAT occurring on the router, not with two devices as per the diagram. As far as I understand it, you specify the address ranges (or address in this case) on the inside that you want to be Address Translated to the IP address on the external interface (talking about Inside-to-Outside Static NAT).
This is what's confusing me (which you have already probably answered but I don't quite understand). Looking at the code,
Inside IP of the router is 10.1.1.10 and the inside client is 10.1.1.1
Outside IP of the router is 172.16.2.1 yet they want the 10.1.1.1 to get translated to 192.168.2.2. Don't get it.
Now, according to the command syntax it's
[code:1]ip nat inside source static local-ip global-ip[/code:1]
Which, according to the definitions is
local-ip - the inside local IP address (i.e. the IP of the host you want to set the static translation for)
global-ip - a legitimate IP address assigned by your ISP to translate to
I really thought that the global-ip had to be on the same subnet as the external interface otherwise routing would not work and traffic would never get to it?
Am I missing something here or just over thinking this?
Argh......

19 years 1 week ago #17499
by Dove
Dove
Replied by Dove on topic Re: Nat question on Cisco Routers
hi Smurf,
[code:1]
ip nat inside source static 10.1.1.1 192.168.2.2
int e0
ip address 10.1.1.1.10 255.255.255.0
ip nat inside
int s0
ip address 172.16.2.1 255.255.255.0
ip nat outside
[/code:1]
as per the above quote, I understood that the
router E0 Interface : 10.1.1.10 255.255.255.0
Clients IP : 10.1.1.1
Outside IP : 192.168.2.2
Public IP : 172.16.2.1
as per the above config the IPs will be NAT as follows.
goes to E0 NAT applied
10.1.1.1
>10.1.1.10
>172.16.2.1
>Public face IP 192.168.2.2
This process will happen only to the packets which are coming from the source 10.1.1.1
Hope here no need to consider about the subnet while mapping.
Hope I cleared your doubt.
Dove
19 years 1 week ago #17503
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: Nat question on Cisco Routers
[quote]
as per the above quote, I understood that the
router E0 Interface : 10.1.1.10 255.255.255.0
Clients IP : 10.1.1.1
Outside IP : 192.168.2.2
Public IP : 172.16.2.1
as per the above config the IPs will be NAT as follows.
goes to E0 NAT applied
10.1.1.1
>10.1.1.10
>172.16.2.1
>Public face IP 192.168.2.2
This process will happen only to the packets which are coming from the source 10.1.1.1
[/quote]
Sorry guys but I am really struggling with this (something so simple).
I am not understanding if you have the following
10.1.1.1
> 10.1.1.10 (e0 *ROUTER* s0) 172.16.2.1
> Internet
Where is the 192.168.2.2 coming from? Surely you need to translate to a global pool on the Serial0 interface which would be in the 172.16.2.0/24 subnet? Arghhh sorry everyone for being dumb on this but something just ain't clicking here.
Any further assistance in clearing this thing up will be appreciated otherwise I will just go barmy
19 years 6 days ago #17508
by havohej
Replied by havohej on topic Re: Nat question on Cisco Routers
hi friend, the scenario you present will work! The only mistake I see here is the 10.1.1.1.10 IP address (5 octets), maybe a typing mistake, but what I want to make clear is that you can NAT one IP address in one subnet to another IP address in another subnet regardless of whether that subnet is present in the configuration; it translates anyway! The link for this to work is routing.
For it to work, the provider router connected directly to the outside interface of the NAT router must have a static route to host 192.168.2.2 255.255.255.255 pointing to next hop 172.16.2.1.
Ex:
[code:1]
NAT-ROUTER                                        PROVIDER ROUTER
E0 (inside)        S0 (outside)                   S0
10.1.1.10          172.16.2.1 ====== LINK ======= 172.16.2.2
[/code:1]
Exactly the same config for NAT MUST WORK.
To do routing at the NAT router you must set up a default route:
[code:1]nat-router(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2[/code:1]
At the provider router a static route to reach host 192.168.2.2/32:
[code:1]provider(config)#ip route 192.168.2.2 255.255.255.255 172.16.2.1[/code:1]
So the packet gets translated when it leaves the outside interface of the NAT router, and also the 192.168.2.2 IP address is reachable by the outside; note network 192.168.2.0 is not present on the outside interface.
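To tie the thread together, here is a complete pair of configurations for the setup havohej describes, written as an added example rather than taken from the Cisco Press book or from any poster. The interface names (Ethernet0/Serial0), the addresses, the static translation and the two static routes come from the thread; the hostnames, the correction of the book's 10.1.1.1.10 typo to 10.1.1.10, and the OUTSIDE-IN access list are assumptions added here. The access list is included because a static inside-source translation exposes every port of 10.1.1.1 to the outside under 192.168.2.2, and the only use the thread gives for that global address is VPN termination; it is applied inbound on the outside interface and names the global address, because for outside-to-inside traffic IOS evaluates the inbound ACL before it undoes the translation.

```cisco
! --- NAT-ROUTER (hostname assumed) ---
hostname NAT-ROUTER
!
interface Ethernet0
 description Inside LAN (book typo 10.1.1.1.10 corrected to 10.1.1.10)
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0
 description Link to provider, outside of the NAT boundary
 ip address 172.16.2.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! Static one-to-one translation from the thread. The global address
! 192.168.2.2 is NOT in 172.16.2.0/24 and IOS does not require it to be;
! it only needs a path back from the provider (see PROVIDER below).
ip nat inside source static 10.1.1.1 192.168.2.2
!
! Default route so translated packets leave towards the provider.
ip route 0.0.0.0 0.0.0.0 172.16.2.2
!
! Assumed hardening, not part of the thread: inbound packets for the
! global address are checked against this list BEFORE the translation is
! undone, so the list names 192.168.2.2 rather than 10.1.1.1. Only IPsec
! (IKE on UDP/500, NAT-T on UDP/4500, ESP) is allowed in.
ip access-list extended OUTSIDE-IN
 permit udp any host 192.168.2.2 eq isakmp
 permit udp any host 192.168.2.2 eq non500-isakmp
 permit esp any host 192.168.2.2
 deny   ip any any log
!
! --- PROVIDER (hostname assumed) ---
hostname PROVIDER
!
interface Serial0
 ip address 172.16.2.2 255.255.255.0
!
! Host route that makes 192.168.2.2 reachable. Without it the provider
! has no idea that 192.168.2.2 sits behind 172.16.2.1 and every reply to
! the translated address is dropped, which is the symptom Smurf expected.
ip route 192.168.2.2 255.255.255.255 172.16.2.1
```

To check it, `show ip nat translations` on NAT-ROUTER lists the static entry as soon as it is configured, even with no traffic; `show ip route 192.168.2.2` on PROVIDER should resolve to the /32 via 172.16.2.1; and `show access-lists OUTSIDE-IN` shows hit counts on the permit lines and on the logging deny, which is where unexpected inbound probes against the exposed address will turn up. If 10.1.1.1 must also originate other traffic through the translation, extend the list for that traffic's return packets rather than removing it.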