You want to translate both internal and external addresses.
In some cases, you might need to translate IP addresses on both sides of your router:
Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#access-list 15 deny 192.168.1.15 Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255 Router(config)#access-list 16 deny 172.16.5.25 Router(config)#access-list 16 permit 172.16.0.0 0.0.255.255 Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0 Router(config)#ip nat pool INBOUNDNAT 192.168.15.100 192.168.15.200 netmask 255.255.255.0 Router(config)#ip nat inside source list 15 pool NATPOOL overload Router(config)#ip nat inside source list 16 pool INBOUNDNAT overload Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10 Router(config)#ip nat outside source static 172.16.5.25 192.168.15.5 Router(config)#ip route 192.168.15.0 255.255.255.0 Ethernet0/0 Router(config)#interface FastEthernet 0/0 Router(config-if)#ip address 192.168.1.1 255.255.255.0 Router(config-if)#ip nat inside Router(config-if)#exit Router(config)#interface FastEthernet 0/1 Router(config-if)#ip address 192.168.2.1 255.255.255.0 Router(config-if)#ip nat inside Router(config-if)#interface Ethernet0/0 Router(config-if)#ip address 172.16.1.2 255.255.255.0 Router(config-if)#ip nat outside Router(config-if)#end Router#
Sometimes you need to translate IP addresses on both the inside and the outside interfaces. This might happen, for example, when you need to connect to another network that uses an overlapping range of unregistered addresses. Cisco routers can do NAT translations of addresses on both the external and internal interfaces at the same time.
In this case, the router will rewrite external addresses in the range 172.16.0.0/16 so that they appear to be on the 192.168.15.0/24 subnet in the range specified by the INBOUNDNAT pool. And, at the same time, it will rewrite internal addresses that are part of the 192.168.0.0/16 subnet so that they will appear on the outside to be part of 172.16.1.0/24 in the range specified by the NATPOOL pool.
Note that the access lists defining which addresses should use the dynamic address pool both refer to the real addresses (inside local and outside global). So, for internal devices, the access list should refer to the real internal addresses, while the list for external devices should refer to the real external addresses.
The most significant reason for using this feature is to remove a conflict due to overlapping address ranges. The following example shows how to remove an address conflict at the router between two networks that both use the ubiquitous 10.0.0.0/8 address range. We will map the outside network to 11.0.0.0/8 and the inside network to 12.0.0.0/8. Note that these two address ranges are both registered network numbers, so doing this will cause some problems for Internet access. We recommend doing this only as a temporary measure to resolve an IP address conflict caused by merging two networks with overlapping IP address ranges:
Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#access-list 17 permit 10.0.0.0 0.255.255.255 Router(config)#access-list 18 permit 10.0.0.0 0.255.255.255 Router(config)#ip nat pool OUTPOOL 11.0.0.1 11.255.255.254 netmask 255.0.0.0 type match-host Router(config)#ip nat pool INPOOL 12.0.0.1 12.255.255.254 netmask 255.0.0.0 type match-host Router(config)#ip nat inside source list 17 pool INPOOL Router(config)#ip nat outside source list 18 pool OUTPOOL Router(config)#ip route 11.0.0.0 255.0.0.0 Ethernet0/0 Router(config)#ip route 12.0.0.0 255.0.0.0 FastEthernet1/0 Router(config)#interface FastEthernet1/0 Router(config-if)#ip address 10.1.1.1 255.255.255.0 Router(config-if)#ip nat inside Router(config-if)#exit Router(config)#interface Ethernet0/0 Router(config-if)#ip address 10.2.1.2 255.255.255.0 Router(config-if)#ip nat outside Router(config-if)#end Router#
Note that we have used the match-host keyword in the NAT pool definitions:
Router(config)#ip nat pool OUTPOOL 11.0.0.1 11.255.255.254 netmask 255.0.0.0 type match-host
When you use this option, the router will translate the network prefixes and leave the host portions of the address intact. So, in this example, the arbitrary IP address 10.1.2.3 would become 11.1.2.3. Only the first byte would be changed. The key advantage of this method is that the translations are always the same, so you can reliably make connections between any internal and external devices in either direction. You cannot do this with the ordinary dynamic address pools that we have discussed so far. Note that the overload option makes no sense in this configuration.
There are a few important things to watch out for when using NAT in both directions. First, the router must have routing table entries for the fictitious IP addresses. It is quite likely that the translated addresses used for external devices will not be part of a physical IP network that the router knows how to reach. This is why we have configured a static route directing traffic for this range out through the external interface:
Router(config)#ip route 11.0.0.0 255.255.255.0 Ethernet0/0
The second important thing to remember is that with dynamic NAT, the router does not create a translation for each device until it needs to. If you want to connect through the router to a particular translated address, you must make sure that the router retains the translation table information. This means that if you want any-to-any connections in either direction, you must use either static mappings or the match-host keyword. Dynamic NAT will not allow access in both directions.
The third important thing to remember is that all of the other routers must know how to reach the translated addresses. So, if the external network is translated from 10.0.0.0/8 to 11.0.0.0/8, then you need to make sure that the internal routers all know that they can reach this fictitious 11.0.0.0/8 network through the NAT router. The best way to do this is by simply redistributing the static routes for the fictitious networks through your dynamic routing protocol.
Recipe 21.6 shows a somewhat better way to solve this overlapping address problem. Instead of doing simultaneous translation in both directions on the same router, it is better to do it on two routers with a different, nonconflicting address range in the middle. One router will simply translate the prefix for one of these networks from 10.0.0.0/8 to 11.0.0.0/8. The other router will translate the addresses on the other network from 10.0.0.0/8 to 12.0.0.0/8. This is a much more stable solution, and it does not suffer from the problems of dynamic NAT mentioned earlier.
Recipe 21.1; Recipe 21.2; Recipe 21.3; Recipe 21.4; Recipe 21.6
 |
|
|
| Top |