From: Albert Lu (albert_ccie@xxxxxxxxx)
Date: Fri Nov 02 2001 - 20:21:59 GMT-3

Hello Group,

I've just tried out on my test lab two different networks used privately,
sharing one global IP Address using NAT. Here are the relevant configs using
loopbacks rather than LAN interfaces. Basically, the two private networks
are 10.1.1.0/24 and 100.100.100/24 sharing the global 212.1.22.3/32 address.
The config seems to work fine, and the translations look fine as well.

However, is there any chance of any security breaches between the two
networks as they are not supposed to know about each other? It's supposed to
work as though the 2 networks are on their own separate router, having their
own global IP address to share only for their own network.

Do I require extended ACLs or route-maps to make finer specification of the
NAT translations?

Thanks
Albert

interface Loopback1
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Loopback2
 ip address 100.100.100.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial1
 ip address 212.1.22.3 255.255.255.240
 no ip directed-broadcast
 ip nat outside
!
ip nat inside source list 10 interface Serial1 overload
ip nat inside source list 11 interface Serial1 overload
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 11 permit 100.100.100.0 0.0.0.255

R3#sh ip nat t
Pro  Inside global    Inside local       Outside local  Outside global
icmp 212.1.22.3:9949  10.1.1.1:9949      20.1.1.1:9949  20.1.1.1:9949
icmp 212.1.22.3:9950  10.1.1.1:9950      20.1.1.1:9950  20.1.1.1:9950
icmp 212.1.22.3:9951  10.1.1.1:9951      20.1.1.1:9951  20.1.1.1:9951
icmp 212.1.22.3:9952  10.1.1.1:9952      20.1.1.1:9952  20.1.1.1:9952
icmp 212.1.22.3:9953  10.1.1.1:9953      20.1.1.1:9953  20.1.1.1:9953
icmp 212.1.22.3:828   100.100.100.1:828  20.1.1.1:828   20.1.1.1:828
icmp 212.1.22.3:829   100.100.100.1:829  20.1.1.1:829   20.1.1.1:829
icmp 212.1.22.3:830   100.100.100.1:830  20.1.1.1:830   20.1.1.1:830
icmp 212.1.22.3:831   100.100.100.1:831  20.1.1.1:831   20.1.1.1:831
icmp 212.1.22.3:832   100.100.100.1:832  20.1.1.1:832   20.1.1.1:832
R3#
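
Added example, not part of the original post: a simplified Python model of the path a packet takes on the posted config, showing that traffic between the two inside networks is routed without touching NAT, and how an inbound extended ACL per inside interface changes that. The ACL numbers 110/111 and all function names are assumptions made for this illustration.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# Inside networks as matched by the posted standard ACLs 10 and 11.
NAT_LISTS = {10: ("10.1.1.0", "0.0.0.255"), 11: ("100.100.100.0", "0.0.0.255")}
ANY = ("0.0.0.0", "255.255.255.255")

# Assumed inbound extended ACLs, one per inside interface, keyed by NAT list.
# 110: access-list 110 deny ip 10.1.1.0 0.0.0.255 100.100.100.0 0.0.0.255
#      access-list 110 permit ip any any
# 111: the mirror image for the 100.100.100.0/24 side.
ISOLATION = {
    10: [("deny", *NAT_LISTS[10], *NAT_LISTS[11]), ("permit", *ANY, *ANY)],
    11: [("deny", *NAT_LISTS[11], *NAT_LISTS[10]), ("permit", *ANY, *ANY)],
}

def inside_list(addr):
    """Return the NAT list number whose network contains addr, else None."""
    return next((n for n, (b, w) in NAT_LISTS.items() if wc_match(addr, b, w)), None)

def acl_permits(acl, src, dst):
    """First matching entry wins; no match means the implicit deny applies."""
    for action, sb, sw, db, dw in acl:
        if wc_match(src, sb, sw) and wc_match(dst, db, dw):
            return action == "permit"
    return False

def forward(src, dst, acls=None):
    """Decide what happens to a packet arriving on an inside interface."""
    s, d = inside_list(src), inside_list(dst)
    if s is None:
        return "not an inside source"
    if acls and not acl_permits(acls[s], src, dst):
        return "dropped by inbound ACL"
    if d is not None:
        # Inside-to-inside: both networks are connected routes on the same
        # router, so the packet is routed and 'ip nat inside source' never runs.
        return "routed directly, no NAT"
    return "translated to 212.1.22.3 (overload)"

if __name__ == "__main__":
    for acls in (None, ISOLATION):
        print(forward("10.1.1.5", "100.100.100.9", acls),
              "|", forward("10.1.1.5", "20.1.1.1", acls))
```

Flows between the two inside networks never create a translation entry, so a clean `sh ip nat t` table says nothing about whether the networks can reach each other.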