From: simonkc@netsol.co.in
Date: Wed Jul 23 2003 - 06:46:38 GMT-3
Problem description:
Problem when NATing both source and destination addresses based on a
route-map
Diagram:

                    _________
                    |  R1   |
                    |       |
              -----------------
              |               |
           Fa0/0.1         Fa0/0.2
              |               |
              |               |
       1.1.1.0/24 LAN    2.2.2.0/24 LAN
              |               |
            -----           -----
            |   |           |   |
            -----           -----
       PC1: 1.1.1.10     PC2: 2.2.2.10
       Actual physical   Actual physical
       ip address        ip address
Setup description:
Cisco 2600 router connected to a Cisco 2950 switch using Fa0/0 port. We have
created subinterface on F0/0.
The subinterface F0/0.1 connects to 1.1.1.0/24 LAN. The subinterface F0/0.2
connects to 2.2.2.0/24 LAN.
The router routes traffic between these subnets. Int f0/0.1 is the "nat
inside" interface. Int f0/0.2 is the "nat outside" interface.
Requirement:
1) When telnet traffic (identified by a route-map) from the 1.1.1.0/24 LAN needs
to flow to the 2.2.2.0/24 LAN (which actually appears as the 11.11.10.0/24 LAN
to the 1.1.1.0 network), the source address should be NATed as
1.1.1.0/24 <-> 172.16.1.0/24 and the destination should be NATed as
11.11.10.0/24 <-> 2.2.2.0/24.
2) When certain other types of traffic from the 1.1.1.0/24 LAN need to flow to
the 2.2.2.0/24 LAN, the source address and destination address should not
be NATed.
Problem:
Requirement no.2 is working fine.
For Requirement no.1 :
The source IP address of the Inside-to-outside packets is being NATed. But
not the destination address.
Below is the expected sequence.
i.e. 1) PC1 sends a telnet packet to PC2. src ip: 1.1.1.10, dst ip: 11.11.2.10
2) R1 NATs the source ip properly, i.e. src ip: 1.1.1.10 <-> 172.16.1.10. I
also want R1 to NAT the destination ip address, i.e. I want dst
ip: 11.11.2.10 <-> 2.2.2.10. The packet should then hit PC2.
A similar reverse translation is needed on the reverse path for the return
packet.
Below is the sh run for R1
R1#sh run
!
interface FastEthernet0/0.1
encapsulation dot1Q 4
ip address 1.1.1.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.2
encapsulation dot1Q 5
ip address 2.2.2.1 255.255.255.0
ip nat outside
!
ip nat pool IN2OUTNATPOOL 172.16.1.1 172.16.1.254 prefix-length 24 type match-host
ip nat pool OUT2INNATPOOL 10.10.0.1 10.10.0.254 prefix-length 16 type match-host
ip nat inside source route-map IN2OUT pool IN2OUTNATPOOL
ip nat outside source route-map OUT2IN pool OUT2INNATPOOL
ip classless
ip route 11.11.2.0 255.255.255.0 FastEthernet0/0.2
ip route 172.16.1.0 255.255.255.0 FastEthernet0/0.1
!
access-list 188 permit tcp any any eq telnet
access-list 188 permit tcp any eq telnet any
access-list 188 deny ip any any
!
route-map IN2OUT permit 10
match ip address 188
!
route-map OUT2IN permit 10
match ip address 188
!
Thanks and Regards
Simon K. Carvalho
RMC Support Engineer (Senior Member)
Network Solutions Ltd. , Bangalore
Email : simonkc@netsol.co.in
Web : www.netsol.co.in
Phone : +91 80 5535228 ext 433
Mobile : +91 9845349843
"Tomorrow's Networks.Today."
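Added example, not from Simon's post and not Cisco code: a small Python model of R1's translation table for the setup above. It assumes, as a simplification of IOS behaviour, that a dynamic "ip nat outside source" entry is only created by a packet arriving on the outside interface, so the inside-initiated telnet packet finds no entry for its destination 11.11.2.10 and leaves it untranslated, whereas a static outside-source mapping is present before any traffic and lets the destination rewrite happen. NatBox, match_host and demo are names chosen for this example.

```python
import ipaddress

# Pools from the post: IN2OUTNATPOOL and OUT2INNATPOOL, both "type match-host".
INSIDE_POOL = ipaddress.ip_network("172.16.1.0/24")
OUTSIDE_POOL = ipaddress.ip_network("10.10.0.0/16")


def match_host(addr, pool):
    """match-host: keep the host bits of addr, replace the network bits with the pool's."""
    host = int(ipaddress.ip_address(addr)) & int(pool.hostmask)
    return str(ipaddress.ip_address(int(pool.network_address) | host))


class NatBox:
    """Minimal model of R1's translation table (assumption: simplified IOS behaviour)."""

    def __init__(self):
        self.inside = {}   # inside-local  -> inside-global  (ip nat inside source)
        self.outside = {}  # outside-global -> outside-local (ip nat outside source)

    def add_outside_static(self, outside_global, outside_local):
        # Static outside-source mapping: the entry exists before any traffic flows.
        self.outside[outside_global] = outside_local

    def inside_to_outside(self, src, dst, telnet=True):
        """PC1 -> PC2 packet. Route-map IN2OUT only matches telnet (access-list 188)."""
        if not telnet:
            return src, dst                      # requirement 2: no translation at all
        self.inside.setdefault(src, match_host(src, INSIDE_POOL))   # dynamic entry created
        # dst is an outside-local address; it is rewritten only if an outside-source
        # entry already exists. No dynamic entry is created in this direction.
        by_local = {local: glob for glob, local in self.outside.items()}
        return self.inside[src], by_local.get(dst, dst)

    def outside_to_inside(self, src, dst, telnet=True):
        """PC2 -> PC1 packet on Fa0/0.2: this direction creates dynamic outside entries."""
        if not telnet:
            return src, dst
        self.outside.setdefault(src, match_host(src, OUTSIDE_POOL))
        by_global = {glob: local for local, glob in self.inside.items()}
        return self.outside[src], by_global.get(dst, dst)


def demo():
    """Reproduce the post's symptom, then show the effect of a static outside-source entry."""
    box = NatBox()
    symptom = box.inside_to_outside("1.1.1.10", "11.11.2.10")   # dst stays 11.11.2.10
    box.add_outside_static("2.2.2.10", "11.11.2.10")
    fixed = box.inside_to_outside("1.1.1.10", "11.11.2.10")     # dst becomes 2.2.2.10
    return symptom, fixed
```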
This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:50 GMT-3