Re: NAT Help, router on a stick with NAT

From: Ivan (ivan@iip.net)
Date: Mon Feb 05 2007 - 07:14:27 ART

• Next message: BitGossip: "Diff between exec-timout and session-timeout"
• Previous message: Ivan: "Re: Class-map match"
• Maybe in reply to: Malcolm Price: "NAT Help, router on a stick with NAT"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

On Monday 05 February 2007 11:34, Sasa Milic wrote:
> It does look that it is not supported with ios you have. Then it gets
> little more complicated. Also, by reading again your post, I see that you
> actually don't want to translate 10.10.10.10 into 172.1.1.1, although
> that's what can be seen from nat statement. What you want is to PAT source
> address into 10.10.10.10, when traffic goes to destination 172.1.1.1, and
> send it over the same input interface, right ?
>
> So this should have policy-based routing that will match destination, set
> next hop interface to loopback, configure loopback as nat inside interface,
> and then translate source ip into pool consisting of just one address.
>
> I'll lab it in a few minutes, and see how it works.
>
> Regards,
> Sasa
>
>
> ----- Original Message -----
> From: "Malcolm Price" <malcolm.price@lanbase.com>
> To: "'Sasa Milic'" <smilic2@pexim.co.yu>
> Sent: Monday, February 05, 2007 9:26 AM
> Subject: RE: NAT Help, router on a stick with NAT
>
> > Hi Sasa,
> >
> > I'm not quiet sure, I don't think the command ip nat source static is
> > supported..
> >
> > i.e.
> > LAB_A(config)#ip nat source static ?
> > % Unrecognized command
> > LAB_A(config)#ip nat source ?
> > % Unrecognized command
> > LAB_A(config)#ip nat ?
> > Stateful Stateful NAT configuration commands
> > inside Inside address translation
> > log NAT Logging
> > outside Outside address translation
> > pool Define pool of addresses
> > service Special translation for application using non-standard port
> > translation NAT translation entry configuration
> >
> >
> > ....
> >
> > -----Original Message-----
> > From: Sasa Milic [mailto:smilic2@pexim.co.yu]
> > Sent: 05 February 2007 07:50
> > To: Malcolm Price
> > Cc: ccielab@groupstudy.com
> > Subject: Re: NAT Help, router on a stick with NAT
> >
> >
> > Malcolm,
> >
> > AFAIK, this should be done with NVI (NAT Virtual Interface), like:
> >
> > interface FastEthernet0/0.1
> > ip nat enable
> > ...
> > !
> > ip nat source static 10.10.10.10 172.1.1.1
> > !
> >
> > * Notice that there is no "inside" in nat static command!
> >
> > There shouldn't be any "ip nat inside" and "ip nat outside" commands.
> >
> >
> > HTH,
> > Sasa
> >
> > ----- Original Message -----
> > From: "Malcolm Price" <malcolm.price@lanbase.com>
> > To: <ccielab@groupstudy.com>
> > Sent: Sunday, February 04, 2007 1:37 PM
> > Subject: NAT Help, router on a stick with NAT
> >
> >> Hi Group,
> >>
> >>
> >>
> >> Has anyone ever setup NAT thorugh a router on a stick configuration.
> >>
> >>
> >>
> >> I have a Cisco 2621 with a dot1q trunk supporting two VLANS, 1 and 10.
> >>
> >>
> >>
> >> i.e.
> >>
> >>
> >>
> >> interface FastEthernet0/0
> >>
> >> no ip address
> >>
> >> speed 100
> >>
> >> full-duplex
> >>
> >> !
> >>
> >> interface FastEthernet0/0.1
> >>
> >> encapsulation dot1Q 1 native
> >>
> >> ip address 1.1.1.254 255.255.255.0
> >>
> >> ip nat outside
> >>
> >> !
> >>
> >> interface FastEthernet0/0.10
> >>
> >> encapsulation dot1Q 10
> >>
> >> ip address 10.10.10.1 255.255.255.0
> >>
> >> ip nat inside
> >>
> >> no ip redirects
> >>
> >>
> >>
> >> Traffic entering the router via vlan 10 gets checked for a destination
> >> address of 172.1.1.1. If this matches it gets translated to 10.10.10.10
> >> and
> >> it should then go back out of the trunk via vlan 10.
> >>
> >>
> >>
> >> I.e.
> >>
> >>
> >>
> >> Ip nat inside source static 10.10.10.10 172.1.1.1
> >>
> >>
> >>
> >> It gets transled ok, i.e.
> >>
> >>
> >>
> >> *Mar 1 23:16:45.426: %SYS-5-CONFIG_I: Configured from console by
> >> console
> >>
> >> *Mar 1 23:16:52.222: NAT: o: tcp (1.1.1.1, 11021) -> (172.1.1.1, 23)
> >> [0]
> >>
> >> *Mar 1 23:16:52.222: NAT: s=1.1.1.1, d=172.1.1.1->10.10.10.10 [0]
> >>
> >>
> >>
> >> But the traffic does not go via fa0/0.10.
> >>
> >>
> >>
> >> If I simply move the ip nat inside statement from fa0/0.10 onto the
> >> serial
> >> port s0/0 then it works a treat. It's an issue going back out of the
> >> Ethernet, even though it's two vlans.
> >>
> >>
> >>
> >> Any comments would be most welcomed :-)
> >>
> >>
> >>
> >> M
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Ivan

• Next message: BitGossip: "Diff between exec-timout and session-timeout"
• Previous message: Ivan: "Re: Class-map match"
• Maybe in reply to: Malcolm Price: "NAT Help, router on a stick with NAT"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:46 ART