Re: NAT: Inside to inside nat translation

From: Jan Ballasch (haniz@ok.cvut.cz)
Date: Tue Jan 20 2009 - 08:40:52 ARST


Now I am in a situation where a private-to-private packet from 192.168.1.1 to
192.168.2.2 doesn't work well, because the router translates 192.168.2.2 to
10.0.0.2 all the time.

Here is my config:

interface Loopback32
 ip address 10.32.32.32 255.255.255.255
 ip nat inside

interface Ethernet0/0
 description LOCAL_SEG
 ip address 192.168.1.9 255.255.255.0
 ip nat outside
 ip policy route-map FROM_LOCAL_SEGMENT

interface Ethernet2/0
 description SERVERY
 ip address 192.168.2.9 255.255.255.0
 ip nat outside
 ip policy route-map FROM_SERVERS

interface Ethernet3/0
 description INTERNET
 ip address 172.16.3.9 255.255.255.0
 ip nat outside

ip nat pool FOR_LU 10.0.0.128 10.0.0.254 netmask 255.255.255.0
ip nat inside source list LOCAL_SEGMENT pool FOR_LU
ip nat inside source static 192.168.2.2 10.0.0.2

ip route 0.0.0.0 0.0.0.0 172.16.3.3
!
!
ip access-list standard LOCAL_SEGMENT
 permit 192.168.1.0 0.0.0.255
!
ip access-list extended FROM_LOCAL_TO_GLOBAL_SERVER
 permit ip 192.168.1.0 0.0.0.255 host 150.0.0.2
ip access-list extended FROM_LS_PRIV_TO_SERVERS_PRIV
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended FROM_LS_TO_INTERNET
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended FROM_SERVERS_TO_INTERNET
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended FROM_SERVERS_TO_LS_GLOBAL
 permit ip host 192.168.2.2 10.0.0.128 0.0.0.127
route-map FROM_LOCAL_SEGMENT permit 10
 match ip address FROM_LOCAL_TO_GLOBAL_SERVER
 set interface Loopback32
!
route-map FROM_LOCAL_SEGMENT deny 15
 match ip address FROM_LS_PRIV_TO_SERVERS_PRIV
!
route-map FROM_LOCAL_SEGMENT permit 20
 match ip address FROM_LS_TO_INTERNET
 set interface Loopback32
!
route-map FROM_SERVERS permit 10
 match ip address FROM_SERVERS_TO_LS_GLOBAL
 set interface Loopback32
!
route-map FROM_SERVERS permit 20
 match ip address FROM_SERVERS_TO_INTERNET
 set interface Loopback32
!
Jan Ballasch wrote:
> Hello Experts,
> I have a problem with which I have been fighting for more than two days...
> I need to find out how to make NAT inside-to-inside translation.
> I have 3 interfaces.
> FA0/2 to ISP (ip nat outside) (172.16.3.9/24)
> FA0/1 to server segment (ip nat inside) (192.168.2.9/24)
> FA0/0 to local users (ip nat inside) (192.168.1.9/24)
>
> ip nat pool FOR_LU 10.0.0.128 10.0.0.254 netmask 255.255.255.0
> ip nat inside source list LOCAL_SEGMENT pool FOR_LU
> ip nat inside source static 192.168.2.2 10.0.0.2
>
> I need to connect from the 192.168.1.0/24 segment to the server's inside
> global address (10.0.0.2).
> But inside-to-inside translation doesn't work.
> I tried to use an interface loopback (ip nat outside) and use ip policy
> route-map on fa0/0 to send traffic sourced from 192.168.1.0 to
> destination 10.0.0.2 to the loopback. But it doesn't work; it translates
> only the source address, not the destination. Then packets are forwarded to
> 10.0.0.2, not to 192.168.2.2 :-(
>
> Then I tried to have all interfaces outside and the loopback inside and do
> ip policy route-map on all interfaces. It does relatively what I want,
> but: when a packet is going from the 192.168.1.0/24 segment to the server's
> inside global address (10.0.0.2) it works fine, the router translates
> 192.168.1.0 to 10.0.0.128 and 10.0.0.2 to 192.168.2.2. But backwards is a
> problem. I can't use a route map to send only traffic destined to 10.0.0.128
> and sourced from 192.168.2.2 to the loopback, because it first translates
> 10.0.0.128 to 192.168.1.1 and then policy routing is applied. Then I
> can't distinguish traffic 192.168.1.1 to 192.168.2.2 from 192.168.1.1
> to 10.0.0.2 and translation (10.0.0.128 to 192.168.2.2 and backwards).
>
> Is there any IOS solution for this two-way NAT?
> Two inside interfaces and NAT between them?
>
> thanx
> haniz
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
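An added illustration, not part of the original post: a small Python model of the IOS NAT order of operations (outside-to-inside packets are translated before routing, so the policy route-map sees the translated destination; a packet policy-routed to the inside loopback is routed and then source-translated) with the posted interfaces, static entry, pool and route-maps encoded as data. Pool allocation and ACL matching are simplified, and tracing the reply from 192.168.2.2 to 192.168.1.1 reproduces the source rewrite to 10.0.0.2 reported at the top of this message.

```python
# Added example, not from the original post: toy model of the IOS NAT order of
# operations, simplified (pool allocation, ACL matching); names follow the config.
from ipaddress import ip_address, ip_network
OUTSIDE = {"Ethernet0/0": "192.168.1.0/24", "Ethernet2/0": "192.168.2.0/24",
           "Ethernet3/0": "172.16.3.0/24"}           # all 'ip nat outside'
STATIC = {"192.168.2.2": "10.0.0.2"}                # inside local -> inside global
POOL = [f"10.0.0.{i}" for i in range(128, 255)]     # ip nat pool FOR_LU
LOCAL_SEGMENT = "192.168.1.0/24"                    # access-list LOCAL_SEGMENT
# route-map entries as (action, src_net, dst_net) in sequence order; any = /0
FROM_LOCAL_SEGMENT = [("permit", "192.168.1.0/24", "150.0.0.2/32"),
                      ("deny",   "192.168.1.0/24", "192.168.2.0/24"),
                      ("permit", "192.168.1.0/24", "0.0.0.0/0")]
FROM_SERVERS = [("permit", "192.168.2.2/32", "10.0.0.128/25"),
                ("permit", "192.168.2.0/24", "0.0.0.0/0")]
def route(dst):
    """Normal destination routing: connected network, else the default route."""
    for ifname, net in OUTSIDE.items():
        if ip_address(dst) in ip_network(net):
            return ifname
    return "Ethernet3/0"

def policy_route(rmap, src, dst):
    """First matching entry decides: permit -> set interface Loopback32."""
    for action, s, d in rmap:
        if ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d):
            return "Loopback32" if action == "permit" else route(dst)
    return route(dst)

def forward(rmap, src, dst, nat_table):
    """Trace one packet arriving on an outside interface whose policy is rmap."""
    # 1. outside -> inside: translate the destination (global -> local) first ...
    global_to_local = {g: l for l, g in {**STATIC, **nat_table}.items()}
    dst = global_to_local.get(dst, dst)
    # 2. ... then route it, applying the ingress interface's policy route-map
    out_if = policy_route(rmap, src, dst)
    if out_if != "Loopback32":
        return out_if, src, dst                     # outside -> outside: no NAT
    # 3. re-entered via the inside loopback: route, then translate the source
    out_if = route(dst)
    if src in STATIC:
        src = STATIC[src]
    elif ip_address(src) in ip_network(LOCAL_SEGMENT):
        src = nat_table.setdefault(src, POOL[len(nat_table)])
    return out_if, src, dst

def trace_private_to_private():
    # 192.168.1.1 -> 192.168.2.2 and its reply, the case reported in this message
    table = {}
    fwd = forward(FROM_LOCAL_SEGMENT, "192.168.1.1", "192.168.2.2", table)
    rev = forward(FROM_SERVERS, "192.168.2.2", "192.168.1.1", table)
    return fwd, rev
```

Editing an entry in FROM_SERVERS and re-running the trace shows whether the reply would still be policy-routed through the loopback and source-translated.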



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:39 ARST