From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Fri Feb 20 2009 - 09:15:00 ARST
Hi,
I managed to get this:
######################################################################################
Rack1R1# sh ip access-lists 121
Extended IP access list 121
10 permit ip host 150.1.2.2 host 192.168.50.121 (4 matches)
Rack1R1#
######################################################################################
It means that when I want to get to 192.168.50.121 it should be translated,
for instance, to 183.1.19.9. Let me put everything together, for inside and
outside:
######################################################################################
Rack1R1#sh run int gi0/0
Building configuration...
Current configuration : 206 bytes
!
interface GigabitEthernet0/0
description Connected-to-SW1-Fa0/1
ip address 183.1.19.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip ospf authentication-key CISCO
duplex auto
speed auto
end
Rack1R1#sh run int Serial0/3/0.123
Building configuration...
Current configuration : 231 bytes
!
interface Serial0/3/0.123 point-to-point
ip address 183.1.123.1 255.255.255.0
ip nat outside
ip virtual-reassembly
ip ospf authentication-key CISCO
ip ospf network point-to-multipoint
frame-relay interface-dlci 102
end
Rack1R1#
Rack1R1#sh run | sec ip nat
ip nat pool pool121 183.1.19.9 183.1.19.9 prefix-length 24 type rotary
ip nat inside destination list 121 pool pool121
Rack1R1#
######################################################################################
Now the testing part of it, the most interesting:
######################################################################################
Rack1R2#telnet 192.168.50.121 /source-interface loopback 0
Trying 192.168.50.121 ... Open
User Access Verification
Password:
Type help or '?' for a list of available commands.
Rack1PIX> lo
Logoff
[Connection to 192.168.50.121 closed by foreign host]
Rack1R2#
######################################################################################
And on R1 you will see that the destination address is being translated:
######################################################################################
Rack1R1#
*Feb 20 11:59:02.632: NAT*: s=150.1.2.2, d=192.168.50.121->183.1.19.9 [0]
*Feb 20 11:59:02.632: NAT*: s=183.1.19.9->192.168.50.121, d=150.1.2.2 [45232]
*Feb 20 11:59:02.632: NAT*: s=150.1.2.2, d=192.168.50.121->183.1.19.9 [1]
*Feb 20 11:59:02.636: NAT*: s=150.1.2.2, d=192.168.50.121->183.1.19.9 [2]
*Feb 20 11:59:02.636: NAT*: s=150.1.2.2, d=192.168.50.121->183.1.19.9 [3]
*Feb 20 11:59:02.636: NAT*: s=183.1.19.9->192.168.50.121, d=150.1.2.2 [32013]
*Feb 20 11:59:02.636: NAT*: s=183.1.19.9->192.168.50.121, d=150.1.2.2 [7212]
*Feb 20 11:59:02.636: NAT*: s=183.1.19.9->192.168.50.121, d=150.1.2.2 [32532]
*Feb 20 11:59:02.636: NAT*: s=150.1.2.2, d=192.168.50.121->183.1.19.9 [4]
*Feb 20 11:59:02.636: NAT*: s=183.1.19.9->192.168.50.121, d=150.1.2.2 [9440]
*Feb 20 11:59:02.636: NAT*: s=183.1.19.9->192.168.50.121, d=150.1.2.2 [24594]
*Feb 20 11:59:02.640: NAT*: s=150.1.2.2, d=192.168.50.121->183.1.19.9 [5]
*Feb 20 11:59:02.640: NAT*: s=150.1.2.2, d=192.168.50.121->183.1.19.9 [6]
######################################################################################
Now, the important thing to remember is that it applies only to TCP traffic
and to traffic initiated from the OUTSIDE to the INSIDE, and not the other
way around. Of course, the source of the return traffic from the inside to
the outside will get translated, but the initiation from outside to inside
is required to happen first, so that the dynamic NAT table entry is created.
The other key thing is that there's no "static" version of this command, but
only a "list" version, hence it happens dynamically.
I hope that helps,
Regards
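
As an added example (not part of the original message): a small Python check over the `debug ip nat` lines shown above. It pairs each return-direction source rewrite with an earlier outside-initiated destination rewrite and reports any that have none; the function names and the final sample line are constructed for illustration.

```python
import re

# Debug lines copied from the R1 output in the message (wrapped lines joined).
SAMPLE = """\
*Feb 20 11:59:02.632: NAT*: s=150.1.2.2, d=192.168.50.121->183.1.19.9 [0]
*Feb 20 11:59:02.632: NAT*: s=183.1.19.9->192.168.50.121, d=150.1.2.2 [45232]
*Feb 20 11:59:02.632: NAT*: s=150.1.2.2, d=192.168.50.121->183.1.19.9 [1]
*Feb 20 11:59:02.636: NAT*: s=183.1.19.9->192.168.50.121, d=150.1.2.2 [32013]
"""
# Constructed line (not from the message): a return-style rewrite toward a
# host that never opened a session from the outside.
CONSTRUCTED = "*Feb 20 12:00:00.000: NAT*: s=183.1.19.9->192.168.50.121, d=150.1.3.3 [7]"

# s=<src>[-><new src>], d=<dst>[-><new dst>] [<IP ident>]
LINE = re.compile(
    r"NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s_new>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_new>[\d.]+))? \[(?P<ident>\d+)\]"
)

def parse(line):
    """Return the address fields of one NAT debug line, or None."""
    m = LINE.search(line)
    return m.groupdict() if m else None

def audit(text):
    """Return (sessions, orphans).

    sessions: (outside host, virtual address, real address) tuples learned
              from destination rewrites, i.e. outside-initiated packets.
    orphans:  source rewrites with no earlier matching destination rewrite.
    """
    sessions, orphans = set(), []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["d_new"]:
            sessions.add((rec["s"], rec["d"], rec["d_new"]))
        elif rec["s_new"]:
            if (rec["d"], rec["s_new"], rec["s"]) not in sessions:
                orphans.append(rec)
    return sessions, orphans

if __name__ == "__main__":
    sessions, orphans = audit(SAMPLE + CONSTRUCTED)
    print("sessions:", sessions)
    for rec in orphans:
        print("no outside-initiated entry for return to", rec["d"])
```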
----- Original Message -----
From: "Hotmail" <hussamkibbi@hotmail.com>
To: "'Edouard Zorrilla'" <ezorrilla@tsf.com.pe>; <ccielab@groupstudy.com>
Sent: Thursday, February 19, 2009 6:41 PM
Subject: RE: NAT to change destination IP?
> Hi Edouard,
>
> I have to do a source list as I want to put an ACL to allow (permit host x to
> host y)
>
> So I tried it with a source list, but the destination address doesn't change;
> what changes is the source...
>
> Or I am getting it the wrong way...
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Edouard Zorrilla
> Sent: Friday, February 20, 2009 4:37 AM
> To: Hussam EL Kebbi; ccielab@groupstudy.com
> Subject: Re: NAT to change destination IP?
>
> You can use:
>
> ip nat outside source static ---> if host X comes from the inside
>
> or
>
> ip nat inside source static ---> if host X comes from the outside
>
> Regards
>
> ----- Original Message -----
> From: "Hussam EL Kebbi" <hussamkibbi@hotmail.com>
> To: <ccielab@groupstudy.com>
> Sent: Thursday, February 19, 2009 5:31 PM
> Subject: NAT to change destination IP?
>
>
>> Hi Experts,
>>
>>
>>
>> Is there a way I can change destination IP address
>>
>>
>>
>> - ( IF only host X ---> host y) then change host Y IP address by natting
>> ?
>>
>>
>>
>> Thanks,
>>
>> Hussam
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:12 ARST