Two locations with same LAN subnet
I have two locations (soon to be) connected via private WAN. They both connect to a head-end, so they are not connected directly.
Location A and Location B both use the 192.168.10.0/24 subnet locally.
Location A is already connected.
Location B is going to be connected sometime soon.
Location A and the Head-End will only need to access a single device at Location B, which I plan on creating a static NAT for. My question, though, is can I NAT all outgoing traffic (from Location B towards the head-end) to an IP that is not on the Location B router? For example, if its T1 interface to the head-end has some IP, could I actually NAT all connections to 192.168.11.1 instead?
Thanks in advance!
_______LAB________
2x 2950
2x 3550
2x 2650XM
2x 3640
1x 2801
Comments
networker050184 (Mod, Posts: 11,962):
Yes, you can do source NAT, but I have to ask why not re-IP and get rid of this big headache?
An expert is a man who has made all the mistakes which can be made.
mzinz (Member, Posts: 328):
> networker050184 wrote: Yes, you can do source NAT, but I have to ask why not re IP and get rid of this big headache?
That definitely would be ideal. We actually have done that in the past.
We do managed services and are constantly taking on new customers. Some of these customers have extremely large LANs, and re-IP'ing would be a major headache. It still SHOULD be done, but the sales guys never mention that when they are bringing on the big customers, so getting that done would be a major hassle for customers that we are trying to avoid.
mzinz (Member, Posts: 328):
> networker050184 wrote: Yes, you can do source NAT, but I have to ask why not re IP and get rid of this big headache?
So - Just to be straight - should this work, even though I'm trying to NAT to an IP not local to the device? It's just a random private IP that I picked.
int fa0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
int s0/0
 ! head-end facing interface
 ip address X.X.X.X 255.255.255.252
 ip nat outside
 no shut
!
! all non-local traffic goes to the head-end
ip route 0.0.0.0 0.0.0.0 X.X.X.Y
!
ip nat inside source list NAT_OUT pool NAT_OUT_POOL overload
ip access-list extended NAT_OUT
 permit ip 192.168.10.0 0.0.0.255 any
ip nat pool NAT_OUT_POOL 172.16.99.99 172.16.99.99 netmask 255.255.255.255
PS: What is the difference between "ip nat inside source list" and "ip nat outside source list"?
Monkerz (Member, Posts: 842):
> PS: What is the difference between "ip nat inside source list" and "ip nat outside source list"?
"ip nat inside" means you are NAT'ing from the inside out. With your config it would be from Fa0/0 --> S0/0.
"ip nat outside" means the exact opposite, from the outside in. With your config it would be S0/0 --> Fa0/0.
mzinz (Member, Posts: 328):
> "ip nat inside" means you are nat'ing from the inside out. With your config it would be from Fa0/0 --> S0/0
> "ip nat outside" means the exact opposite. From the outside in. With your config it would be S0/0 --> Fa0/0
Makes sense.
Does the config above seem like it will work? I'll lab it out this weekend.
Monkerz (Member, Posts: 842):
The netmask on your pool won't work; it needs to be at least a /30. Also, you'll need to add a route on the head end for return traffic: "ip route 172.16.99.99 255.255.255.252 X.X.X.X"
If you are only worried about traffic being able to leave this location then return, it should work. But if you are wanting the head end to be able to contact a PC within location B, without a prior connection established, you will need to use static nat for all the hosts in location B. And I believe if you want Location B to be able to contact location A you will need to use static nat on both location A and Location B routers.
I could be wrong...
mzinz (Member, Posts: 328):
> The netmask on your pool wont work, needs to be atleast a /30. Also, you'll need to add a route on the head end for return traffic. "ip route 172.16.99.99 255.255.255.252 X.X.X.X"
> If you are only worried about traffic being able to leave this location then return, it should work. But if you are wanting the head end to be able to contact a PC within location B, without a prior connection established, you will need to use static nat for all the hosts in location B. And I believe if you want Location B to be able to contact location A you will need to use static nat on both location A and Location B routers.
> I could be wrong...
I see. How do you NAT all inside IPs to a single outside IP then?
And good point on the static route - I'll add that.
We won't need to have access to each PC. Probably only a server or two, so I do plan on creating static NAT entries for those. Location B will not need to talk to Location A, luckily.
Monkerz (Member, Posts: 842):
> I see. How do you NAT all inside IP's to a single outside IP then?
Router(config)# ip nat inside source static tcp 192.168.10.5 <port> 172.16.99.99 <port>
But I would suggest using a Class C subnet for the statics, so you don't have to worry about the ports. Are you just limited with space? Only allowed to use 172.16.99.99 and not 172.16.99.0/24?
mzinz (Member, Posts: 328):
> Router(config)# ip nat inside source static tcp 192.168.10.5 <port> 172.16.99.99 <port>
> But, I would suggest using a Class C subnet for the statics though, so you don't have to worry with the ports. Are you just limited with space? Only allowed to use 172.16.99.99 and not 172.16.99.0/24?
Shouldn't the fact that NAT uses a random source port mitigate that? Or does that sometimes become an issue when too many hosts share a single IP? How many hosts does Cisco recommend you NAT to a single IP before starting to use a pool?
networker050184 (Mod, Posts: 11,962):
You can use a single IP in the pool, just use the overload keyword. If you want the main site reaching devices on the inside then you will need to add the static NATs.
mzinz (Member, Posts: 328):
> networker050184 wrote: You can use a single IP in the pool, just use the overload keyword. If you want the main site reaching devices on the inside then you will need to add the static NATs.
Ok - cool. Thanks.
chmorin (Member, Posts: 1,446):
> networker050184 wrote: You can use a single IP in the pool, just use the overload keyword. If you want the main site reaching devices on the inside then you will need to add the static NATs.
I think the CCNA books referred to this method as PAT, since you are taking one IP and making the sessions unique via ports. I could be mistaken.
Currently Pursuing: WGU (BS in IT Network Administration) - 52% | CCIE:Voice Written - 0% (0/200 Hours). mikej412 wrote: Cisco Networking isn't just a job, it's a Lifestyle.
networker050184 (Mod, Posts: 11,962):
Yep, many to one is Port Address Translation. One to one is Network Address Translation. People usually just say NAT no matter what though.
jamesp1983 (Member, Posts: 2,475):
> networker050184 wrote: Yes, you can do source NAT, but I have to ask why not re IP and get rid of this big headache?
x2. This means more work.
"Check both the destination and return path when a route fails." "Switches create a network. Routers connect networks."
mzinz (Member, Posts: 328):
> jimmypizzle83 wrote: x2. this means more work.
Not an option in this case, unfortunately.
mzinz (Member, Posts: 328):
I didn't mention this previously, but I'm actually using an Adtran router, not Cisco (I know, I know).
I was looking up how to configure Static NAT in a whitepaper, and noticed that they do "Static NAT Pools". It allows NAT'ing the destination, just like a 1:1 NAT, but for an entire pool.
eg:
Pinging 192.168.50.20 - When traffic hits the Adtran on the WAN interface, the IP is NAT'd to 192.168.0.20.
To accomplish this you create a global-to-local IP pool and apply it to the NAT statement.
Does Cisco offer a feature similar to this, or do you need to create several 1:1 NATs?
chmorin (Member, Posts: 1,446):
> I didn't mention this previously, but I'm actually using an Adtran Router, not Cisco (I know, I know).
> I was looking up how to configure Static NAT in a whitepaper, and noticed that they do "Static NAT Pools". It allows NAT'ing the destination, just like a 1:1 NAT, but for an entire pool.
> eg:
> Pinging 192.168.50.20 - When traffic hits the Adtran on the WAN interface, the IP is NAT'd to 192.168.0.20.
> To accomplish this you create a global-to-local IP pool and apply it to the NAT statement.
> Does Cisco offer a feature similar to this, or do you need to create several 1:1 NAT's?
What do you want to do? NAT one IP address to one, or NAT one IP address to a pool of many? Either way, it is possible.
If you want the latter, you configure a pool for the NAT to pull addresses from. When an address hits, it will NAT to an address in the pool.
If you want the former, you use the overload command to configure PAT.
mzinz (Member, Posts: 328):
> What do you want to do? NAT one IP Address to one, or NAT one IP Address to a pool of many? Either way, it is possible.
> If you want the ladder, you configure a pool for the NAT to pull addresses from. When an address hits, it will NAT to an address in the pool.
> If you want the former, you use the overload command to configure PAT.
If 192.168.0.20 pings out, I want the IP to be NAT'd to 192.168.50.20
If 192.168.0.44 tries to RDP out, I want the IP to be NAT'd to 192.168.50.44.
If inbound SSH traffic is sent to 192.168.50.25, I want it to be NAT'd to inside IP 192.168.0.25
If inbound FTP traffic is sent inbound toward 192.168.50.95, I want it to be NAT'd to inside IP 192.168.0.95.
Essentially I want 1:1 NAT in both directions for every IP in the /24 LAN. This is possible with Adtran by creating a "local to global" NAT pool and assigning it to both the inbound NAT and outbound NAT policies. I was wondering if the same is possible with Cisco.
Monkerz (Member, Posts: 842):
> Essentially I want 1:1 NAT in both directions for every IP in the /24 LAN. This is possible with Adtran by creating a "local to global" NAT pool and assigning it to both the inbound NAT and outbound NAT policies. I was wondering if the same is possible with Cisco.
Both prefix lengths must be the same, but yes using the match-host option will match the host bits when translating.
ip nat pool EXAMPLE <start> <end> prefix-length <length> type match-host
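Added example (Python, written for this page; not code from the thread, Cisco or Adtran) modelling the two translation behaviours the thread contrasts: the single-address pool with "overload" (PAT, as networker050184 describes) and the "type match-host" 1:1 pool Monkerz shows above. The 172.16.99.0/24 global range and the port-allocation policy on collision are assumptions.

```python
import ipaddress

INSIDE_NET = ipaddress.ip_network("192.168.10.0/24")   # Location B LAN (from the thread)
GLOBAL_NET = ipaddress.ip_network("172.16.99.0/24")    # assumed 1:1 range, same prefix length
OVERLOAD_IP = ipaddress.ip_address("172.16.99.99")     # single-address pool used with "overload"


def translate_host(ip, src_net, dst_net):
    """1:1 translation that keeps the host bits, like an IOS pool of 'type match-host'.
    Works in both directions: (INSIDE_NET, GLOBAL_NET) for outbound traffic and
    (GLOBAL_NET, INSIDE_NET) for inbound traffic."""
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("match-host needs equal prefix lengths on both pools")
    ip = ipaddress.ip_address(ip)
    if ip not in src_net:
        raise ValueError(f"{ip} is not in {src_net}")
    host_bits = int(ip) - int(src_net.network_address)
    return str(dst_net.network_address + host_bits)


class PatTable:
    """Many-to-one translation (PAT / 'overload'): every inside host shares one
    global address and the translated source port identifies the session."""

    def __init__(self, global_ip=OVERLOAD_IP, first_spare_port=1024):
        self.global_ip = str(global_ip)
        self.next_spare = first_spare_port
        self.out = {}    # (inside_ip, inside_port) -> global_port
        self.back = {}   # global_port -> (inside_ip, inside_port)

    def translate_out(self, inside_ip, inside_port):
        """Outbound packet: create or reuse the entry for this inside socket."""
        key = (inside_ip, inside_port)
        if key not in self.out:
            # Assumed allocation policy: keep the original source port while it is
            # free; on a collision hand out the next spare port so both flows stay distinct.
            port = inside_port
            while port in self.back:
                port = self.next_spare
                self.next_spare += 1
            self.out[key], self.back[port] = port, key
        return self.global_ip, self.out[key]

    def translate_in(self, global_port):
        """Return packet: only maps back if an outbound entry created it. With no
        entry, an unsolicited connection from the head end is dropped, which is why
        reaching an inside host from outside needs a static NAT."""
        return self.back.get(global_port)
```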
billyr (Member, Posts: 186):
Why bother using the pool of addresses with your NAT statement?
Just link the inside addresses to your outside interface with the overload statement (PAT).
e.g.
conf t
ip access-list standard NAT_Translation
 permit 192.168.10.0 0.0.0.255
ip nat inside source list NAT_Translation int s0/0 overload
int fa0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
int s0/0
 ip add x.x.x.x x.x.x.x
 ip nat outside
Monkerz (Member, Posts: 842):
> Why bother using the pool of addresses with your NAT statement?
> just link the inside addresses to your outside interface with the overload statement. (PAT)
> e.g
> conf t
> ip access-list standard NAT_Translation
> permit 192.168.10.0 0.0.0.255
> ip nat inside source list NAT_Translation int s0/0 overload
> int fa0/0
> ip address 192.168.10.1 255.255.255.0
> ip nat inside
> int s0/0
> ip add x.x.x.x x.x.x.x
> ip nat outside
Because he wants a 1:1 translation.
> Essentially I want 1:1 NAT in both directions for every IP in the /24 LAN. This is possible with Adtran by creating a "local to global" NAT pool and assigning it to both the inbound NAT and outbound NAT policies. I was wondering if the same is possible with Cisco.
vinbuck (Member, Posts: 785):
What kind of Adtran router? I'm assuming it's a NetVanta model. I work with Adtran gear a good bit and may be able to point you in the right direction.
Cisco was my first networking love, but my "other" router is a Mikrotik...
mzinz (Member, Posts: 328):
> MississippiGuardsman wrote: What kind of Adtran router? I'm assuming it's a NetVanta model. I work with Adran gear a good bit and may be able to point you in the right direction.
NetVanta 3448, although it is working now.
I had the config right, but had to add the entire NAT'd range to a loopback address range (Adtran support told me this, and they were correct).