NAT and PAT: Destination and Source both together?

raghavme · 2011-04-14T01:26:20+00:00

Hi All, I need some help here. * NAT 172.x.x.x/24 user group of internal users need to access two servers on an external hosting provider. * OSPF is running in internal network for 172.x segment * NAT and PAT both has to be performed on the edge router * static NAT for providing access SERVER1 * PAT modifying source and…

raghavme

Hi All,

I need some help here.

NAT 172.x.x.x/24 user group of internal users need to access two servers on an external hosting provider.
OSPF is running in internal network for 172.x segment
NAT and PAT both has to be performed on the edge router
static NAT for providing access SERVER1
PAT modifying source and destination both of traffic going from INTERNAL to EXTERNAL.
Issue is that random set of people from 172.x have to access both SERVER1 and SERVER2.
SERVER1 should be accessed without modifying the source IP of the user.
SERVER2 should be accessed such that the HOSTING should see requests as sourced from 10.186.1.1

Topology: http://i55.tinypic.com/hwhefp.jpg
GNS3 topology and configs: NATraghavme.zip

[FONT=&quot]So, far I have tried the following different ways of doing this:[/FONT]

[FONT=&quot]1. [FONT=&quot]PAT with a pool using standard ACL.[/FONT][/FONT]
[FONT=&quot]2. [FONT=&quot]PAT with a pool using extended ACL.[/FONT][/FONT]
[FONT=&quot]3. [FONT=&quot]PAT with pool using Route-map matching a extended ACL (matching destination IP AND/OR port)

Another (desperate)idea was to connect one more link (back to back cable) between my router and their L3 switch and:[/FONT][/FONT]
[FONT=&quot]4. [FONT=&quot]PAT using ip policy + Router-map applied at my side interface to set the next-hop of interesting traffic destined to 172.16.16.6 to the another new interface (lying in series of 10.186.1.0/24) and then NAT it here.[/FONT][/FONT]
[FONT=&quot]5. [FONT=&quot]PAT using method similar to item no. 4 but setting [/FONT][FONT=&quot]next-hop ip[/FONT][FONT=&quot] interface.[/FONT][/FONT]
[FONT=&quot]6. [FONT=&quot]Also tried item no. 3 and tried setting next-hop ip and also tried [/FONT][FONT=&quot]next-hop out interface[/FONT][FONT=&quot], as well.[/FONT][/FONT]

[FONT=&quot]Last thing I will try is to ditch the whole [FONT=&quot]ip nat inside/outside[/FONT][FONT=&quot] statements under the interfaces and using NVIs ([/FONT][FONT=&quot]ip nat enabled[/FONT][FONT=&quot]). Hoping to make benefit of situations mentioned in[/FONT][/FONT]
· [FONT=&quot]The Inside and Outside of NAT | CCIE Blog (different order of NAT processing than the [FONT=&quot]inside/outside[/FONT][FONT=&quot] ideology)[/FONT][/FONT]
· [FONT=&quot]A Curious NAT Scenario | CCIE Blog[/FONT]

Find more posts tagged with

Comments

raghavme

Let me know if any more details are required.

Forsaken_GA

K, so let me see if I have this straight -

Anything going to sever1 internally will be addressed to 172.16.16.16, and that needs to have the destination addressed to 10.254.254.10 without changing the source

Anything destined for server 2 will be sent internally to 172.16.16.6, which needs to be translated to 10.254.254.6, and additional needs to appear as though it's been sourced from 10.186.1.1

Anything else that's bound from internal to external should appear as though it's been sourced from 172.16.16.1

Does that about sum it up?

raghavme

Hi Forsaken_GA, you've got it down exactly.

One more gotcha is that, my side interface is ip nat outside... the interface facing them is ip nat inside. Thats how the production routers are set up presently and I wanna make it work on the same set up.