Nat

Hey guys,

working on the topology attached. I have added static NAT mappings to the router and added ip nat inside/outside to the relevant interfaces but if I ping from 172.168.0.1 to 192.168.0.1 the routers aren't using the NAT mappings? Am I missing something here?

ip nat inside source static 172.168.0.1 10.0.0.2
ip nat inside source static 172.168.0.2 10.0.0.2
ip nat inside source static 172.168.0.3 10.0.0.2

untitled.jpg

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

fsanyee

I don't think you can map one global address to more than one local address. Use dynamic nat with more global address or nat overload.

Roguetadhg

Nevermind, I just read the commands you put in. You'd need to give each static mapping an individual ip address.

ip nat inside source static 172.168.0.1 10.0.0.1
ip nat inside source static 172.168.0.2 10.0.0.2
ip nat inside source static 172.168.0.3 10.0.0.3

although, im making a quick lab to test

R1(config)#ip nat inside source static 172.168.0.1 10.0.0.1
R1(config)#ip nat inside source static 172.168.0.2 10.0.0.1
% similar static entry (172.168.0.1 -> 10.0.0.1) already exists

There we go. tested within GNS3.

You'd either need a new inside global address per inside local address. Or run PAT.

fsanyee

Roguetadhg wrote: »

You can use more than 1
"ip nat inside source static x y" commands

Really? And how is this work? when I type 10.0.0.2 in my browser from outside, which host will answer?

Roguetadhg

you can map more than 1 inside global to 1 inside local.

R1(config)#ip nat inside source static 172.168.0.1 10.0.0.1
R1(config)#ip nat inside source static 172.168.0.2 10.0.0.1
% similar static entry (172.168.0.1 -> 10.0.0.1) already exists
R1(config)#ip nat inside source static 172.168.0.2 10.0.0.2

I didn't catch that the commands alliaseno was trying to statically map 1 inside global address to 3 inside local addresses.

SteveO86

Do you have a routing protocol going between the 2 routers so they are aware of the other network?

alliasneo

ahh right ok. I thought u would statically assign multiple private ip addresses to just one public address but I'm thinking of PAT and getting them confused I think? PAT would use one public ip address and multiple private addresses but change the port numbers?

it's annoying that packet tracer didn't throw up that error message, I will have to try this on my real gear instead.

How does this work though? in terms of NAT, you would need say a hundred public ip addresses in order to get hundred PC's to communicate out on the net? I thought NAT was supposed to reserve address:

172.168.0.1 - 10.0.0.1
172.168.0.2 - 10.0.0.2
etc
etc
172.168.0.100 - 10.0.0.100

alliasneo

SteveO86 wrote: »

Do you have a routing protocol going between the 2 routers so they are aware of the other network?

Hi SteveO86, yes I have OSPF configured.

I just had a huge eureka moment though, I have vlans going on and a sub interface on my router. I added IP nat inside to the physical interface and not the sub interface so now I've done that and made the changes that Roguetadhg and everyone else said about it works:

R2#sh ip nat stat
Total translations: 10 (3 static, 7 dynamic, 7 extended)
Outside Interfaces: Serial2/0
Inside Interfaces: FastEthernet0/0 , FastEthernet0/0.20
Hits: 7 Misses: 0
Expired translations: 0
Dynamic mappings:

dustinmurphy

alliasneo wrote: »

ahh right ok. I thought u would statically assign multiple private ip addresses to just one public address but I'm thinking of PAT and getting them confused I think? PAT would use one public ip address and multiple private addresses but change the port numbers?

it's annoying that packet tracer didn't throw up that error message, I will have to try this on my real gear instead.

How does this work though? in terms of NAT, you would need say a hundred public ip addresses in order to get hundred PC's to communicate out on the net? I thought NAT was supposed to reserve address:

172.168.0.1 - 10.0.0.1
172.168.0.2 - 10.0.0.2
etc
etc
172.168.0.100 - 10.0.0.100

That's when you use NAT Overload instead of static NAT.

It's much easier to configure and administer, anyways... using a single global address as the NAT address for multiple internal hosts.

I've only used static NAT when I want to allow outside users to access services on an internal host (i.e. web server, ftp server, etc). I've seen a NAT pool used, but I've never used one.

alliasneo

thanks for the clarification