Neat! NAT can be an interesting area. MarkO tipped me off to a life saver here: http://www.cisco.com/warp/public/707/static.html
The scenario uses NAT. One or more of the inside hosts have a static NAT translation. There is a VPN tunnel terminating on the "ip nat outside" interface. How to make the inside host visible to both outside hosts and hosts on the other end of the tunnel? Traffic bound for the tunnel uses a route-map to "bounce off", i.e. use a loopback interface as an ip next-hop.

> -----Original Message-----
> From: Chuck [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, June 01, 2002 7:58 PM
> To: [EMAIL PROTECTED]
> Subject: NAT - something new ( to me ) [7:45602]
>
>
> OK, this has been a fun day in the lab! Truly!
>
> To emulate a customer network so I can solve a particular customer problem,
> I have to emulate a multiport PIX on one of my routers. How to do so?
>
> That is, how to have multiple outside NAT pools, such that a translation out
> one interface is different than a translation out another interface?
>
> The problem - to simulate such that there is The Internet out one interface,
> and a Business Partner Extranet out another. Obviously, internet bound
> traffic has to have public ip addresses, and the extranet traffic has to
> appear as a certain private subnet.
>
> The other problem is that the inside network consists of a number of "branch
> offices", each connected to the central site via frame relay point to point
> subinterfaces. ( well, the customer's real network is ATM, but the principle
> is the same )
>
> Can it be done?
>
> Start with a search of CCO. Lots of hits using the term "nat", but one hit
> in particular looks promising:
>
> http://www.cisco.com/warp/public/556/index.shtml
>
> Scroll down the page and see this link:
>
> http://www.cisco.com/warp/public/105/nat_routemap.html
>
> Read it a while, think about it, draw up a plan, test it out. Had to do a
> bit of tweaking, but damn! it works exactly the way I need it to work!
>
> Neat!!!!!
>
> interface Ethernet0
>  ip address 129.1.1.4 255.255.255.0
>  ip nat outside
> !
> interface TokenRing0
>  ip address 10.1.1.254 255.255.255.252
>  ip nat outside
>  ring-speed 4
> !
> !!!!! NOTE the two interfaces identified as NAT outside !!!!!!!
> !
> interface Serial0
>  no ip address
>  encapsulation frame-relay
>  no fair-queue
> !
> interface Serial0.1 point-to-point
>  description SOMHC
>  ip address 172.31.250.29 255.255.255.252
>  ip nat inside
>  frame-relay interface-dlci 201
> !
> interface Serial0.2 point-to-point
>  description NAHC
>  ip address 172.31.250.1 255.255.255.252
>  ip nat inside
>  frame-relay interface-dlci 202
> !
> interface Serial0.3 point-to-point
>  description SAFMC
>  ip address 172.31.250.9 255.255.255.252
>  ip nat inside
>  frame-relay interface-dlci 203
> !
> interface Loopback0
>  ip address 172.31.1.1 255.255.255.255
>  ip nat inside
> !
> !
> !!!!!!!!!!! Note the four interfaces identified as NAT inside !!!!!!!
> !
> !
> interface Serial1
>  no ip address
>  shutdown
> !
> router eigrp 999
>  passive-interface Ethernet0
>  passive-interface Loopback0
>  passive-interface TokenRing0
>  network 172.31.0.0
>  no auto-summary
>  no eigrp log-neighbor-changes
> !
> ip nat pool 2internet 75.1.1.65 75.1.1.94 netmask 255.255.255.224
> ip nat pool 2extranet 10.1.2.10 10.1.2.50 netmask 255.255.255.0
> ip nat inside source route-map intointernet pool 2internet
> ip nat inside source route-map intoextranet pool 2extranet
> ip classless
> ip route 0.0.0.0 0.0.0.0 Ethernet0
> ip route 10.1.1.1 255.255.255.255 TokenRing0
> ip route 172.31.3.0 255.255.255.0 Serial0.2
> ip route 172.31.5.0 255.255.255.0 Serial0.3
> ip route 172.31.10.0 255.255.255.0 Serial0.1
> no ip http server
> !
> access-list 171 deny ip 172.31.0.0 0.0.255.255 host 10.1.1.1
> access-list 171 permit ip 172.31.0.0 0.0.255.255 any
> access-list 172 permit ip 172.31.0.0 0.0.255.255 host 10.1.1.1
> route-map intointernet permit 10
>  match ip address 171
> !
> route-map intoextranet permit 10
>  match ip address 172
> !
> Check out the two different outputs of the show ip nat trans command: have
> to use extended ping to get the source addresses for the various interfaces.
>
> To the internet:
>
> SFCCC_Central#ping
> Protocol [ip]:
> Target IP address: 65.20.35.1
> Repeat count [5]:
> Datagram size [100]:
> Timeout in seconds [2]:
> Extended commands [n]: y
> Source address or interface: loop 0
> Type of service [0]:
> Set DF bit in IP header? [no]:
> Validate reply data? [no]:
> Data pattern [0xABCD]:
> Loose, Strict, Record, Timestamp, Verbose[none]:
> Sweep range of sizes [n]:
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 65.20.35.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms
>
> SFCCC_Central#sh ip nat trans
> Pro  Inside global      Inside local       Outside local      Outside global
> icmp 75.1.1.65:9704     172.31.1.1:9704    65.20.35.1:9704    65.20.35.1:9704
> icmp 75.1.1.65:9705     172.31.1.1:9705    65.20.35.1:9705    65.20.35.1:9705
> icmp 75.1.1.65:9706     172.31.1.1:9706    65.20.35.1:9706    65.20.35.1:9706
> icmp 75.1.1.65:9707     172.31.1.1:9707    65.20.35.1:9707    65.20.35.1:9707
> icmp 75.1.1.65:9708     172.31.1.1:9708    65.20.35.1:9708    65.20.35.1:9708
>
> To the business partner extranet:
>
> SFCCC_Central#ping
> Protocol [ip]:
> Target IP address: 10.1.1.1
> Repeat count [5]:
> Datagram size [100]:
> Timeout in seconds [2]:
> Extended commands [n]: y
> Source address or interface: loop 0
> Type of service [0]:
> Set DF bit in IP header? [no]:
> Validate reply data? [no]:
> Data pattern [0xABCD]:
> Loose, Strict, Record, Timestamp, Verbose[none]:
> Sweep range of sizes [n]:
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
>
> SFCCC_Central#sh ip nat trans
> Pro  Inside global      Inside local       Outside local      Outside global
> icmp 10.1.2.10:9102     172.31.1.1:9102    10.1.1.1:9102      10.1.1.1:9102
> icmp 10.1.2.10:9103     172.31.1.1:9103    10.1.1.1:9103      10.1.1.1:9103
> icmp 10.1.2.10:9104     172.31.1.1:9104    10.1.1.1:9104      10.1.1.1:9104
> icmp 10.1.2.10:9105     172.31.1.1:9105    10.1.1.1:9105      10.1.1.1:9105
> icmp 10.1.2.10:9106     172.31.1.1:9106    10.1.1.1:9106      10.1.1.1:9106
>
> In the customer network I won't have the issue because 1) multiple NATs can
> be set up on multiple PIX interfaces and 2) the policy routing will set the
> ip next hops to the correct vlan trunk interface.
>
> Damn it is so much fun to research, find a hint, and work through the
> problem!
>
> Chuck
> 183 and counting down

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45606&t=45602
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
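The pool selection in Chuck's config hinges on two things that are easy to get wrong: the route-maps are walked in configuration order, and ACL 171 only stays out of the extranet's way because of its explicit deny line. The Python model below is an added example (not code from the thread, nor IOS code) that reproduces the two "show ip nat trans" outputs from the quoted post and then audits which pool each flow lands in. ACLs 171/172, the route-map names and the pool ranges are taken from the config; the wildcard-match, first-match ACL and sequential pool-allocation logic, the non-overload (one pool address per inside host) assumption, and the ICMP identifiers are this example's own constructions.

```python
import ipaddress

# Added model of the policy NAT in the quoted lab config. ACLs, route-maps and
# pools come from the thread; the evaluation logic here is an assumption about
# IOS behaviour written for illustration, not IOS itself.

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & mask) == \
           (int(ipaddress.IPv4Address(network)) & mask)

ANY = ("0.0.0.0", "255.255.255.255")

def host(ip):
    return (ip, "0.0.0.0")

def acl_permits(entries, src, dst):
    """Extended ACL: first matching entry decides; implicit deny at the end."""
    for action, (snet, swild), (dnet, dwild) in entries:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action == "permit"
    return False

# access-list 171 / 172 as configured in the thread
ACLS = {
    171: [("deny",   ("172.31.0.0", "0.0.255.255"), host("10.1.1.1")),
          ("permit", ("172.31.0.0", "0.0.255.255"), ANY)],
    172: [("permit", ("172.31.0.0", "0.0.255.255"), host("10.1.1.1"))],
}

# "ip nat inside source route-map <map> pool <pool>" lines, in config order
ROUTE_MAPS = [("intointernet", 171, "2internet"),
              ("intoextranet", 172, "2extranet")]

POOLS = {"2internet": ("75.1.1.65", "75.1.1.94"),
         "2extranet": ("10.1.2.10", "10.1.2.50")}


class PolicyNat:
    """Dynamic (non-overload) NAT: one pool address per inside local host."""

    def __init__(self, acls=ACLS, route_maps=ROUTE_MAPS, pools=POOLS):
        self.acls, self.route_maps, self.pools = acls, route_maps, pools
        self.allocated = {}                 # (inside local, pool) -> global
        self.next_free = {name: ipaddress.IPv4Address(lo)
                          for name, (lo, _hi) in pools.items()}
        self.table = []                     # rows of "show ip nat trans"

    def select_pool(self, src, dst):
        """Walk the route-maps in order; the first whose ACL permits wins."""
        for _name, acl, pool in self.route_maps:
            if acl_permits(self.acls[acl], src, dst):
                return pool
        return None                         # no match: leaves untranslated

    def translate(self, proto, src, dst, ident):
        pool = self.select_pool(src, dst)
        if pool is None:
            return None
        key = (src, pool)
        if key not in self.allocated:       # allocate lowest free pool address
            _lo, hi = self.pools[pool]
            addr = self.next_free[pool]
            if addr > ipaddress.IPv4Address(hi):
                raise RuntimeError(f"pool {pool} exhausted")
            self.allocated[key] = str(addr)
            self.next_free[pool] = addr + 1
        row = (proto, f"{self.allocated[key]}:{ident}", f"{src}:{ident}",
               f"{dst}:{ident}", f"{dst}:{ident}")
        self.table.append(row)
        return row


def audit(nat, flows):
    """Policy check: flows to the extranet host must use the private pool and
    everything else the public pool. Returns (src, dst, got, wanted) tuples."""
    bad = []
    for src, dst in flows:
        pool = nat.select_pool(src, dst)
        want = "2extranet" if dst == "10.1.1.1" else "2internet"
        if pool != want:
            bad.append((src, dst, pool, want))
    return bad


def replay_thread_pings():
    """The two extended pings sourced from Loopback0 (172.31.1.1); the ICMP
    identifiers are the ones seen in the quoted output."""
    nat = PolicyNat()
    for ident in range(9704, 9709):
        nat.translate("icmp", "172.31.1.1", "65.20.35.1", ident)
    for ident in range(9102, 9107):
        nat.translate("icmp", "172.31.1.1", "10.1.1.1", ident)
    return nat


if __name__ == "__main__":
    nat = replay_thread_pings()
    print(f"{'Pro':5}{'Inside global':19}{'Inside local':19}{'Outside local':19}Outside global")
    for row in nat.table:
        print(f"{row[0]:5}{row[1]:19}{row[2]:19}{row[3]:19}{row[4]}")
    # Without the deny line in ACL 171 the first route-map swallows extranet
    # traffic and hands it a public source address; the audit reports it.
    broken = dict(ACLS)
    broken[171] = ACLS[171][1:]
    print(audit(PolicyNat(acls=broken), [("172.31.3.5", "10.1.1.1")]))
```

Running the block prints a table matching the two quoted outputs (75.1.1.65 for the internet-bound pings, 10.1.2.10 for the extranet-bound ones) and then the audit result for the misconfigured variant. The audit is the piece worth keeping: after any change to the ACLs or to the order of the "ip nat inside source route-map" lines, replaying the expected flows through the model shows immediately whether extranet-bound traffic would start leaving with a public inside-global address.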

