Using NAT in Overlapping Networks

Similar documents
Table of Contents. Cisco NAT Order of Operation

NAT Support for Multiple Pools Using Route Maps

Use NAT to Hide the Real IP Address of CTC to Establish a Session with ONS 15454

Policy Based Routing with the Multiple Tracking Options Feature Configuration Example

Context Based Access Control (CBAC): Introduction and Configuration

Three interface Router without NAT Cisco IOS Firewall Configuration

VPN Connection through Zone based Firewall Router Configuration Example

Cisco DSL Router Configuration and Troubleshooting Guide Cisco DSL Router Acting as a PPPoE Client with a Dynamic IP Address

How to Configure a Cisco Router Behind a Non-Cisco Cable Modem

Configuring Commonly Used IP ACLs

Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall

Configuring Layer 2 Tunneling Protocol (L2TP) over IPSec

IOS Router : Easy VPN (EzVPN) in Network Extension Mode (NEM) with Split tunnelling Configuration Example

This document provides a sample configuration for X25 Over TCP.

Advanced IPv6 Training Course. Lab Manual. v1.3 Page 1

IPv6 Tunnel through an IPv4 Network

Troubleshooting High CPU Utilization Due to the IP Input Process

Configuring Transparent and Proxy Media Redirection Using ACNS Software 4.x

L2TP IPsec Support for NAT and PAT Windows Clients

cable modem dhcp proxy nat on Cisco Cable Modems

Router Allows VPN Clients to Connect IPsec and Internet Using Split Tunneling Configuration Example

Implementing Authentication Proxy

Configuring a Cisco 827 Router Using PPPoA With CHAP and PAP

Configuring IOS Server Load Balancing with HTTP Probes in the Dispatched Mode

co Configuring PIX to Router Dynamic to Static IPSec with

Configuring IP SLAs TCP Connect Operations

OSPF Routers Connected by a Point to Multipoint Link

Configuring IDS TCP Reset Using VMS IDS MC

Configuring Modem Transport Support for VoIP

Communication Media Module IP Connectivity

Implementing NAT-PT for IPv6

Configuring a Terminal/Comm Server

Configuring IP SLAs ICMP Echo Operations

Access Control Lists and IP Fragments

Configuring Redundant Routing on the VPN 3000 Concentrator

Configuring IP SLAs ICMP Echo Operations

Understanding and Troubleshooting Idle Timeouts

Cisco Configuring Hub and Spoke Frame Relay

Secure ACS Database Replication Configuration Example

Stateful Network Address Translation 64

WCCPv2 and WCCP Enhancements

Configure the ASA for Dual Internal Networks

Table of Contents. Cisco IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example

Cisco IOS NAT Feature Matrix

ACS 5.x: LDAP Server Configuration Example

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

Configuring a Cisco 827 Router to Support PPPoE Clients, Terminating on a Cisco 6400 UAC

Configuring IOS to IOS IPSec Using AES Encryption

Lab Configuring Static Routes Instructor Version 2500

Lab Configuring and Verifying Extended ACLs Topology

Firewall Stateful Inspection of ICMP

Configuring IP SLAs TCP Connect Operations

How BGP Routers Use the Multi Exit Discriminator for Best Path Selection

Lab 9.6.2: Challenge EIGRP Configuration Lab

Lab Establishing and Verifying a Telnet Connection Instructor Version 2500

Configuring IS IS for IP on Cisco Routers

H3C SecPath Series High-End Firewalls

Configuring Secure (Router) Mode on the Content Switching Module

IP MultiLayer Switching Sample Configuration

Configuring PPP over Ethernet with NAT

Wireless LAN Controller (WLC) Mobility Groups FAQ

Lab: RIP v2 with VLSM

Mapping of Address and Port Using Translation

I Commands. iping, page 2 iping6, page 4 itraceroute, page 5 itraceroute6 vrf, page 6. itraceroute vrf encap vxlan, page 12

Sample Business Ready Branch Configuration Listings

Lock and Key: Dynamic Access Lists

Troubleshooting Cisco Express Forwarding Routing Loops

Lab : Challenge OSPF Configuration Lab. Topology Diagram. Addressing Table. Default Gateway. Device Interface IP Address Subnet Mask

IP Addressing: IPv4 Addressing Configuration Guide, Cisco IOS Release 15S

Firewall Stateful Inspection of ICMP

Configuring Network Address Translation

Lab 5.6.2: Challenge RIP Configuration

Configuring NAT for IP Address Conservation

Configuring Basic AAA on an Access Server

Finding Feature Information

Lab Guide 1 - Basic Configuration and Interface Configuration

Lab VTY Restriction Instructor Version 2500

Permitting PPTP Connections Through the PIX/ASA

Basic Router Configuration using SDM

Route Leaking in MPLS/VPN Networks

Configuring IP SLAs UDP Echo Operations

TACACS+ on an Aironet Access Point for Login Authentication Configuration Example

AAA Support for IPv6

Configuring Static and Dynamic NAT Translation

Lecture 16: Network Layer Overview, Internet Protocol

Lab b Standard ACLs Instructor Version 2500

IPsec Anti-Replay Window: Expanding and Disabling

Configuring Static and Dynamic NAT Translation

CCNA Course Access Control Lists

Basic Router Configuration

Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection

Lab b Simple DMZ Extended Access Lists Instructor Version 2500

Configuring Hookflash Relay on FXS/FXO Voice Ports

Lab Troubleshooting Using traceroute Instructor Version 2500

HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls

IPsec Anti-Replay Window Expanding and Disabling

LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example

VPN Between Sonicwall Products and Cisco Security Appliance Configuration Example

Cisco - Connecting Routers Back-to-Back Through the AUX Ports using a Rollover Cable

Configuring IP Multicast over Unidirectional Links

Transcription:

Using NAT in Overlapping Networks Document ID: 13774 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Configurations Verify Troubleshoot Related Information Introduction This document demonstrates how you can use Network Address Translation (NAT) for overlapping networks. Overlapping networks result when you assign an IP address to a device on your network that is already legally owned and assigned to a different device on the Internet or outside network. Overlapping networks also result when two companies, both of whom use RFC 1918 IP addresses in their networks, merge. These two networks need to communicate, preferably without having to readdress all their devices. Prerequisites Requirements A basic understanding of IP addressing, IP routing, and Domain Name System (DNS) is helpful for understanding the contents of this document. Components Used Support for NAT began in Cisco IOS software version 11.2. For more information on platform support see NAT Frequently Asked Questions. Conventions For more information on document conventions, refer to Cisco Technical Tips Conventions. Configure In this section, you are presented with the information to configure the features described in this document. Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram This document uses the network setup shown in the diagram below. Notice that the inside device has the same IP address as the outside device with which it wishes to communicate. Configurations Router A is configured for NAT, such that it translates the inside device to an address from the pool "test loop" and the outside device to an address from the pool "test dns." An explanation of how this configuration helps with overlapping follows the configuration table below. Router A version 11.2 no service udp small servers no service tcp small servers hostname Router A ip domain name cisco.com ip name server 171.69.2.132 interface Loopback0 ip address 1.1.1.1 255.0.0.0 interface Ethernet0 ip address 135.135.1.2 255.255.255.0 shutdown interface Serial0 ip address 171.68.200.49 255.255.255.0 ip nat inside no fair queue interface Serial1

ip address 172.16.47.146 255.255.255.240 ip nat outside ip nat pool test loop 172.16.47.161 172.16.47.165 prefix length 28 ip nat pool test dns 172.16.47.177 172.16.47.180 prefix length 28 ip nat inside source list 7 pool test loop ip nat outside source list 7 pool test dns ip classless ip route 0.0.0.0 0.0.0.0 172.16.47.145 access list 7 permit 171.68.200.0 0.0.0.255 line con 0 exec timeout 0 0 line aux 0 line vty 0 4 login end In order for the above configuration to help with overlapping when the inside device communicates with the outside device, it must use the outside device's domain name. The inside device cannot use the IP address of the outside device because it is the same as the address assigned to itself (the inside device). Therefore, the inside device will send a DNS query for the outside device's domain name. The inside device's IP address will be the source of this query, and that address will be translated to an address from the "test loop" pool because the ip nat inside source list command is configured. The DNS server replies to the address which came from the pool "test loop" with the IP address associated with the outside device's domain name in the payload of the packet. The destination address of the reply packet is translated back to the inside device's address, and the address in the payload of the reply packet is then translated to an address from the pool "test dns" because of the ip nat outside source list command. Therefore the inside device learns that the IP address for the outside device is one of the addresses from the "test dns" pool, and it will use this address when communicating with the outside device. The router running NAT takes care of the translations at this point. This process can be seen in detail in the Troubleshoot section. Devices using overlapping addresses can communicate with each other without the use of DNS, but in this case, static NAT would have to be configured. An example of how this might be done follows. version 11.2 no service udp small servers no service tcp small servers hostname Router A ip domain name cisco.com ip name server 171.69.2.132 interface Loopback0 ip address 1.1.1.1 255.0.0.0 Router A

interface Ethernet0 ip address 135.135.1.2 255.255.255.0 shutdown interface Serial0 ip address 171.68.200.49 255.255.255.0 ip nat inside no fair queue interface Serial1 ip address 172.16.47.146 255.255.255.240 ip nat outside ip nat pool test loop 172.16.47.161 172.16.47.165 prefix length 28 ip nat inside source list 7 pool test loop ip nat outside source static 171.68.200.48 172.16.47.177 ip classless ip route 0.0.0.0 0.0.0.0 172.16.47.145 ip route 172.16.47.160 255.255.255.240 Serial0 This line is necessary to make NAT work for return traffic. The router needs to have a route for the pool to the inside NAT interface so it knows that a translation is needed. access list 7 permit 171.68.200.0 0.0.0.255 line con 0 exec timeout 0 0 line aux 0 line vty 0 4 login end With the above configuration, when the inside device wants to communicate with the outside device it can now use IP address 172.16.47.177, and DNS in not necessary. As shown above, translation of the inside device's address is still done dynamically, which means that the router must get packets from the inside device before a translation is created. For this reason, the inside device must initiate all connections in order for the inside device and outside device to communicate. If it were required that the outside device initiate connections to the inside device, then the address for the inside device must also be statically configured. Verify There is currently no verification procedure available for this configuration. Troubleshoot This section provides information you can use to troubleshoot your configuration. The process by which the inside device used DNS to communicate with the outside device, as described above, can be viewed in detail with the following troubleshooting process. Currently there are no translations in the translation table that can be seen with the show ip nat translations command. The examples below use the debug ip packet and debug ip nat commands instead.

Note: The debug commands generate a significant amount of output. Use it only when traffic on the IP network is low, so other activity on the system is not adversely affected. Router A# show ip nat translations Router A# show debug Generic IP: IP packet debugging is on (detailed) IP NAT debugging is on When the inside device sends its DNS query to the DNS server, which resides outside the NAT domain, the source address of the DNS query (the address of the inside device) gets translated due to the ip nat inside commands. This can be seen in the debug output below. NAT: s=171.68.200.48 >172.16.47.161, d=171.69.2.132 [0] IP: s=172.16.47.161 (Serial0), d=171.69.2.132 (Serial1), g=172.16.47.145, len 66, forward UDP src=6988, dst=53 When the DNS server sends a DNS reply, the payload of the DNS reply gets translated due to the ip nat outside commands. Note: NAT does not look at the payload of the DNS reply unless translation occurs on the IP header of the reply packet. See the ip nat outside source list 7 pool command in the router configuration above. The first NAT message in the debug output below shows that the router recognizes the DNS reply and translates the IP address within the payload to 172.16.47.177. The second NAT message shows the router translating the destination of the DNS reply so that it can forward a reply back to the inside device that performed the initial DNS query. The destination portion of the header, the inside global address, is translated to the inside local address. The payload of the DNS reply is translated: NAT: DNS resource record 171.68.200.48 > 172.16.47.177 The destination portion of the IP header in the DNS reply packet is translated: NAT: s=171.69.2.132, d=172.16.47.161 >171.68.200.48 [65371] IP: s=171.69.2.132 (Serial1), d=171.68.200.48 (Serial0), g=171.68.200.48, len 315, forward UDP src=53, dst=6988 Let us look at another DNS query and reply: NAT: s=171.68.200.48 >172.16.47.161, d=171.69.2.132 [0] IP: s=172.16.47.161 (Serial0), d=171.69.2.132 (Serial1), g=172.16.47.145, len 66, forward UDP src=7419, dst=53 NAT: DNS resource record 171.68.200.48 > 172.16.47.177 NAT: s=171.69.2.132, d=172.16.47.161 >171.68.200.48 [65388] IP: s=171.69.2.132 (Serial1), d=171.68.200.48 (Serial0), g=171.68.200.48, len 315, forward UDP src=53, dst=7419 Now that the payload of the DNS has been translated, our translation table has an entry for the outside local and global addresses of the outside device. With these entries in the table, we can now fully translate the header of the ICMP packets exchanged between the inside device and outside device. Let's look at this exchange in the debug output below. The following output shows the source address (inside device's address) being translated. NAT: s=171.68.200.48 >172.16.47.161, d=172.16.47.177 [406]

Here, the destination address (outside device's outside local address) is translated. NAT: s=172.16.47.161, d=172.16.47.177 >171.68.200.48 [406] After translation, the IP packet looks like this: The following output shows the source address (outside device's address) being translated on the return packet. NAT*: s=171.68.200.48 >172.16.47.177, d=172.16.47.161 [16259] Now the destination address (inside device's global address) of the return packet is translated. NAT*: s=172.16.47.177, d=172.16.47.161 >171.68.200.48 [16259] After translation, the return packet looks like this: The exchange of packets continues between the inside device and the outside device. NAT: s=171.68.200.48 >172.16.47.161, d=172.16.47.177 [407] NAT: s=172.16.47.161, d=172.16.47.177 >171.68.200.48 [407] NAT*: s=171.68.200.48 >172.16.47.177, d=172.16.47.161 [16262] NAT*: s=172.16.47.177, d=172.16.47.161 >171.68.200.48 [16262] NAT: s=171.68.200.48 >172.16.47.161, d=172.16.47.177 [408] NAT: s=172.16.47.161, d=172.16.47.177 >171.68.200.48 [408] NAT*: s=171.68.200.48 >172.16.47.177, d=172.16.47.161 [16267] NAT*: s=172.16.47.177, d=172.16.47.161 >171.68.200.48 [16267] NAT: s=171.68.200.48 >172.16.47.161, d=172.16.47.177 [409] NAT: s=172.16.47.161, d=172.16.47.177 >171.68.200.48 [409] NAT*: s=171.68.200.48 >172.16.47.177, d=172.16.47.161 [16273] NAT*: s=172.16.47.177, d=172.16.47.161 >171.68.200.48 [16273] NAT: s=171.68.200.48 >172.16.47.161, d=172.16.47.177 [410] NAT: s=172.16.47.161, d=172.16.47.177 >171.68.200.48 [410] NAT*: s=171.68.200.48 >172.16.47.177, d=172.16.47.161 [16277] NAT*: s=172.16.47.177, d=172.16.47.161 >171.68.200.48 [16277] Once the exchange of packets between outside and inside is complete, we can look at the translation table, which has three entries. The first entry was created when the inside device sent a DNS query. The second entry was created when the payload of the DNS reply was translated. The third entry was created when the

ping was exchanged between the inside device and the outside device. The third entry is a summary of the first two entries, and is used for more efficient translations. Router A# show ip nat translations Pro Inside global Inside local Outside local Outside global 172.16.47.161 171.68.200.48 172.16.47.177 171.68.200.48 172.16.47.161 171.68.200.48 172.16.47.177 171.68.200.48 It is important to note when you are trying to establish connectivity between two overlapping networks by running dynamic NAT on a single Cisco router, you must use DNS to create an outside local to outside global translation. If you do not use DNS, connectivity can be established with static NAT, but it is more difficult to manage. Related Information NAT Support Page Technical Support Cisco Systems Contacts & Feedback Help Site Map 2014 2015 Cisco Systems, Inc. All rights reserved. Terms & Conditions Privacy Statement Cookie Policy Trademarks of Cisco Systems, Inc. Updated: Aug 10, 2005 Document ID: 13774

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback