How To Configure Double NAT On IOS

How to configure double NAT on
IOS
This question is Not Answered.
Ian Cresswell Jan 12, 2015 8:40 AM
Hi All
I have a requirement where I need to redirect a request to an external IP to our DMZ, so we have
a web site in our DMZ but when a user accesses it he receives the external IP from DNS. So on
an ASA we can simply redirect him to the internal IP with NAT:
nat (inside,dmz) source static net-global-10.0.0.0_8 net-global-10.0.0.0_8 destination static
70.165.151.130 10.44.99.130
so from this we see that when an internal host in the 10.0.0.0/8 subnet tries to access the web
server at 70.165.151.130 they are redirected to the web server in the DMZ on 10.44.99.130.
now my question is how is this done on an IOS ISR router?
Thanks in advance
Ian
Daniel Dib CCIE #37149 Jan 12, 2015 11:32 AM (in response to Ian Cresswell)
IOS is not as flexible as the ASA in regards to NAT but it should still be possible. Do you have a
router configuration already? Can you post the config?
It should be possible to do it with ip nat outside statement but the challenge is to do it only for
10.0.0.0/8 if that's your goal. Might be possible in combination with a route-map but it would be
easier if you post more information first.
Hi Daniel
This is my config and config, it is working as I can do the NAT in two places as the external NAT is
done at the HUB site and I can do the NAT redirection at the Spoke. I was curious if it was possible to
do a similar NAT config as you can on an ASA as if the users in the Hub site try access the external IP
they will first go out to come back in.
config below:
R1
!
interface FastEthernet0/0
description External Conn
ip address 70.165.151.135 255.255.255.0
ip nat outside
!
description Trunk to remote site
switchport trunk native vlan 8
switchport trunk allowed vlan 1,2,8,400,1002-1005
switchport mode trunk
!
interface Vlan8
description Data Link
ip address 10.46.48.1 255.255.255.252
ip nat inside
!
interface Vlan400
description DMZ
ip address 10.44.99.1 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 70.165.151.131
!
ip nat inside source static 10.44.99.130 70.165.151.130
!
R3
!
ip address 70.165.151.131 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 70.165.151.135
!
R2
!
ip address 10.46.248.1 255.255.255.0
!
!
switchport access vlan 400
!
interface Vlan8
ip address 10.46.48.2 255.255.255.252
!
interface Vlan400
ip address 10.44.99.2 255.255.255.0
ip policy route-map DMZ-OUT
!
ip route 0.0.0.0 0.0.0.0 10.46.48.1
!
!
ip access-list standard DMZ-Outbound
permit 10.44.99.0 0.0.0.255
!
route-map DMZ-OUT permit 10
match ip address DMZ-Outbound
set ip next-hop 10.44.99.1
!
R5
!
ip address 10.46.248.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.46.248.1
!
R4
!
ip address 10.44.99.130 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.44.99.2
!
R1
!
description External Conn
ip address 70.165.151.135 255.255.255.0
ip nat outside
!
description Trunk to remote site
!
interface Vlan8
description Data Link
ip address 10.46.48.1 255.255.255.252
ip nat inside
!
interface Vlan400
description DMZ
ip address 10.44.99.1 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 70.165.151.131
!
!
R3
!
ip address 70.165.151.131 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 70.165.151.135
!
R2
!
ip address 10.46.248.1 255.255.255.0
!
!
switchport access vlan 400
!
interface Vlan8
ip address 10.46.48.2 255.255.255.252
!
interface Vlan400
ip address 10.44.99.2 255.255.255.0
ip policy route-map DMZ-OUT
!
ip route 0.0.0.0 0.0.0.0 10.46.48.1
!
!
ip access-list standard DMZ-Outbound
permit 10.44.99.0 0.0.0.255
!
route-map DMZ-OUT permit 10
match ip address DMZ-Outbound
set ip next-hop 10.44.99.1
!
R5
!
ip address 10.46.248.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.46.248.1
!
R4
!
ip address 10.44.99.130 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.44.99.2

!
Working config below:

However if I was to hang another router off R1 with an internal IP how would I redirect that
directly to the DMZ IP 10.44.99.130 if I was to try access the external IP 70.165.151.130. I will try
that tomorrow though.....
R1
!
ip address 70.165.151.135 255.255.255.0
ip nat outside
!
ip address 10.46.48.1 255.255.255.252
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 70.165.151.131
ip route 10.44.99.0 255.255.255.0 10.46.48.2
!
R2
!
ip address 10.46.248.1 255.255.255.0
ip nat outside
!
ip address 10.46.48.2 255.255.255.252
!
ip address 10.44.99.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.46.48.1
!
R3
!
ip address 70.165.151.131 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 70.165.151.135
R4
!
ip address 10.44.99.130 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.44.99.2
!
R5
!
ip address 10.46.248.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.46.248.
R1
!
ip address 70.165.151.135 255.255.255.0
ip nat outside
!
ip address 10.46.48.1 255.255.255.252
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 70.165.151.131
ip route 10.44.99.0 255.255.255.0 10.46.48.2
!
R2
!
ip address 10.46.248.1 255.255.255.0
ip nat outside
!
ip address 10.46.48.2 255.255.255.252
!
ip address 10.44.99.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.46.48.1
!
R3
!
ip address 70.165.151.131 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 70.165.151.135
R4
!
ip address 10.44.99.130 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.44.99.2
!
R5
!
ip address 10.46.248.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.46.248.1

How To Configure Double NAT On IOS

Diunggah oleh

Informasi Dokumen

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

How To Configure Double NAT On IOS

Diunggah oleh

Hak Cipta:

Format Tersedia

How to configure double NAT on

Ian Cresswell Jan 12, 2015 8:40 AM

ip route 0.0.0.0 0.0.0.0 10.44.99.2

Working config below:

Anda mungkin juga menyukai