Double NAT scenario to overcome overlapping subnets

August 2, 2008 at 2:39 pm | Posted in Blogroll | 1 Comment

If there are overlapping subnets in the network, we need to assign unique addresses (preferably public) as the translated (post-NAT) addresses, and configure both source and destination translation (double NAT).

For instance, if R4 and R5 both have a subnet of 10.0.0.0/24, then one of the routers, e.g. R4, has to do double-NAT translation.

(10.0.0.0/24) R4 —— R5 (10.0.0.0/24)
              |
              R1

INSIDE NAT TRANSLATION

– Source 10.0.0.0/24 should be translated to 44.44.44.0/24 as inside global

OUTSIDE NAT TRANSLATION

– As traffic comes back from R5, the outside global source address in 10.0.0.0/24 should be translated to an outside global address in 55.55.55.0/24

From the perspective of devices in the local LAN of R4 (e.g. R1), the local LAN of R5 should be viewed as the 55.55.55.0/24 (outside global) address.

From the perspective of a device outside R4 (e.g. R5), the R4 LAN subnet should be viewed as the 44.44.44.0/24 (inside global) address.

R4#sh run | in interface|address|nat

interface Loopback0
ip address 150.1.4.4 255.255.255.0

interface FastEthernet0/0
ip address 10.0.0.4 255.255.255.0
ip nat inside

interface Serial0/0.1 point-to-point
ip address 155.1.0.4 255.255.255.0
ip nat outside
frame-relay interface-dlci 405
interface Serial0/1
ip address 155.1.45.4 255.255.255.0
ip nat outside

ip nat inside source static network 10.0.0.0 44.44.44.0 /24
ip nat outside source static network 10.0.0.0 55.55.55.0 /24

R1#ping 55.55.55.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 55.55.55.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/48/52 ms

R4#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                55.55.55.5         10.0.0.5
--- ---                ---                55.55.55.0         10.0.0.0
icmp 44.44.44.1:3      10.0.0.1:3         55.55.55.5:3       10.0.0.5:3
--- 44.44.44.1         10.0.0.1           ---                ---
--- 44.44.44.0         10.0.0.0           ---                ---

R4#debug ip nat detailed

*Mar  2 01:21:25.475: NAT: Create outside host entry from network translation:
*Mar  2 01:21:25.475:   55.55.55.5 -> 10.0.0.5 (55.55.55.0 -> 10.0.0.0)
*Mar  2 01:21:25.475: NAT: Create inside host entry from network translation:
*Mar  2 01:21:25.475:   10.0.0.1 -> 44.44.44.1 (10.0.0.0 -> 44.44.44.0)
*Mar  2 01:21:25.475: NAT*: i: icmp (10.0.0.1, 2) -> (55.55.55.5, 2) [10]
*Mar  2 01:21:25.475: NAT*: i: icmp (10.0.0.1, 2) -> (55.55.55.5, 2) [10]
*Mar  2 01:21:25.479: NAT*: s=10.0.0.1->44.44.44.1, d=55.55.55.5 [10]
*Mar  2 01:21:25.479: NAT*: s=44.44.44.1, d=55.55.55.5->10.0.0.5 [10]
*Mar  2 01:21:25.523: NAT*: o: icmp (10.0.0.5, 2) -> (44.44.44.1, 2) [10]
*Mar  2 01:21:25.523: NAT*: s=10.0.0.5->55.55.55.5, d=44.44.44.1 [10]
*Mar  2 01:21:25.523: NAT*: s=55.55.55.5, d=44.44.44.1->10.0.0.1 [10]

R5#sh run | in ip route
ip route 44.44.44.0 255.255.255.0 150.1.4.4

R5#debug ip icmp
*Dec 15 08:09:02.175: ICMP: echo reply sent, src 10.0.0.5, dst 44.44.44.1
*Dec 15 08:09:02.223: ICMP: echo reply sent, src 10.0.0.5, dst 44.44.44.1
*Dec 15 08:09:02.271: ICMP: echo reply sent, src 10.0.0.5, dst 44.44.44.1
*Dec 15 08:09:02.323: ICMP: echo reply sent, src 10.0.0.5, dst 44.44.44.1
*Dec 15 08:09:02.371: ICMP: echo reply sent, src 10.0.0.5, dst 44.44.44.1
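
The rewrite order seen in R4's `debug ip nat detailed` output can be modelled in a few lines. This is an added example, not code from the original post: it applies R4's two static network rules in both directions (`ip nat outside source` also rewrites the destination of inside-to-outside packets) and maps an address logged on R5 back to the real host on R4's LAN. Function names are hypothetical, prefix roles follow the columns of the `sh ip nat translations` output, and routing and ports are ignored.

```python
import ipaddress
import re

# Prefixes taken from R4's two "static network" statements on this page.
INSIDE_LOCAL, INSIDE_GLOBAL = "10.0.0.0/24", "44.44.44.0/24"
OUTSIDE_GLOBAL, OUTSIDE_LOCAL = "10.0.0.0/24", "55.55.55.0/24"

def map_net(addr, src_net, dst_net):
    """Static network translation: swap the prefix, keep the host bits."""
    a = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    if a not in src:
        return addr  # no rule matches, the address passes through unchanged
    host_bits = int(a) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))

def inside_to_outside(src, dst):
    """Packet from R4's LAN: source rewritten first, then destination."""
    return (map_net(src, INSIDE_LOCAL, INSIDE_GLOBAL),
            map_net(dst, OUTSIDE_LOCAL, OUTSIDE_GLOBAL))

def outside_to_inside(src, dst):
    """Packet arriving from R5: source rewritten first, then destination."""
    return (map_net(src, OUTSIDE_GLOBAL, OUTSIDE_LOCAL),
            map_net(dst, INSIDE_GLOBAL, INSIDE_LOCAL))

def real_hosts_in_r5_log(line):
    """Resolve the src/dst of an R5 'debug ip icmp' line to real hosts.

    On R5, src is R5's own untranslated address; dst is an inside global
    address that maps back to a host on R4's LAN.
    """
    m = re.search(r"src (\S+), dst (\S+)", line)
    if m is None:
        return None
    return m.group(1), map_net(m.group(2), INSIDE_GLOBAL, INSIDE_LOCAL)

if __name__ == "__main__":
    print(inside_to_outside("10.0.0.1", "55.55.55.5"))
    print(outside_to_inside("10.0.0.5", "44.44.44.1"))
    # Log line copied from the R5 debug output on this page.
    print(real_hosts_in_r5_log(
        "ICMP: echo reply sent, src 10.0.0.5, dst 44.44.44.1"))
```

Because both LANs use 10.0.0.0/24, the same address in a log can mean different hosts depending on which side of R4 recorded it, so log correlation has to apply the translation for the side the log came from.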

1 Comment »

  1. Can you please explain to me the flow of the packet when you initiate the ping from R1 to 55.55.55.5?

    OK, since the packet would be coming in on Fa0/0 and the interface is configured as ip nat inside, the source IP would be NATted to 44.44.44.1, which I can see in the debug capture.

    So now the SA: 44.44.44.1 and DA: 55.55.55.5

    This packet would now be routed through the serial interface configured to be ip nat outside.

    This is where I do not understand how the DA is NATted to 10.0.0.5.

    My understanding is that ip nat outside translates the source address.

    So is there NAT configured on R5?

    Can you please explain this to me?

    Thanks in advance.
