
Cisco IOS 2-way nat

Hey guys,

Wondering if someone can confirm (e.g., they have done it before) whether or not this is possible with NAT in Cisco IOS (specifically IOS; I'm pretty sure I've done it with an ASA before) in Cisco land. It's doing my head in.

Scenario:

I have a network device that is hard-coded from the vendor with an IP address of 192.168.9.1.

As my global IP scheme is 10.0.0.0/8, I want to stick it on a VLAN, then map its subnet (192.168.9.0/24) to a dedicated subnet I've allocated on my internal IP space for this specific site (let's say 10.52.192.0/24: site 52, VLAN 192), so that machines in my 10.0.0.0/8 WAN can access it via, say, the 10.52.192.1 IP address.

The reason is that I'm going to have a bunch of these hard-coded 192.168.9.1 machines in my environment at different sites. So one might be mapped back to the WAN as 10.52.192.1, another as 10.53.192.1, etc., but they all have 192.168.9.1 configured locally.

As the device in question will not let me assign a default route on this management interface, any requests hitting it must "look like" they're arriving from the local 192.168.9.0/24 subnet (via NAT on my router or switch). I.e., the device can't route back to 10.x.y.z/8, as it has another default route to the internet on another interface on the device and I can't configure static routes on it. I can't configure anything on it, pretty much, on this management interface. Thus, if it needs to be aware of 10.x.y.z in any way it won't work. So the regular way you'd deal with, say, port forwarding on an inside/outside NAT overload (e.g., internal server on the "internet" behind PAT) won't work.

I can get NAT working in one direction or the other (with ip nat inside/ip nat outside on two interfaces and then setting up either a static mapping or an overload pool) but not both, and it's driving me nuts. Can this be done in IOS (I don't generally do much NAT with IOS, and the tutorials/documentation all seem to be based on the basic NAT overload/PAT scenario), or am I wasting my time :smiley: ?

edit:
I really want to avoid having a jump-host involved to run a browser from (i.e., a machine that is multi-homed on this machine's VLAN), or a reverse proxy. If I have to I will... but...
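As an added worked example (not a config posted in the thread, and not lifted from Cisco documentation; the interface names, the 192.168.9.254 and 10.52.0.1 router addresses, and the 10.52.0.254 WAN next hop are assumptions), here is how the two-way translation described above is usually expressed with classic domain-based NAT in IOS. A static inside-source mapping publishes the device to the WAN as 10.52.192.1, and a dynamic outside-source pool rewrites every WAN client into an address on the device's own /24, so the device only ever talks to on-link neighbours and never needs a route toward 10.0.0.0/8:

```cisco
! Added example (not from the thread): classic domain-based NAT on one site router.
! Assumed topology: Gi0/0 faces the device VLAN (192), Gi0/1 faces the 10/8 WAN,
! the WAN next hop is 10.52.0.254, and the core routes 10.52.192.0/24 to this router.
!
interface GigabitEthernet0/0
 description Device VLAN 192 - vendor box is hard-coded as 192.168.9.1
 ip address 192.168.9.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Site 52 uplink to the 10.0.0.0/8 WAN
 ip address 10.52.0.1 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 10.52.0.254
!
! Direction 1: publish the device's real address to the WAN as 10.52.192.1.
! Inside-source NAT rewrites src 192.168.9.1 -> 10.52.192.1 on the way out and
! dst 10.52.192.1 -> 192.168.9.1 on the way in.
ip nat inside source static 192.168.9.1 10.52.192.1
!
! Direction 2: hide WAN clients behind addresses on the device's own /24, so the
! device answers on-link via ARP and never has to route back to 10.0.0.0/8.
! Outside-source NAT rewrites src 10.x.y.z -> 192.168.9.129-253 on the way in and
! the matching dst on the way out. The pool is 1:1 (no overload), so size it
! for the number of concurrent management clients you expect.
ip access-list standard WAN-CLIENTS
 permit 10.0.0.0 0.255.255.255
!
ip nat pool DEVICE-LOCAL 192.168.9.129 192.168.9.253 netmask 255.255.255.0
ip nat outside source list WAN-CLIENTS pool DEVICE-LOCAL
!
! Inside->outside packets are routed BEFORE translation in classic NAT, so a
! reply from the device to 192.168.9.200 must already be pointed at the outside
! interface; otherwise the router treats it as a host on Gi0/0 and it goes nowhere.
! This /25 is more specific than the connected /24 and wins the lookup.
ip route 192.168.9.128 255.255.255.128 10.52.0.254
!
! Verification after a WAN client at, say, 10.10.10.50 browses to 10.52.192.1:
!   show ip nat translations   -> expect 10.52.192.1 <-> 192.168.9.1 and
!                                 192.168.9.x <-> 10.10.10.50 entries
!   show ip aliases            -> router must answer ARP for the pool addresses
!   debug ip nat               -> watch both rewrites applied to one packet
```

Each site runs its own copy with only the site octet changed (10.53.192.1 for site 53, and so on), while the device side stays 192.168.9.1 everywhere. Two things to check before blaming the image: the device will ARP for the translated client address, so the router has to own 192.168.9.129-253 on Gi0/0 (confirm with show ip aliases, and fall back to static ARP entries if it does not), and the pool does not PAT, so a pool that is too small for the number of simultaneous clients shows up as new sessions silently failing while existing ones keep working.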

Hey @thro, can you print out the current config you did on the router?
What version of IOS are you running?

Hey there,

It was in a lab environment (GNS3 + official Cisco VIRL images); unfortunately I ditched it.

I'm not sure, but I think I was dealing with an IOSv bug (which pretty much made me rage quit, as I'd just spent $290 Aussie on VIRL in the hope of having a bug-free simulation experience). Apparently NAT is broken in the IOSv image I had, and I've run out of time to deal with it further.

But thanks for offering to take a look at it... maybe when I get time to get back to it I'll revive the thread with some diagrams and configs.

@thro sure thing.
Maybe next time.
