
2 way nat?


StaplesMan

Technical User
Mar 8, 2006
123
US
This is the problem I have....

I have an access point that only has configuration settings available for IP address and subnet mask. It does not allow me to set a default gateway. As you would know, this causes problems if I wish to administer this access point from a remote location on a different network.

I'm trying to take my router and perform some fancy NAT features to get this to work. Yes I know it would be cheaper to go out and get a new access point. But I thought it would be fun to see if this was possible.

Basically I need to take an available IP address on the outside interface and translate this to my access point; then I need to take my source IP address and translate this to an inside IP address on my router.

[tt]
(ap)--------------------(router)--------------(test_pc)
192.168.2.1    192.168.2.2      10.0.0.1      10.0.0.5


attempt to connect from pc to access point:
10.0.0.2    <---- 10.0.0.5
translates to...
192.168.2.1 <---- 192.168.2.5

And then back...
192.168.2.1 ----> 192.168.2.5

translates back to...
10.0.0.2    ----> 10.0.0.5
[/tt]

Note: all IP addresses above are static except 10.0.0.5. That address is dynamic and would change based on the system being used to administer the access point.


I have enabled the following debug:
Router#show debug
Generic IP:
ICMP packet debugging is on
IP NAT debugging is on
IP NAT detailed debugging is on


When I issue a ping to 10.0.0.2 from my PC, this is what I get on the router:

Jun 17 08:29:07.225: NAT*: o: icmp (10.0.0.5, 512) -> (10.0.0.2, 512) [57742]
Jun 17 08:29:07.225: NAT*: s=10.0.0.5->192.168.2.5, d=10.0.0.2 [57742]
Jun 17 08:29:07.225: NAT*: s=192.168.2.5, d=10.0.0.2->192.168.2.1 [57742]
Jun 17 08:29:07.229: ICMP: echo reply rcvd, src 192.168.2.1, dst 192.168.2.5

It seems that the translation in one direction works fine, and you even see the ping response coming back from the access point. BUT it seems like this is not being translated back over to the outside interface.

Here is a show ip nat translations:
[tt]
Pro Inside global      Inside local       Outside local      Outside global
--- 10.0.0.2           192.168.2.1        ---                ---
--- ---                ---                192.168.2.5        10.0.0.5
--- 10.0.0.2           192.168.2.1        192.168.2.5        10.0.0.5
[/tt]
I have played around with this for some time; hope someone else can help out... Here is my full running config:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
username cisco privilege 15 password 0 cisco
!
!
!
!
!
!
interface Loopback1
no ip address
!
interface Ethernet0
ip address 192.168.2.2 255.255.255.0
ip nat inside
full-duplex
!
interface FastEthernet0
ip address 10.0.0.2 255.255.255.0 secondary
ip address 10.0.0.1 255.255.255.0
ip nat outside
speed auto
!
interface Async1
no ip address
encapsulation slip
!
ip nat pool test2 192.168.2.5 192.168.2.5 netmask 255.255.255.0
ip nat pool wanip 10.0.0.1 10.0.0.4 netmask 255.255.255.0
ip nat inside source list 100 pool wanip overload
ip nat inside source static 192.168.2.1 10.0.0.2
ip nat outside source list 101 pool test2 add-route
ip classless
no ip http server
no ip http secure-server
!
!
access-list 100 permit ip any any
access-list 101 permit ip any host 10.0.0.2
!
!
!
line con 0
line 1
modem InOut
modem autoconfigure discovery
transport input all
transport output pad udptn telnet rlogin ssh
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
login local
line vty 5 15
login local
!
end


CCNA, A+, HP Certified Professional
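As an added illustration (not part of the original post, and not a diagnosis of the posted config, which the thread leaves unresolved), the following Python model applies the IOS NAT order of operations, outside-to-inside packets are translated before routing and inside-to-outside packets are routed before translation, to the addresses and NAT statements in the config above: the inside source static entry 192.168.2.1 <-> 10.0.0.2, and the outside source pool entry that maps the PC 10.0.0.5 to 192.168.2.5. The model is a simplification: ARP, ICMP identifiers and translation timeouts are left out, and the access-list 101 match is modelled as "destination is 10.0.0.2" on the packet as received. Run with add_route=False it shows why the add-route keyword exists for outside source NAT: without a route for the outside-local address pointing at the outside interface, the AP's reply to 192.168.2.5 matches the connected 192.168.2.0/24 and is sent back out the inside interface, never reaching the outside-interface translation.

```python
import ipaddress
from dataclasses import dataclass

# Addresses taken from the posted config.  Ethernet0 is "ip nat inside",
# FastEthernet0 is "ip nat outside".
AP         = "192.168.2.1"  # inside local  (the access point)
AP_GLOBAL  = "10.0.0.2"     # inside global (ip nat inside source static 192.168.2.1 10.0.0.2)
POOL_TEST2 = "192.168.2.5"  # outside local handed out from pool test2
PC         = "10.0.0.5"     # outside global (the admin PC, dynamic in the post)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class IosNatRouter:
    """Simplified model: connected routes, NAT host routes from add-route, and the
    two NAT directions in IOS order.  ARP, ICMP identifiers and translation
    timeouts are deliberately left out (assumption of this example)."""

    def __init__(self, add_route=True):
        self.inside_if, self.outside_if = "Ethernet0", "FastEthernet0"
        self.connected = {
            self.inside_if: ipaddress.ip_network("192.168.2.0/24"),
            self.outside_if: ipaddress.ip_network("10.0.0.0/24"),
        }
        self.add_route = add_route
        self.inside_static = {AP: AP_GLOBAL}   # inside local -> inside global
        # access-list 101 permit ip any host 10.0.0.2, evaluated on the packet as received
        self.acl101_dst = AP_GLOBAL
        self.pool_test2 = [POOL_TEST2]
        self.outside_xlate = {}                # outside global -> outside local
        self.host_routes = {}                  # /32 installed by add-route -> egress

    def route(self, dst):
        ip = ipaddress.ip_address(dst)
        if ip in self.host_routes:             # /32 beats the connected /24
            return self.host_routes[ip]
        for ifname, net in self.connected.items():
            if ip in net:
                return ifname
        return None                            # the posted config has no default route

    def forward(self, pkt, ingress):
        """Return (egress interface or None, packet as it would leave)."""
        if ingress == self.outside_if:
            return self._outside_to_inside(pkt)
        return self._inside_to_outside(pkt)

    def _outside_to_inside(self, pkt):
        # IOS order for outside->inside: translate first, then route.
        src, dst = pkt.src, pkt.dst
        for local, glob in self.inside_static.items():   # inside global -> inside local
            if dst == glob:
                dst = local
        if pkt.dst == self.acl101_dst:                   # outside source, dynamic
            if src not in self.outside_xlate:
                if not self.pool_test2:
                    return None, pkt                     # pool exhausted: dropped
                self.outside_xlate[src] = self.pool_test2.pop(0)
                if self.add_route:
                    key = ipaddress.ip_address(self.outside_xlate[src])
                    self.host_routes[key] = self.outside_if
            src = self.outside_xlate[src]
        return self.route(dst), Packet(src, dst)

    def _inside_to_outside(self, pkt):
        # IOS order for inside->outside: route first, translate on the outside interface.
        egress = self.route(pkt.dst)
        if egress != self.outside_if:
            return egress, pkt                           # leaves untranslated
        src = self.inside_static.get(pkt.src, pkt.src)   # inside local -> inside global
        dst = pkt.dst
        for glob, local in self.outside_xlate.items():   # outside local -> outside global
            if dst == local:
                dst = glob
        return egress, Packet(src, dst)


def ping_round_trip(add_route=True):
    """Trace the PC's echo request and the AP's echo reply through the router.
    Returns [(ingress, egress, src, dst), ...] for the two forwarded packets."""
    r = IosNatRouter(add_route=add_route)
    trace = []
    egress, req = r.forward(Packet(PC, AP_GLOBAL), r.outside_if)
    trace.append((r.outside_if, egress, req.src, req.dst))
    # The AP answers the source it saw; it needs no gateway because 192.168.2.5 is on-link.
    reply = Packet(req.dst, req.src)
    egress, out = r.forward(reply, r.inside_if)
    trace.append((r.inside_if, egress, out.src, out.dst))
    return trace


if __name__ == "__main__":
    for flag in (True, False):
        print("add-route" if flag else "no add-route")
        for hop in ping_round_trip(flag):
            print("  %-13s -> %-13s  %s -> %s" % hop)
```

With add-route the first hop reproduces the two NAT debug lines above (10.0.0.5 -> 192.168.2.5 and 10.0.0.2 -> 192.168.2.1) and the reply leaves FastEthernet0 as 10.0.0.2 -> 10.0.0.5, which is the round trip the diagram asks for. Without add-route the reply leaves Ethernet0 untranslated; on a real router it would be an ICMP redirect or a loop on the inside segment, not a translated packet on the WAN side.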
 
If the device does not give you the ability to assign a gateway, then how can you expect it to know where to send return traffic?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Because the reply will be back to an IP on its local network subnet.

Theory is sound; the fact that the access point has no gateway is what I struggle to believe.
 
Yeah, it took me a long time to figure out why I was not able to access it remotely. Then, as I was verifying settings, I happened to notice that there was no default gateway.

And in response to unclerico: you will notice in my debug above that the packet going to the access point has a source IP on the same network that the AP itself is on. Because of this there would be no need for it to have a default gateway set.

I know it's working because we can also see the response coming back from the access point. I just don't understand why this does not get NATed back over to the WAN side.

CCNA, A+, HP Certified Professional
 
Well, problem resolved. I ended up not getting a new unit but installing DD-WRT (dd-wrt.com) onto the router. Then I had the default gateway settings I could set.

By the way, the unit that gave me so many problems was a Belkin F5D7230 (and 7130); you can see in the PDF below that there is no setting for a default gateway.


Then when I installed the dd-wrt image I could not get the access point to work. I had to use the beta version and it worked.


If anyone is able to figure out what was wrong with my config above I would still like to know.

Thanks for all help!


CCNA, A+, HP Certified Professional
 
What's with the secondary address on fa0?

ip nat inside source tcp 80 10.0.0.5 int e0 80

ip route 0.0.0.0 0.0.0.0 10.0.0.1

Backwards NAT, static...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
The thought was that I wanted to pass all ports, not just port 80. So I was simply trying to make my AP look like 10.0.0.5 on the outside network. Now as I look back, I was way over-complicating the matter. The only way I could get the NAT to start working and to get the debug information that I got was to add 10.0.0.5 as the secondary interface. If this secondary interface is removed then I would not be able to do what I did.

And to add to the complexity of it, the outside interface was going to be a public IP address. Because of this, one would not be able to HTTP directly into 192.168.2.1, because it would not be routable over the WAN.

ip nat inside source tcp 80 10.0.0.5 int e0 80

If I'm correct, for this to work I would have to place "192.168.2.1" into my browser instead of 10.0.0.5 in an attempt to access my AP.

I tried this once but could not get it to work. I will try again, and post back... I'm bound and determined to get this to work.

CCNA, A+, HP Certified Professional
 