Range nat translation

[raphaelmontcho]

Hi,
Can someone help me for this ?
How to get nat translation for range of IP address on cisco 2600 router ?

Thanks for your help

 

[IllegalOperation]

A range of IP addresses? You can use a NAT pool, unless of course you are thinking of something different.

Can you be more specific? Are you talking about a local or global range?

 

[lgarner]

I probably have the same issue, relating to Pix, but in any case:

I'd like to have a static nat for several networks behind a router (firewall).

i.e.:
172.16.0.0/24 nat's to outside 192.168.0.0/24
172.16.1.0/24 nat's to outside 192.168.1.0/24
10.1.1.0/24 nat's to outside 192.168.3.0/24
...etc.

Many static nat's would work, but is there a way to NAT an entire network? My understanding is that NAT pools won't work since the addresses might not be nat'd the same every time.

Lee.

 

[raphaelmontcho]

Hi IllegalOperation,

It is true that I'm thinking of something different.
Here is my problem ...
I have a sequence of IP adresses like
10.1.10.1
10.1.10.2
10.1.10.3
-- - - -
- - - - -
10.1.10.30

I want to use range process (10.1.10.1-10.1.10.30) to nat
these address to the unique address 130.1.1.1 using overload Cisco command. It is something like

ip nat pool sortie 130.1.1.1 130.1.1.1 netmask 255.255.0.0
ip nat inside source list 1 pool sortie overload
access-list 1 permit 10.1.10.x 0.0.0.255

But as you see I don't know how to write the correct access-list line for the range 10.1.10.1-10.1.10.30

Thanks for your help

 

[IllegalOperation]

lgarner, wouldnt policy-based routing work in your case?


raphaelmontcho - 27 network bits give you 30 hosts, so the netmask will be 255.255.255.224. The wildcard mask for your access list would be 0.0.0.31.

 

[raphaelmontcho]

Hello Igarner,

I think that for the PIX, the range nat process is solved by object-group and network-object command. You can define
object-group network XXXXX
network-object host 12.x.y.z
netwok-object 2.0.91.0 255.255.255.0
--- -------- ---
---- ---- ------

and apply the access-list

access-list inside_in permit ip object-group XXXXX 45.0.0.0 255.0.0.0

Raphaelmontcho

 

[raphaelmontcho]

Hello IllegalOperation,

Ok Im agree with you but my example is not good.
Take the range 10.1.10.1 to 10.1.10.11
Do you think that there is a good wildcard mask for this range ?

Thank

 

[lgarner]

0.0.0.64 gives 16 addresses, 14 useable hosts.

Also, I have learned (but not tested) of the solution to network-NAT. It seems that the Pix is smart enough to handle networks as well as hosts in the static nat statements, and will keep the last octet constant (which is the main thing).

That's what I was looking for and figured would be the answer, but haven't found information on.

Thanks.
Lee.

 

[lgarner]

D'oh! Make that "0.0.0.16". Need more coffee.

 

[lgarner]

Jeez.

"0.0.0.15".

I picked the wrong day to think about wildcards. I'll go back to my corner now.