Translating in Both Directions Simultaneously
Problem
You want to translate both internal
and external addresses.
Solution
In some cases, you might need to translate IP addresses on both
sides of your router:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 15 deny 192.168.1.15
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#access-list 16 deny 172.16.5.25
Router(config)#access-list 16 permit 172.16.0.0 0.0.255.255
Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#ip nat pool INBOUNDNAT 192.168.15.100 192.168.15.200 netmask 255.255.255.0
Router(config)#ip nat inside source list 15 pool NATPOOL overload
Router(config)#ip nat inside source list 16 pool INBOUNDNAT overload
Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10
Router(config)#ip nat outside source static 172.16.5.25 192.168.15.5
Router(config)#ip route 192.168.15.0 255.255.255.0 Ethernet0/0
Router(config)#interface FastEthernet 0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#interface Ethernet0/0
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#
Discussion
Sometimes you need to translate IP addresses on both the inside
and the outside interfaces. This might happen, for example, when you need to
connect to another network that uses an overlapping range of unregistered
addresses. Cisco routers can perform NAT translation of addresses on both the external
and internal interfaces at the same time.
In this case, the router rewrites external addresses that are
in the range 172.16.0.0/16 so that they appear to be on the
192.168.15.0/24 subnet in the range specified by the INBOUNDNAT pool.
And, at the same time, it rewrites internal addresses that are part of the
192.168.0.0/16 subnet so that they appear on the outside to be part of
172.16.1.0/24 in the range specified by the NATPOOL pool.
Note that the access-lists that define which addresses should
use the dynamic address pool both refer to the real addresses (inside local and
outside global). So, for internal devices, the access-list should refer to the
real internal addresses, while the list for external devices refers to the real
external addresses.
The most significant reason for using this feature is to remove
a conflict due to overlapping address ranges. The following example shows how to
remove an address conflict at the router between two networks that are both
using the ubiquitous 10.0.0.0/8 address range. We will map the outside
network to 11.0.0.0/8 and the inside to 12.0.0.0/8. Note that
these two address ranges are both registered network numbers, so doing this will
cause some problems for Internet access. We would only recommend doing this as a
temporary measure to resolve an IP address conflict caused by merging two
networks with overlapping IP address ranges:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 17 permit 10.0.0.0 0.255.255.255
Router(config)#access-list 18 permit 10.0.0.0 0.255.255.255
Router(config)#ip nat pool OUTPOOL 11.0.0.1 11.255.255.254 netmask 255.0.0.0 type match-host
Router(config)#ip nat pool INPOOL 12.0.0.1 12.255.255.254 netmask 255.0.0.0 type match-host
Router(config)#ip nat inside source list 17 pool INPOOL
Router(config)#ip nat outside source list 18 pool OUTPOOL
Router(config)#ip route 11.0.0.0 255.0.0.0 Ethernet0/0
Router(config)#ip route 12.0.0.0 255.0.0.0 FastEthernet1/0
Router(config)#interface FastEthernet1/0
Router(config-if)#ip address 10.1.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet0/0
Router(config-if)#ip address 10.2.1.2 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#
Notice that we have used the match-host keyword in the NAT pool definitions:
Router(config)#ip nat pool OUTPOOL 11.0.0.1 11.255.255.254 netmask 255.0.0.0 type match-host
When you use this option, the router will translate the network
prefixes and leave the host portions of the address intact. So, in this example,
an arbitrary IP address 10.1.2.3 would become 11.1.2.3,
changing only the first byte. This has the advantage that the translations are
always the same, so you can reliably make connections between any internal and
external devices in either direction. You cannot do this with the ordinary
dynamic address pools that we have discussed so far in this chapter. Note also
that the overload option makes no sense in this configuration.
There are a few important things to watch out for when using
NAT in both directions. First, the router must have routing table entries for
the fictitious IP addresses. It is quite likely that the translated addresses
used for external devices will not be part of a physical IP network that the
router knows how to reach. This is why we have configured a static route
directing traffic for this range out through the external interface:
Router(config)#ip route 192.168.15.0 255.255.255.0 Ethernet0/0
The second important thing to remember is that with dynamic
NAT, the router does not create a translation for each device until it needs to.
So if you want to connect through the router to a particular translated address,
you have to make sure that the router retains the translation table information.
This means that if you want any-to-any connections in either direction, you must
either use static mappings or the match-host keyword. Dynamic NAT will
not allow access in both directions.
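The following Python model is an added example, not IOS code or anything from the book; it reproduces the second configuration above (access-lists 17 and 18, INPOOL 12.0.0.0/8 and OUTPOOL 11.0.0.0/8 with type match-host) as a small simulation of the translation table, and contrasts it with an ordinary first-come dynamic pool of the same ranges. It shows the match-host prefix swap (10.1.2.3 becoming 12.1.2.3 or 11.1.2.3 depending on direction), the standard-ACL wildcard matching that selects which real addresses are translated, and why a dynamic pool drops a connection initiated from the other side until the real device has created its own table entry. All addresses in the demo are constructed sample values, and the one-entry-per-real-address dynamic pool is a simplification of the router's behaviour.

```python
"""Toy model of Cisco-style simultaneous inside/outside NAT (added example, not IOS code)."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco standard-ACL semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, addr):
    """Evaluate an ordered list of (action, base, wildcard); implicit deny at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False


def match_host(addr, target_cidr):
    """'type match-host': replace the network prefix, keep the host bits unchanged."""
    net = ipaddress.IPv4Network(target_cidr)
    host = int(ipaddress.IPv4Address(addr)) & int(net.hostmask)
    return str(ipaddress.IPv4Address(int(net.network_address) | host))


class NatPool:
    """One 'ip nat pool': real_cidr is what the ACL selects, pool_cidr the fictitious range."""

    def __init__(self, real_cidr, pool_cidr, match_host_mode):
        self.real_cidr = real_cidr
        self.net = ipaddress.IPv4Network(pool_cidr)
        self.match_host_mode = match_host_mode
        self.table = {}                                   # real -> translated (dynamic mode)
        self.next_free = int(self.net.network_address) + 1

    def lookup(self, translated):
        """Reverse lookup for a packet sent *to* a fictitious address."""
        if self.match_host_mode:
            return match_host(translated, self.real_cidr)  # always computable, no state needed
        for real, fake in self.table.items():
            if fake == translated:
                return real
        return None                                       # no entry yet: cannot translate

    def allocate(self, real):
        """Forward translation for a packet sent *from* a real address."""
        if self.match_host_mode:
            return match_host(real, str(self.net))
        if real not in self.table:                        # dynamic: first-come assignment
            self.table[real] = str(ipaddress.IPv4Address(self.next_free))
            self.next_free += 1
        return self.table[real]


class NatRouter:
    def __init__(self, inside_acl, inside_pool, outside_acl, outside_pool):
        self.inside_acl, self.inside_pool = inside_acl, inside_pool
        self.outside_acl, self.outside_pool = outside_acl, outside_pool

    def _forward(self, src, dst, src_acl, src_pool, dst_pool):
        # Destination first: a fictitious address with no mapping yet means the packet is dropped.
        new_dst = dst
        if ipaddress.IPv4Address(dst) in dst_pool.net:
            new_dst = dst_pool.lookup(dst)
            if new_dst is None:
                return None
        # Source: translated only if its ACL permits; a dynamic entry is created on first use.
        new_src = src_pool.allocate(src) if acl_permits(src_acl, src) else src
        return new_src, new_dst

    def inside_to_outside(self, src, dst):
        """Packet arriving on an 'ip nat inside' interface (src is an inside local address)."""
        return self._forward(src, dst, self.inside_acl, self.inside_pool, self.outside_pool)

    def outside_to_inside(self, src, dst):
        """Packet arriving on an 'ip nat outside' interface (src is an outside global address)."""
        return self._forward(src, dst, self.outside_acl, self.outside_pool, self.inside_pool)


ACL_17 = [("permit", "10.0.0.0", "0.255.255.255")]   # real inside addresses
ACL_18 = [("permit", "10.0.0.0", "0.255.255.255")]   # real outside addresses


def build_router(match_host_mode):
    return NatRouter(ACL_17, NatPool("10.0.0.0/8", "12.0.0.0/8", match_host_mode),
                     ACL_18, NatPool("10.0.0.0/8", "11.0.0.0/8", match_host_mode))


def demo():
    mh, dyn = build_router(True), build_router(False)
    # match-host: an external host reaches 12.1.2.3 before 10.1.2.3 has ever sent a packet
    cold_mh = mh.outside_to_inside("10.5.6.7", "12.1.2.3")
    # dynamic pool: the same cold start is dropped, there is no table entry for 12.0.0.1 yet
    cold_dyn = dyn.outside_to_inside("10.5.6.7", "12.0.0.1")
    # ...until the inside host initiates (to a constructed untranslated destination)
    dyn.inside_to_outside("10.1.2.3", "10.9.9.9")
    warm_dyn = dyn.outside_to_inside("10.5.6.7", "12.0.0.1")
    return cold_mh, cold_dyn, warm_dyn


if __name__ == "__main__":
    print(demo())
```

The model keeps the same ordering the text describes: the ACL is consulted against the real address (inside local or outside global), and the reverse lookup is what fails for a dynamic pool, since nothing maps 12.0.0.1 back to a real host until 10.1.2.3 has sent something through the router. With match-host both lookups are pure arithmetic on the host bits, which is why any-to-any connections work in either direction.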
And the third important thing to remember is that all of the
other routers must know how to reach the translated addresses. So, if the
external network is translated from 10.0.0.0/8 to 11.0.0.0/8,
then you need to make sure that the internal routers all know that they can
reach this fictitious 11.0.0.0/8 network through the NAT router. The
best way to do this is to simply redistribute the static routes for the
fictitious networks through your dynamic routing protocol.
Recipe 21.7 shows a somewhat better way to solve this overlapping address problem.
Instead of doing simultaneous translation in both directions on the same router,
it is better to do it on two routers with a different, nonconflicting address
range in the middle. One router will simply translate the prefix for one of
these networks from 10.0.0.0/8 to 11.0.0.0/8. The other router
will translate the addresses on the other network from 10.0.0.0/8 to
12.0.0.0/8. This is a much more stable solution, and it does not suffer
from the problems of dynamic