
Cisco Routing (NAT Questions)

SaigonK

Diamond Member
Here is the scenario:

Network A: 10.1.2.x (Network that lives on both sides of router)
Network B: 10.232.152.x (NAT network)
Network C: 10.232.248.x (Local network here)
Network D: 10.232.192.x

Network A lives on another attached network, so Network B is our NAT network.


We are having issues with clients using Citrix behind the NAT'd router. Rather than have to change everyone's ICA client to use "alternate address".

What we want to do is: if a client from Network C makes a request for Network A, then it should not get NAT'd; we will point users on Network C to Network B to get to Network A.

But if you come from Network D, we want you to go to the NAT network B. That is for some hosts.

So basically what I am trying to get accomplished is that I want some clients to be NAT'd and others to not be NAT'd on my Cisco 3640 router.

 
you can't have Network A live on 2 sides of a router....

design this properly, it's looking like a cluster....
 
I can have Network A on both sides of the cluster, and I don't have a choice; we are connecting to a remote party, which is the norm. If you have never had to do this, then I am shocked...


What I need to do is figure out how to not NAT for one network, but NAT for another on the same router
 
you have the exact same subnet on 2 ports of a router? or is it 2 subnets, that both happen to share that portion of network ID?
 
Originally posted by: SaigonK
So basically what i am trying to get accomplished is that I want some clients to be NAT'd and others to not be NAT'd. on my Cisco 3640 router.

Use an access list to define interesting traffic as you see fit. With the exception of some extremely special situations, which you won't be approaching in this topology, you can't have the same networks attached to different interfaces on the same router. IOS just won't let you.

This being said, you can do 'cross-NAT' between routers against the same subnet on opposing ends of the interconnect, but that will be a rat's nest to detangle in the future.



 
As was said before, IOS won't let you route to two different physical networks using the same subnet. If your client won't NAT the IP addresses before it hits your router with the overlapping subnet, you will need to put another NAT router in front of your main router to handle the customer NAT and then NAT your addresses on your router that are going to your customer. As for NATing specific address ranges, you would just need to assign an access list to your NAT pool. This example is directly from Cisco.


CONFIGURATION EXAMPLES

The following sample configuration translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 nets to the globally-unique 171.69.233.208/28 network.

ip nat pool net-20 171.69.233.208 171.69.233.223 netmask 255.255.255.240
ip nat inside source list 1 pool net-20
!
interface Ethernet0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface Ethernet1
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

The next sample configuration translates between inside hosts addressed from the 9.114.11.0 net to the globally unique 171.69.233.208/28 network. Packets from outside hosts addressed from 9.114.11.0 net (the "true" 9.114.11.0 net) are translated to appear to be from net 10.0.1.0/24.

ip nat pool net-20 171.69.233.208 171.69.233.223 netmask 255.255.255.240
ip nat pool net-10 10.0.1.0 10.0.1.255 netmask 255.255.255.0
ip nat inside source list 1 pool net-20
ip nat outside source list 1 pool net-10
!
interface Ethernet0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface Ethernet1
ip address 9.114.11.39 255.255.255.0
ip nat inside
!
access-list 1 permit 9.114.11.0 0.0.0.255
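
An added example (not part of the thread or of Cisco's document): a Python model of how an extended ACL referenced by `ip nat inside source list` decides which flows are translated, using the thread's Networks C, D and A. The ACL number 100, the /24 masks and the sample host addresses are assumptions.

```python
import ipaddress

# Constructed extended ACL for the thread's networks (all masks assumed /24).
# In IOS it would be attached with: ip nat inside source list 100 pool <pool-name>
ACL_100 = """\
access-list 100 deny   ip 10.232.248.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.232.192.0 0.0.0.255 10.1.2.0 0.0.0.255
"""

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC SRC-WILDCARD DST DST-WILDCARD' lines."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] != "access-list" or f[3] != "ip":
            continue  # outside the subset this sketch understands
        rules.append((f[2], _to_int(f[4]), _to_int(f[5]), _to_int(f[6]), _to_int(f[7])))
    return rules

def _match(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def is_translated(rules, src, dst):
    """First matching entry wins; no match is the implicit deny (not NAT'd)."""
    s, d = _to_int(src), _to_int(dst)
    for action, sbase, swild, dbase, dwild in rules:
        if _match(s, sbase, swild) and _match(d, dbase, dwild):
            return action == "permit"
    return False

RULES = parse_acl(ACL_100)

if __name__ == "__main__":
    # Constructed sample flows: (source host, destination host)
    flows = [("10.232.248.20", "10.1.2.5"),      # Network C -> A
             ("10.232.192.7", "10.1.2.5"),       # Network D -> A
             ("10.232.192.7", "10.232.248.20")]  # Network D -> C
    for src, dst in flows:
        verdict = "NAT" if is_translated(RULES, src, dst) else "no NAT"
        print(f"{src} -> {dst}: {verdict}")
```

A deny entry in a NAT access list only exempts the flow from translation; the packet is still routed normally.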
 