Dave Costello
Advisor

Help with In Bound 1:1 NAT

I have a 7203dl that I'm going to use to replace an old Intel router. I set up the HP just like the Intel, or at least I thought so, but inbound traffic doesn't come in. My outbound NAT works fine. I can browse and send mail. Inbound I get nothing. I'm sure it has to do with NAT and ACLs, as this is something configured quite differently than on my old Intel.

My config file is attached. My setup is pretty simple. I use many:1 outbound NAT for my users and 1:1 inbound NAT for my servers. I'm feeling like I either missed something simple or I totally misunderstood the concept. Any help would be appreciated.
6 REPLIES
Matt Hobbs
Honored Contributor

Re: Help with In Bound 1:1 NAT

I think the problem lies with the destination address you've set on your inbound ACLs:

!
ip access-list extended web-acl-7
remark Forward to x.x.0.34
permit tcp any host x.x.x.34 eq domain log
permit udp any host x.x.x.34 eq domain log
!

What you need to do is change the destination address to that of your ppp 1 interface:

!
interface ppp 1
ip address x.x.x.33 255.255.255.224

Since you're NATing, the outside world thinks of everything as belonging to that IP address, therefore the incoming packet will be sent to it and will then match the ACL, which in turn will trigger your NAT rule to forward it to your internal server.


!
ip access-list extended web-acl-7
remark Forward to x.x.0.34
permit tcp any host x.x.x.33 eq domain log
permit udp any host x.x.x.33 eq domain log
!
Dave Costello
Advisor

Re: Help with In Bound 1:1 NAT

I guess I wasn't clear enough describing my situation. What I'm currently doing now and what I want to do is 1:1 NAT for inbound traffic. The 1:1 part is the key. What you're proposing is not 1:1 NAT; it puts everything on the address of the router. I have 16 servers - 3 MXs, 3 DNSs, 3 www servers and several other boxes that have/require outside access. All these boxes have their own public IP address, which I NAT to their own private IP - 1:1 NAT or static NAT. If I do it your way, how am I supposed to send www traffic to 3 different servers? Or DNS, MX or anything else?

Contrary to your statement, the outside world doesn't know what my router is doing and doesn't care. The outside world looks up the IP address for one of my particular services by querying my DNS. My DNS is going to give them a different IP address depending on what service they're looking for. My ISP is going to forward traffic for my entire Class C to my router. My router knows, or should know, that it's on a Class C subnet and the address range that falls within that subnet. Based on that subnet, my router should accept packets for ANY address in the subnet that I've told it to accept packets for. It should then NAT the destination address, the public address, to an internal address and deliver the packet.

If you're telling me that my brand new, "state of the art" router from HP can't do what my beaten up, 10+yr old router from Intel can, well, I guess I need to send the HP back.
Dave Costello
Advisor

Re: Help with In Bound 1:1 NAT

I just found this referenced in another post about 1:1 NAT.

> For your question #2: Yes, you have to configure your 13 addresses as secondary on the outside facing interface.

Is this true? Do I need to set up all my public IP addresses as secondaries on my public interface? It would seem to solve my problem, but it also seems unnecessary. If I address my router with a subnet, shouldn't the router know what all the public space is based on the subnet?
Dave Costello
Advisor

Re: Help with In Bound 1:1 NAT

I just added all 30 of my public addresses as secondaries on my public interface. Again, I must insist that this is just dumb. The router should already know all these addresses by its address/subnet combo. I'll know tonight whether this makes the router work or not. As much as I'd like the router to work, I really hope it doesn't, because this is just dumb. What if I had a Class B mask, or worse, a Class A? Would I have to enter 65,000 secondaries on my public interface??
Matt Hobbs
Honored Contributor

Re: Help with In Bound 1:1 NAT

Wow, I really didn't read that right the first time, 1:1 being the key point I missed. So yes, I believe you will need to set them up as secondary addresses for this to work.

Dave Costello
Advisor

Re: Help with In Bound 1:1 NAT

I've added them but haven't had a chance to change the router over, this is a live working circuit with services so I need to do it off hours. I'll probably end up doing it tomorrow night, 12-Jun-08. We'll find out then.

I still think the idea is silly. And if it works, this is the first router I've ever heard of needing such a thing.
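An added example, not part of this thread and not HP's own code: a small Python audit of a config fragment written in the style quoted above (the `ip access-list extended` / `permit ... any host` lines and the `ip address` line on the outside interface). It collects the public addresses that the inbound 1:1 ACLs forward to and checks each one against the two things this thread turns on: that the address lies inside the outside interface's subnet, and that it is actually bound to that interface as a secondary. The `secondary` keyword form, the interface/ACL names and the documentation-range addresses are all assumptions.

```python
import ipaddress
import re

# Constructed config fragment in the style quoted in the thread; the
# "secondary" keyword form and all addresses (RFC 5737 ranges) are assumed.
SAMPLE_CONFIG = """
interface ppp 1
 ip address 203.0.113.33 255.255.255.224
 ip address 203.0.113.34 255.255.255.224 secondary
!
ip access-list extended web-acl-7
 permit tcp any host 203.0.113.34 eq domain log
 permit udp any host 203.0.113.34 eq domain log
!
ip access-list extended mx-acl-8
 permit tcp any host 203.0.113.36 eq smtp log
!
ip access-list extended other-acl-9
 permit tcp any host 198.51.100.10 eq www log
"""
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)( secondary)?$")
ACL_DST_RE = re.compile(r"^\s*permit \S+ any host (\S+)")

def parse_config(text):
    """Return (outside subnet, addresses bound to it, ACL destination hosts)."""
    subnet, bound, dests = None, set(), set()
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addr, mask, secondary = m.groups()
            bound.add(addr)
            if not secondary:  # the primary address defines the subnet
                subnet = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            continue
        m = ACL_DST_RE.match(line)
        if m:
            dests.add(m.group(1))
    return subnet, bound, dests

def audit(text):
    """Classify each inbound ACL destination: ok, not bound, or out of subnet."""
    subnet, bound, dests = parse_config(text)
    report = {}
    for d in sorted(dests, key=ipaddress.ip_address):
        if ipaddress.ip_address(d) not in subnet:
            report[d] = "outside the outside-interface subnet"
        elif d not in bound:
            report[d] = "not bound as a secondary on the outside interface"
        else:
            report[d] = "ok"
    return report
```

Running `audit(SAMPLE_CONFIG)` flags 203.0.113.36 as in-subnet but unbound, which is exactly the state the router was in before the secondaries were added.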