We are attempting to test a One To One NAT configuration on a Cisco RV180 router. Cisco SMB support says that the setup below would not work (they seem to be right). I know it has something to do with ARP entries.

ISP Gateway
    |
    | (public IP block)
    |
   WAN
  NAT Router
   LAN
    |
    +----Computers connecting to the internet (192.168.1.*)
    |
   WAN
  NAT Router (this one with the One To One NAT rules)
   LAN
    |
   Computers that run webservers (192.168.2.*), each needing their own (192.168.1.*) IP address on the WAN of their router.

This alternative is said to be the layout we should use if we need a lab test:

   LAN
  NAT Router (for simulation purposes only)
   WAN
    |
   WAN
  NAT Router (this one with the One To One NAT rules.)
   LAN
    |
   Computers that run webservers (192.168.2.*), each needing their own IP address on the WAN of their router.

That layout is not guaranteed to work.

But they do say that the following is a safe bet:

  ISP Router
    |
    | (public IP block)
    |
   WAN
  NAT Router (this one with the One To One NAT rules.)
   LAN
    |
   Computers that run webservers (192.168.2.*), each needing their own (public) IP address on the WAN of their router.

My Question

Please explain what the requirements are to have a working One To One NAT setup, and how to get the ARP entries to work properly.

If you have more information on how ARP is preserved in a One To One NAT situation, that would be most helpful.

700 Software

  • If I get it correctly: you make 1:1 NAT of IP 192.168.1.X to IP 192.168.2.Y on the bottom NAT router, but computers from the 192.168.1.0/24 network complain that "destination host is unreachable"? (If this is correct, the solution is pretty simple -- add the 192.168.1.X address to the WAN interface of the NATting router, which should create the ARP entries correctly.) – exa Jul 19 '12 at 18:36
  • @exa, I think you understand correctly. However, in the RV180, the WAN interface can only claim a single IP address at one time, which ***seems*** to make 1:1 NAT all but useless. I must be missing something. – 700 Software Jul 19 '12 at 21:47
  • Okay, answering with a possible solution. – exa Jul 20 '12 at 09:57

1 Answer

Your problem is the following:

  • Computer 192.168.1.A tries to ping 192.168.1.B. A is physically on the network; B is meant to be 1:1 NATted to 192.168.2.C.
  • The kernel determines that the 192.168.1.B IP should be on the same Ethernet segment, therefore it uses "direct delivery" (without gateway routers). It sends the ARP request "Who has 192.168.1.B?"
  • As there's actually no computer that possesses 192.168.1.B, no reply comes, and the request ends as "Destination host unreachable".

There are some possible solutions:

  • Put the 192.168.1.B IP on the NATting router's WAN interface (which would direct the traffic to it, and it could get NATted/forwarded correctly). It should be possible on any decent configurable router (if you have problems with Cisco, try using Linux as a router, or check other solutions (like Mikrotik) which usually offer a WAY better price/features ratio).
  • Bridge the networks together and add the 192.168.1.B IP to the Ethernet interface of the 192.168.2.C computer -- that is clean & easy, and I'd recommend this solution.
  • If you can do without the requirement that the NATted address MUST be from the 192.168.1.0/24 range, you can also create a completely virtual address space (say 192.168.3.0/24). On the main (upper) router, put a route that directs all 192.168.3.0/24 traffic to the internal (lower) router. On the lower router, create NAT from the 192.168.3.B address to 192.168.2.C.

Hope that helps.

exa
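The failure mode exa describes, and the effect of each proposed fix, can be reproduced with a small model of the forwarding decision a host kernel makes (on-link prefix means ARP for the destination itself; off-link means ARP for the next-hop router) followed by ARP resolution on a shared segment. This is an added illustration, not code from the thread or from any router vendor; the node names (pc-A, upper-router, lower-router, web-C) and the .10/.50 host addresses are constructed, while the 192.168.1.x / 192.168.2.x / 192.168.3.x prefixes follow the answer. Scenario 1 is the original layout, scenario 2 puts the outside address on the NAT router's WAN interface, scenario 3 is the bridged layout with the address on the server itself, and scenario 4 is the routed 192.168.3.0/24 block forwarded by the upper router.

```python
"""Added model (not from the post): why 1:1 NAT to an address that lives on the
upstream LAN ends in 'destination host unreachable', and how each fix changes that.
All node names and host addresses below are constructed examples."""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address


@dataclass
class Node:
    name: str
    addrs: list                                     # IPv4Interface objects on the shared segment
    routes: dict = field(default_factory=dict)      # prefix -> next-hop address
    one_to_one: dict = field(default_factory=dict)  # outside address -> inside address (NAT router)


def arp_who_has(segment, ip):
    """Broadcast ARP 'who has ip?' on the segment: the node owning ip answers, else nobody."""
    for node in segment:
        if any(a.ip == ip for a in node.addrs):
            return node
    return None


def send(segment, src, dst, hops=0):
    """Follow one packet from src towards dst across a shared Ethernet segment.
    On-link destination -> direct delivery (ARP for dst itself); off-link -> longest
    matching route, ARP for that next hop. Routers forward; the NAT router translates."""
    dst = IPv4(dst)
    if hops > 4:
        return "forwarding loop"
    if any(dst in a.network for a in src.addrs):
        target = dst                                # direct delivery: no router consulted
    else:
        matches = [(ipaddress.ip_network(p), IPv4(nh)) for p, nh in src.routes.items()
                   if dst in ipaddress.ip_network(p)]
        if not matches:
            return f"{src.name}: network unreachable"
        target = max(matches, key=lambda m: m[0].prefixlen)[1]   # longest prefix wins
    owner = arp_who_has(segment, target)
    if owner is None:
        return f"{src.name}: destination host unreachable (no ARP reply for {target})"
    if dst in owner.one_to_one:
        return f"{owner.name} receives frame, 1:1 NAT {dst} -> {owner.one_to_one[dst]}"
    if any(a.ip == dst for a in owner.addrs):
        return f"{owner.name} receives frame for {dst}"
    return send(segment, owner, dst, hops + 1)      # an intermediate router forwards on


def iface(cidr):
    return ipaddress.ip_interface(cidr)


def scenarios():
    """Return the verdict for each layout discussed in the thread."""
    results = {}
    pc = Node("pc-A", [iface("192.168.1.10/24")], routes={"0.0.0.0/0": "192.168.1.1"})
    upper = Node("upper-router", [iface("192.168.1.1/24")])
    nat_map = {IPv4("192.168.1.50"): IPv4("192.168.2.50")}

    # 1. The question: lower router's WAN is only 192.168.1.2, yet it maps 192.168.1.50.
    #    Nobody on the segment answers ARP for .50, so the PC gives up before any NAT.
    lower = Node("lower-router", [iface("192.168.1.2/24")], one_to_one=nat_map)
    results["no_owner"] = send([pc, upper, lower], pc, "192.168.1.50")

    # 2. Fix 1: the NAT router also claims 192.168.1.50 on its WAN interface and therefore
    #    answers the ARP request; the frame reaches it and is translated.
    lower_alias = Node("lower-router", [iface("192.168.1.2/24"), iface("192.168.1.50/24")],
                       one_to_one=nat_map)
    results["wan_alias"] = send([pc, upper, lower_alias], pc, "192.168.1.50")

    # 3. Fix 2: networks bridged, the web server itself carries 192.168.1.50 and answers ARP.
    server = Node("web-C", [iface("192.168.2.50/24"), iface("192.168.1.50/24")])
    results["bridged"] = send([pc, upper, server], pc, "192.168.1.50")

    # 4. Fix 3: outside addresses come from 192.168.3.0/24, which is off-link for the PC.
    #    It ARPs for its gateway; the upper router forwards by static route to the lower
    #    router's real WAN address, which translates.
    upper_routed = Node("upper-router", [iface("192.168.1.1/24")],
                        routes={"192.168.3.0/24": "192.168.1.2"})
    lower_routed = Node("lower-router", [iface("192.168.1.2/24")],
                        one_to_one={IPv4("192.168.3.50"): IPv4("192.168.2.50")})
    results["routed_block"] = send([pc, upper_routed, lower_routed], pc, "192.168.3.50")
    return results


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:13s} {verdict}")
```

The model deliberately stops at the point where the real network stops: in the first scenario the NAT rule on the lower router is never consulted, because the frame never leaves the PC. Every fix works by giving the outside address either an owner on the segment (a WAN alias, or the server in a bridged layout) or a route, so that some node actually answers the ARP request.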