Setup Cisco IOS Static NAT

Question

I'm trying to allow access to a printer on a separate LAN in the same building. I have control over only one of the networks... My attempt at not using another router failed see here.

I now have a Cisco 2611 running IOS 12.2 (eBay special) to join the networks. I can't route as I have no control over the settings on the remote network I can only add an IP address in the form of one of the interfaces on the router - so I am left doing a static NAT.

Our network: 10.0.0.0/24 Our router interface e0/0 10.0.0.200 Their network: 192.168.2.0/24 Their router interface e0/1 192.168.2.200 Their printer 192.168.2.50

So I would like to do a static NAT from 10.0.0.200 to 192.168.2.50

My show running-config

Fibrotech(config)#do sh ru
Building configuration...

Current configuration : 573 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Fibrotech
!
ip subnet-zero
!
interface Ethernet0/0
ip address 10.0.0.200 255.255.255.0
ip nat outside
full-duplex
!  
interface Ethernet0/1
ip address 192.168.2.200 255.255.255.0
ip nat inside
full-duplex
!
ip nat inside source static 192.168.2.50 10.0.0.200 extendable
ip classless
no ip http server
ip pim bidir-enable
!
line con 0
line aux 0
line vty 0 4
!
end

Wireshark shows me that the request does get through to 192.168.2.50 from our network, but it is presented with a source address of (for instance) 10.0.0.5. Since it has no route to the 10.0.0.0 network it fails.

So how can I make it NAT properly so the source address is the inside interface of the router?

---

Edit - have removed port 80 from the sh ru, it just needs to be a straight static map. Also the router being used is not the gateway for either network, the only knowledge either network have of the router is the IP address on each interface.

Answer 1

In the end I had to enlist the help of the Cisco 877 that was the gateway and setup a static route to the other network via the router.

Answer 2

It isn't working because you are only doing NAT on the destination address. As you noted, the printer sees the connection coming from the real 10.0.0.x source, which it can't reach. You need to add a second ip nat statement to NAT the client source address, and swap the ip nat inside and ip nat outside statements.

Try this instead:

interface Ethernet0/0
 ip address 10.0.0.200 255.255.255.0
 ip nat inside
!  
interface Ethernet0/1
 ip address 192.168.2.200 255.255.255.0
 ip nat outside
!
ip nat inside source list acl_nat_inside interface Ethernet0/1 overload
ip nat outside source static tcp 192.168.2.50 80 10.0.0.50 80 add-route
!
ip access-list extended acl_nat_inside
 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.50 eq www

This will cause TCP port 80 traffic going to 10.0.0.50 to have its source (inside local) NAT'd to the IP of Eth0/1 (inside global) and its destination (outside local) NAT'd to 192.168.2.50 (outside global). This will let your clients on 10.0.0.x connect to 10.0.0.50 address to print, and the printer at 192.168.2.50 will think they are coming from 192.168.2.200, so it will know how to reply to them.

Assuming a client trying to print is at 10.0.0.100, the translations on your router would look something like this:

Fibrotech#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.168.2.200:2075 10.0.0.100:2075     10.0.0.50:80     192.168.2.50:80
tcp ---                ---                 10.0.0.50:80     192.168.2.50:80

When I tested this (on a 3620 running 12.2(40)), I was unable to make it work using my router's own IP address for the destination NAT address. I had to choose another local IP to use for that purpose (shown in this example as 10.0.0.50).