Friday, August 3, 2012

Configuring NAT using NVI Approach on Cisco IOS

Hi and Hello everyone :)

Last week, I was asked to configure the connectivity from the HQ to the Extranet Partner and vice versa. Sounds simple, but then they threw some rules at it. First, let's look at the diagram:



RULES:
  • R1 acts as the corporate Extranet edge router, connecting to the 3rd-party company. The company wants the Extranet Partner (10.170.200.0/24) to reach the Backbone Server only as 10.44.65.100.
  • Conversely, the Backbone Server must not learn the real IP address of the Extranet Partner. The Extranet Partner has been assigned the address 10.44.65.200 for this purpose.
  • The scenario above must be configured using only one router.
Well, this is kind of interesting, because if we only use the NAT inside / NAT outside approach, in my opinion we would need two routers to do this. So how do we make it work with a single router? The answer lies in the NAT NVI feature.

NAT NVI (NAT Virtual Interface) drops the inside/outside distinction of conventional NAT. Interfaces are simply marked 'ip nat enable', and every packet crossing from one NAT-enabled interface to another is checked against the same translation table for both its source and its destination. The same host can therefore be translated as a source in one direction and as a destination in the other, which is exactly what the rules above require. The translated (global) addresses are placed in the routing table as routes via the virtual interface NVI0 (the 'add-route' keyword on a pool does this for the pool range), so the router knows to send traffic for those addresses through NAT. In conventional NAT we would instead have to decide which interface is 'ip nat inside' and which is 'ip nat outside'.

With this feature, the task above becomes much easier.

Let's go through the configuration.


R1
!
! NVI has no inside/outside: every interface that the translated traffic
! crosses must carry 'ip nat enable'. The original listing omitted it on
! the WAN side, without which packets between the two sides are not translated.
interface FastEthernet0/0
 description connection to WAN
 ip address 10.1.18.1 255.255.255.0
 ip nat enable
!
! The IP address of this interface (the 192.168.12.0/24 side) and the route
! toward 10.170.200.0/24 are not shown on this page.
interface FastEthernet0/1
 description Connection to the Backbone
 ip nat enable
!
! 'add-route' installs a route for the pool range via NVI0. The pool is
! defined here but not referenced by the static entries below.
ip nat pool NAT_POOL 10.44.65.1 10.44.65.254 netmask 255.255.255.0 add-route
! Backbone Server is seen by the partner as 10.44.65.100;
! the partner host is seen by the backbone as 10.44.65.200.
! 'extendable' permits additional static entries for the same addresses.
ip nat source static 192.168.12.100 10.44.65.100 extendable
ip nat source static 10.170.200.200 10.44.65.200 extendable
!
end




Verification:
Rack01R1#show ip nat nvi translations
Pro Source global      Source local       Destin  local      Destin  global
--- 10.44.65.200       10.170.200.200     ---                ---
--- 10.44.65.100       192.168.12.100     ---                ---

I tried opening HTTP from the Extranet Partner to the Backbone Server, using 10.44.65.100 as the destination. The Backbone Server sees the traffic as coming from 10.44.65.200 instead of 10.170.200.200:

Rack01R1#show ip nat nvi translations
Pro Source global      Source local       Destin  local      Destin  global
tcp 10.44.65.200:1104  10.170.200.200:1104 10.44.65.100:80   192.168.12.100:80
tcp 10.44.65.200:1105  10.170.200.200:1105 10.44.65.100:80   192.168.12.100:80
tcp 10.44.65.200:1106  10.170.200.200:1106 10.44.65.100:80   192.168.12.100:80
tcp 10.44.65.200:1107  10.170.200.200:1107 10.44.65.100:80   192.168.12.100:80
--- 10.44.65.200       10.170.200.200     ---                ---
--- 10.44.65.100       192.168.12.100     ---                ---


Cool. Now, if I send ICMP from the Backbone Server to the Extranet Partner, the Backbone Server should only know the Extranet Partner as 10.44.65.200 instead of 10.170.200.200. If we tried to ping the Extranet Partner's real IP address directly, the router is expected to reject the request, because the policy treats that kind of access as forbidden. Note that the translation entries above do not block such a packet by themselves; an access-list on the interface is what actually enforces that part of the policy.


Now let's see the verification from R1's perspective:
Rack01R1#show ip nat nvi translations
Pro Source global      Source local       Destin  local      Destin  global
tcp 10.44.65.200:1106  10.170.200.200:1106 10.44.65.100:80   192.168.12.100:80
--- 10.44.65.200       10.170.200.200     ---                ---
icmp 10.44.65.100:512  192.168.12.100:512 10.44.65.200:512   10.170.200.200:512
--- 10.44.65.100       192.168.12.100     ---                ---

We could also restrict the static NAT to a specific port only. The configuration would then look like this:

ip nat source static tcp 192.168.12.100 80 10.44.65.100 8080

This publishes only TCP port 80 of the Backbone Server, reachable as 10.44.65.100 on port 8080; other ports of 192.168.12.100 are not translated by this entry.
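To make the "no inside/outside" behaviour concrete, here is a small Python model of how an NVI static translation table is consulted for both the source and the destination of a packet. It is added here as an illustration; it is not IOS code and not part of the original post. It covers both the two address-wide statics from the R1 configuration above and the port-specific form of the last line. The packet tuples are constructed to match the show ip nat nvi translations rows shown on this page; the assumption that a port-specific static is preferred over an address-wide one for the same address is mine.

```python
"""Model of Cisco IOS NAT NVI static translation.

Added illustration only: a Python re-creation of how an NVI translation
table is consulted, not IOS code and not code from the original post.
Packets are constructed to match the 'show ip nat nvi translations'
rows in the post.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (proto, src_ip, src_port, dst_ip, dst_port); for ICMP the port fields
# carry the ICMP identifier, which is how IOS displays it (512 in the post).
Packet = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class NatEntry:
    """One 'ip nat source static' line.  proto/ports stay None for the
    address-wide form; they are set for 'ip nat source static tcp ...'."""
    local_ip: str
    global_ip: str
    proto: Optional[str] = None
    local_port: Optional[int] = None
    global_port: Optional[int] = None

    def matches_source(self, proto: str, ip: str, port: int) -> bool:
        if ip != self.local_ip:
            return False
        return self.proto is None or (self.proto == proto and self.local_port == port)

    def matches_destination(self, proto: str, ip: str, port: int) -> bool:
        if ip != self.global_ip:
            return False
        return self.proto is None or (self.proto == proto and self.global_port == port)


class NviTable:
    """NVI has no inside/outside domains: one entry list is consulted for the
    source (local -> global) and for the destination (global -> local) of every
    packet that crosses two 'ip nat enable' interfaces, in either direction."""

    def __init__(self, entries: List[NatEntry]):
        # Assumption: a port-specific static wins over an address-wide one
        # for the same address, so it is checked first.
        self.entries = sorted(entries, key=lambda e: e.proto is None)

    def translate(self, pkt: Packet) -> Packet:
        proto, src_ip, src_port, dst_ip, dst_port = pkt
        for e in self.entries:                      # source: local -> global
            if e.matches_source(proto, src_ip, src_port):
                src_ip = e.global_ip
                if e.global_port is not None:
                    src_port = e.global_port
                break
        for e in self.entries:                      # destination: global -> local
            if e.matches_destination(proto, dst_ip, dst_port):
                dst_ip = e.local_ip
                if e.local_port is not None:
                    dst_port = e.local_port
                break
        return (proto, src_ip, src_port, dst_ip, dst_port)

    def show_row(self, pkt: Packet) -> str:
        """One row in 'show ip nat nvi translations' column order:
        Source global, Source local, Destin local, Destin global.
        'local' is the address as the packet arrived and 'global' the
        address after translation, for both source and destination."""
        proto, sl_ip, sl_port, dl_ip, dl_port = pkt
        _, sg_ip, sg_port, dg_ip, dg_port = self.translate(pkt)
        return (f"{proto:<4} {sg_ip}:{sg_port:<6} {sl_ip}:{sl_port:<6} "
                f"{dl_ip}:{dl_port:<6} {dg_ip}:{dg_port}")


def r1_table() -> NviTable:
    """The two address-wide statics from the R1 configuration in the post."""
    return NviTable([
        NatEntry("192.168.12.100", "10.44.65.100"),   # Backbone Server
        NatEntry("10.170.200.200", "10.44.65.200"),   # Extranet Partner host
    ])


def r1_port_table() -> NviTable:
    """Only the port-specific static from the end of the post: TCP/80 of the
    Backbone Server is published as 10.44.65.100:8080, nothing else."""
    return NviTable([NatEntry("192.168.12.100", "10.44.65.100", "tcp", 80, 8080)])


if __name__ == "__main__":
    t = r1_table()
    # Partner -> server HTTP request, the server's reply, and the server's ping.
    for pkt in [("tcp", "10.170.200.200", 1104, "10.44.65.100", 80),
                ("tcp", "192.168.12.100", 80, "10.44.65.200", 1104),
                ("icmp", "192.168.12.100", 512, "10.44.65.200", 512)]:
        print(t.show_row(pkt))
    p = r1_port_table()
    # Only 10.44.65.100:8080 reaches the server; port 80 is left untranslated.
    print(p.translate(("tcp", "10.170.200.200", 1104, "10.44.65.100", 8080)))
    print(p.translate(("tcp", "10.170.200.200", 1104, "10.44.65.100", 80)))
```

Running it prints the three rows in the same column order as the show output above. The point to notice is that the HTTP request and the server's reply are handled by the same two entries with no inside/outside direction attached to either, and that with only the port-specific static in place a connection to 10.44.65.100 port 80 is not translated at all.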


I hope this has been informative for you, and I’d like to thank you for reading
