0

I'm trying to allow access to a printer on a separate LAN in the same building. I have control over only one of the networks... My attempt at not using another router failed; see here.

I now have a Cisco 2611 running IOS 12.2 (eBay special) to join the networks. I can't route as I have no control over the settings on the remote network; I can only add an IP address in the form of one of the interfaces on the router - so I am left doing a static NAT.

Our network: 10.0.0.0/24
Our router interface e0/0 10.0.0.200
Their network: 192.168.2.0/24
Their router interface e0/1 192.168.2.200
Their printer 192.168.2.50

So I would like to do a static NAT from 10.0.0.200 to 192.168.2.50

My show running-config

    Fibrotech(config)#do sh ru
    Building configuration...

    Current configuration : 573 bytes
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Fibrotech
    !
    ip subnet-zero
    !
    interface Ethernet0/0
     ip address 10.0.0.200 255.255.255.0
     ip nat outside
     full-duplex
    !
    interface Ethernet0/1
     ip address 192.168.2.200 255.255.255.0
     ip nat inside
     full-duplex
    !
    ip nat inside source static 192.168.2.50 10.0.0.200 extendable
    ip classless
    no ip http server
    ip pim bidir-enable
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    end

Wireshark shows me that the request does get through to 192.168.2.50 from our network, but it is presented with a source address of (for instance) 10.0.0.5. Since it has no route to the 10.0.0.0 network it fails.

So how can I make it NAT properly so the source address is the inside interface of the router?


Edit - have removed port 80 from the sh ru, it just needs to be a straight static map. Also the router being used is not the gateway for either network, the only knowledge either network has of the router is the IP address on each interface.

2 Answers

1

In the end I had to enlist the help of the Cisco 877 that was the gateway and set up a static route to the other network via the router.

0

It isn't working because you are only doing NAT on the destination address. As you noted, the printer sees the connection coming from the real 10.0.0.x source, which it can't reach. You need to add a second ip nat statement to NAT the client source address, and swap the ip nat inside and ip nat outside statements.

Try this instead:

    interface Ethernet0/0
     ip address 10.0.0.200 255.255.255.0
     ip nat inside
    !
    interface Ethernet0/1
     ip address 192.168.2.200 255.255.255.0
     ip nat outside
    !
    ip nat inside source list acl_nat_inside interface Ethernet0/1 overload
    ip nat outside source static tcp 192.168.2.50 80 10.0.0.50 80 add-route
    !
    ip access-list extended acl_nat_inside
     permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.50 eq www

This will cause TCP port 80 traffic going to 10.0.0.50 to have its source (inside local) NAT'd to the IP of Eth0/1 (inside global) and its destination (outside local) NAT'd to 192.168.2.50 (outside global). This will let your clients on 10.0.0.x connect to the 10.0.0.50 address to print, and the printer at 192.168.2.50 will think they are coming from 192.168.2.200, so it will know how to reply to them.

Assuming a client trying to print is at 10.0.0.100, the translations on your router would look something like this:

    Fibrotech#sh ip nat trans
    Pro Inside global       Inside local      Outside local   Outside global
    tcp 192.168.2.200:2075  10.0.0.100:2075   10.0.0.50:80    192.168.2.50:80
    tcp ---                 ---               10.0.0.50:80    192.168.2.50:80

When I tested this (on a 3620 running 12.2(40)), I was unable to make it work using my router's own IP address for the destination NAT address. I had to choose another local IP to use for that purpose (shown in this example as 10.0.0.50).

4
  • I seem to be missing how hosts on the 10.0.0.0 network can connect to 10.0.0.200 and be natted to 192.168.2.50 - the acl permits this but doesn't cause the natting? Commented Oct 13, 2009 at 11:09
  • 1
    I think the confusion is that you're trying to connect to 10.0.0.200 and expecting to get sent to 192.168.2.50, which is not what my suggestion will do. Instead, configure your clients to connect directly to 192.168.2.50. The configuration NATs the clients' source addresses, not the destination address of the printer. Commented Oct 13, 2009 at 14:59
  • The clients on the 10.0.0.0 network can't go to any address on the 192 network as the router is not their gateway. This is the whole point of trying to statically NAT an address on the 10 network to an address on the 192 network. Commented Oct 13, 2009 at 21:50
  • Ah, my misunderstanding. I thought the 2611 was either the gateway, or that the gateway had a route to 192.168.2.0/24 via the 2611. I will update my answer in a few minutes. Commented Oct 14, 2009 at 14:28
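
A small Python model of the two configurations discussed on this page, added here as an illustration and not written by either poster: it traces one TCP/80 connection through the question's destination-only static NAT and through the answer's source-plus-destination NAT, then checks whether the printer sees a source it can reply to. The function and class names are hypothetical, and the model is a simplification that keeps the source port unchanged (as in the answer's translation table) and ignores IOS processing order.

```python
from ipaddress import ip_address, ip_network

CLIENT_LAN = ip_network("10.0.0.0/24")      # "our network" in the question
PRINTER_LAN = ip_network("192.168.2.0/24")  # "their network" in the question
PRINTER, ROUTER_E01 = "192.168.2.50", "192.168.2.200"

def question_nat(src, sport, dst, dport):
    """Question's config: only the destination is rewritten (static NAT)."""
    if dst == "10.0.0.200":
        dst = PRINTER
    return src, sport, dst, dport

class AnswerNat:
    """Answer's config: source overload to Ethernet0/1 plus a static
    TCP/80 destination mapping 10.0.0.50 -> 192.168.2.50."""
    ALIAS = "10.0.0.50"

    def __init__(self):
        self.table = {}  # (inside global ip, port) -> (inside local ip, port)

    def outbound(self, src, sport, dst, dport):
        if dst != self.ALIAS or dport != 80:
            return src, sport, dst, dport       # no static entry: untouched
        if ip_address(src) in CLIENT_LAN:        # acl_nat_inside match
            self.table[(ROUTER_E01, sport)] = (src, sport)
            src = ROUTER_E01
        return src, sport, PRINTER, dport

    def inbound(self, src, sport, dst, dport):
        """Reply from the printer: undo both translations."""
        if (dst, dport) in self.table:
            dst, dport = self.table[(dst, dport)]
        if src == PRINTER and sport == 80:
            src = self.ALIAS
        return src, sport, dst, dport

def printer_can_reply(pkt):
    """The printer has no route to 10.0.0.0/24, so only on-link sources work."""
    return ip_address(pkt[0]) in PRINTER_LAN

if __name__ == "__main__":
    client = ("10.0.0.100", 2075)  # constructed sample client, as in the answer
    q = question_nat(*client, "10.0.0.200", 80)
    print("question:", q, "reply possible:", printer_can_reply(q))
    nat = AnswerNat()
    a = nat.outbound(*client, "10.0.0.50", 80)
    print("answer:  ", a, "reply possible:", printer_can_reply(a))
    print("reply:   ", nat.inbound(a[2], a[3], a[0], a[1]))
```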
