#CISCO ROUTER ON A STICK WITH NAT PRO#
All Internet users need access to a specific service on TCP port 1613 provided by three or more servers.

The difficulty in the following scenario comes from two facts:

We have only one public IP address (145.1.1.1), used to provide Internet access to all users behind the NAT/PAT router by 'overloading' it, and we need to use it for the port forwarding.

From outside we need to access several servers providing the same service, but residing in different networks in the private address range.

Note: For simplicity and to easily distinguish different Routing and NAT operations we are using networks for the servers as follows: 10.10.10.10/24, 20.20.20.0/24, 30.30.30.0/24. The NAT device is acting as router on-a-stick for the inside networks.

Solution:

Essentially, in order for NAT to work the router should have at least one interface to the inside network and one to the outside, so that when traffic enters or exits the domain it is translated to the address we have specified. In our case, for the NAT configuration to work and to accomplish double NAT, we will have to pass the traffic through two pairs of inside/outside interfaces. In this situation we will end up configuring four tunnel interfaces with four Loopback interfaces used as source and destination for the GRE.

In order to visualize the whole traffic flow and order of operations before stepping into the actual configuration, let's take a look at the following logical diagram of the NAT router:

Traffic flow, where we use the packet representation 'Source | Destination':

Traffic is coming from the Internet and wants to reach the public IP address on the outside interface Gig0/0 on port 1613 of the NAT router. In our case the source of the packet is the IP address of the directly connected device - 145.1.1.2 and the destination is 145.1.1.1:1613, which represents the servers' public IP address.

The router receives the connection request on the outside interface (Gig0/0) and creates a translation to a 'dummy' IP address, changing the destination of the packet to 1.1.1.1. For each new connection established, it allocates the next IP address in the rotary pool, round-robin: 1.1.1.1 -> 1.1.1.2 -> 1.1.1.3 -> 1.1.1.1 -> 1.1.1.2 -> 1.1.1.3

Once we have translated the destination, the router will search the RIB to check where the destination 1.1.1.1 is and will route the traffic accordingly through the GRE Tunnel 0 to Tunnel 1 (entering the VRF 'A').

In vrf 'A' the router sends the traffic to Tunnel 10, which is configured with 'ip nat outside', and here we change the destination of the packet for the second time with one-to-one NAT.

'145.1.1.2 | 1.1.1.1 -> 10.10.10.10'

The second NAT changes the arrived packet destination (inside->outside) from 1.1.1.1 to 10.10.10.10. The router does the vrf RIB lookup and forwards the traffic through the next-hop of interface Tunnel 10, Tunnel 11, and as the last lookup for the destination address is done in the global GRT, the router forwards the traffic directly to the Server.