[c-nsp] Will NAT-on-a-stick solve this problem?

Ed Ravin eravin at panix.com
Tue Oct 26 15:59:46 EDT 2004


I am replacing a Netopia DSL router with a Cisco.  The existing
network looks like this:

  192.168.1.0/24 -------- Netopia -----  DSL to Internet
                             10.10.10.9 - router IP address, client NAT
                             10.10.10.10 - public server

Normal use is that clients in 192.168.1.0/24 send packets to the Internet
that go through NAT and are sourced with the Netopia's address, for
this example I'll use 10.10.10.9.  Server "A" on the 192.168.1.0 network
needs to be reachable from the Internet, and the Netopia has been told
to perform NAT for 10.10.10.10 to the server's real IP, 192.168.1.10.

The Netopia has another feature: the NAT for the 10.10.10.10 address
will work regardless of which side the source packet comes from.  If a
packet from the Internet side comes in for 10.10.10.10, the Netopia
translates it to 192.168.1.0 and relays it to the LAN side.  If a packet
from the LAN side of the router is destined for 10.10.10.10, it will also
receive NAT processing and will be routed back to the LAN at 192.168.1.10.
This is nice and simple for a small office network, even though it's extra
work for the router.

If I replace the Netopia with a Cisco with the usual NAT configuration,
everything works fine except that computers on 192.168.1.0/24, when they
want to reach 10.10.10.10, can't get to the server.   I can fix this by
playing games with DNS so that the customers receive the correct local
IP address for the server.  But for various logistical reasons, it would
be an easier migration if the Cisco router was willing to do the same
things the Netopia does.

Will NAT-on-a-stick solve this problem?  I'm looking at the Cisco example
at:

   http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

and it seems like the Cisco can do what I want, but the examples
given are for a different situation and I'm having trouble using
them.  I want my packets to do something like this:

  (inside LAN)
  192.168.1.5 => 10.10.10.10

  (router does one or more NAT translations, routes packet back to inside LAN)
  10.10.10.9 => 192.168.1.10

If I understand the NAT-on-a-stick stuff correctly, I should be able to
use policy routes to send the packets to a loopback interface marked with
"ip nat outside" in order to get the translation I need?

Thanks,

	-- Ed
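The packet rewrite sketched in the post (LAN client sends to the server's public address, the router hands the packet back onto the LAN with its own address as the source) as an added Python model. This is not code from the original post and not Cisco or Netopia configuration; it models the two translations and shows why the source has to be rewritten to 10.10.10.9 as well as the destination: if only the destination is translated, the server answers the client directly across the shared LAN with source 192.168.1.10, and the client, which is waiting for a reply from 10.10.10.10, discards it. The router and server addresses are the ones from the post; the client address 192.168.1.5 and the port numbers are constructed values.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the post; CLIENT and the ports are constructed sample values.
ROUTER_PUBLIC = "10.10.10.9"
SERVER_PUBLIC = "10.10.10.10"
SERVER_PRIVATE = "192.168.1.10"
CLIENT = "192.168.1.5"
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class HairpinNat:
    """Model of the router: a static map (public -> private) for the server that is
    applied regardless of which side the packet arrives on, plus port-based
    translation of LAN sources to the router's own public address."""

    def __init__(self, static_map, router_ip):
        self.pub_to_priv = dict(static_map)
        self.priv_to_pub = {v: k for k, v in static_map.items()}
        self.router_ip = router_ip
        self.sessions = {}          # translated source port -> (orig src, orig sport)
        self._next_port = 20000     # constructed starting port for the PAT pool

    def lan_side_in(self, pkt, rewrite_source):
        """A LAN client sends to the server's public address."""
        private_dst = self.pub_to_priv.get(pkt.dst)
        if private_dst is None:
            return pkt  # not a hairpin case; normal forwarding, not modelled here
        if not rewrite_source:
            # Destination-only translation: packet goes back to the LAN unchanged otherwise.
            return Packet(pkt.src, private_dst, pkt.sport, pkt.dport)
        port = self._next_port
        self._next_port += 1
        self.sessions[port] = (pkt.src, pkt.sport)
        return Packet(self.router_ip, private_dst, port, pkt.dport)

    def reply_in(self, pkt):
        """Server reply addressed to the router's public address: undo both translations."""
        orig_src, orig_sport = self.sessions[pkt.dport]
        return Packet(self.priv_to_pub[pkt.src], orig_src, pkt.sport, orig_sport)


def server_reply(request):
    """The server simply swaps the addresses and ports of what it received."""
    return Packet(request.dst, request.src, request.dport, request.sport)


def exchange(rewrite_source):
    """Run one request/reply and report the reply as the client sees it and
    whether the client accepts it (it expects the reply from SERVER_PUBLIC)."""
    nat = HairpinNat({SERVER_PUBLIC: SERVER_PRIVATE}, ROUTER_PUBLIC)
    request = Packet(CLIENT, SERVER_PUBLIC, 40000, 80)
    expected = (request.dst, request.dport, request.sport)

    forwarded = nat.lan_side_in(request, rewrite_source)
    reply = server_reply(forwarded)

    if ipaddress.ip_address(reply.dst) in LAN:
        # Destination is on the same LAN as the server: delivered directly,
        # the router never sees the reply and cannot reverse the destination NAT.
        pass
    else:
        reply = nat.reply_in(reply)

    accepted = (reply.src, reply.sport, reply.dport) == expected
    return reply, accepted


if __name__ == "__main__":
    for mode in (True, False):
        reply, ok = exchange(rewrite_source=mode)
        print(f"rewrite_source={mode}: client sees {reply.src}:{reply.sport} -> "
              f"{reply.dst}:{reply.dport}, accepted={ok}")
```

Run with `python3` to see both cases; the second case is the asymmetric-return failure that a destination-only hairpin produces, which is also why a packet capture on the client shows replies from 192.168.1.10 that the client's TCP stack resets or ignores.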


More information about the cisco-nsp mailing list