Hi César,

Hope you're doing good. I am not sure why you would want to do it in the first place. Do you plan to launch an IP spoofing attack on the outside host 2.2.2.2?

I can think of a way for this to happen; however, it requires static translations and you also need to control the source port. I did not think about it much; however, this is the first thing that came to my mind after reading your query.

Topology:

(1.1.1.1)-R1-----IN-R2-OUT-----R3 (3.3.3.3)

R2 is the NAT router (with IN and OUT marked).

Requirement: S = 1.1.1.1, D = 3.3.3.3
1. Source will translate to 5.5.5.5 when the source port is 123.
2. Source will translate to 6.6.6.6 when the source port is 124.
3. Source will translate to 7.7.7.7 when the source port is 125.

NAT configuration on R2 (apart from defining the NAT inside and NAT outside interfaces):

!
ip nat inside source static udp 1.1.1.1 123 5.5.5.5 123 extendable
ip nat inside source static udp 1.1.1.1 124 6.6.6.6 124 extendable
ip nat inside source static udp 1.1.1.1 125 7.7.7.7 125 extendable
!

Output of NAT translations:

!
R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 5.5.5.5:123        1.1.1.1:123        3.3.3.3:1967       3.3.3.3:1967
udp 5.5.5.5:123        1.1.1.1:123        ---                ---
udp 6.6.6.6:124        1.1.1.1:124        3.3.3.3:1967       3.3.3.3:1967
udp 6.6.6.6:124        1.1.1.1:124        ---                ---
udp 7.7.7.7:125        1.1.1.1:125        3.3.3.3:1967       3.3.3.3:1967
udp 7.7.7.7:125        1.1.1.1:125        ---                ---
!

I generated traffic with a specific source port using the SLA UDP Echo feature. This might not be feasible if in your scenario there is no way to control the source ports (which is usually the case). Hence dynamic translations, as per your original requirement, might not be possible.

Hope this helps, and maybe you are able to build something on the basis of this configuration to achieve what you are looking for!

Thank you.
Narendra Naukwal

On Saturday, 15 March 2014 3:16 AM, Tony Singh <[email protected]> wrote:

Thinking about this again, it can't be done...

What you're doing here is many-to-many source NAT, i.e. a source pool, then a source pool to translate to (inside global). Be it layer 3 or 4, the layer 3 source/destination pairs will always be matched in the translation table (layer 4 information is unique for PAT).

BR
Tony

On 14 March 2014 18:38, Tony Singh <[email protected]> wrote:
>
> I'm sure this should work with PAT and matching layer 4 information; the
> reason it gets destination natted to the same address is the ACL matches
> layer 3 information, hence the same source/destination pairs. Try on layer 4.
>
> With the below config you'd need to source from say .3 to get a new public.
>
> By the way, you can't chop & change a TCP/UDP session to change its
> destination layer 3 address post NAT on the same device as the session
> would drop.
>
> --
> BR
>
> Tony
>
>
> On 14 Mar 2014, at 15:23, César <[email protected]> wrote:
> >
> > George, thank you very much for your detailed explanation. I'm going to use
> > your detailed scheme to explain in more detail what I need.
> >
> > I need that PC_A (192.168.1.2) gets to PC_B (2.2.2.2) using, in each
> > different period of time (every two seconds/10 seconds, for instance),
> > different public IP addresses (1.1.1.3, 1.1.1.4, 1.1.1.5...), in the way
> > that PC_B sees PC_A with different IP addresses. I don't know if it's
> > possible. What I'm seeing configuring NAT without overloading is that when
> > the router establishes a NAT translation for a connection, it always uses
> > that natted IP for the next connections (only changing the port numbers).
> >
> > Thanks,
> > César.
> >
> >
> > 2014-03-14 15:50 GMT+01:00 George Leslie <[email protected]>:
> >
> >> Hi Cesar,
> >> If I understand your requirements correctly, then what you are
> >> describing is simply dynamic NAT. e.g.
> >>
> >> PC_A is on the "inside", 192.168.1.2/24.
> >> PC_B is on the "outside", say 2.2.2.2/24.
> >>
> >> Topology:
> >>
> >> PC_A -> router eth 0 (inside) -> router serial 0 (outside) -> NAT -> WAN
> >> -> PC_B
> >>
> >> A config like this should do it. I will assume a public range of
> >> 1.1.1.1 - 1.1.1.15/28.
> >>
> >> int Eth 0
> >>  ip address 192.168.1.1 255.255.255.0
> >>  ip nat inside
> >>
> >> int ser0
> >>  ip address 1.1.1.1 255.255.255.240
> >>  ip nat outside
> >>
> >> ip route 0.0.0.0 0.0.0.0 1.1.1.2
> >> /* Assuming 1.1.1.2 is your ISP router. */
> >>
> >> access-list 100 permit ip 192.168.1.0 0.0.0.255 any
> >>
> >> ip nat pool DYNAMIC_POOL 1.1.1.3 1.1.1.15 netmask 255.255.255.240
> >> ip nat inside source list 100 pool DYNAMIC_POOL
> >>
> >> This will NAT PC_A to the next available NAT address in the dynamic pool.
> >>
> >> Is this your requirement?
> >>
> >> George.
> >>
> >>
> >>
> >>> Date: Fri, 14 Mar 2014 15:18:04 +0100
> >>> From: [email protected]
> >>> To: [email protected]
> >>> Subject: [OSL | CCIE_RS] NAT
> >>>
> >>> Hello,
> >>>
> >>> I would like to configure a network where you have a PC_A in the LAN, a
> >>> router doing NAT (using a pool of public IP addresses) and a PC_B in the
> >>> WAN. Does anybody know if it's possible to configure NAT in the router in
> >>> order to permit PC_A (using *always* the same private IP address) to
> >>> connect to PC_B (using *always* the same destination IP address) through
> >>> different origin IP addresses assigned dynamically by the router?
> >>>
> >>> Thanks in advance,
> >>> Cesar.
> >>> _______________________________________________
> >>> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
> >>>
> >>> iPexpert on YouTube: www.youtube.com/ipexpertinc
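The two NAT behaviours the thread contrasts, George's dynamic pool (where the router keeps reusing the first inside-global address it handed to PC_A, which is what César observed) and Narendra's per-port static `extendable` entries, modelled in Python as an added example that is not part of the original thread. It does not talk to a router: the two classes imitate how IOS keys its translation table, the addresses and ports are the ones used in the thread, and the pool allocation order (lowest free address first) is an assumption of the model.

```python
"""Toy model of the two Cisco IOS NAT behaviours discussed in the thread.

Added example, not code from the thread. It does not talk to a router: it
imitates how IOS keys its translation table so that the difference between
dynamic NAT without overload and per-port static 'extendable' entries is
visible. Addresses and ports are the ones used in the thread; the pool
allocation order (lowest free address first) is an assumption of the model.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DynamicNat:
    """'ip nat inside source list ACL pool POOL' (no overload).

    The entry is keyed on the inside-local address alone, so every later flow
    from the same host reuses the inside-global address it was first given,
    until that entry times out. This is what Cesar observed.
    """

    def __init__(self, pool: List[str]) -> None:
        self.free = list(pool)           # assumption: allocated in this order
        self.table: Dict[str, str] = {}  # inside local -> inside global

    def translate(self, flow: Flow) -> Optional[Flow]:
        inside_global = self.table.get(flow.src_ip)
        if inside_global is None:
            if not self.free:
                return None              # pool exhausted: packet is dropped
            inside_global = self.free.pop(0)
            self.table[flow.src_ip] = inside_global
        return Flow(flow.proto, inside_global, flow.src_port,
                    flow.dst_ip, flow.dst_port)


class StaticExtendableNat:
    """'ip nat inside source static udp L LPORT G GPORT extendable' entries.

    Matched on (protocol, inside-local address, inside-local port), so three
    entries for one host give three inside-global addresses, one per source
    port. A flow with no matching entry is left untranslated here.
    """

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str, int], Tuple[str, int]] = {}

    def add(self, proto: str, local_ip: str, local_port: int,
            global_ip: str, global_port: int) -> None:
        self.entries[(proto, local_ip, local_port)] = (global_ip, global_port)

    def translate(self, flow: Flow) -> Optional[Flow]:
        match = self.entries.get((flow.proto, flow.src_ip, flow.src_port))
        if match is None:
            return None
        global_ip, global_port = match
        return Flow(flow.proto, global_ip, global_port,
                    flow.dst_ip, flow.dst_port)

    def ios_config(self) -> List[str]:
        """Render the entries as the IOS commands Narendra posted."""
        return [
            f"ip nat inside source static {p} {lip} {lp} {gip} {gp} extendable"
            for (p, lip, lp), (gip, gp) in sorted(self.entries.items())
        ]


def dynamic_demo() -> List[str]:
    """George's pool: three connections from PC_A to PC_B all leave as 1.1.1.3."""
    nat = DynamicNat(["1.1.1.3", "1.1.1.4", "1.1.1.5"])
    flows = [Flow("tcp", "192.168.1.2", port, "2.2.2.2", 80)
             for port in (40000, 40001, 40002)]
    return [nat.translate(f).src_ip for f in flows]


def build_static_nat() -> StaticExtendableNat:
    """Narendra's R2: one static entry per source port of 1.1.1.1."""
    nat = StaticExtendableNat()
    for port, global_ip in ((123, "5.5.5.5"), (124, "6.6.6.6"), (125, "7.7.7.7")):
        nat.add("udp", "1.1.1.1", port, global_ip, port)
    return nat


def static_demo() -> List[Tuple[int, Optional[str]]]:
    """Ports 123-125 map to three inside-global addresses; an uncontrolled
    source port (126) matches nothing, which is the caveat Narendra raised."""
    nat = build_static_nat()
    result = []
    for port in (123, 124, 125, 126):
        out = nat.translate(Flow("udp", "1.1.1.1", port, "3.3.3.3", 1967))
        result.append((port, out.src_ip if out else None))
    return result


if __name__ == "__main__":
    print("dynamic pool :", dynamic_demo())
    print("static/port  :", static_demo())
    print("\n".join(build_static_nat().ios_config()))
```

Running the file prints the same inside-global address three times for the dynamic pool, one address per source port for the static entries (and `None` for port 126), and the three `ip nat inside source static ... extendable` lines from Narendra's reply, so the key of each table (inside-local address alone versus protocol/address/port) is what decides whether PC_B ever sees a second address.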
