ccie.nyquist.eu
NAT for Overlapping Networks


Last updated 3 years ago


When two networks have overlapping addresses, communication between them is not going to work unless you use NAT. The situation we have to deal with can be seen in the next diagram.

We have 2 routers, Router 1 and Router 2, connected via the 12.12.12.0/24 subnet. Each router has a LAN interface on the 10.0.0.0/24 subnet (the overlapping networks). How can we communicate between Server 3 and Server 4 without changing the addresses on each router? Let’s take it from the top.

The starting configurations are:

!Router 1:
R1(config)# int Fa0/1
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# int Fa0/0
R1(config-if)# ip address 12.12.12.1 255.255.255.0
!Router 2:
R2(config)# int Fa0/1
R2(config-if)# ip address 10.0.0.2 255.255.255.0
R2(config-if)# int Fa0/0
R2(config-if)# ip address 12.12.12.2 255.255.255.0

Option 1 – NAT on both routers

Translate Server 3’s IP address into 13.13.13.3 and Server 4’s IP address into 24.24.24.4. Server 3 will use 24.24.24.4 to access Server 4, and Server 4 will use 13.13.13.3 to access Server 3. Each router will need to be aware of (have a route towards) the inside global addresses used on the other router.

! On R1
R1(config)# int Fa0/1
R1(config-if)# ip nat inside
R1(config-if)# int Fa0/0
R1(config-if)# ip nat outside
R1(config-if)# exit
! Translate inside local 10.0.0.3 to inside global 13.13.13.3
R1(config)# ip nat inside source static 10.0.0.3 13.13.13.3
! Add a route towards the inside global subnet used on the other router:
R1(config)# ip route 24.24.24.0 255.255.255.0 12.12.12.2
! On R2
R2(config)# int Fa0/1
R2(config-if)# ip nat inside
R2(config-if)# int Fa0/0
R2(config-if)# ip nat outside
R2(config-if)# exit
! Translate inside local 10.0.0.4 to inside global 24.24.24.4
R2(config)# ip nat inside source static 10.0.0.4 24.24.24.4
! Add a route towards the inside global subnet used on the other router:
R2(config)# ip route 13.13.13.0 255.255.255.0 12.12.12.1

This was simple, but what if more than one pair of hosts must talk to each other? Adding a static NAT entry for each host would not be much fun. The first option that comes to mind is to use dynamic NAT instead of static NAT. Unfortunately, translations for inside source dynamic NAT are only created when the inside host initiates the traffic. We would end up with a situation where most of the time the connection would not work, but sometimes it would. Can you guess when? The answer is when both hosts initiate a connection at about the same time (within the translation timeout) and translation entries are created on both routers. Otherwise, the traffic would reach the router on the other end, but that router would not know how to send it to the inside host.

Depending on the type of application (that is, on which side initiates the connection), you can use static NAT on one side and dynamic NAT on the other, but not dynamic NAT on both.
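As an added illustration (not part of the original page), here is a toy Python model of the two inside-source NAT tables in Option 1, using the page's addresses. The Router class, the one-address pools and the helper names are constructed here; it assumes Server 3 initiates and Server 4 replies to whatever source address it saw. Calling conversation() with static or dynamic NAT on each side reproduces the behaviour described above: the initiating side may be dynamic, the responding side must already hold a translation.

```python
from dataclasses import dataclass, field

@dataclass
class Router:
    """One router running inside-source NAT (toy model; constructed for this example)."""
    name: str
    table: dict = field(default_factory=dict)  # live translations: inside local -> inside global
    pool: list = field(default_factory=list)   # free addresses for dynamic NAT

    def inside_to_outside(self, src, dst):
        """LAN -> WAN: translate the source; dynamic NAT creates its entry here and only here."""
        if src not in self.table:
            if not self.pool:
                return None  # no static entry and no pool: nothing to translate with
            self.table[src] = self.pool.pop(0)
        return (self.table[src], dst)

    def outside_to_inside(self, src, dst):
        """WAN -> LAN: map the inside global destination back to the inside local host.
        Without an existing entry the router cannot tell which inside host owns dst."""
        for local, glob in self.table.items():
            if glob == dst:
                return (src, local)
        return None

def static(name, local, glob):  # ip nat inside source static <local> <glob>
    return Router(name, table={local: glob})

def dynamic(name, *pool):  # ip nat inside source list <acl> pool <pool>
    return Router(name, pool=list(pool))

def send(a, b, src, dst):
    """Packet from a host behind a to inside global dst behind b: (src, dst) as the receiver sees it, or None."""
    hop = a.inside_to_outside(src, dst)
    return b.outside_to_inside(*hop) if hop else None

def conversation(r1, r2):
    """Server 3 connects to Server 4's inside global address; Server 4 replies to the address it saw."""
    request = send(r1, r2, "10.0.0.3", "24.24.24.4")
    if request is None:
        return None  # dropped at R2: it has no translation for 24.24.24.4 yet
    return request, send(r2, r1, "10.0.0.4", request[0])

if __name__ == "__main__":
    print(conversation(static("R1", "10.0.0.3", "13.13.13.3"), static("R2", "10.0.0.4", "24.24.24.4")))
    print(conversation(dynamic("R1", "13.13.13.1"), static("R2", "10.0.0.4", "24.24.24.4")))
    print(conversation(dynamic("R1", "13.13.13.1"), dynamic("R2", "24.24.24.4")))  # None: both dynamic
```

Letting Server 4 send first (r2.inside_to_outside("10.0.0.4", ...)) before conversation() makes the both-dynamic case succeed, which is exactly the "about the same time" window the text describes.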

Option 2 – NAT on one side only

Sometimes you do not have access to all devices in the network. Maybe R2 belongs to another company. Then we have to do it all on our own router, R1. This can be done if we change both the source and the destination address in the packet:

R1(config)# int Fa0/0
R1(config-if)# ip nat outside
R1(config-if)# int Fa0/1
R1(config-if)# ip nat inside
R1(config-if)# exit
! Server 3 (inside local 10.0.0.3) is seen by the other side as 13.13.13.3
R1(config)# ip nat inside source static 10.0.0.3 13.13.13.3
! Server 4 (outside global 10.0.0.4) is seen by our side as 24.24.24.4
R1(config)# ip nat outside source static 10.0.0.4 24.24.24.4

Again, depending on the side that initiates the connection, you can use one static NAT and one dynamic NAT:

Server 3 initiates

R1(config)# access-list 3 permit 10.0.0.0 0.0.0.255
R1(config)# ip nat pool POOL3 13.13.13.1 13.13.13.254 prefix-length 24
R1(config)# ip nat inside source list 3 pool POOL3
R1(config)# ip nat outside source static 10.0.0.4 24.24.24.4

Server 3 will access Server 4 using the 24.24.24.4 address.

Server 4 initiates

R1(config)# ip nat inside source static 10.0.0.3 13.13.13.3
R1(config)# access-list 4 permit 10.0.0.0 0.0.0.255
R1(config)# ip nat pool POOL4 24.24.24.1 24.24.24.254 prefix-length 24
R1(config)# ip nat outside source list 4 pool POOL4

Server 4 will access Server 3 using the 13.13.13.3 address.

NAT for Overlapping Networks – Example Topology