Hi
I have a customer with the following scenario and am not sure how my NAT configuration has to be.
The problem is they have only 1 router to cater for this configuration.
Site A 10.10.0.0/24
Site B 192.168.1.0/24
Connected Main Site 10.10.0.0/24 and 192.168.1.0/24
Main Site have to communicate to all systems on Site A and B and Site A and B have to communicate to all IP on Main Site.
We are unable to change IP ranges on any of the sites since most are already in production, so I would like to have a NAT configuration as follows:
I would like to NAT the Site A network as 172.21.0.0/24 and the Site B network as 172.22.0.0/24 from the Main Site,
and the Main Site to be reached via 172.20.0.0/24 from Site A and B.
You are going to have far more problems trying to get this working than if you simply use unique subnets for each site. While reverse NAT is possible, you will find that it is not practical and very complicated to manage.
What is the current network topology? A, B, Main C, Main D: are they simple flat networks without a router/gateway? And you plan to connect them to a single router? If yes, it is impossible to implement even with NAT.
Just to be clear, your main location is already using the networks 10.10.0.0/24 and 192.168.1.0/24?
SiteA is 10.10.0.0/24
SiteB is 192.168.1.0/24
If the above is correct then you need to specify 2 networks for the main location: 1 network for 10.10.0.0/24%main-location and 1 network for 192.168.1.0/24%main-location. Basing this off your existing information, maybe this would work better:
Main Location 10.10.0.0/24 is known as 172.21.10.0/24
Main Location 192.168.1.0/24 is known as 172.21.192.0/24
SiteA 10.10.0.0/24 is known as 172.22.10.0/24
SiteB 192.168.1.0/24 is known as 172.23.192.0/24
With the correct ranges planned out you just need to NAT them correctly. Think through the operations that have to happen. You want to change the source IP of a packet to reflect its “fake” IP only when it is destined to another network's “fake” IP and sourced from the local “real” IP. That’s your SRCNAT operation. You want to change the destination IP of a packet to reflect its “real” IP only when it is destined to the correct “fake” IP and sourced from one of the expected “fake” IPs. That’s your DSTNAT operation.
You need to place the rules correctly in the list so they are matched appropriately (usually above the catch-all outbound Internet MASQUERADE).
Remember you’ll need to access the far side resources by their “fake” IP. An example, if you are at the Main Location on a PC with the IP of 10.10.0.99 and you want to access a resource at SiteA with the IP 10.10.0.12 you’d need to use 172.22.10.12. The log on that device would say the source IP was 172.21.10.99.
Long story short, if you can renumber the remote networks it’s significantly easier. Additionally, you’ll give yourself far fewer headaches. If you dig through some of my other posts you’ll see a diagram I did for another guy showing how to double NAT a single subnet (I think I need to update the drawing, maybe I’ll get around to it). You’d just need to double the recipe.
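The SRCNAT/DSTNAT decision described in this reply, modelled in Python as an added example (not the poster's configuration). The interface names are assumed, the four mappings are the ones proposed above, and the egress segment is chosen from the “fake” destination prefix before DSTNAT, because the “real” prefixes overlap and cannot select an interface on their own.

```python
import ipaddress

# Constructed from the plan above: each segment is identified by the router
# interface it hangs off (assumed names), its real prefix, and the "fake"
# prefix the other segments use to reach it.
SEGMENTS = {
    "ether-main-a": (ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("172.21.10.0/24")),
    "ether-main-b": (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("172.21.192.0/24")),
    "ether-siteA": (ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("172.22.10.0/24")),
    "ether-siteB": (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("172.23.192.0/24")),
}


def _translate(addr, from_net, to_net):
    """Keep the host part of addr, swap the network part (all prefixes are /24)."""
    host = int(addr) - int(from_net.network_address)
    return to_net.network_address + host


def _segment_for_fake(addr):
    """Which segment does this fake destination belong to? None if it is not a fake IP."""
    for iface, (_real, fake) in SEGMENTS.items():
        if addr in fake:
            return iface
    return None


def nat_forward(in_iface, src, dst):
    """Model one packet crossing the router.

    Returns (out_iface, new_src, new_dst) after SRCNAT and DSTNAT, or None when
    the packet does not match the NAT rules (same segment, or not a fake destination).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Egress is decided by the fake destination prefix, since real prefixes overlap.
    out_iface = _segment_for_fake(dst)
    if out_iface is None or out_iface == in_iface:
        return None
    real_in, fake_in = SEGMENTS[in_iface]
    real_out, fake_out = SEGMENTS[out_iface]
    # SRCNAT applies only to packets sourced from the ingress segment's real range.
    if src not in real_in:
        return None
    # SRCNAT: local real -> local fake, because dst is another segment's fake IP.
    new_src = _translate(src, real_in, fake_in)
    # DSTNAT: fake -> real, because src is now one of the expected fake IPs.
    new_dst = _translate(dst, fake_out, real_out)
    return out_iface, str(new_src), str(new_dst)
```

Running the example from the reply, a Main Location PC 10.10.0.99 reaching 172.22.10.12 arrives at SiteA as 172.21.10.99 to 10.10.0.12, and the reply takes the mirror path.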