Natting Cisco with IOS 8.3.1

I have a situation where we merged with another institution and they use the same RFC 1918 network as we do. We both use 172.16.x.x; the subnets are a little different, but the issue is that they need access to our network, and our 172.16 will not route back to them.

Plan: We will use a 10 network that neither institution uses. Both parties will have a Cisco 5520 running 8.3.1 code. The reason for this write-up is that the new IOS code is completely different for writing NAT rules.

Scenario: Their 172.16.64.250/16 needs to talk to our 172.16.64.252/16. In reality they would never have to know about the other 172.16 address, because I would present a virtual address that acts as the real address for them. We decided to use 10.199.0-127.x when they connect to us and 10.199.128-255.x when we connect to one of their servers. The client hide addresses for this demo will be 10.199.127.254 for us and 10.199.255.254 for them. The outside interfaces of the devices could have used addresses from those NAT ranges, but we decided on 1.1.1.1/30 and 1.1.1.2/30 since they are directly connected. Oddly, Cisco would not let me create 1.1.1.1/31, and I could not find the ip classless command. Anyhow, no big deal; it just eats up 2 extra addresses.

So let's get the route commands set up for these.

Our fw will have

route outside 10.199.128.0 255.255.128.0 1.1.1.2

On their fw

route outside 10.199.0.0 255.255.128.0 1.1.1.1

172.16.64.252, which is a real address, is going to have 10.199.0.252 as its virtual-out from the client's perspective, and it is my virtual-in that will map to my real address of 172.16.64.252. I used to work at a very large bank and I like using the terms virtual-out and virtual-in. It's how my brain makes sense of and keeps track of these virtuals. Hope it makes sense for you as well.

Now the NAT commands

On our fw

nat (outside,inside) source static 10.199.255.254 10.199.255.254 destination static 10.199.0.252 172.16.64.252

On their fw

nat (inside,outside) source static 172.16.64.250 10.199.255.254 destination static 10.199.0.252 10.199.0.252

Access-lists on our fw

access-list outside_access extended permit tcp host 10.199.255.254 host 172.16.64.252 eq 10000

access-list outside_access extended permit icmp host 10.199.255.254 host 172.16.64.252 echo

access-list inside_access extended permit icmp host 172.16.64.252 host 10.199.255.254 echo-reply

Access-lists on their fw

access-list outside_access extended permit icmp host 10.199.0.252 host 172.16.64.250 echo-reply

access-list inside_access extended permit tcp host 172.16.64.250 host 10.199.0.252 eq 10000

access-list inside_access extended permit icmp host 172.16.64.250 host 10.199.0.252 echo
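As an added, consolidated example (my configuration, not the post's own lines), here is the same design for both firewalls written with the network objects that 8.3 manual NAT expects in place of literal addresses. The object names are my own choice; the addresses, interface names and ACL names are the post's. Two points worth keeping in mind: from 8.3 on, interface access-lists are matched against the real (untranslated) addresses, so their outside ACL has to name what their ASA actually sees, namely our virtual 10.199.0.252 and their real client 172.16.64.250; and the echo-reply lines are only needed when ICMP inspection is not enabled, since with `inspect icmp` the reply is matched to the existing connection.

```cisco
! ===== Our ASA 5520 (8.3.1) =====
! object names are my own; addresses are the ones from the write-up
object network THEIR-HIDE
 host 10.199.255.254
object network OUR-SERVER-REAL
 host 172.16.64.252
object network OUR-SERVER-VIRTUAL
 host 10.199.0.252
!
! their half of the 10.199 space lives behind their outside interface
route outside 10.199.128.0 255.255.128.0 1.1.1.2
!
! from outside: keep their hide address as-is, unmap our virtual-in to the real server
nat (outside,inside) source static THEIR-HIDE THEIR-HIDE destination static OUR-SERVER-VIRTUAL OUR-SERVER-REAL
!
! ACLs see real addresses: their hide address talking to our real server
access-list outside_access extended permit tcp object THEIR-HIDE object OUR-SERVER-REAL eq 10000
access-list outside_access extended permit icmp object THEIR-HIDE object OUR-SERVER-REAL echo
access-list inside_access extended permit icmp object OUR-SERVER-REAL object THEIR-HIDE echo-reply
access-group outside_access in interface outside
access-group inside_access in interface inside

! ===== Their ASA 5520 (8.3.1) =====
object network THEIR-CLIENT-REAL
 host 172.16.64.250
object network THEIR-HIDE
 host 10.199.255.254
object network OUR-SERVER-VIRTUAL
 host 10.199.0.252
!
! our half of the 10.199 space lives behind our outside interface
route outside 10.199.0.0 255.255.128.0 1.1.1.1
!
! from inside: hide their client behind 10.199.255.254, leave our virtual untouched
nat (inside,outside) source static THEIR-CLIENT-REAL THEIR-HIDE destination static OUR-SERVER-VIRTUAL OUR-SERVER-VIRTUAL
!
! the client's real address is what this ACL matches, not the hide address
access-list inside_access extended permit tcp object THEIR-CLIENT-REAL object OUR-SERVER-VIRTUAL eq 10000
access-list inside_access extended permit icmp object THEIR-CLIENT-REAL object OUR-SERVER-VIRTUAL echo
! the reply comes from our virtual and is checked against their real client address
access-list outside_access extended permit icmp object OUR-SERVER-VIRTUAL object THEIR-CLIENT-REAL echo-reply
access-group inside_access in interface inside
access-group outside_access in interface outside
```

To check the result on each box before the other side is ready, `packet-tracer input inside tcp 172.16.64.250 12345 10.199.0.252 10000` on their ASA (and the mirror-image `packet-tracer input outside tcp 10.199.255.254 12345 10.199.0.252 10000` on ours) walks the route lookup, the NAT rule and the ACL phase and reports which one drops the packet, and `show nat detail` shows the translation hit counters once real traffic flows.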

 

This is for them connecting to us.  I will do us connecting to them at a later date.  Hope this was useful.