Static NAT

We have a 3 node ELAN (100 MBPS) with 2851 connecting 1 Main and 2 satellite offices(SO). The Main office is connected to a Private Network via Nortel devices and routed accordingly. But we need to be able to connect to devices in the Nortel PN from the 2 satellites offices. The Network Security liason at the PN does not allow routing to happen to this 2 satellites office because of segments are RFC1918. They have recommended to have traffic from this SO be NAT'ED into ip's from segment from Main office. Problem is I dont know how to do this?
In summary:
1 device from 192.168.103.x will be nat'ed to one reserved ip from 190.50.103.x and 1 device from 192.168.101.x will be nat'ed to another ip in 190.50.103.x, so packets going into 190.20.102.x will be nat'ed to the ip addressess from the 190.50.103.x
Thanks

From memory, configure this on R3:

R3(config)# ip nat outside source static 192.168.101.x 190.50.103.y

where X is the octet for the host from R2 and y is the octet that the host will have in R3's subnet.

This tells R3 to translate the 192.168.101.x IP address to 190.50.103.y. I believe you also have to perform the NAT the other way around as well:

R3(config)# ip nat inside source static 190.50.103.y 192.168.101.x


Then configure this on R3:
R3(config)# ip nat outside source static 192.168.103.x 190.50.103.y

This tells R3 to translate the 192.168.103.x address to the 190.50.103.y addresss.

And just as above, I think you have to do the translation the other way around.

But make sure to also review the articles on NAT on this site:
www.firewall.cx/nat-static-part1.php
www.firewall.cx/nat-static-part2.php

I have read the KB before posting. As the diagram shows, it is not a simple router/gateway setup.
I need to be able to connect from system 1 on 190.20.102.x(A) to 1 system on 192.168.153.x(, in RE
From 190.20.102.225 to 192.168.153.60 nat'ed to 190.50.103.239.

Now that I look at the diagram again, where exactly is the subnet with IP address 192.168.103.x? I don't see it on the diagram.

Any way, if you want host 190.20.102.225 to be able to reach host 192.168.153.60 you'll have to define an IP address in the 190.50.103.0/24 subnet that will be translated to 192.168.153.60. Then on R3 configure the outside to inside NAT translation:

[code:1]
R3(config)# int ge0/0
R3(config-if)# ip nat inside
R3(config-if)# int ge0/1
R3(config-if)# ip nat outside
R3(config-if)# exit
R3(config)# ip nat ouside source static 190.20.103.x 192.168.153.60
[/code:1]

...where x is the octet for the newly defined public address that corresponds to 192.168.153.60

What should happen then is host 190.20.102.225 will instead communicate with host 192.168.153.60's corresponding public IP address (190.50.103.x), which will be translated to the private IP address 192.168.153.60 on R3. R3 will already have a routing table entry to reach 192.168.153.60 so it'll correctly route the traffic there.

You shouldn't need to NAT 190.20.102.x to 190.50.103.x since these are routable IP addresses (i.e.: traffic destined to interface Ge0/1's public IP address will successfully reach it).

when host 192.168.153.60 wants to communicate with host 190.20.102.225, the same concept holds true: you define a public IP address on the last Nortel router's WAN subnet that will be used to translate to that company's private IP address (this will obviously be done by that company's network engineer)


I also want to correct what I stated earlier:

R3(config)# ip nat outside source static 192.168.101.x 190.50.103.y
R3(config)# ip nat inside source static 190.50.103.y 192.168.101.x

Then configure this on R3:
R3(config)# ip nat outside source static 192.168.103.x 190.50.103.y

Correction:
Since Ge0/0 is the internal interface on R3, you would instead configure it as such:

[code:1]
R3(config)# int ge0/0
R3(config-if)# ip nat inside
R3(config-if)# int ge0/1
R3(config-if)# ip nat outside
R3(config-if)# exit
R3(config)# ip nat inside source static 192.168.101.x 190.50.103.y
[/code:1]

...where x and y are the respective octets for each host on each subnet.

There are also options to NAT complete subnets rather than individual hosts, if that's also needed.

Let me know if I misunderstood you

Sorry for the confusion
I have mistype. There is no 192.168.103.x/24 subnet