Help with NAT Configuration

Matthew Martin
Level 5

Hello All,

Device: ISR 4331

I think NAT is what I'm looking for here. But, maybe someone could help me out with this.

In a remote location we have an ISR4331 (*+ a C3650 Switch), which is connected back to HQ (*where I am located) on MPLS link via BGP. Also, this remote location has a Local Broadband router connected for Internet access. If I remote desktop to a PC in the remote location I am able to access the local broadband router's Admin GUI via a web browser. But, if I try to reach it from HQ, I cannot get there.

I believe the issue is that the broadband router does not see me as a LAN device connected to that router so it isn't letting me on. All the local addresses in that location are natted to be 10.77.3.2, going off the "show ip nat translations" command.

The interface connecting the local broadband router to the ISR is configured like so:

! ***Broadband Router interface on ISR4331***
interface GigabitEthernet0/0/2
description Uplink to Broadband Modem
ip address 10.77.3.2 255.255.255.0
ip nat outside
zone-member security INTERNET
negotiation auto
!
! ***MPLS Interface***
interface GigabitEthernet0/0/1
description Private MPLS
ip address <removed>
zone-member security WAN
speed 100
no negotiation auto
!
! ***Interface/Sub-Interfaces facing the 3650 Switch***
interface GigabitEthernet0/0/0
description Inside Interface to Switch
no ip address
speed 100
no negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/0/0.1
description Data/PCs
encapsulation dot1Q 1 native
ip address 10.7.1.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
interface GigabitEthernet0/0/0.2
description IP Phones
encapsulation dot1Q 2
ip address 10.7.2.1 255.255.255.0
zone-member security INSIDE
!

*There's a couple of other Sub-Interfaces on Gi0/0/0 for different Wi-Fi Networks as well...

Now, I am able to ping, from the HQ to 10.77.3.2, but I cannot ping the Broadband Router's LAN address, which is 10.77.3.1.

Also, running a traceroute from my PC in the HQ to 10.77.3.1 appears to stop at the MPLS interface address for Gi0/0/1.

Would setting up a NAT make me able to access the Modem from the HQ?

Thanks in Advance,
Matt

1 Reply

Richard Burts
Hall of Fame

Matt

Based on your description of the issue I am not sure that it is an issue with address translation. I can think of a few things that might be the reason why you are having problems accessing the broadband router from HQ:

1) Is it possible that the broadband router has a security policy that accepts access from addresses that are "local" but not from addresses that are "remote"? Can you check that broadband router for any security policies that restrict access to it?

2) Is it possible that the broadband router receives your IP packet requesting access and attempts to respond, but tries to send the response using its outside interface rather than by using the interface from which the request arrived?

HTH

Rick
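
The second possibility in the reply above (the response leaving by the broadband router's outside interface), shown as an added example that is not part of the original thread: a longest-prefix-match lookup over a routing table assumed for the broadband router. Only 10.77.3.0/24, 10.77.3.1 and 10.77.3.2 come from the post; the WAN subnet, the default route, the HQ address and the extra return route are constructed or hypothetical.

```python
import ipaddress

# Routing table ASSUMED for the broadband router (constructed for illustration).
# Only the 10.77.3.0/24 LAN comes from the thread.
BROADBAND_ROUTES = [
    ("10.77.3.0/24", "LAN"),    # connected: link to the ISR's Gi0/0/2
    ("203.0.113.0/30", "WAN"),  # connected: ISP side (documentation range)
    ("0.0.0.0/0", "WAN"),       # default route towards the ISP (assumed)
]

HQ_PC = "10.1.1.50"          # constructed HQ source address, not from the thread
ISR_NAT_ADDR = "10.77.3.2"   # address the post says local hosts are translated to


def egress_interface(routes, destination):
    """Return the interface chosen by longest-prefix match, or None."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reply_path(routes, client_source):
    """Describe where the router sends its reply to a given source address."""
    iface = egress_interface(routes, client_source)
    return {
        "reply_to": client_source,
        "egress": iface,
        "returns_via_isr": iface == "LAN",
    }


def with_return_route(routes, prefix):
    """Hypothetical: same table plus a route for `prefix` back via the LAN side."""
    return routes + [(prefix, "LAN")]


if __name__ == "__main__":
    cases = [
        ("HQ source, untranslated", BROADBAND_ROUTES, HQ_PC),
        ("source seen as ISR NAT address", BROADBAND_ROUTES, ISR_NAT_ADDR),
        ("HQ source, return route added",
         with_return_route(BROADBAND_ROUTES, "10.1.1.0/24"), HQ_PC),
    ]
    for label, table, src in cases:
        print(label, reply_path(table, src))
```
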
