NAT problem over several routers?

StefLiesmons
Level 1

Hi,

In a network with several routers there is a subnet that needs NAT access to our servers, since it is using an IP range and default gateway configuration which cannot be altered on their router or PCs. We did receive 6 addresses which can be translated to our server addresses on a distant subnet (behind 2 other routers).

So I added an extra router to do the NAT...

Setup:

CISCO 851

Network:

DefGATEWAYRouter -- 10.131.140.0 -- C851 -- 128.24.0.0 -- CROCUS -- leased line -- CROCUS -- 128.23.0.0

Our servers reside in 128.23.0.0 and must be accessible using the given 10.131.140.x addresses.

Config file extract:

...
ip subnet-zero
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description IMSIR
 ip address 10.131.140.199 255.255.255.0
 duplex auto
 speed auto
 ip nat outside
!
interface Vlan1
 description RVTBOOM1
 ip address 128.24.1.251 255.255.0.0
 ip tcp adjust-mss 1452
 ip nat inside
!
ip default-gateway 128.24.1.252
ip classless
ip nat inside source static 128.23.2.1 10.131.140.190
ip nat inside source static 128.23.2.4 10.131.140.191
ip nat inside source static 128.23.2.5 10.131.140.192
ip nat inside source static 128.23.2.6 10.131.140.193
ip nat inside source static 128.23.2.101 10.131.140.194
ip nat inside source static 128.24.1.249 10.131.140.198
...

Only my test laptop 128.24.1.249 (the Vlan1 subnet) seems to be accessible, and NAT works fine in both directions.

What am I missing? Do I have to add access lists or other parameters? Is it simply not possible to do NAT across other routers with this model? Since the "4-port switch" is considered as one Vlan interface and you obviously cannot configure separate IP addresses per port, is this limiting things?

Any help appreciated,

Stef

2 Replies

ilya.varlashkin
Level 3

Your laptop, 128.24.1.249, is on the same subnet as your VLAN interface, so it's reachable from the router. On the other hand, network 128.23.0.0/16 is not directly connected to this router, so the router needs a route entry to reach this network. Is the thing connected on the other side of the leased line a router, or what is it? If it's a router, add the following line to your C851 config:

ip route 128.23.2.0 255.255.255.0 128.24.x.y

where 'x.y' above is part of the address of the remote router.

If that thing on the other side of the leased line is some form of a bridge, add a secondary address to your VLAN 1 interface on the C851:

interface VLAN1
 ip address 128.23.x.y 255.255.0.0 secondary

x.y is any unused address in 128.23.0.0/16.

By the way, do the networks 128.23.0.0/16 and 128.24.0.0/16 really belong to you? If not, you should probably renumber to some real private addresses, since these are public addresses assigned to two organisations.

StefLiesmons
Level 1

Thanks for your answer.

In the meantime I discovered it was indeed a simple routing problem. I was assuming my "ip default-gateway 128.24.x.y" command did the same thing as the now added "0.0.0.0 0.0.0.0" (also called 'last resort') routing address.

While at it, I added some extra ACL security on each interface. It works flawlessly now.

And yes, I am merely a consultant for this network and I already warned them years ago about keeping these subnets. For one reason or another these ranges were used a lot at the time by a lot of companies. This dates from the old days when people had only private leased lines and an occasional CompuServe dialup ;-)
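The two fixes the thread arrives at (a usable route toward 128.23.0.0/16 in the first reply, the default route plus per-interface ACLs in the second) are shown together below as an added example; this is not the poster's running configuration and only the lines that change on the C851 are listed. The addresses are the ones posted. The ACL names FROM-IMSIR and FROM-RVTBOOM1, the use of 128.24.1.252 (the address from the poster's ip default-gateway line) as the CROCUS next hop, and "permit ip" instead of per-service ports are assumptions made here.

```cisco
! Added example, not the poster's running config: the C851 lines that
! change. ACL names, the 128.24.1.252 next hop and "permit ip" are
! assumptions; the addresses come from the thread.
!
! 1. Routing. "ip default-gateway" is only consulted when IP routing is
!    disabled (the box then behaves like a host). With routing enabled, a
!    packet arriving on the outside interface for 10.131.140.190 is
!    translated to 128.23.2.1 before the routing lookup; without an entry
!    covering 128.23.0.0/16 that lookup fails and the packet is dropped,
!    which is why only the directly connected 128.24.1.249 worked.
ip routing
no ip default-gateway
ip route 0.0.0.0 0.0.0.0 128.24.1.252
! The first reply's more specific route would also do and exposes less if
! 128.24.1.252 ever stops being the only way out:
! ip route 128.23.0.0 255.255.0.0 128.24.1.252
!
! 2. Outside (IMSIR) interface. For outside-to-inside traffic IOS evaluates
!    the inbound ACL before NAT, so this ACL must match the published
!    10.131.140.x addresses, not the 128.23.x addresses they translate to.
ip access-list extended FROM-IMSIR
 remark only the IMSIR subnet, only the published addresses
 permit ip 10.131.140.0 0.0.0.255 host 10.131.140.190
 permit ip 10.131.140.0 0.0.0.255 host 10.131.140.191
 permit ip 10.131.140.0 0.0.0.255 host 10.131.140.192
 permit ip 10.131.140.0 0.0.0.255 host 10.131.140.193
 permit ip 10.131.140.0 0.0.0.255 host 10.131.140.194
 permit ip 10.131.140.0 0.0.0.255 host 10.131.140.198
 deny   ip any any log
!
! 3. Inside (RVTBOOM1) interface. Inside-to-outside traffic is routed first
!    and translated afterwards, so the inbound ACL on Vlan1 sees the real
!    128.23.x / 128.24.x source addresses. Only the mapped hosts may talk
!    toward the IMSIR subnet; the rest of 128.23/16 and 128.24/16 stays
!    unreachable from it. If the C851 is managed from 128.24.0.0/16, add a
!    permit for that management host before the final deny, or the ACL
!    locks you out of the router.
ip access-list extended FROM-RVTBOOM1
 remark only the mapped hosts may reach the IMSIR subnet
 permit ip host 128.23.2.1   10.131.140.0 0.0.0.255
 permit ip host 128.23.2.4   10.131.140.0 0.0.0.255
 permit ip host 128.23.2.5   10.131.140.0 0.0.0.255
 permit ip host 128.23.2.6   10.131.140.0 0.0.0.255
 permit ip host 128.23.2.101 10.131.140.0 0.0.0.255
 permit ip host 128.24.1.249 10.131.140.0 0.0.0.255
 deny   ip any any log
!
interface FastEthernet4
 ip access-group FROM-IMSIR in
!
interface Vlan1
 ip access-group FROM-RVTBOOM1 in
```

To check it from the C851: "show ip route 128.23.2.1" must resolve to the 128.24.1.252 next hop, "show ip nat translations" shows the six static entries plus the dynamic ones created by client connections, and "show ip access-lists" exposes hit counts on the deny lines if something legitimate is being dropped. The return path is the other half of the exercise: the CROCUS routers and the servers in 128.23.0.0/16 need a route for 10.131.140.0/24 pointing back at 128.24.1.251, since client source addresses are not translated. The "log" keywords are useful while bringing the setup up but generate CPU load on a router this small, so drop them once the rules are settled.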