I think NAT is what I'm looking for here. But, maybe someone could help me out with this.
In a remote location we have an ISR4331 (+ a C3650 Switch), which is connected back to HQ (where I am located) on an MPLS link via BGP. Also, this remote location has a local broadband router connected for Internet access. If I remote desktop to a PC in the remote location, I am able to access the local broadband router's Admin GUI via a web browser. But if I try to reach it from HQ, I cannot get there.
I believe the issue is that the broadband router does not see me as a LAN device connected to that router so it isn't letting me on. All the local addresses in that location are natted to be 10.77.3.2, going off the "show ip nat translations" command.
The interface connecting the local broadband router to the ISR is configured like so:
! ***Broadband Router interface on ISR4331***
interface GigabitEthernet0/0/2
 description Uplink to Broadband Modem
 ip address 10.77.3.2 255.255.255.0
 ip nat outside
 zone-member security INTERNET
!
! ***MPLS Interface***
interface GigabitEthernet0/0/1
 description Private MPLS
 ip address <removed>
 zone-member security WAN
 speed 100
 no negotiation auto
!
! ***Interface/Sub-Interfaces facing the 3650 Switch***
interface GigabitEthernet0/0/0
 description Inside Interface to Switch
 no ip address
 speed 100
 no negotiation auto
 spanning-tree portfast disable
!
interface GigabitEthernet0/0/0.1
 description Data/PCs
 encapsulation dot1Q 1 native
 ip address 10.7.1.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface GigabitEthernet0/0/0.2
 description IP Phones
 encapsulation dot1Q 2
 ip address 10.7.2.1 255.255.255.0
 zone-member security INSIDE
!
*There's a couple of other Sub-Interfaces on Gi0/0/0 for different Wi-Fi Networks as well...
Now, I am able to ping from the HQ to 10.77.3.2, but I cannot ping the Broadband Router's LAN address, which is 10.77.3.1.
Also, running a traceroute from my PC in the HQ to 10.77.3.1 appears to stop at the MPLS interface address for Gi0/0/1.
Would setting up a NAT make me be able to access the Modem from the HQ?
Based on your description of the issue, I am not sure that it is an issue with address translation. I can think of a few things that might be the reason why you are having problems accessing the broadband router from HQ:
1) Is it possible that the broadband router has a security policy that accepts access from addresses that are "local" but not from addresses that are "remote"? Can you check that broadband router for any security policies that restrict access to it?
2) Is it possible that the broadband router receives your IP packet requesting access and attempts to respond, but tries to send the response using its outside interface rather than by using the interface from which the request arrived?
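The return-path question in point 2, worked through as an added example that is not part of the original thread: a small Python model of which source address the broadband router sees for each ingress interface in the posted configuration, and which of its interfaces a reply would leave by. The PC addresses, the broadband router's two-entry route table, and the assumption that NAT translates everything entering an `ip nat inside` interface are constructed for illustration.

```python
import ipaddress

# NAT role per ISR interface, as in the posted configuration.
# Gi0/0/1 (MPLS) and Gi0/0/0.2 carry no "ip nat" statement.
ISR_NAT_ROLE = {
    "Gi0/0/0.1": "inside",
    "Gi0/0/0.2": None,
    "Gi0/0/1": None,
    "Gi0/0/2": "outside",
}
ISR_OUTSIDE_ADDR = ipaddress.ip_address("10.77.3.2")

# Assumed route table of the broadband router: connected LAN plus a
# default route toward the ISP. No route back to HQ prefixes.
BROADBAND_ROUTES = [
    (ipaddress.ip_network("10.77.3.0/24"), "LAN"),
    (ipaddress.ip_network("0.0.0.0/0"), "WAN"),
]


def source_seen_by_broadband(src, ingress):
    """Source address after the ISR forwards the packet out Gi0/0/2.

    Only traffic that entered on an 'ip nat inside' interface is
    translated to the ISR's outside address."""
    if ISR_NAT_ROLE.get(ingress) == "inside":
        return ISR_OUTSIDE_ADDR
    return ipaddress.ip_address(src)


def reply_interface(dst):
    """Longest-prefix match on the broadband router's route table."""
    matches = [(net, ifc) for net, ifc in BROADBAND_ROUTES if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(src, ingress):
    """Return (source seen by broadband router, interface its reply uses)."""
    seen = source_seen_by_broadband(src, ingress)
    return str(seen), reply_interface(seen)


if __name__ == "__main__":
    # Constructed sample hosts: a remote-site PC and an HQ PC.
    for label, src, ingress in [
        ("remote-site PC", "10.7.1.50", "Gi0/0/0.1"),
        ("HQ PC via MPLS", "10.1.1.50", "Gi0/0/1"),
    ]:
        seen, out = trace(src, ingress)
        print(f"{label}: broadband router sees {seen}, replies via {out}")
```

Under these assumptions the remote-site PC appears as 10.77.3.2 and is answered on the LAN side, while the HQ PC keeps its own address and the reply follows the default route toward the ISP.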