Allow NATed internal servers to talk to each other on the inside

fjamieson1
Level 1

I have two servers that need to be able to talk to each other on the LAN (ports 8880 and 8881) as well as be reachable from the internet.

NAT is configured and working ... for the most part... The servers can reach the internet and be reached from the internet.

Internet -> Cisco 4351 -> Netgear Switch -> Server1
                                         -> Server2

Added to this... they can both ping each other's internal and external IP addresses. But I cannot ping the outside IP address from my desktop.

My current configuration involves NAT-On-A-Stick.  But it is not working.

The issue appears to be NAT... the servers' internal IP addresses are getting NATed regardless of any rules.

ip nat inside source static 192.168.1.x2 96.10.xx.x2
ip nat inside source static 192.168.1.x4 96.10.xx.x4

ip access-list extended NAT_stick
permit ip host 192.168.1.x2 host 96.10.xx.xx4
permit ip host 192.168.1.x4 host 96.10.xx.xx2

route-map NAT_stick permit 10
match ip address NAT_stick
set interface Loopback0

interface GigabitEthernet0/0/1.1
ip nat inside
ip policy route-map NAT_stick

interface Loopback0
ip address 10.10.10.1 255.255.255.0
ip nat outside

Any suggestions would be greatly appreciated.
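Added example, not part of the original post and not Cisco code: a small Python model of the IOS NAT order of operations (inside-to-outside: route first, then translate the inside source; outside-to-inside: translate the destination first, then route) applied to the configuration above, with the policy-route hop to Loopback0 modeled as an outside interface. The addresses 192.168.1.2/192.168.1.4 and 96.10.0.2/96.10.0.4 are placeholders assumed in place of the redacted x2/x4 addresses; the desktop address 192.168.1.174 is taken from the route output later in the thread. The model shows that the hairpinned server-to-server flow is translated symmetrically only when the NAT_stick access list carries both directions, and that a host not matched by the access list never reaches the outside-to-inside translation at all. What the real router does afterward with such an untranslated packet (proxy ARP, drop) is not modeled.

```python
"""Toy model of Cisco IOS NAT-on-a-stick as configured in the post.

Assumptions (not from the page): placeholder addresses 192.168.1.2 -> 96.10.0.2
and 192.168.1.4 -> 96.10.0.4 stand in for the redacted x2/x4 addresses.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")          # Gi0/0/1.1, ip nat inside

# ip nat inside source static <local> <global>
STATIC = {
    "192.168.1.2": "96.10.0.2",
    "192.168.1.4": "96.10.0.4",
}
STATIC_REV = {g: l for l, g in STATIC.items()}

# ip access-list extended NAT_stick: permit ip host <src> host <dst>
PBR_ACL = {
    ("192.168.1.2", "96.10.0.4"),
    ("192.168.1.4", "96.10.0.2"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def inside_to_outside(p: Packet) -> Packet:
    """Inside -> outside direction: inside-local source becomes inside-global."""
    return replace(p, src=STATIC.get(p.src, p.src))


def outside_to_inside(p: Packet) -> Packet:
    """Outside -> inside direction: inside-global destination becomes inside-local."""
    return replace(p, dst=STATIC_REV.get(p.dst, p.dst))


def route(dst: str) -> str:
    """Routing table with only the connected LAN and a default toward the WAN."""
    return "Gi0/0/1.1 (LAN)" if ip_address(dst) in LAN else "Gi0/0/0 (WAN)"


def forward_from_lan(p: Packet, acl=PBR_ACL):
    """Process a packet received on the inside interface; return (packet, egress, trace)."""
    trace = []
    if (p.src, p.dst) in acl:
        # Policy-routed to Loopback0 (ip nat outside): the packet is treated as
        # leaving an outside interface (src translated) and then as arriving
        # from an outside interface (dst translated) before the real route lookup.
        trace.append("PBR -> Loopback0")
        p = inside_to_outside(p)
        trace.append(f"inside->outside src={p.src}")
        p = outside_to_inside(p)
        trace.append(f"outside->inside dst={p.dst}")
        egress = route(p.dst)
    else:
        # No PBR match: ordinary route lookup, then inside->outside translation
        # only if the packet is leaving through the outside interface.
        egress = route(p.dst)
        if "WAN" in egress:
            p = inside_to_outside(p)
        trace.append("no PBR match; normal routing")
    trace.append(f"egress {egress}")
    return p, egress, trace


def hairpin_is_symmetric(local_a: str, local_b: str, acl=PBR_ACL) -> bool:
    """True if A -> B's public address and B's reply both hairpin back onto the LAN
    with consistent translations, i.e. the conversation can complete."""
    out, eg1, _ = forward_from_lan(Packet(local_a, STATIC[local_b]), acl)
    back, eg2, _ = forward_from_lan(Packet(out.dst, out.src), acl)
    return (
        out == Packet(STATIC[local_a], local_b) and "LAN" in eg1
        and back == Packet(STATIC[local_b], local_a) and "LAN" in eg2
    )


if __name__ == "__main__":
    flows = [
        Packet("192.168.1.2", "96.10.0.4"),     # server1 -> server2 public
        Packet("192.168.1.4", "96.10.0.2"),     # server2 reply to server1 public
        Packet("192.168.1.174", "96.10.0.2"),   # desktop -> server1 public
    ]
    for f in flows:
        pkt, egress, trace = forward_from_lan(f)
        print(f"{f.src} -> {f.dst}: {pkt.src} -> {pkt.dst} via {egress}  [{'; '.join(trace)}]")
    print("both ACL lines:", hairpin_is_symmetric("192.168.1.2", "192.168.1.4"))
    one_way = {("192.168.1.2", "96.10.0.4")}
    print("reverse line missing:", hairpin_is_symmetric("192.168.1.2", "192.168.1.4", one_way))
```

Running it shows the two server flows landing back on the LAN with the peer's public address as source, the desktop flow leaving toward the WAN with both addresses untranslated, and the symmetry check failing as soon as the second `permit` line is dropped from the access list.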

3 Replies

Pawan Raut
Level 4

It looks like you are facing an asymmetric NAT issue. Generally the external IP is used for accessing the server from an external network or the internet; I am not sure why you want to access the external IP of the server from a local machine.

Are your server's internal IP and your machine's IP in the same VLAN or subnet?

Can you give me the sh ip route <your machine IP address> and sh ip route <your server internal IP address> output from the router?

Thanks for responding.  Being able to ping the external IP address from my desktop is not really an issue.  The big problem is that the servers cannot communicate with each other over the management ports they use (8880 and 8881).

My desktop and servers are all in the same network/VLAN

Here is the output you requested.

trunetrtr#sh ip route 192.168.1.174
Routing entry for 192.168.1.0/24
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via GigabitEthernet0/0/1.1
Route metric is 0, traffic share count is 1
trunetrtr#sh ip route 192.168.1.54
Routing entry for 192.168.1.0/24
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via GigabitEthernet0/0/1.1
Route metric is 0, traffic share count is 1
trunetrtr#

That is what I was suspecting: your server and desktop are both in the same subnet, which is why it causes an asymmetric NAT issue. You will not be able to ping the server's NAT (external) IP from the desktop, but you should be able to ping the internal IP from the desktop.

Second, as both servers are in the same VLAN/subnet, they should be able to ping each other using the internal IP addresses and communicate with each other using the services you have enabled on each server. As both the source and destination hosts (in this case the servers) are in the same VLAN, no ACL or NAT would affect them when they communicate with each other using the internal IP addresses.

Please check that both servers can communicate with each other using the internal IP addresses, as they are both in the same VLAN/subnet.

Please rate the post if you find the content in post as useful.

Regards,

Pawan (CCIE #52104)
