Backwards NAT or Reverse NAT

Jonathan Nali
Level 1

Hi Everyone,

 

I am 100% sure I did not phrase the question correctly, but please allow me to explain.

I have connected two branches together. i.e. HQ and branch. Branch can use and receive internet through some ACLs defined on the Cisco router.

 

The problem is that HQ (10.10.1.0/24) cannot reach (ping) the LAN of the branch (192.168.8.0/24); it can only go as far as the LAN interface of the router, which is 192.168.8.3.

 

I am assuming that I am supposed to do some reverse NAT ACL on the LAN interface that says: deny all traffic coming from 10.10.1.0/24 to reach 192.168.8.0, a.k.a. do not NAT. Although, I understand that this interface is NAT inside, not outside, so this is where I am confused. Please help.
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Internet
ip address 192.168.124.6 255.255.255.252
ip helper-address 192.168.124.6
ip directed-broadcast
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip dhcp relay information option-insert
ip address 192.168.8.3 255.255.255.0
ip helper-address 192.168.8.3
ip directed-broadcast
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip forward-protocol udp talk
!
no ip http server
no ip http secure-server
!
ip nat inside source list 111 interface GigabitEthernet0/0 overload
ip nat inside source list 112 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.124.5
ip route 192.168.8.0 255.255.255.0 192.168.8.1
ip route 192.168.124.0 255.255.255.252 192.168.124.5
ip route 192.168.124.0 255.255.255.252 192.168.124.2 254
ip route 192.168.124.4 255.255.255.252 192.168.124.5
!
access-list 111 deny ip 192.168.8.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 111 deny ip 192.168.8.0 0.0.0.255 192.168.124.0 0.0.0.3
access-list 111 permit ip 192.168.8.0 0.0.0.255 any
!
Nali

 

12 Replies

How does the HQ connect to the Branch?

Hi @MHM Cisco World,

HQ is connected to the branch via the VLAN created by the ISP. So it passes through the internet and enters the Cisco router at the branch.

 

Nali

I think the NAT config does not work here;

you need to configure routing between HQ and Branch.

Hello,

 

--> HQ is connected to the branch via the VLAN created by the ISP. So it passes through the internet and enter the Cisco router at the branch

 

This is difficult to understand.. Post a schematic drawing of your topology showing what is connected to what, and how.

(attached image: pastedimage1602082061689v1 (2).png, the topology diagram)

Hi @Georg Pauwen,

 

I hope this image will be helpful.

The 10.10.1.1 is a Sophos firewall. I had connectivity between the two branches before I started NATing on the Cisco router at the branch office.

After the NATing, only the branch office can reach the internal resources of HQ LAN 10.10.1.0 but HQ cannot reach branch LAN.

This happened after I did NAT outside and inside and then did the access lists.


I hope this clarifies the problem.

Nali

Hello

"This happened after I did NAT outside and inside and then did the access lists."
This is expected: when you've applied NAT, you have hidden 192.168.8.x from the HQ. That's what NAT is designed to do. So can you elaborate on the reason you're applying NAT to a network that was reachable before?

Also
ip route 192.168.8.0 255.255.255.0 192.168.8.1 <--- not required, as the rtr has a connected interface to this subnet

 

Why do you have specific routes to differing next-hops for a connected interface?
ip route 192.168.124.0 255.255.255.252 192.168.124.5
ip route 192.168.124.0 255.255.255.252 192.168.124.2 254 <--- this takes precedence over the default route, so where does .254 reside?
ip route 192.168.124.4 255.255.255.252 192.168.124.5 <--- your default takes care of this route


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
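To make the NAT behaviour discussed above concrete, here is an added illustration (not code from the thread or from Cisco) of how IOS applies an `ip nat inside source list` ACL. It reproduces access-list 111 from the posted config and runs constructed sample flows through a simplified model of the NAT process: the ACL is consulted only for packets going from an `ip nat inside` interface to an `ip nat outside` one, a `deny` in that ACL means "route untranslated" rather than "drop", and packets arriving on the outside interface are only matched against existing translations. Port allocation, timeouts and TCP state tracking are simplified assumptions of this model, not IOS behaviour.

```python
"""Model of a Cisco IOS 'ip nat inside source list ... overload' decision.

Added illustration, not the router's code. access-list 111 and the Gi0/0
address are taken from the posted config; flows and the port allocator
are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "<network> <wildcard>" or "any"
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if wildcard_match(src, entry.src) and wildcard_match(dst, entry.dst):
            return entry.action
    return "deny"


# access-list 111 exactly as posted: traffic to HQ and to the ISP /30 is
# exempted from translation, everything else from the branch LAN is PAT'd.
ACL_111 = [
    AclEntry("deny",   "192.168.8.0 0.0.0.255", "10.10.1.0 0.0.0.255"),
    AclEntry("deny",   "192.168.8.0 0.0.0.255", "192.168.124.0 0.0.0.3"),
    AclEntry("permit", "192.168.8.0 0.0.0.255", "any"),
]

INSIDE_GLOBAL = "192.168.124.6"   # Gi0/0, the 'interface ... overload' address


class NatTable:
    """PAT state: (inside_global, global_port) -> (inside_local, local_port)."""

    def __init__(self):
        self.entries = {}
        self._next_port = 1024   # constructed allocator; IOS chooses its own

    def inside_to_outside(self, src, sport, dst, dport):
        """Packet entered an 'ip nat inside' interface, exits 'ip nat outside'."""
        if acl_action(ACL_111, src, dst) == "permit":
            gport = self._next_port
            self._next_port += 1
            self.entries[(INSIDE_GLOBAL, gport)] = (src, sport)
            return (INSIDE_GLOBAL, gport, dst, dport, "translated")
        # 'deny' in a NAT ACL means 'do not translate'; the packet is still routed.
        return (src, sport, dst, dport, "exempt")

    def outside_to_inside(self, src, sport, dst, dport):
        """Packet entered 'ip nat outside'. The ACL is not consulted in this
        direction; only an existing translation can be reversed."""
        local = self.entries.get((dst, dport))
        if local is not None:
            return (src, sport, local[0], local[1], "untranslated")
        return (src, sport, dst, dport, "no entry, routed as-is")


if __name__ == "__main__":
    nat = NatTable()
    print(nat.inside_to_outside("192.168.8.10", 40000, "10.10.1.20", 443))
    print(nat.inside_to_outside("192.168.8.10", 40001, "8.8.8.8", 53))
    print(nat.outside_to_inside("10.10.1.20", 443, "192.168.8.10", 40000))
```

Running it shows a branch host talking to HQ leaving with its real 192.168.8.x address (the first `deny` entry), a branch host talking to the internet being PAT'd behind 192.168.124.6, and a packet from HQ to a branch host arriving on Gi0/0 finding no translation and being handed to the routing table unchanged. The model covers only the NAT step on this router, not the rest of the path between HQ and the branch hosts.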

Hi @paul driver,

 

The reason is this:

the same port G0/0 is used for both internet and data. That means the LAN behind G0/1 must be able to reach the LAN on the other side as well as the internet.

 

As for the routes, should I remove the routes you have advised?

 

Nali

Hello
As you're missing this in your topology, can you confirm how gig0/0 of that router connects?

It seems that from that outside interface you have split routing, one path upstream towards the internet and another east-west towards your HQ. Would this be correct, and if so, is the east-west traffic a VPLS connection by any chance?



Kind Regards
Paul

Hi,

 

I hope I can answer your question properly.

Our branches have a connection to the ISP via fiber.

The fiber connects to the router via a converter. That's on both sides. 

So, at HQ, from the converter we have an ethernet cable going from the converter to my Firewall.

At Branch, the ethernet goes from the converter to the Cisco router gig0/0

This is an MPLS connection.

So there is a VLAN connection that joins HQ through the ISP and then the branch.

The LAN at HQ, 10.10.1.0/24, goes through the VLAN via 192.168.124.2 and reaches the branch on gig0/0, 192.168.124.6.

I hope that clarifies things.

>>

Also
ip route 192.168.8.0 255.255.255.0 192.168.8.1 <--- not required, as the rtr has a connected interface to this subnet

Why do you have specific routes to differing next-hops for a connected interface?
ip route 192.168.124.0 255.255.255.252 192.168.124.5
ip route 192.168.124.0 255.255.255.252 192.168.124.2 254 <--- this takes precedence over the default route, so where does .254 reside?
ip route 192.168.124.4 255.255.255.252 192.168.124.5 <--- your default takes care of this route

<<

 

I added that route because there is a WiFi router, 192.168.8.1, that supplies DHCP to that LAN. I wanted a smooth transition, so I gave my interface 192.168.8.3 and put static routes on 192.168.8.1 leading back to the Cisco router. I did this because I intend to remove the 192.168.8.1.

 

The networks 124.4 and 124.0 are different networks because of their subnets, i.e. /30.

So the link goes like this.

HQ -192.168.124.2

ISP GW: 192.168.124.1
GW:192.168.124.5
Cisco Int: 192.168.124.6


So the reason I put a distance of 254 was to tell the router that it needs to skip the first two next hops, if that makes sense.

Nali
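Since the exchange above turns on what the `254` at the end of a static route does, here is an added illustration (not code from the thread or from Cisco) modelling how IOS selects among the static and connected routes in the posted config. The model applies the two rules that matter here: for a given prefix, only the candidate with the lowest administrative distance is installed (connected = 0, static = 1 unless an explicit distance is given, so an AD 254 static is a floating backup that is installed only when every better candidate for the same prefix is gone); and forwarding picks the longest installed prefix that contains the destination. Administrative distance ranks candidates for the same prefix; it is not a hop count and does not skip next hops. The egress interface attached to each candidate and the withdrawal mechanism are simplifications assumed by the model.

```python
"""Model of IOS route installation and lookup for the posted static routes.

Added illustration, not the router's code. Prefixes and next hops are the
ones in the posted config; 'interface' is the assumed egress for each route.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    prefix: str       # e.g. "192.168.124.0/30"
    next_hop: str     # next-hop IP, or "connected"
    distance: int     # administrative distance (connected 0, static 1 by default)
    interface: str    # assumed egress interface


# Routes implied by the posted config: two connected subnets plus the
# five 'ip route' statements.
POSTED = [
    Candidate("192.168.124.4/30", "connected",      0,   "Gi0/0"),
    Candidate("192.168.8.0/24",   "connected",      0,   "Gi0/1"),
    Candidate("0.0.0.0/0",        "192.168.124.5",  1,   "Gi0/0"),
    Candidate("192.168.8.0/24",   "192.168.8.1",    1,   "Gi0/1"),
    Candidate("192.168.124.0/30", "192.168.124.5",  1,   "Gi0/0"),
    Candidate("192.168.124.0/30", "192.168.124.2",  254, "Gi0/0"),
    Candidate("192.168.124.4/30", "192.168.124.5",  1,   "Gi0/0"),
]


def build_rib(candidates, withdrawn=frozenset()):
    """Install, per prefix, the candidate with the lowest administrative
    distance. 'withdrawn' holds candidates that are currently unusable
    (for the example: a next hop that has become unreachable)."""
    rib = {}
    for c in candidates:
        if c in withdrawn:
            continue
        net = ipaddress.ip_network(c.prefix)
        best = rib.get(net)
        if best is None or c.distance < best.distance:
            rib[net] = c
    return rib


def lookup(rib, dst):
    """Longest-prefix match over the installed routes; None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda net: net.prefixlen)]


def describe(rib, dst):
    """Human-readable form of the chosen route, for the demo below."""
    r = lookup(rib, dst)
    return "no route" if r is None else f"{r.prefix} via {r.next_hop} [AD {r.distance}]"


if __name__ == "__main__":
    rib = build_rib(POSTED)
    for dst in ("192.168.8.50", "192.168.124.5", "192.168.124.2", "10.10.1.20"):
        print(dst, "->", describe(rib, dst))
    # Withdraw the AD 1 route to 192.168.124.0/30: only now is the AD 254
    # floating static installed.
    primary = POSTED[4]
    print("after withdrawal:", describe(build_rib(POSTED, {primary}), "192.168.124.2"))
```

With every candidate usable, the connected routes win for both 192.168.8.0/24 and 192.168.124.4/30 (so the statics pointing at 192.168.8.1 and 192.168.124.5 for those subnets are never installed), 192.168.124.2 is reached through the AD 1 route to 192.168.124.0/30 because the /30 is longer than the default, and 10.10.1.0/24 falls through to the default route. The AD 254 entry appears in the table only after the AD 1 route to the same /30 is withdrawn.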

Hello,

 

thanks for the update. Is the IP address of GigabitEthernet0/0 the real IP address?

 

interface GigabitEthernet0/0
description Internet
ip address 192.168.124.6 255.255.255.252

Hi @Georg Pauwen,

 

Yes that is the correct IP address.
