10-15-2020 07:36 AM
Hi Everyone,
I am 100% sure I did not phrase the question correctly, but please allow me to explain.
I have connected two branches together, i.e. HQ and branch. The branch can use and receive internet through some ACLs defined on the Cisco router.
The problem is HQ (10.10.1.0/24) cannot reach (ping) the LAN of the branch (192.168.8.0/24); it can only go as far as the LAN interface of the router, which is 192.168.8.3.
I am assuming that I am supposed to do some reverse NAT ACL on the LAN interface that says: deny all traffic coming from 10.10.1.0/24 to reach 192.168.8.0, a.k.a. do not NAT. However, I understand that this interface is NAT inside, not outside, so this is where I am confused. Please help.
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Internet
ip address 192.168.124.6 255.255.255.252
ip helper-address 192.168.124.6
ip directed-broadcast
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip dhcp relay information option-insert
ip address 192.168.8.3 255.255.255.0
ip helper-address 192.168.8.3
ip directed-broadcast
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip forward-protocol udp talk
!
no ip http server
no ip http secure-server
!
ip nat inside source list 111 interface GigabitEthernet0/0 overload
ip nat inside source list 112 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.124.5
ip route 192.168.8.0 255.255.255.0 192.168.8.1
ip route 192.168.124.0 255.255.255.252 192.168.124.5
ip route 192.168.124.0 255.255.255.252 192.168.124.2 254
ip route 192.168.124.4 255.255.255.252 192.168.124.5
!
access-list 111 deny ip 192.168.8.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 111 deny ip 192.168.8.0 0.0.0.255 192.168.124.0 0.0.0.3
access-list 111 permit ip 192.168.8.0 0.0.0.255 any
!
Nali
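To see exactly which flows the posted "ip nat inside source list 111 interface GigabitEthernet0/0 overload" rule would translate, here is a small evaluator for Cisco-style extended ACLs. It is an added example, not code from the thread or from Cisco: the three access-list 111 lines are copied from the config above, the sample flows and the host addresses 192.168.8.50, 10.10.1.20 and 203.0.113.10 are constructed. Note that the second deny line, with wildcard 0.0.0.3, matches 192.168.124.0 through 192.168.124.3 only, and that the ACL is consulted for inside-to-outside packets; a flow HQ initiates toward the branch arrives outside-to-inside and is only checked against the existing translation table.

```python
# Added example, not part of the thread: a minimal evaluator for Cisco-style
# numbered extended ACLs (source/destination with wildcard mask, "any", "host"),
# used to see which flows the rule "ip nat inside source list 111 ..." from the
# posted config would translate. The ACL lines are copied from the post; the
# sample flows are constructed.
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]; return ((base, wildcard), next_index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        action = tokens[2]
        src, i = _take_addr(tokens, 4)
        dst, _ = _take_addr(tokens, i)
        entries.append((action, src, dst))
    return entries


def nat_decision(acl, src, dst):
    """First matching entry wins: permit = translate, deny or no match = untranslated.

    Only consulted for packets leaving inside -> outside; a flow that HQ
    initiates toward the branch arrives outside -> inside and is matched
    against the existing translation table instead of this ACL.
    """
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return "translate" if action == "permit" else "no-nat"
    return "no-nat"  # implicit deny at the end of every Cisco ACL


# Copied from the posted config.
ACL_111 = [
    "access-list 111 deny ip 192.168.8.0 0.0.0.255 10.10.1.0 0.0.0.255",
    "access-list 111 deny ip 192.168.8.0 0.0.0.255 192.168.124.0 0.0.0.3",
    "access-list 111 permit ip 192.168.8.0 0.0.0.255 any",
]

# Constructed sample flows from a branch host (192.168.8.50) and an HQ host.
SAMPLE_FLOWS = [
    ("192.168.8.50", "10.10.1.20"),     # branch -> HQ LAN
    ("192.168.8.50", "192.168.124.2"),  # branch -> HQ side of the ISP VLAN
    ("192.168.8.50", "192.168.124.5"),  # branch -> ISP gateway on the .4/30 link
    ("192.168.8.50", "203.0.113.10"),   # branch -> internet (TEST-NET-3 address)
    ("10.10.1.20", "192.168.8.50"),     # HQ -> branch: no entry covers this direction
]


def evaluate_flows(acl_lines=ACL_111, flows=SAMPLE_FLOWS):
    """Return {(src, dst): verdict} for each sample flow."""
    acl = parse_acl(acl_lines)
    return {(s, d): nat_decision(acl, s, d) for s, d in flows}


if __name__ == "__main__":
    for (s, d), verdict in evaluate_flows().items():
        print(f"{s:>14} -> {d:<15} {verdict}")
```

Running it shows branch-to-HQ and branch-to-192.168.124.2 traffic left untranslated, while branch-to-internet and branch-to-192.168.124.5 traffic is translated to the Gi0/0 address.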
10-15-2020 08:04 AM
How does the HQ connect to the Branch?
10-15-2020 08:19 AM - edited 10-15-2020 08:20 AM
Hi @MHM Cisco World ,
HQ is connected to the branch via the VLAN created by the ISP. So it passes through the internet and enters the Cisco router at the branch.
Nali
10-15-2020 12:57 PM
I think the NAT config does not work here;
you need to configure routing between HQ and Branch.
10-15-2020 01:17 PM
Hello,
--> HQ is connected to the branch via the VLAN created by the ISP. So it passes through the internet and enters the Cisco router at the branch.
This is difficult to understand. Post a schematic drawing of your topology showing what is connected to what, and how.
10-15-2020 11:57 PM
Hi @Georg Pauwen ,
I hope this image will be helpful.
The 10.10.1.1 is a Sophos firewall. I had connectivity between the two branches before I started NATing on the Cisco router at the branch office.
After the NATing, only the branch office can reach the internal resources of HQ LAN 10.10.1.0 but HQ cannot reach branch LAN.
This happened after I did NAT outside and inside and then did the access lists.
I hope this clarifies the problem.
Nali
10-16-2020 12:20 AM - edited 10-16-2020 12:22 AM
Hello
"This happened after I did NAT outside and inside and the did the access lists."
This is expected, as when you've applied NAT you have hidden 192.168.8.x from the HQ; that's what NAT is designed to do. So can you elaborate on the reason you're applying NAT to a network that was reachable before?
Also
ip route 192.168.8.0 255.255.255.0 192.168.8.1 <--- not required as the rtr has a connected interface to this subnet
Why do you have specific routes to differing next-hops for a connected interface?
ip route 192.168.124.0 255.255.255.252 192.168.124.5
ip route 192.168.124.0 255.255.255.252 192.168.124.2 254 <--- this takes precedence over the default route, so where does .254 reside?
ip route 192.168.124.4 255.255.255.252 192.168.124.5 <--- your default takes care of this route
10-16-2020 01:06 AM
Hi @paul driver ,
The reason is this,
the same port G0/0 is used for both internet and Data. That means the LAN after G0/1 must be able to reach the LAN on the other side as well as the internet.
As for the routes, should I remove the routes you have advised?
Nali
10-16-2020 01:16 AM - edited 10-16-2020 01:17 AM
Hello
As you're missing this in your topology, can you confirm how gig0/0 on that router connects?
It seems that from that outside interface you have split routing, one path upstream towards the internet and another east-west towards your HQ. Would this be correct, and if so, is the east-west traffic a VPLS connection by any chance?
10-16-2020 01:47 AM
Hi,
I hope I can answer your question properly.
Our branches have a connection to the ISP via fiber.
The fiber connects to the router via a converter. That's on both sides.
So, at HQ, from the converter we have an ethernet cable going from the converter to my Firewall.
At Branch, the ethernet goes from the converter to the Cisco router gig0/0
This is an MPLS connection.
So there is a VLAN connection that joins HQ through the ISP and then the branch.
The LAN at HQ, 10.10.1.0/24, goes through the VLAN via 192.168.124.2 and reaches the branch on gig0/0 192.168.124.6.
I hope that clarifies things.
10-16-2020 01:34 AM
>>
Also
ip route 192.168.8.0 255.255.255.0 192.168.8.1 <--- not required as the rtr has a connected interface to this subnet
Why do you have specific routes to differing next-hops for a connected interface?
ip route 192.168.124.0 255.255.255.252 192.168.124.5
ip route 192.168.124.0 255.255.255.252 192.168.124.2 254 <--- this takes precedence over the default route, so where does .254 reside?
ip route 192.168.124.4 255.255.255.252 192.168.124.5 <--- your default takes care of this route
<<
I added that route because there is a WiFi router 192.168.8.1 that supplies DHCP to that LAN. I wanted a smooth transition, so I gave my interface 192.168.8.3 and put static routes on 192.168.8.1 leading back to the Cisco router. I did this because I intend to remove the 192.168.8.1.
The networks 124.4 and 124.0 are different networks because of their subnets, i.e. /30.
So the link goes like this.
HQ -192.168.124.2
ISP GW: 192.168.124.1
GW:192.168.124.5
Cisco Int: 192.168.124.6
So the reason I put a distance of 254 was to tell the router that it needs to skip the first two next hops, if that makes sense.
Nali
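Both the comments on the static routes above and the explanation of the 254 distance come down to how a router chooses between the candidate routes in the posted config, so here is a toy model of that selection. It is an added example, not the thread's or Cisco's code: the route entries are taken from the interface addresses and "ip route" lines in the posted config (connected routes get distance 0, statics without an explicit distance get the IOS default of 1), the lookup destinations are constructed, and the model deliberately skips next-hop resolution and interface state. It shows the two stages in order: routes to the same prefix compete on administrative distance first, and only then does a packet pick the installed route with the longest matching prefix, so distance never decides between a /30 and the default route.

```python
# Added example, not part of the thread: a simplified model of IOS route
# selection using the connected and static routes from the posted config.
# Stage 1: among candidates for the SAME prefix, install the lowest
#          administrative distance (AD).
# Stage 2: forward a packet via the installed route with the longest matching
#          prefix. Next-hop reachability and interface state are not modelled.
import ipaddress

# (prefix, next hop or egress interface, administrative distance)
ROUTES = [
    ("192.168.124.4/30", "GigabitEthernet0/0", 0),  # connected: ip address 192.168.124.6/30
    ("192.168.8.0/24", "GigabitEthernet0/1", 0),    # connected: ip address 192.168.8.3/24
    ("0.0.0.0/0", "192.168.124.5", 1),              # ip route 0.0.0.0 0.0.0.0 192.168.124.5
    ("192.168.8.0/24", "192.168.8.1", 1),           # ip route 192.168.8.0 ... 192.168.8.1
    ("192.168.124.0/30", "192.168.124.5", 1),       # ip route 192.168.124.0 ... 192.168.124.5
    ("192.168.124.0/30", "192.168.124.2", 254),     # ip route 192.168.124.0 ... 192.168.124.2 254
    ("192.168.124.4/30", "192.168.124.5", 1),       # ip route 192.168.124.4 ... 192.168.124.5
]


def install(routes):
    """Stage 1: for each prefix keep only the candidate with the lowest AD."""
    best = {}
    for prefix, via, ad in routes:
        net = ipaddress.ip_network(prefix)
        if net not in best or ad < best[net][1]:
            best[net] = (via, ad)
    return best


def lookup(rib, dst):
    """Stage 2: longest-prefix match among installed routes.

    Returns (prefix, via, ad) or None when nothing matches.
    """
    addr = ipaddress.ip_address(dst)
    matches = [(net, via, ad) for net, (via, ad) in rib.items() if addr in net]
    if not matches:
        return None
    net, via, ad = max(matches, key=lambda m: m[0].prefixlen)
    return (str(net), via, ad)


def shadowed(routes):
    """Candidates that stay out of the table while a lower-AD route to the same prefix exists."""
    rib = install(routes)
    return [(p, via, ad) for p, via, ad in routes
            if rib[ipaddress.ip_network(p)] != (via, ad)]


if __name__ == "__main__":
    rib = install(ROUTES)
    # Constructed destinations: branch host, HQ side of the ISP VLAN,
    # ISP gateway on the router's own /30, and an internet address.
    for dst in ("192.168.8.50", "192.168.124.1", "192.168.124.5", "203.0.113.10"):
        print(f"{dst:<15} -> {lookup(rib, dst)}")
    print("never installed while their lower-AD twins exist:")
    for entry in shadowed(ROUTES):
        print("  ", entry)
```

With this table the static to 192.168.8.0/24 via 192.168.8.1 and the static to 192.168.124.4/30 via 192.168.124.5 lose to the connected routes (distance 0 beats 1), and the 254 entry for 192.168.124.0/30 sits behind the distance-1 entry for the same prefix; it would only be installed if that distance-1 route disappeared, which is what a floating static is for. An address on the .0/30 still picks that /30 over the default because prefix length is compared after the per-prefix winner is chosen.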
10-16-2020 12:46 AM
Hello,
thanks for the update. Is the IP address of the GigabitEthernet0/0 the real IP address ?
interface GigabitEthernet0/0
description Internet
ip address 192.168.124.6 255.255.255.252
10-16-2020 01:21 AM