Cisco Router Behind existing router need help with no nat

mrmadgig
Level 1

Hello everyone,

It's been a while since I worked on a Cisco box and I need a refresher.

I am just trying to practice again after being away for a year. I thought that I wouldn't forget this but I guess I did.

I have a Cisco 891 and a C1111-4P (lab units).

I can easily route these devices with a NAT config, but I thought that once upon a time in my lab I tried to do LAN to WAN on private subnets with no NAT.

I wanted to test by placing the routers (one or the other, not both at the same time) behind the current network and NOT do NAT.

I cannot seem to get this to work. I googled this for a while and didn't find a solution.

If I have a private address on one WAN interface and a private address on the LAN interface, they are directly connected, so why wouldn't they route out?

Static route is there

No need for ip nat inside source list ....

Is there an example for this anywhere? 

Route map needed?

Simple config it seems but no joy here.

Thanks for any guidance.

Joseph

@mrmadgig 

NAT is not a requirement. A router must pass traffic from one interface to another just by giving them IP addresses. I did not picture your topology; maybe you could explain better how it looks.

Hi Flavio,
Thanks for the reply. I agree. That’s what is throwing me. I will get more info for you when I get back. Thanks again.

Hello


@mrmadgig wrote:

I thought that once upon a time in my lab I tried to do LAN to WAN on private subnets with no NAT.

I wanted to test by placing the routers (one or the other, not both at the same time) behind the current network and NOT do NAT.

I cannot seem to get this to work. I googled this for a while and didn't find a solution.

If I have a private address on one WAN interface and a private address on the LAN interface, they are directly connected, so why wouldn't they route out?



NAT is primarily used to "hide" a network. For example, if you had a WAN rtr with an internet-connecting WAN interface and your LAN subnets are in the RFC1918 non-publicly-routable private address range, then you WILL require NAT for your LAN traffic to access the internet (10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/16).

However, if all your traffic is routable (WAN/LAN), for example within a private enterprise network and not exposed to the internet, then you would not require NAT for your LAN traffic to be reachable throughout that network.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello Paul,

Thanks a lot.

Thanks for the reply. I do know about NAT and non-routable addresses. However, I didn't think I needed this on the second router, as I was assuming the ISP router would handle it. So I suppose this needs double NAT.

What I was chasing down was that I can remove the NAT and ping out to Google from source WAN GigabitEthernet8 10.10.111.140, but not from VLAN 1, and this is what clued me in to the need for NAT. I do realize NAT is NOT needed, and hence why I tried this.


The router that is connected to the internet

WAN 98.xxx.xxx.247 Obtained from ISP via DHCP

NATed of course

LAN 10.10.111.254/24 handing out DHCP

Router behind this ISP router below:


Gateway of last resort is 10.10.111.254 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.10.111.254
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.111.0/24 is directly connected, GigabitEthernet8
L 10.10.111.140/32 is directly connected, GigabitEthernet8
C 10.22.22.0/24 is directly connected, wlan-ap0
L 10.22.22.254/32 is directly connected, wlan-ap0
192.168.200.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.200.0/24 is directly connected, Vlan1
L 192.168.200.254/32 is directly connected, Vlan1


Interface IP-Address OK? Method Status Protocol
Async3 unassigned YES unset down down
BRI0 unassigned YES NVRAM administratively down down
BRI0:1 unassigned YES unset administratively down down
BRI0:2 unassigned YES unset administratively down down
FastEthernet0 unassigned YES NVRAM administratively down down
GigabitEthernet0 unassigned YES unset down down
GigabitEthernet1 unassigned YES unset down down
GigabitEthernet2 unassigned YES unset down down
GigabitEthernet3 unassigned YES unset down down
GigabitEthernet4 unassigned YES unset down down
GigabitEthernet5 unassigned YES unset down down
GigabitEthernet6 unassigned YES unset down down
GigabitEthernet7 unassigned YES unset up up

GigabitEthernet8 10.10.111.140 YES DHCP up up<<<<<<<<This is the WAN connection to the upstream router that is connected to the Internet getting DHCP

NVI0 unassigned YES unset up up

Vlan1 192.168.200.254 YES NVRAM up up <<<<<<<<Created new subnet for this router to hand out to clients

Wlan-GigabitEthernet8 unassigned YES unset up up
wlan-ap0 10.22.22.254 YES NVRAM up up

 

 

Current configuration : 2531 bytes
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.200.254
!
ip dhcp pool SCOPE1
network 192.168.200.0 255.255.255.0
default-router 192.168.200.254
dns-server 8.8.8.8 1.1.1.1
lease 3
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891FW-A-K9 sn FJC2125L20D
!
!
!
redundancy
!
!
!
!
lldp run
!
!
!
!
!
!
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
ip address dhcp
ip nat outside <<<<<<<<<<<<<<<<<<<< If I remove the nat statements then I cannot get out.
ip virtual-reassembly in
duplex auto
speed auto
!
interface Wlan-GigabitEthernet8
no ip address
!
interface wlan-ap0
ip address 10.22.22.254 255.255.255.0
!
interface Vlan1
ip address 192.168.200.254 255.255.255.0
ip nat inside <<<<<<<<<<<<<<<<<<<< If I remove the nat statements then I cannot get out.
ip virtual-reassembly in
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 22 interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 10.10.111.254
!
ipv6 ioam timestamp
!
access-list 22 permit any
access-list 100 remark EXTERNAL WAN ACL
access-list 100 permit tcp any eq www any
access-list 100 permit tcp any eq 443 any
access-list 100 permit udp any eq domain any
access-list 100 permit udp any eq bootps any
access-list 100 permit udp any any eq ntp
access-list 100 deny ip any any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
exec-timeout 60 0
logging synchronous
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
stopbits 1
line 3
speed 115200
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000

Thanks for taking a peek.

Hello


@mrmadgig wrote:
If I remove the nat statements then I cannot get out.

You would be correct; by removing the NAT domains you would be negating internet access to VLAN 1 clients.
Your WAN rtr is ALREADY receiving a NATted address range, as such it has no knowledge of your newly created VLAN 1 subnet, so in essence you need to double NAT to allow VLAN 1 internet access.

May I suggest a few tweaks to the configuration you have posted?

conf t
! Replace the hard-coded next hop with one learned from the WAN DHCP lease
no ip route 0.0.0.0 0.0.0.0 10.10.111.254
! Remove the permit-any NAT ACL; it should match only the VLAN 1 subnet
no access-list 22 permit any
!
ip dhcp pool SCOPE1
 no dns-server 8.8.8.8 1.1.1.1
 import all
!
! Standard ACL syntax takes no "ip" keyword: source address and wildcard only
access-list 22 permit 192.168.200.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

Thanks for the clarification,

I had no problem with your suggestions thank you very much. I do appreciate that. 

This left me with a few questions.

  1. What made you decide to change the ip route statement, as it was being placed in by the DHCP server of the WAN?
  2. I don't think I remember ever using the DHCP keyword after the statement (I have used other keywords, not this one). Can you explain this one please? I think I have seen this on an interface for IP SLA before also.
  3. The same goes for the import all statement on the DHCP pool for subnet 192.168.200.0/24.

 


@paul driver wrote:

Hello

@mrmadgig wrote:
If I remove the nat statements then I cannot get out.

You would be correct; by removing the NAT domains you would be negating internet access to VLAN 1 clients.
Your WAN rtr is ALREADY receiving a NATted address range, as such it has no knowledge of your newly created VLAN 1 subnet, so in essence you need to double NAT to allow VLAN 1 internet access.


So let me ask something here...

  • Could I have inserted a static route into the Internet router for it to know about the VLAN 1 subnet?
  • So are you confirming this is the correct action, that NAT is needed?

 

Thank you very much for the help. I will address this shortly.

Joseph

 

Hello


@mrmadgig wrote:
  1. What made you decide to change the ip route statement, as it was being placed in by the DHCP server of the WAN?
  2. I don't think I remember ever using the DHCP keyword after the statement (I have used other keywords, not this one). Can you explain this one please? I think I have seen this on an interface for IP SLA before also.
  3. The same goes for the import all statement on the DHCP pool for subnet 192.168.200.0/24.


1 & 2
- It tells the router to use the default gateway assigned to the rtr, whatever that may be. It is also conditional, meaning as/when the rtr renews its IP address lease, that static default is removed from the route table of the rtr and re-added upon a successful renewal, so the rtr will always be using the correct DHCP-assigned D/G next hop from the ISP.

3 - import all - this again is a dynamic feature that will import the DHCP options from the assigning ISP DHCP server, thus it will always be valid.

 


@mrmadgig wrote:
  • Could I have inserted a static route into the Internet router for it to know about the VLAN 1 subnet?
  • So are you confirming this is the correct action, that NAT is needed?

Assigning a static route on the rtr for your VLAN 1 will make no difference; the upstream ISP rtr is performing NAT already, so it expects only to receive traffic from the address range it assigns to your rtr. All other traffic will be dropped as it doesn't know about it and no doubt will have no NAT policy to translate it.

 

If you do not wish to NAT yourself, you have 2 options.

- Extend the ISP WAN rtr's LAN interface (that's the port that your own rtr WAN interface is attaching to) by removing your rtr and attaching an L2 switch, so multiple clients can receive DHCP assignment from the ISP.

or

- Use your rtr as well: remove the DHCP scope and bridge the WAN/LAN ports so the DHCP-assigned IP range is extended to an L2 switch, which will again allow multiple clients to receive DHCP assignment from the ISP in either of the above.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
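As an added illustration (not part of the thread or of any Cisco code), the following Python simulation traces the forward and return path for the cases Paul describes in his two replies above: a packet sourced from the GigabitEthernet8 address, a packet sourced from VLAN 1 with and without the lab router's NAT, and the static route on the ISP router that Joseph asked about. Addresses come from the posted config; the ISP router's route table and NAT ACL are assumptions matching Paul's description of it.

```python
import ipaddress

# Addresses come from the posted configs. The upstream (ISP) router's tables
# are assumed, following Paul's description: it knows its own LAN and a
# default route, and only NATs the range it hands out on that LAN.
LAB_WAN_IP = "10.10.111.140"          # GigabitEthernet8, learned via DHCP
LAB_ROUTES = {"192.168.200.0/24": "connected", "10.10.111.0/24": "connected",
              "0.0.0.0/0": "10.10.111.254"}
UPSTREAM_ROUTES = {"10.10.111.0/24": "connected", "0.0.0.0/0": "isp-uplink"}
UPSTREAM_NAT_ACL = "10.10.111.0/24"   # what the ISP router will translate
LAB_NAT_ACL = "192.168.200.0/24"      # Paul's corrected access-list 22


def lookup(routes, dst):
    """Longest-prefix match over a {prefix: next_hop} table; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def in_net(ip, prefix):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)


def round_trip(src, dst="8.8.8.8", lab_nat=False, upstream_static=False):
    """Trace a packet from a lab-side source to dst and the reply back.

    lab_nat:         lab router runs 'ip nat inside source list 22 ... overload'.
    upstream_static: ISP router has a static route for 192.168.200.0/24 via
                     the lab router (the static route Joseph asks about).
    Returns (reaches_internet, reply_reaches_lab_router).
    """
    if lookup(LAB_ROUTES, dst) is None:
        return False, False
    # Lab-side PAT overload rewrites matching inside sources to the WAN address.
    wire_src = LAB_WAN_IP if lab_nat and in_net(src, LAB_NAT_ACL) else src
    # The ISP router translates only its own LAN range; anything else leaves
    # with an RFC1918 source and is dropped upstream (Paul's point).
    if not in_net(wire_src, UPSTREAM_NAT_ACL):
        return False, False
    upstream = dict(UPSTREAM_ROUTES)
    if upstream_static:
        upstream["192.168.200.0/24"] = LAB_WAN_IP
    # The reply is de-translated to wire_src and routed by the ISP router; it
    # gets back to the lab router only via its connected LAN or that static.
    return True, lookup(upstream, wire_src) in ("connected", LAB_WAN_IP)
```

Calling `round_trip("192.168.200.10")` reproduces Joseph's symptom (no reply for VLAN 1 hosts), `round_trip("10.10.111.140")` reproduces the working ping from GigabitEthernet8, and `upstream_static=True` alone still fails because the ISP router's NAT policy, not its route table, is the gate.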

Hi Paul,

Thank you,

Thanks for the clarity and explanation.
