
Connecting internal Private network to another local subnet

stdout (Level 1)

I currently have an internal domain with a non-routable IP address space. I need to allow another subnet to connect to this rack (everything is in one rack).

Unfortunately, I have not been given access to another router; instead, I have been given an IP address for an interface to connect to the other subnet, directly connected to a switch. I can ping everything from the router (internal and other subnet). And while I can ping from a device on the internal private network to the router's "external" IP address, I have not been able to get traffic to go outside of the router from the internal network.

The route to everything outside of the internal network should be 192.168.112.1

I am sure it's my own internal ACLs or configuration; however, I cannot even see traffic getting blocked on the router.

 

ACLs Prior to Change:

Extended IP access list 102
    10 deny ip any any log-input (1 match)
Extended IP access list CoPP_DEFAULT
    10 permit ip any any
Extended IP access list EGRESS_ACL
    10 deny udp any any eq 3544 log
    20 permit ip any any
Extended IP access list ICMP
    10 permit icmp any any
Extended IP access list INGRESS_ACL
    10 deny udp any any eq 3544 log
    20 permit ip host 192.168.1.134 any
    30 deny ip 192.168.1.0 0.0.0.255 any log
    40 permit ip any 192.168.1.0 0.0.0.255
    50 deny ip any any log
Extended IP access list SSH
    10 permit tcp any any eq 22


ACLs After Change:

Extended IP access list 102
    10 deny ip any any log-input (1 match)
Extended IP access list CoPP_DEFAULT
    10 permit ip any any
Extended IP access list EGRESS_ACL
    10 deny udp any any eq 3544 log
    20 permit ip any any (13 matches)
Extended IP access list ICMP
    10 permit icmp any any
Extended IP access list INGRESS_ACL
    10 deny udp any any eq 3544 log
    20 permit ip host 192.168.35.134 any
    25 permit ip host 10.22.114.243 any
    26 deny udp 10.22.112.0 0.0.3.255 eq netbios-ns netbios-dgm any (48 matches)
    27 permit udp any host 169.254.255.255 eq netbios-ns netbios-dgm log
    30 permit ip any 192.168.1.0 0.0.0.255
    35 deny udp 10.22.112.0 0.0.3.255 any eq 5355 8421 1947 5353 (791 matches)
    36 permit ip 10.22.112.0 0.0.3.255 any log (3 matches)
    40 deny ip 192.168.1.0 0.0.0.255 any log
    50 deny ip any any
Extended IP access list SSH
    10 permit tcp any any eq 22

Externally Facing Interface

interface GigabitEthernet0/0/2
 description "Outside Subnet"
 ip address 10.22.115.170 255.255.252.0
 no ip proxy-arp
 ip verify unicast source reachable-via rx 102
 ip access-group INGRESS_ACL in
 ip access-group EGRESS_ACL out
 load-interval 30
 negotiation auto
 service-policy output PRIORITIZE

Routes

Gateway of last resort is 10.22.112.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.112.1, GigabitEthernet0/0/2
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.22.112.0/22 is directly connected, GigabitEthernet0/0/2
L        10.22.115.170/32 is directly connected, GigabitEthernet0/0/2

Thanks... I'm lost
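An added set of checks, not part of the poster's message, for the three places on this ISR where internal-to-10.22 traffic can be dropped without an obvious ACL hit: the interface ACLs themselves, the strict uRPF check that "ip verify unicast source reachable-via rx 102" turns on for Gi0/0/2, and resolution of the default route's next hop. All commands are standard IOS-XE show commands; nothing here is output from the poster's router, and the interpretation in the comments is the editor's, based only on the configuration posted above.

```cisco
! 1. ACL hit counters. A "deny ... log" line in INGRESS_ACL / EGRESS_ACL that is
!    dropping the traffic increments its match count and emits a
!    %SEC-6-IPACCESSLOGP (tcp/udp) or %SEC-6-IPACCESSLOGDP (icmp) syslog line.
!    Counters are kept per ACE: if none of them move while you send test
!    traffic, the packets never reached that ACL at all.
show ip access-lists INGRESS_ACL
show ip access-lists EGRESS_ACL
show logging | include IPACCESSLOG

! 2. Strict uRPF on the outside interface. "ip verify unicast source
!    reachable-via rx 102" drops any packet arriving on Gi0/0/2 whose source
!    address would not be routed back out Gi0/0/2, unless ACL 102 permits it.
!    102 is "deny ip any any log-input", so failing packets are dropped and
!    logged together with the ingress MAC. That is a useful anti-spoofing
!    record (a packet with a 192.168.x source arriving from the 10.22 side
!    lands here), but these drops never show up in the interface ACL counters,
!    only in the RPF counter and in ACL 102's own matches.
show ip interface GigabitEthernet0/0/2 | include verify
show ip traffic | include RPF
show ip access-lists 102

! 3. Next-hop resolution. The posted routing table names 10.22.112.1 as the
!    gateway of last resort but shows the S* route via 192.168.112.1, which
!    looks like the same incomplete sanitizing the poster mentions later. On
!    the real box the next hop has to lie inside the connected 10.22.112.0/22
!    and have an ARP entry; otherwise the default route cannot forward any
!    packet that arrives from the inside, and nothing is logged.
show ip route 192.168.112.1
show ip cef 0.0.0.0/0 detail
show ip arp GigabitEthernet0/0/2
```

Run the three groups in that order while a host on the inside pings something in 10.22.112.0/22: a moving ACL counter points at a rule, a moving RPF counter points at asymmetric or spoofed sources, and an unresolved next hop means the problem is the route, not the ACLs.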

3 Accepted Solutions

Hello


I have not been able to get traffic to go outside of the router from the internal network.

The route to everything outside of the internal network should be 192.168.112.1


As you said, the internal subnet is not routable publicly; as such, you need Network Address Translation (NAT) to allow this to happen. Unfortunately, most switches don't support NAT, so you would need a RTR to perform this function.

Looking at your post, it seems the external interface gig0/0/2 is also not routable publicly, so wherever the NAT policy for your network resides is where you need to make changes to allow your internal network to access the internet.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


Let me address part of your post. You said 'And I might not understand the concept fully, but NAT (or PAT) only allows my private subnet to communicate OUT to the internet and allows a path back. It would not allow any unsolicited traffic in (like from the router on the other internal subnet). Is that not correct?...'  

I would focus on this part: allows my private subnet to communicate OUT to the internet 

NAT (or PAT) is not just for traffic to the Internet (though that is certainly the most common use). What I was suggesting was that if you forwarded traffic from your subnets to the remote private subnet, but that remote private subnet did not have routing information for your subnets that communication would fail. And I was suggesting that if you translated your traffic going to the remote private subnet that they would be able to respond to you. 

That would solve part of the problem - your ability to send traffic to the remote private subnet and receive responses. But it does not provide the ability of that remote private subnet to initiate traffic to you. If both sides need to be able to initiate traffic to the other side and receive responses then perhaps the other side needs to perform a similar NAT for traffic that they send to you. Or another possibility might be a routing protocol that would provide routing information for each side about the subnets available on the other side.

HTH

Rick


stdout (Level 1)

I think between all of these posts we have the answer:

  • I need a route from 10.22 network back to mine

OR

  • I need to NAT in order to be able to communicate out to the 10.22 network (again, I misspoke here saying internet) and have that traffic returned.

I can use NATing if I don't plan to go outside of the internal networks (192.168 & 10.22) but as you mentioned, this won't work for me since I need to be able to initiate traffic from the 10.22 network in to 192.168. Since I plan to use the other network to do the NATing out to the internet (if I decide to allow that) as well as use the DNS server on the OTHER network, I have to have the other engineer configure his router.

I sadly already knew this but couldn't get to that conclusion on my own. Thanks for the help, guys.
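Both options from the summary above and from Rick's explanation (a return route on the 10.22 side, or NAT on this ISR so the 10.22 side can reply without one), written out as an added IOS configuration example; none of it is from the thread. It assumes the internal subnet is 192.168.1.0/24 on GigabitEthernet0/0/1 (the thread never shows the inside interface; both the interface name and the prefix are assumptions taken from the INGRESS_ACL) and uses 10.22.112.1, the gateway of last resort in the posted routing table, as the next hop.

```cisco
! ---- Option A: PAT on the ISR4331 (hides 192.168.1.0/24 behind Gi0/0/2) ----
! The 10.22 side needs no route back, but it also cannot initiate sessions
! to 192.168.1.x; only replies to translated sessions get in.
ip access-list standard NAT_INSIDE
 permit 192.168.1.0 0.0.0.255
!
interface GigabitEthernet0/0/1
 description "Internal rack subnet (assumed interface and prefix)"
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/2
 ip nat outside
!
ip nat inside source list NAT_INSIDE interface GigabitEthernet0/0/2 overload
!
! Caveat: the inbound ACL on Gi0/0/2 is evaluated BEFORE outside-to-inside
! translation, so replies arrive addressed to 10.22.115.170, not to 192.168.1.x.
! "30 permit ip any 192.168.1.0 0.0.0.255" in the posted INGRESS_ACL therefore
! never matches them. Sequence numbers 28/29 are free in the posted ACL; the
! UDP line covers answers from the other side's DNS forwarders the poster
! intends to use.
ip access-list extended INGRESS_ACL
 28 permit tcp any host 10.22.115.170 established
 29 permit udp any eq domain host 10.22.115.170
!
! ---- Option B: plain routing, no NAT (lets 10.22 hosts initiate to 192.168.1.x) ----
! On this ISR the default route already points out Gi0/0/2:
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/2 10.22.112.1
!
! On the other engineer's router, the one that answers for 10.22.112.1, a route
! back to the rack subnet via this ISR's outside address is all that is missing:
ip route 192.168.1.0 255.255.255.0 10.22.115.170
!
! With option B the INGRESS_ACL is the only thing limiting what 10.22 can start.
! "36 permit ip 10.22.112.0 0.0.3.255 any log" in the posted ACL lets the whole
! /22 in; replace it with the specific hosts and ports that need access, e.g.
! the .243 management host the poster already permits on line 25.
!
! ---- Verification ----
! Option A: active translations and hit/miss counters on this ISR.
show ip nat translations
show ip nat statistics
! Option B: on the far router, confirm the return route is installed.
show ip route 192.168.1.0 255.255.255.0
```

Option A is the one-sided fix the poster can apply alone; option B is what the thread concludes is actually needed, because only a route on the 10.22 side lets that network initiate connections into 192.168.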

7 Replies


Looking at this from a slightly different perspective: From the truncated output of show ip route it appears that your internal network uses something in the 10.0.0.0 address space and that you have a static default route to send your traffic for external networks out interface G0/0/2. So your traffic will get to that external network. For communication to be successful that external network must be able to send responses to your network. How will that external network know how to reach your network(s) in 10.0.0.0? Have they configured static routes for your networks in 10.0.0.0? If not then I agree with @paul driver that NAT would be needed.

HTH

Rick

the 10.0.0.0 network is me just not "cleaning up" the IP info correctly. I will update the info above since it's all non-routable so it will make more sense...


Sorry, I might have been unclear in my original post. This device IS A ROUTER (ISR4331). Very few machines need to get to this internal network but I will eventually add a route to our other subnet (or the other Network guy will) so that things route in. With that said, I can get to this internal network from the machine ending in .243.

What I need to get working now is the ability to have the router use 192.168.112.1 as the next hop for anything outside of the internal network and it does not offer that to the internal devices.

I also need to have my internal DNS servers use the other subnet's DNS servers as the forwarder. Once that is done, internal devices will be able to access the other devices as well as the internet (the other network functions as such).

And I might not understand the concept fully, but NAT (or PAT) only allows my private subnet to communicate OUT to the internet and allows a path back. It would not allow any unsolicited traffic in (like from the router on the other internal subnet). Is that not correct?...


I am glad that our suggestions and explanations have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick