Enabling all internal devices to be reachable through NAT on cisco 861

alebleicker
Level 1

Hi guys,

I need to connect 10 branches to a datacenter using Cisco 861 routers because the Ethernet solution the provider gave us can't assign more than 32 MAC addresses for the whole network. So we have all our servers at the datacenter with a central firewall/router and all remote branches with a static route to this router. We would like to make all branches' local networks available through NAT or another better solution so network devices at the datacenter network can communicate with all local devices across all the branches.

I've tried to set up a dynamic NAT from outside to inside the network and it didn't work, set up static IP routes for both the datacenter and remote branches and that also didn't work, so I'm not sure if I'm approaching this issue with the right idea.

What kind of solution would you guys recommend in this situation?

I just would like to make the routers work in a transparent way, no blocking of anything, passing all traffic in and out of the network.

Regards,

Alex

7 Replies

Edison Ortiz
Hall of Fame

You should look into GETVPN or DMVPN with IPSec to circumvent the provider's limitation and allow transparency between locations.

Hi mate,

I didn't want to use any VPN related tool because this circuit is a private one, there is no "ISP", it is just a LAN circuit delivered to all branches, so I simply would like the router to accept all incoming traffic on the WAN port and forward it to the internal switch ports. Is it possible to achieve this with some sort of NAT?

Regards,

Alex

Based on your requirements, I doubt it.

Well, if I am not missing anything, it should be a routing question...

You don't need to use NAT, just configure static routes for each of the other site's internal networks in each of the 10 routers.

If you are in site 1 and the local net is 10.1.0.0/16, site 2 is 10.2.0.0/16, site 3 is 10.3.0.0/16 and so on,

site 1 router's wan address is 10.99.0.1, site 2 is 10.99.0.2 and so on,

your routing config in site 1 should look as:

! ip route takes a subnet mask (255.255.0.0 for a /16), not a wildcard mask
ip route 10.2.0.0 255.255.0.0 10.99.0.2
ip route 10.3.0.0 255.255.0.0 10.99.0.3
ip route 10.4.0.0 255.255.0.0 10.99.0.4
ip route 10.5.0.0 255.255.0.0 10.99.0.5
ip route 10.6.0.0 255.255.0.0 10.99.0.6
ip route 10.7.0.0 255.255.0.0 10.99.0.7
ip route 10.8.0.0 255.255.0.0 10.99.0.8
ip route 10.9.0.0 255.255.0.0 10.99.0.9
ip route 10.10.0.0 255.255.0.0 10.99.0.10

In the other sites just adapt to leave out the local network and create static routes for all the others.

If you want a more scalable solution, just implement something like OSPF and as you add new sites and routers, you won't need to change the config of every other router.
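The per-site route lists described in the answer above, generated and checked in Python; this is an added example, not code from any poster in the thread. It assumes the answer's illustrative addressing (LAN 10.N.0.0/16, WAN 10.99.0.N for sites 1 to 10); the function names are hypothetical, and `check_route` flags a wildcard-style value such as 0.0.255.255 in the mask field, which `ip route` expects to be a subnet mask.

```python
import ipaddress

SITES = range(1, 11)  # sites 1..10, per the answer's illustrative scheme


def lan(site):
    """LAN prefix for a site under the assumed scheme: 10.<site>.0.0/16."""
    return ipaddress.ip_network(f"10.{site}.0.0/16")


def wan(site):
    """Router WAN address under the assumed scheme: 10.99.0.<site>."""
    return ipaddress.ip_address(f"10.99.0.{site}")


def routes_for(local_site):
    """Static routes for one router: every other site's LAN via that site's WAN IP."""
    return [f"ip route {lan(s).network_address} {lan(s).netmask} {wan(s)}"
            for s in SITES if s != local_site]


def check_route(line):
    """Return None if 'ip route <prefix> <mask> <next-hop>' is consistent, else a reason."""
    parts = line.split()
    if len(parts) != 5 or parts[:2] != ["ip", "route"]:
        return "not an 'ip route <prefix> <mask> <next-hop>' line"
    try:
        prefix, mask, _hop = (ipaddress.IPv4Address(p) for p in parts[2:])
    except ValueError as exc:
        return f"bad address: {exc}"
    inverted = int(mask) ^ 0xFFFFFFFF
    # A subnet mask is ones followed by zeros, so its inverse is zeros followed
    # by ones, and inverse & (inverse + 1) is zero only in that case.
    if inverted & (inverted + 1):
        return f"{mask} is not a contiguous subnet mask"
    if int(prefix) & inverted:
        return f"{prefix} has host bits set under mask {mask}"
    return None


if __name__ == "__main__":
    for site in SITES:
        print(f"! site {site}")
        for route in routes_for(site):
            assert check_route(route) is None
            print(route)
```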

We tested static routes from another physical machine to the routers and no ping or access could be made to the internal network addresses on each branch, looks like the router is blocking it even though all security settings were disabled.

alebleicker
Level 1

Hi guys,

I was reading some stuff about VPLS, would it be possible to implement this with the Cisco 861 routers?

Thanks

Hello Alex,

No, VPLS is not supported on branch routers like C861.

You don't need NAT, you need to route between the branch routers and the central router so that fewer than 32 MAC addresses are seen in the provider network, that is, just those of the router LAN interfaces connected to the service.

From your description your WAN service is already a form of VPLS that you can use.

You just need to run a routing protocol over a common IP subnet mapped to the WAN service, where the central site router and all the branch routers are connected, each with a LAN interface, and you should be fine.

If you want to add encryption you can run DMVPN over it as already suggested by Edison.

Hope to help

Giuseppe
