02-08-2016 05:43 AM - edited 03-05-2019 03:17 AM
Hi All,
I am currently in the process of making a change to our network. We currently have a LAN which for all purposes is considered to be on a live public IP range and address space is very limited.
We have 20 branch offices that are connected via a 3rd-party-supplied MPLS. These branch offices must have the ability to access the public internet via the main site for specific services, and we obviously need to be able to connect back to these sites for various reasons. There is not any NAT'ing taking place on the MPLS network and this will not change due to the need for uptime etc. Due to the LAN being configured on a public range we implemented a SoHo WAN-type router in the form of a Cisco RV320, and this has worked fine. We want to shore this up by replacing this device with a Cisco 2901 router and eventually a pair utilising HSRP (HSRP is not part of this issue).
So the issue is: when I configure the 2901 to replace the RV320 and add the NAT statement ip nat inside source list 100 interface GigabitEthernet0/0 overload it does indeed NAT the connection outbound using PAT; however, I lose the ability to connect back to the branch offices, i.e. when I ping the branch the outside IF of the router replies. With the limitation of IPs on the 10.10.10.0/24 network I am unable to perform static NAT back to the branches, so I am kinda stuck. Can this be bidirectional NAT? Can I exclude the LAN client workstation from being NAT'd?
I can't understand why an £80 SoHo device can do this without any fuss but a much more reliable and expensive appliance cannot. As always, any help is greatly appreciated. Topology is attached. Basic config is below. Thanks
hostname RTR-01
clock set 14:12:00 10 feb 2005
int gi0/1
desc inside
ip address 192.168.254.254 255.255.255.0
ip nat inside
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.1.0 255.255.255.0 192.168.254.1
ip route 192.168.2.0 255.255.255.0 192.168.254.1
ip route 192.168.3.0 255.255.255.0 192.168.254.1
ip route 192.168.4.0 255.255.255.0 192.168.254.1
ip route 192.168.5.0 255.255.255.0 192.168.254.1
ip route 192.168.6.0 255.255.255.0 192.168.254.1
ip route 192.168.7.0 255.255.255.0 192.168.254.1
ip route 192.168.8.0 255.255.255.0 192.168.254.1
ip route 192.168.9.0 255.255.255.0 192.168.254.1
ip route 192.168.10.0 255.255.255.0 192.168.254.1
ip route 192.168.11.0 255.255.255.0 192.168.254.1
ip route 192.168.12.0 255.255.255.0 192.168.254.1
ip route 192.168.13.0 255.255.255.0 192.168.254.1
ip route 192.168.14.0 255.255.255.0 192.168.254.1
int gi0/0
desc outside
ip address 10.10.10.235 255.255.255.0
ip nat outside
ip nat inside source list 100 interface GigabitEthernet0/0 overload
access-list 100 permit ip any any
02-08-2016 07:28 AM
Is the 10.10.10.x addressing meant to represent the public IP addressing in use ?
What is the default gateway of the 10.10.10.x clients ?
I suspect it is not 10.10.10.235 in which case you are going to struggle to get this to work properly.
Jon
02-08-2016 07:32 AM
Hi, yes that is correct, the 10.10.10.x does indeed represent the live range. The DFG is 10.10.10.1, and LAN PCs have static route entries (as it is only admins that need access back to the branch) to the remote sites via the 10.10.10.235 router.
02-08-2016 08:23 AM
Okay, if the PCs are using static routes then you only need to NAT the remote branches when they go to the internet.
So modify your ACL for NAT on the router from permit ip any any to -
access-list 100 deny ip 192.168.0.0 0.0.15.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.15.255 any
Note the above range includes the subnets 192.168.0.0/24 to 192.168.15.0/24, which is slightly more than you are using, but it shouldn't matter.
You could also simplify your static routes, i.e. replace all the individual ones with -
ip route 192.168.0.0 255.255.240.0 192.168.254.1
Jon
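As an added example (this is not code from the thread, from Jon, or from Cisco), the Python below evaluates Cisco-style wildcard-mask ACLs the way IOS does (first match wins, implicit deny at the end) so the proposed NAT ACL can be checked against sample flows before the change is committed: a branch-to-internet flow should be translated, a branch-to-10.10.10.0/24 flow should not be, and an admin PC on 10.10.10.x reaching a branch should not be touched either. It also checks that the suggested 192.168.0.0/20 summary route covers the 14 branch subnets from the original config. The ACL entries and addresses are copied from the thread; the sample flows and the ORIGINAL_ACL / NAT_ACL names are constructed for this example.

```python
import ipaddress

# Constructed representation of the ACL Jon suggests, as (action, src, src-wildcard, dst, dst-wildcard).
# "any" is written as 0.0.0.0 255.255.255.255, exactly as IOS expands it.
NAT_ACL = [
    ("deny",   "192.168.0.0", "0.0.15.255", "10.10.10.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.15.255", "0.0.0.0",    "255.255.255.255"),
]

# Constructed representation of the original "access-list 100 permit ip any any".
ORIGINAL_ACL = [
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

# The 14 branch /24s from the original static routes (192.168.1.0 to 192.168.14.0).
BRANCHES = [f"192.168.{i}.0/24" for i in range(1, 15)]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First-match evaluation; an IOS ACL ends in an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def will_be_natted(src: str, dst: str, acl=NAT_ACL) -> bool:
    """For 'ip nat inside source list', a permit means the flow is translated."""
    return acl_action(acl, src, dst) == "permit"


def wildcard_to_network(base: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn base/wildcard into a prefix; only contiguous wildcards map to one prefix."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard} has no single prefix")
    return ipaddress.ip_network(f"{base}/{32 - w.bit_length()}", strict=False)


def summary_covers(summary: str, subnets) -> bool:
    """True if every subnet is contained in the summary route."""
    s = ipaddress.ip_network(summary)
    return all(ipaddress.ip_network(n).subnet_of(s) for n in subnets)


if __name__ == "__main__":
    # Constructed sample flows: branch host, LAN admin PC, internet host.
    flows = [
        ("192.168.3.10", "8.8.8.8"),        # branch -> internet: should be translated
        ("192.168.3.10", "10.10.10.50"),    # branch -> LAN PC: must keep its real source
        ("10.10.10.50",  "192.168.3.10"),   # admin PC -> branch: not an inside source
    ]
    for src, dst in flows:
        print(f"{src:>14} -> {dst:<14} original: {will_be_natted(src, dst, ORIGINAL_ACL)!s:5} "
              f"suggested: {will_be_natted(src, dst)}")
    print("wildcard 192.168.0.0 0.0.15.255 ==", wildcard_to_network("192.168.0.0", "0.0.15.255"))
    print("192.168.0.0/20 covers all branches:", summary_covers("192.168.0.0/20", BRANCHES))
```

The deny entry has to sit above the permit: with first-match evaluation, swapping the two lines would translate branch-to-LAN traffic again, which is exactly the symptom in the original post.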
02-08-2016 08:23 AM
OK, I think this should work. I will test in my lab and come back to you; thanks thus far for your assistance.