
How to enable NAT on a router and maintain two way communication

ramram
Level 1

Hi, 

I have a single 1841 router with two direct connected networks and I have configured NAT to allow the use of an internet gateway on both networks. 

 

I would like to allow local devices on both networks to communicate with each other after implementing NAT; however, devices on the NAT outside interface cannot telnet to devices on the NAT inside interface once I enable NAT.

 

The router config is below, if I remove the IP NAT inside/outside from the F0/0 and F0/1 interfaces then I have two way communication. 

As soon as I enter the NAT inside/outside commands I lose connection to the 10.243.1.0 network from 10.80.10.0.

 

Please could someone advise what is required here, do I need to add a static route from 10.80.10.0 to 10.243.1.0?

 

A traceroute from 10.80.1.xx shows that it reaches interface 10.80.10.135 and then times out.

 

Thanks, 

James 

 

(10.80.10.1 is the router I use for internet access)

version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

hostname R1

boot-start-marker
boot-end-marker

enable password xxxxx

no aaa new-model
ip source-route

ip cef
multilink bundle-name authenticated

license udi pid CISCO1841

interface FastEthernet0/0
ip address 10.80.10.135 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

interface FastEthernet0/1
ip address 10.243.1.15 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto

interface Serial0/0/0
no ip address
shutdown
clock rate 2000000

ip forward-protocol nd

no ip http server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.80.10.1

access-list 1 permit 10.243.1.0 0.0.0.255

control-plane

line con 0
line aux 0
line vty 0 4
password xxxxx
login

scheduler allocate 20000 1000
end
6 Replies

Seb Rupik
VIP Alumni

Hi there,

Try adding the following NAT command:

 

!
ip nat inside source static tcp <inside_telent_server_ip> 23 interface fa0/0 23 ext
!

Update <inside_telent_server_ip> with the correct inside address. Connecting to 10.80.10.135 TCP/23 will forward the traffic to the inside telnet server.

 

cheers,

Seb.

 

I can't seem to get this to work unfortunately, the 'ext' at the end provides invalid input so I tried ? in its place and it shows <cr>

I tried the command without ext and it doesn't work either.

 

Hello


@ramram wrote:

Hi, 

I have a single 1841 router with two direct connected networks and I have configured NAT to allow the use of an internet gateway on both networks.

Do you have users in the outside domain (10.80.130.0/24) as well as your internet router? If so, do you want connection to all hosts between the NAT domains (inside/outside)?

I assume the internet router is also performing NAT?

What device is the internet rtr and are you able to administer it?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul, 

In answer to your questions:


Do you have users in the outside domain (10.80.130.0/24) as well as your internet router? If so, do you want connection to all hosts between the NAT domains (inside/outside)?


Yes, there are users in the outside domain with the internet router and I would like connection possible between hosts in the nat domains.


I assume the internet router is also performing NAT?

What device is the internet rtr and are you able to administer it?

The internet router I think must be providing NAT because users in this outside domain can access the internet via the router. 

The internet router is a TP-Link router running OpenWRT and I do have admin access.

Many thanks, 

James 

Hello James
Thank you for those answers; they have made it much clearer to understand, and as such it sounds like you don't really need to have NAT on this router, as the TP-Link rtr is performing this function, unless you wish to hide the 10.243.1.0/24 subnet from the TP-Link users?

All you need to do is either apply some static or dynamic routing between each rtr and add the 10.243.1.0/24 subnet to the existing NAT rule of the TP-Link rtr for them to access the internet.

Example:

rtr
interface FastEthernet0/0
no ip nat outside
exit


interface FastEthernet0/1
no ip nat inside
exit

no ip nat inside source list 1 interface FastEthernet0/0 overload
no access-list 1 permit 10.243.1.0 0.0.0.255


tp_link rtr
ip route 10.243.1.0 255.255.255.0 10.80.10.135
Add a nat rule for 10.243.1.0/24

However if you do wish to hide 10.243.1.0/24 subnet from the TP-Link users then you would need nat, so can you please confirm?



Kind Regards
Paul

Hello,

 

What if you simply exclude the traffic between both networks from being natted?

 

ip nat inside source list 101 interface FastEthernet0/0 overload
!
access-list 101 deny ip 10.243.1.0 0.0.0.255 10.80.1.0 0.0.0.255
access-list 101 permit ip 10.243.1.0 0.0.0.255 any
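
Added example, not part of the thread: a small Python evaluator for the extended ACL in the reply above, showing which inside-sourced flows `ip nat inside source list 101` would select for translation (first match wins, implicit deny at the end). The host addresses are constructed; note that the posted router config puts FastEthernet0/0 on 10.80.10.0/24, while the ACL's deny line names 10.80.1.0. The parser is a sketch that handles only the `ip SRC WILDCARD DST WILDCARD|any` form used here.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC WILD (DST WILD | any)'."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported entry: " + line)
    src = (tok[4], tok[5])
    dst = ("0.0.0.0", "255.255.255.255") if tok[6] == "any" else (tok[6], tok[7])
    return action, src, dst

def nat_applies(acl_lines, src_ip, dst_ip):
    """True if the flow hits a permit entry, i.e. is selected for translation."""
    for line in acl_lines:
        action, src, dst = parse_ace(line)
        if wildcard_match(src_ip, *src) and wildcard_match(dst_ip, *dst):
            return action == "permit"
    return False  # implicit deny: the packet is routed without translation

# ACL exactly as posted in the reply above.
ACL_101 = [
    "access-list 101 deny ip 10.243.1.0 0.0.0.255 10.80.1.0 0.0.0.255",
    "access-list 101 permit ip 10.243.1.0 0.0.0.255 any",
]

# Constructed sample flows (source, destination) from the inside network.
FLOWS = [
    ("10.243.1.20", "10.80.1.50"),    # matches the deny line
    ("10.243.1.20", "10.80.10.50"),   # host on the Fa0/0 subnet
    ("10.243.1.20", "198.51.100.7"),  # internet destination (documentation range)
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        verdict = "translated" if nat_applies(ACL_101, src, dst) else "not translated"
        print(f"{src} -> {dst}: {verdict}")
```

Traffic to 10.80.10.x falls through to the permit line and is still translated; exempting it would need a deny entry whose destination covers 10.80.10.0 0.0.0.255.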