02-28-2019 07:26 AM
Hello All,
I suppose this is rather a simple question, but I'm not sure about the answer I have in mind.
Please take a look at the diagram, as it explains 99 % of the situation:
As you see, on the left side is a 100 % simple LAN.
On the right side is a single machine, BUT it doesn't allow any modification.
What is needed between these two to be able to browse from the LAN clients to the server?
I suppose a router of type C1101-4P, but what about the NAT settings and the IP addresses to use?
Is it as simple as just configuring NAT (which type?) so the device acts as a kind of 'relay' to 192.168.100.100?
(If so, a config is still welcome.)
Thanks for all answers!
02-28-2019 07:38 AM - edited 02-28-2019 07:40 AM
Hi,
You can configure static NAT on the router as below:
interface gig0/0
 description Connected to LAN Internet
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 no shut
!
interface gig0/1
 description Connected to Mystery network
 ip address 192.168.100.254 255.255.255.0
 ip nat outside
 no shut
!
ip nat inside source static 10.0.0.254 192.168.100.100
Note: You can assign a secondary IP address for the management interface on interface gig0/0.
Regards,
Deepak Kumar
02-28-2019 07:53 AM
Hello Deepak, thanks for your (very fast) answer.
I fully understand the config.
Just to be sure: clients will need to browse to http(s)://10.0.0.254/ to get to the server?
And the server will communicate back to 192.168.100.254?
02-28-2019 07:55 AM - edited 02-28-2019 08:02 AM
Yes, it is. You can configure an ACL to control which ports are allowed or denied.
Regards,
Deepak Kumar
02-28-2019 07:39 AM
This is a bit unusual, but I think that what you need is a simple router. It would have one interface in the 10.0.0.0/24 network and a second interface with an IP in the 192.168.100 network. The router would advertise the 192.168.100 network to the 10.0.0.0 network and would be configured to do address translation for any traffic coming from 10.0.0.0 toward 192.168.100, using the address of the 192.168.100 interface as the translated address. Or you could make it a bit more specific and just do translations for tcp ports 80 and 443.
HTH
Rick
02-28-2019 07:44 AM
After posting my response I looked at the diagram again and realized that there is a problem, and I do not know how to solve it. The problem relates to my statement that the new router would advertise 192.168.100. But the diagram is specific that the 10.0.0.0 network uses 10.0.0.1 as the gateway and that no modification of that router is possible. With no modification possible I do not see how we get that gateway to forward 192.168.100 to the new router.
Does anyone see an alternative that I have missed?
HTH
Rick
02-28-2019 07:54 AM
I believe that the suggestion from Seb provides the solution to the problem I mentioned. So +5 for that. Translating the server address so that it appears to have a 10.0.0.0 address removes the need for anybody in the 10.0.0.0 network to know about the 192.168.100 network.
The challenge that I see in Seb's suggestion is that devices in 10.0.0.0 are using DHCP. We would want the firewall (or router) to learn its 10.0.0.0 address from DHCP (if we hard code an address there will be the possibility of a duplicate address issue), and so there is a possibility that over time the address of the firewall (or router) might change. So how do the clients in 10.0.0.0 find out what address to use to access the mystery server?
HTH
Rick
02-28-2019 08:13 AM
Hopefully between the DHCP server probing the proposed address with an ICMP echo request, and the client itself checking the received lease with an ARP request, the NAT device could be introduced to the subnet with a static IP without making any adjustments to the DHCP service.
cheers,
Seb.
02-28-2019 07:41 AM
Hi there,
I’d go for a firewall with static NAT configured. This would translate the server IP 192.168.100.100 onto the 10.0.0.0/24 subnet and make it available to those other devices. An ACL on the ‘outside’ (translated side) interface of the firewall would control which ports are reachable on the server.
Cheers,
Seb.
03-01-2019 02:23 AM - edited 03-01-2019 02:41 AM
Hello
- No modification of any addressing on the WEB server
- No modification on the L2 switches for any routing
- No modification on the L3 router (dhcp/routing etc.)
Whatever you put between these two sites, the problem as @Richard Burts stated still exists: the clients on the left will still have a default gateway/route pushing traffic away from 192.168.0.0/24.
Although it would be an administrative burden, I guess route modification on the clients could be applicable, but then you need a stable IP address for the device in the middle so it doesn't change in the future, again as @Richard Burts stated.
L2 switch (on 10.0.0.x network)
int x/x
 description facing middle device
 switchport mode trunk

Middle device
int x/x
 no shut
int x/x.10
 description facing 10.0.0.0/24 site
 encapsulation dot1Q 10
 ip address 10.0.0.100 255.255.255.0
 ip nat inside
int x/x
 description facing WEB server switch
 ip address 192.168.0.100 255.255.255.0
 ip nat outside
access-list 10 permit 10.0.0.0 0.0.0.255
ip nat inside source list 10 interface x/x overload
ip route 0.0.0.0 0.0.0.0 x/x name web-srv-nexthop_interface

10.0.0.x clients (Windows clients)
route -p add 192.168.0.0 mask 255.255.255.0 10.0.0.100 IF X
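To make the "device in the middle" design from Deepak's static NAT config, Seb's firewall-with-ACL suggestion and Paul's interface PAT concrete, here is an added Python model (not code from any post): the server's real address is presented to the LAN as one fixed 10.0.0.0/24 address, an ACL restricts it to tcp/80 and tcp/443, and LAN clients are hidden behind the device's server-facing interface so the unmodifiable server only ever talks to that one address. The presented address 10.0.0.254, the device address 192.168.100.254 and the request/reply pair are constructed assumptions for the demonstration.

```python
"""Model of the static NAT + port ACL + client PAT design from this thread.

Added example; addresses and traffic are constructed, not from the original posts.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple
import ipaddress

LAN = ipaddress.ip_network("10.0.0.0/24")
SERVER_REAL = "192.168.100.100"     # fixed address on the 'mystery' side
SERVER_PRESENTED = "10.0.0.254"     # assumed LAN-side address the server is shown as
DEVICE_OUTSIDE = "192.168.100.254"  # assumed device interface facing the server
ALLOWED_PORTS = {80, 443}           # what the ACL on the translated side permits


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


# PAT table: port used on the server-facing side -> (client ip, client port)
pat_table: Dict[int, Tuple[str, int]] = {}


def lan_to_server(pkt: Packet, pat_port: int) -> Optional[Packet]:
    """Client -> server: apply the ACL, then destination NAT for the server
    and source PAT so the server sees only the device's own address."""
    if pkt.dst != SERVER_PRESENTED or pkt.proto != "tcp":
        return None                               # not for the server: dropped
    if ipaddress.ip_address(pkt.src) not in LAN or pkt.dport not in ALLOWED_PORTS:
        return None                               # denied by the port ACL
    pat_table[pat_port] = (pkt.src, pkt.sport)    # remember which client owns this flow
    return replace(pkt, src=DEVICE_OUTSIDE, sport=pat_port, dst=SERVER_REAL)


def server_to_lan(pkt: Packet) -> Optional[Packet]:
    """Server reply: undo both translations using the PAT table entry."""
    if pkt.src != SERVER_REAL or pkt.dst != DEVICE_OUTSIDE:
        return None
    client = pat_table.get(pkt.dport)
    if client is None:
        return None                               # no matching flow: dropped
    return replace(pkt, src=SERVER_PRESENTED, dst=client[0], dport=client[1])
```

Because the client's source is rewritten to 192.168.100.254, the server answers the device directly, which is the behaviour asked about in the "communicate back to 192.168.100.254?" question above.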