
I lost it ... ( router between 2 existing LAN's )

Bart De Pauw
Level 1

Hello All,

 

I suppose this is rather a simple question but I am not sure about the answer I have in mind.

Please take a look at the diagram as this explains for 99 % the situation :Link.JPG

As you see at the left side a 100 % simple LAN.

At the right side a single machine BUT it doesn't allow any modification

 

What is needed between these two to be able to browse from the LAN clients to the server ?

I suppose a router type C1101-4P , but what about NAT setting  and IP addresses to use ?

Is it as simple as just configuring NAT (type ?) so the device acts as a kind of 'relay' to 192.168.100.100

( if so, still a config is welcome )

 

Thanks for all answers !


Deepak Kumar
VIP Alumni

Hi,

You can configure static NAT on the router as below:

 

interface gig0/0
description Connected to LAN Internet
ip address 10.0.0.254 255.255.255.0
ip nat inside
no shut
!
interface gig0/1
description Connected to Mystery network
ip address 192.168.100.254 255.255.255.0
ip nat outside
no shut
!
ip nat inside source static 10.0.0.254 192.168.100.100

 

Note: You can assign a secondary IP address for the management interface on interface gig0/0

 

Regards,

Deepak Kumar

 

 


Hello Deepak, thanks for your ( very fast ) answer.

I fully understand the config.

Just to be sure : clients will need to browse to http(s)://10.0.0.254/ to get to the server ?

And the server will communicate back to 192.168.100.254 ?

 

 

Yes, it is. You can configure an ACL to control which ports are allowed or denied.

Regards,
Deepak Kumar


Richard Burts
Hall of Fame

This is a bit unusual but I think that what you need is a simple router. It would have one interface in the 10.0.0.0/24 network and a second interface with an IP in the 192.168.100 network. The router would advertise the 192.168.100 network to the 10.0.0.0 network and would be configured to do address translation for any traffic coming from 10.0.0.0 toward 192.168.100 using the address of the 192.168.100 interface as the translated address. Or you could make it a bit more specific and just do translations for tcp port 80 and 443.

 

HTH

 

Rick


After posting my response I looked at the diagram again and realize that there is a problem and I do not know how to solve it. The problem relates to my statement that the new router would advertise 192.168.100. But the diagram is specific that the 10.0.0.0 network uses 10.0.0.1 as the gateway and that no modification of that router is possible. With no modification possible I do not see how we get that gateway to forward 192.168.100 to the new router.

 

Does anyone see an alternative that I have missed?

 

HTH

 

Rick


I believe that the suggestion from Seb provides the solution to the problem I mentioned. So +5 for that. Translating the server address so that it appears to have a 10.0.0.0 address removes the need for anybody in the 10.0.0.0 network to know about the 192.168.100 network. 

 

The challenge that I see in Seb's suggestion is that devices in 10.0.0.0 are using DHCP. We would want the firewall (or router) to learn its 10.0.0.0 address from DHCP (if we hard code an address there will be the possibility of a duplicate address issue) and so there is a possibility that over time the address of the firewall (or router) might change. So how do the clients in 10.0.0.0 find out what address to use to access the mystery server?

 

HTH

 

Rick


Hopefully between the DHCP server probing the proposed address with an ICMP echo request, and the client itself checking the received lease with an ARP request, the NAT device could be introduced to the subnet with a static IP without making any adjustments to the DHCP service.

 

cheers,

Seb.

Seb Rupik
VIP Alumni

Hi there,

I’d go for a firewall with static NAT configured. This would translate the server IP 192.168.100.100 onto the 10.0.0.0/24 subnet and make it available to those other devices. An ACL on the ‘outside’ (translated side) interface of the firewall would control which ports are reachable on the server.

 

Cheers,

Seb.
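
The addressing argument in this thread, modelled as an added example (not part of any reply and not a device configuration): a LAN client only reaches the NAT device without route changes if the address it browses to is on-link, and an ACL limits the translation to web ports. The translated address 10.0.0.254 and the 192.168.100.254 source come from the replies above; the session table, the starting port 20000 and the client addresses are constructed for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("10.0.0.0/24")   # client subnet (from the thread)
GATEWAY = "10.0.0.1"                        # existing gateway, cannot be changed
SERVER = "192.168.100.100"                  # server, cannot be changed
NAT_LAN_IP = "10.0.0.254"                   # address clients browse to
NAT_SRV_IP = "192.168.100.254"              # NAT device address on the server side
ALLOWED_PORTS = {80, 443}                   # ACL: web ports only


def first_hop(dst):
    """Return where a LAN client sends a packet: the destination itself
    when it is on-link, otherwise the default gateway."""
    return dst if ipaddress.ip_address(dst) in LAN else GATEWAY


class NatDevice:
    """Simplified model of the translating device (hypothetical, for illustration)."""

    def __init__(self):
        self.sessions = {}      # translated source port -> (client ip, client port)
        self.next_port = 20000  # constructed starting port for translations

    def to_server(self, src, sport, dst, dport):
        """Translate a client packet, or return None when the ACL drops it."""
        if dst != NAT_LAN_IP or dport not in ALLOWED_PORTS:
            return None
        tport = self.next_port
        self.next_port += 1
        self.sessions[tport] = (src, sport)
        # Destination becomes the real server; source becomes the NAT device,
        # so the server can reply on-link without any route or gateway change.
        return (NAT_SRV_IP, tport, SERVER, dport)

    def to_client(self, src, sport, dst, dport):
        """Reverse-translate a server reply; unknown sessions are dropped."""
        if src != SERVER or dst != NAT_SRV_IP or dport not in self.sessions:
            return None
        client, cport = self.sessions[dport]
        return (NAT_LAN_IP, sport, client, cport)
```

A packet addressed to 192.168.100.100 goes to the unmodifiable gateway 10.0.0.1, while one addressed to 10.0.0.254 goes straight to the NAT device, which is the point made about translating the server onto the 10.0.0.0/24 subnet.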

Hello

No modification of any addressing on the WEB server
No modification on the L2 switches for any routing
No modification on the l3 router (dhcp/routing etc..)

Whatever you put between these two sites, the problem as @Richard Burts stated still exists, for the clients on the left will still have a default gateway/route pushing traffic away from 192.168.0.0/24.

Although it would be an administrative burden, I guess route modification on the clients could be applicable, but then you need a stable IP address for the device in the middle so it doesn't change in the future, again as @Richard Burts stated.

 

L2 switch ( on 10.0.0.x network)
int x/x
description facing to middle device
switchport mode trunk

Middle device
int x/x
no shut
int x/x.10
description facing 10.0.0.0/24 site
encapsulation dot1Q 10
ip address 10.0.0.100 255.255.255.0
ip nat inside

int x/x
description facing WEB server switch
ip address 192.168.0.100 255.255.255.0
ip nat outside

access-list 10 permit 10.0.0.0 0.0.0.255
ip nat inside source list 10 interface xx
ip route 0.0.0.0 0.0.0.0 x/x name web-srv-nexhop_interface

10.0.0.x clients (Windows clients)
route -p add 192.168.0.0 mask 255.255.255.0 10.0.0.100 IF X



Kind Regards
Paul