cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2119
Views
10
Helpful
8
Replies

NAT and Internal Static Routes

CDaff
Level 1
Level 1

It may simple, but I'm stucked with a little trouble:
I got a 1900 Cisco Router, with two subinterfaces, 0/0.15 it's the WAN and the other 0/0.11 the LAN interfaces.
I setup a NAT to permit all network access internet via the WAN interface, the way I made it's by the NVI NAT mode.

!
interface GigabitEthernet0/0.11
description LAN
encapsulation dot1Q 11
ip address 10.1.1.1 255.255.255.0
ip nat enable
!
interface GigabitEthernet0/0.15
description WAN
encapsulation dot1Q 15
ip address 200.2.2.2 255.255.255.0
ip nat enable
!

access-list 101 permit ip 10.1.1.0 0.0.0.255 any

!

ip nat source list 101 interface GigabitEthernet0/0.15 overload

!

At this, everything works fine, I can access Internet and even can I open ports to internal devices to be opened from WAN.

But, I got a second little router with no NAT and an IP address 10.1.1.10, behind that router there's a LAN, the 10.3.3.0. When I create a static route in the cisco to point to this second LAN (10.3.3.0), I receive packets with the Source IP addres 200.2.2.0 (WAN Interface address).

I create the static route like this:

 

!

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.15
ip route 10.3.3.0 255.255.255.0 10.1.1.10

!


Now I'm so wrong, but even if the traffic flows thru one subinterface that ingress to the router, the NAT apllies and it's resend to egress by the same subinterface!!??

It's that correct? How I can create this static route with no NAT effects in it?

 

8 Replies 8

casanavep
Level 3
Level 3

First, route to a next-hop IP vs an interface where possible.  Routing to an interface creates a requirement for unique ARP entries per destination vs just a single one for the next-hop IP.  Given that you have a static IP on the WAN side, your next-hop is typically static too, thus should be a consistent target for that route. 

 

Have you tried "ip nat inside" and "ip nat outside"on the two interfaces, vs enable? You would then update the global NAT statement to only nat inside (ip nat inside source...) traffic flowing to the outside, which wouldn't include what I believe you are discussing. If there is an expectation for the 10.3.3.0/24 subnet to also utilize the same router for internet and NAT access, it's network should added to your ACL 101.  

 

Sorry, I am not a fan of NVI NAT mode....

At this point, I'm surely that I won't become a fan of the NVI NAT...
First I changed my route from an interface to an address, so... thanks you for that tip.

So, I think that your recommnedation to implement "ip nat inside and outside" will be mi option to try to implement, but I'm gonna try it over the next week.

Thanks for the advices...

Hello

 

access-list 101 deny host 10.1.1.10 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any

 

The above wont allow host 10.1.1.10 to get natted


res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul,
I understand what are you trying to do, but if I deny the host, neither the host and the LAN behind that host can access to the WAN interface.
The idea is that the host and the LAN, with the correct ACL implemented, can access the web too.

 

I don't know how the router can resend a packet with the WAN IP address as source to an internal host...

 

Thank you for the reply!

Hello

Okay apologies mis-understood -  then just amend the acl to add that internal subnet to be natted also.

 

access-list 101 deny host 10.1.1.10 any
access-list 101 permit 10.3.3.0 0.0.0.0.255 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any

 

As long as the 1900 rtr has a route back to this subnet then it should work with the above acl amendment

res
Paul

 

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you...

This helps me a lot!

Hello,

 

in addition to the other posts, try the access list below:

 

access-list 101 deny ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 101 permit ip 10.3.3.0 0.0.0.255 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any

Georg

 

Thank you... it helps me a lot

Review Cisco Networking for a $25 gift card