01-12-2018 01:38 PM - edited 03-05-2019 09:45 AM
It may be simple, but I'm stuck with a little trouble:
I got a 1900 Cisco Router, with two subinterfaces, 0/0.15 is the WAN and the other 0/0.11 the LAN interface.
I set up a NAT to permit all the network to access the Internet via the WAN interface; the way I made it is by the NVI NAT mode.
!
interface GigabitEthernet0/0.11
description LAN
encapsulation dot1Q 11
ip address 10.1.1.1 255.255.255.0
ip nat enable
!
interface GigabitEthernet0/0.15
description WAN
encapsulation dot1Q 15
ip address 200.2.2.2 255.255.255.0
ip nat enable
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
!
ip nat source list 101 interface GigabitEthernet0/0.15 overload
!
At this point, everything works fine, I can access the Internet and I can even open ports to internal devices so they can be reached from the WAN.
But, I got a second little router with no NAT and an IP address 10.1.1.10; behind that router there's a LAN, the 10.3.3.0. When I create a static route in the Cisco to point to this second LAN (10.3.3.0), I receive packets with the source IP address 200.2.2.0 (WAN interface address).
I create the static route like this:
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.15
ip route 10.3.3.0 255.255.255.0 10.1.1.10
!
Now I'm so wrong, but even if the traffic flows through one subinterface that ingresses to the router, the NAT applies and it's resent to egress by the same subinterface!!??
Is that correct? How can I create this static route with no NAT effects on it?
01-12-2018 04:53 PM - edited 01-12-2018 04:56 PM
First, route to a next-hop IP vs an interface where possible. Routing to an interface creates a requirement for unique ARP entries per destination vs just a single one for the next-hop IP. Given that you have a static IP on the WAN side, your next-hop is typically static too, thus should be a consistent target for that route.
Have you tried "ip nat inside" and "ip nat outside" on the two interfaces, vs enable? You would then update the global NAT statement to only nat inside (ip nat inside source...) traffic flowing to the outside, which wouldn't include what I believe you are discussing. If there is an expectation for the 10.3.3.0/24 subnet to also utilize the same router for internet and NAT access, its network should be added to your ACL 101.
Sorry, I am not a fan of NVI NAT mode....
01-13-2018 04:56 AM
At this point, I'm sure that I won't become a fan of the NVI NAT...
First I changed my route from an interface to an address, so... thank you for that tip.
So, I think that your recommendation to implement "ip nat inside and outside" will be my option to try to implement, but I'm gonna try it over the next week.
Thanks for the advices...
01-13-2018 01:34 AM
Hello
access-list 101 deny ip host 10.1.1.10 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
The above won't allow host 10.1.1.10 to get natted
res
Paul
01-13-2018 04:34 AM - edited 01-13-2018 04:55 AM
Paul,
I understand what you are trying to do, but if I deny the host, neither the host nor the LAN behind that host can access the WAN interface.
The idea is that the host and the LAN, with the correct ACL implemented, can access the web too.
I don't know how the router can resend a packet with the WAN IP address as source to an internal host...
Thank you for the reply!
01-13-2018 05:13 AM
Hello
Okay, apologies, misunderstood - then just amend the acl to add that internal subnet to be natted also.
access-list 101 deny ip host 10.1.1.10 any
access-list 101 permit ip 10.3.3.0 0.0.0.255 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
As long as the 1900 rtr has a route back to this subnet then it should work with the above acl amendment
res
Paul
01-13-2018 05:59 AM
Thank you...
This helps me a lot!
01-13-2018 05:21 AM
Hello,
in addition to the other posts, try the access list below:
access-list 101 deny ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 101 permit ip 10.3.3.0 0.0.0.255 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
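As an added illustration (not part of any reply above, and not Cisco code), the following Python evaluates the three ACL 101 variants posted in this thread with IOS-style first-match semantics and wildcard masks, so the reader can see which source/destination pairs each version hands to the NAT statement. The subnets 10.1.1.0/24, 10.3.3.0/24 and the host 10.1.1.10 come from the thread; the host addresses 10.1.1.50, 10.3.3.5 and 8.8.8.8 are constructed sample flows. It models only the ACL match, not what NVI NAT does with a matched packet.

```python
"""Wildcard-mask matcher for IOS-style extended ACLs (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass

# ACL texts as posted in the thread (the original, Paul's amendment, Georg's version).
ORIGINAL_ACL = """
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
"""
PAUL_ACL = """
access-list 101 deny ip host 10.1.1.10 any
access-list 101 permit ip 10.3.3.0 0.0.0.255 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
"""
GEORG_ACL = """
access-list 101 deny ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 101 permit ip 10.3.3.0 0.0.0.255 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
"""

# Constructed sample flows (src, dst); 8.8.8.8 stands for "some Internet host".
SAMPLE_FLOWS = [
    ("10.1.1.50", "8.8.8.8"),   # LAN host to Internet
    ("10.1.1.10", "8.8.8.8"),   # the second router's own address to Internet
    ("10.3.3.5", "8.8.8.8"),    # host behind the second router to Internet
    ("10.1.1.50", "10.3.3.5"),  # LAN to second LAN (stays inside, should not be translated)
    ("10.3.3.5", "10.1.1.50"),  # second LAN back to LAN
]


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W"
    dst: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS match: a 1 bit in the wildcard mask means 'don't care', a 0 bit must match."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return _ip(addr) == _ip(parts[1])
    base, wild = _ip(parts[0]), _ip(parts[1])  # raises ValueError on a malformed mask
    care = 0xFFFFFFFF ^ wild
    return (_ip(addr) & care) == (base & care)


def _take_spec(tokens, i):
    """Consume one address spec starting at tokens[i]; return (spec, next_index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_acl(text: str) -> list:
    """Parse 'access-list N permit|deny ip SRC DST' lines (only protocol 'ip' is handled here)."""
    aces = []
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t or t[0] != "access-list":
            continue
        if t[3] != "ip":
            raise ValueError(f"extended ACL entry needs a protocol keyword: {raw}")
        src, i = _take_spec(t, 4)
        dst, _ = _take_spec(t, i)
        aces.append(Ace(t[2], src, dst))
    return aces


def acl_permits(acl: list, src: str, dst: str) -> bool:
    """First matching entry decides; the implicit 'deny any any' at the end returns False."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action == "permit"
    return False


def acl_is_well_formed(text: str) -> bool:
    """True if every entry parses and every address/mask is a valid dotted quad."""
    try:
        for ace in parse_acl(text):
            wildcard_match("0.0.0.0", ace.src)
            wildcard_match("0.0.0.0", ace.dst)
        return True
    except (ValueError, IndexError):
        return False


def nat_candidates(text: str) -> dict:
    """Map each sample flow to whether this ACL would hand it to the NAT statement."""
    acl = parse_acl(text)
    return {flow: acl_permits(acl, *flow) for flow in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ACL), ("Paul", PAUL_ACL), ("Georg", GEORG_ACL)):
        print(name)
        for (src, dst), natted in nat_candidates(text).items():
            print(f"  {src:>10} -> {dst:<10} {'NAT' if natted else 'no NAT'}")
```

Running it shows that the original one-line ACL matches LAN-to-10.3.3.0 traffic as well (the destination is `any`), while Georg's two leading deny entries exclude the inter-LAN flows before the permits are reached, and Paul's `deny ip host 10.1.1.10 any` keeps the second router's own address out of the translation. `acl_is_well_formed` rejects a mistyped wildcard such as `0.0.0.0.255`, which IOS would also refuse.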
01-13-2018 06:00 AM
Georg
Thank you... it helps me a lot