cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2577
Views
0
Helpful
6
Replies

Nat Translations working but can't http through from outside to inside

p.christie8186
Level 1
Level 1

Hello all, new to the forum and to networking administration in general....

I'm attempting to setup a pretty simplitic lab envirnonment, I’ve attached some config and a very simplistic diagram of what I’m trying to do.

The problem I am seeing is that my client devices in the 192.168.0.x/24 range can ping my nas device via NAT on 192.168.10.3 however they can’t ping my device on 192.168.10.2 or connect via port 80 (http) to the NAS device.

 

When I telnet or attempt to browse to the nas device from the clients in 192.168.0.x range, I can’t get through port 80. However if I connect to my router on teh outside interface 192.168.0.12 (vlan1) I can telnet to port 80 on 192.168.10.3 no problem and ping the inside client 192.168.10.2.

 

Everything is working fine the opposite direction (from inside to outside 192.168.10.0/24). I don’t have any ACLs setup up the outside interface (192.168.0.12). If no ACL is present will that cause an issue?

Any help/advice would be greatly appreciated.

Cheers

1 Accepted Solution

Accepted Solutions

I suspect the issue is your are translating all your 192.168.10.x IPs as they go through the router.

So your client is connecting to 192.168.10.3 but the return traffic has the src IP (192.168.10.3) being translated which breaks the TCP connections.

Try modifying your NAT acl ie. -

ip access-list extended NAT-ACL
 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any

so any traffic from 192.168.10.x to 192.168.0.x does not translate the source IPs.

Jon

View solution in original post

6 Replies 6

Jon Marshall
Hall of Fame
Hall of Fame

Please post full configuration of the router.

Also a better setup might be to use subinterfaces on the router interface and have the client and server vlans both routed on there rather than having to add a static route to the client device.

Depends on what the switch connecting to the router is capable of though.

Jon

really appreciate the quick response guys, and Fallacy11 - thanks for taking the time to put those diagrams together.

Couple of things I probably should have mentioned to start with:

- The sky hub router is dumb/locked down. I can't add any NAT'ing or routing to this device, hence the reason I've had to configure a static route on the 192.168.0.3 device to the 192.168.0.12 interface.


- Also, one of my original requirements was to allow all devices in the 192.168.10.x/24 range access to the internet. As the sky hub is dumb/locked down, it will only translate 192.168.0.x/24 address to my public ip and out to the net. This was my reasoning behind NAT'ing to a 192.168.0.x address.

Appreciate any input guys, i've also attached a full config as requested

I suspect the issue is your are translating all your 192.168.10.x IPs as they go through the router.

So your client is connecting to 192.168.10.3 but the return traffic has the src IP (192.168.10.3) being translated which breaks the TCP connections.

Try modifying your NAT acl ie. -

ip access-list extended NAT-ACL
 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any

so any traffic from 192.168.10.x to 192.168.0.x does not translate the source IPs.

Jon

Hey Jon,

                That has done the trick. Thank you very much for helping me out and explaining the logic.

Cheers :)

Hello,

If I understood correctly, you are just doing PAT. You need to configure static NAT for this purpose.

Please set this command on your router. As Jon mantioned, share your configuration so that we can help precisely.

ip nat inside source static tcp 192.168.10.3 80 192.168.0.12 80

Masoud

Fallacy11
Level 1
Level 1

Based on that diagram if 192.168.0.3 can talk to 192.168.0.12 by being on the same vlan there is no reason to NAT traffic. Now as to why 192.168.10.2 is working but 192.168.10.3 is not is because on the router I think proxy arp maybe enabled so the router is taking over traffic for the 192.168.10.3 address when the NAT is in place but when 192.168.10.3 get traffic from 192.168.0.3 the translation makes it appear as though it's receiving traffic from it's own address. Typically for static NATs like this you will make it a different subnet that doesn't exist on either side, then on the router that doesn't know about the translated address you'll just add a route sending traffic back to get NATTED again.

See diagrams below.

Review Cisco Networking for a $25 gift card