12-12-2022 06:48 AM - last edited on 12-20-2022 01:01 AM by Translator
I have a problem with NAT I cannot solve.
I have a Cisco 1900 series router with two ethernet ports. GE0/0 is configured for LAN (192.168.1.0/24) whereas GE0/1 is for the WAN (let's say static IP 123.123.123.123).
Now I have a second network with surveillance cameras (192.168.0.0/24), which so far was not connected to the LAN.
I have to make some cameras visible from the outside, keeping their initial IP addresses. Let's say I have two cameras: 192.168.0.37 (port 80) and 192.168.0.165 (port 8082). I plugged the ethernet cable into my switch, so both networks are connected. I have added all values in the ACL, but the cameras are still not visible from the outside.
I suspect that I need to have an additional ethernet port for the 2nd network (192.168.0.0/24) for the BVI2 to function correctly, but I may be wrong here.
Any help will be appreciated.
My config with the relevant data:
bridge irb
!
!
!
!
interface Loopback0
ip address 192.168.99.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Internal LAN
no ip address
duplex auto
speed auto
bridge-group 1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered BVI1
arp timeout 0
no mop enabled
no mop sysid
!
interface GigabitEthernet0/1
description Internet
mac-address xxxx.xxxx.xxxx
ip address 123.123.123.123 255.255.255.252
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
duplex auto
speed auto
no keepalive
no cdp enable
crypto map Internet_vpn
!
interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface Vlan1
no ip address
bridge-group 1
!
interface Vlan2
no ip address
bridge-group 1
!
interface BVI1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface BVI2
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 102 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.0.37 80 123.123.123.123 80 extendable
ip nat inside source static tcp 192.168.0.165 8082 123.123.123.123 8082 extendable
!
ip access-list standard LIST103
ip access-list standard list103
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 permit icmp any any
access-list 103 permit tcp any host 123.123.123.123 eq www
access-list 103 permit tcp any host 123.123.123.123 eq 8082
access-list 103 permit udp any any eq domain
access-list 103 permit udp any eq domain any
access-list 103 permit tcp any any eq domain
access-list 103 permit tcp any eq domain any
access-list 103 deny ip any any
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
12-12-2022 08:07 AM - last edited on 12-20-2022 01:04 AM by Translator
Hello
Surprising that you are bridging the LAN interface; however, what we don't see (unless you have not posted it) is a default route towards your WAN interface.
Additionally, the current IP addressing on your WAN interface is incorrect. Given that subnet range it will either be 123.123.123.121 or 123.123.123.122, which means your static NAT statements are incorrect also.
Example:
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 123.123.123.12x
12-12-2022 08:32 AM - last edited on 12-20-2022 01:05 AM by Translator
Oops, my bad.
ip route 0.0.0.0 0.0.0.0 123.123.123.122
But this didn't solve the issue.
Are you suggesting that BVI2 is unnecessary? BTW it doesn't work without it either.
12-12-2022 08:52 AM - last edited on 12-20-2022 01:18 AM by Translator
Hello
As I stated, your IP addressing is incorrect; you need to rectify anything associated with it.
interface GigabitEthernet0/1
description Internet
mac-address xxxx.xxxx.xxxx
ip address 123.123.123.123 255.255.255.252
access-list 103 permit tcp any host 123.123.123.123 eq www
access-list 103 permit tcp any host 123.123.123.123 eq 8082
ip nat inside source static tcp 192.168.0.37 80 123.123.123.123 80 extendable
ip nat inside source static tcp 192.168.0.165 8082 123.123.123.123 8082 extendable
For example:
interface GigabitEthernet0/1
description Internet
mac-address xxxx.xxxx.xxxx
ip address 123.123.123.121 255.255.255.252
ip route 0.0.0.0 0.0.0.0 123.123.123.122
access-list 103 permit tcp any host 123.123.123.121 eq www
access-list 103 permit tcp any host 123.123.123.121 eq 8082
ip nat inside source static tcp 192.168.0.37 80 123.123.123.121 80 extendable
ip nat inside source static tcp 192.168.0.165 8082 123.123.123.121 8082 extendable
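The addressing mistake identified above (123.123.123.123 is the broadcast address of the /30, so every NAT and ACL line built on it is wrong) is easy to catch mechanically. The following checker is an added example, not part of the thread or of any Cisco tooling; it runs over a constructed config sample modelled on the quoted lines and flags interface addresses that are unusable in their subnet, plus NAT global and ACL host addresses that no interface actually owns.

```python
import ipaddress
import re

# Constructed sample modelled on the WAN, NAT and ACL lines quoted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 123.123.123.123 255.255.255.252
 ip nat outside
!
ip nat inside source static tcp 192.168.0.37 80 123.123.123.123 80 extendable
ip nat inside source static tcp 192.168.0.165 8082 123.123.123.123 8082 extendable
access-list 103 permit tcp any host 123.123.123.123 eq www
"""
# The same lines using the first usable host of the /30, as the reply recommends.
CORRECTED_CONFIG = SAMPLE_CONFIG.replace("123.123.123.123", "123.123.123.121")

STATIC_NAT_RE = re.compile(r"^ip nat inside source static \S+ \S+ \S+ (\S+) \S+", re.M)
ACL_HOST_RE = re.compile(r"^access-list \d+ permit \S+ any host (\S+)", re.M)


def interface_addresses(config: str) -> dict:
    """Map interface name -> configured IPv4 address/mask (primary address only)."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif current and line.strip().startswith("ip address "):
            _, _, ip, mask = line.split()[:4]
            result[current] = ipaddress.ip_interface(f"{ip}/{mask}")
    return result


def lint_wan_nat(config: str) -> list:
    """Flag interface addresses that are the network or broadcast address of their
    subnet, and NAT/ACL lines that reference an address no interface owns as a host."""
    findings, usable = [], set()
    for name, iface in interface_addresses(config).items():
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{name}: {iface} is the network/broadcast address of {net}; "
                            f"usable hosts are {net[1]}..{net[-2]}")
        else:
            usable.add(str(iface.ip))
    for kind, pattern in (("static NAT global", STATIC_NAT_RE), ("ACL host", ACL_HOST_RE)):
        for addr in pattern.findall(config):
            if addr not in usable:
                findings.append(f"{kind} {addr} is not a usable address of any interface")
    return findings
```

Running lint_wan_nat(SAMPLE_CONFIG) yields four findings (the interface plus the two static NAT lines and the ACL line that depend on it); the corrected sample yields none.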
12-12-2022 08:34 AM
What I wanted to achieve is to bridge both 192.168.0.0 and 192.168.1.0. Maybe I'm just doing it all wrong.
12-12-2022 08:40 AM
Thanks, I'll try it out and will reply regarding the result!
12-19-2022 01:36 PM - last edited on 12-20-2022 01:39 AM by Translator
Thank you for your suggestion! I chose the L3 setup and it worked.
On my main router:
- set up the ip route 192.168.0.0 255.255.255.0 192.168.1.3
- deleted all the unnecessary BVI2 and VLAN interfaces, bridge-group 2, etc.
- kept all the relevant ip nat inside and ACL lines
On my main switch:
- swapped the switch to a router and set up an ip route 0.0.0.0 0.0.0.0 192.168.1.1
- set up ip routing
As simple as that. Huge thanks!
12-19-2022 01:43 PM
You are so so welcome.