11-13-2023 07:37 PM
Dear Expert,
I have created LAB in eve ng and the same design is attached herewith.
I have done all configuration with using MPLS WAN solution on design.
Private NW is done successfully and now i wanted to allow all DC Server, HQ Users and Branch user can access INTERNET without using routing because Priavet NW can not advertise on INTERNET WORLS then NATTING is option remain, And here is query to that how i should allow to all users to access INTERNETW with using solution NATTING.
Could you please view design and suggest me accordingly.
HQ Users LAN range is 10.22.2.0/24. 10.22.4.0/24 CAN ACCESS internet
DC Subnet range is 172.16.111.0/24, 172.16.112.0/24 CAN ACCESS internet
BR users range : 10.22.22.0/24, 10.22.23.0/24 CAN ACCESS internet
The prompt response would be highly appreciated.
Thanks a lot
Regards
Virendra P
Solved! Go to Solution.
11-14-2023 01:39 AM - edited 11-14-2023 01:40 AM
Now BR have default route toward DC
DC must have default route toward R35 and R36
NOW for NATing
are R35/36 have route toward BR subnet ?
if not then you need to NATing in DC and NATing in R35/R36 (overload to internet)
if yes then you need NATing in R35/36 (overload to internet)
11-14-2023 02:09 AM
Dear MHM,
Let me do this and get back to you.
regards
Virendra P
11-14-2023 02:14 AM
You are welcome
11-14-2023 02:30 AM - last edited on 01-23-2024 04:02 AM by Translator
As you thought, i have done static routing on 35 and 36 routers towards CUS Private NW.
ip route 10.22.0.0 255.255.0.0 102.1.1.4
ip route 112.112.112.112 255.255.255.255 102.1.1.3 This is used for iBGP session
ip route 172.16.0.0 255.255.0.0 102.1.1.4
CUSINTRTR1#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Et0/0.10 10 150 P Active local 102.1.1.3 102.1.1.1
CUSINTRTR1#
CUSINTRTR1#sh running-config | sec route
router bgp 1000
bgp router-id 111.111.111.111
bgp log-neighbor-changes
neighbor 36.1.1.2 remote-as 500
neighbor 36.1.1.2 ebgp-multihop 2
neighbor 36.1.1.6 remote-as 600
neighbor 36.1.1.6 ebgp-multihop 2
neighbor 112.112.112.112 remote-as 1000
neighbor 112.112.112.112 update-source Loopback0
neighbor 112.112.112.112 next-hop-self
I DID NOT ADVERTISE HERE PUBLIC POOL 102.1.1.0
PLEASE FIND NAT CONFIGURATION
ip access-list extended natpool
permit ip 172.16.0.0 0.0.255.255 any
permit ip 10.22.0.0 0.0.255.255 any
CUSINTRTR1#
ip nat pool natpool 102.1.1.0 102.1.1.254 netmask 255.255.255.0
ip nat inside source list natpool pool natpool
Current configuration : 121 bytes
!
interface Ethernet0/1
ip address 36.1.1.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
end
CUSINTRTR1#sh running-config int e0/2
Building configuration...
Current configuration : 121 bytes
!
interface Ethernet0/2
ip address 36.1.1.5 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
end
CUSINTRTR1#sh running-config int e0/0.10
Building configuration...
Current configuration : 203 bytes
!
interface Ethernet0/0.10
encapsulation dot1Q 10
ip address 102.1.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
standby 10 ip 102.1.1.1
standby 10 priority 150
standby 10 preempt
end
CUSINTRTR1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 102.1.1.1 172.16.111.11 --- ---
CUSINTRTR1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 102.1.1.1:54006 172.16.111.11:54006 200.1.1.1:23 200.1.1.1:23
--- 102.1.1.1 172.16.111.11 --- ---
CUSINTRTR1# IS THIS CORRECT ?
11-14-2023 02:49 AM - edited 11-14-2023 02:49 AM
172.16.0.0/16
10.22.0.0/16
are subnet of BR's then your config is correct and as I see tcp entry in NAT is correct.
11-14-2023 02:54 AM - last edited on 01-23-2024 04:03 AM by Translator
yes and see the response from R3 which is assumed as server :
DCSERVER3#telnet 200.1.1.1 23
Trying 200.1.1.1 ...
% Connection timed out; remote host not responding
CUSINTRTR1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 102.1.1.2:14165 172.16.111.11:14165 200.1.1.1:23 200.1.1.1:23
--- 102.1.1.2 172.16.111.11 --- ---
CUSINTRTR1# REMOTE HOST TELNET CONFIGURATION
ISPAS2000#sh running-config | sec vty
line vty 0 4
password cisco
login local
transport input telnet ssh
ISPAS2000#
BUT FROM BRANCH NOT ABLE TO REACH ON INTERNET ROUTER IF I AM DOING TELNET. SEE THE RESPONSE
R1user31#tel
BR1user31#telnet 200.1.1.1 23
Trying 200.1.1.1 ...
% Destination unreachable; gateway or host down
BR1user31#
11-14-2023 03:03 AM - last edited on 01-28-2024 11:48 PM by Translator
do
traceroute 200.1.1.1 source 172.16.0.x
let see where traffic is stop
11-14-2023 03:14 AM - last edited on 01-23-2024 05:44 AM by Translator
please find traceroute
BR1user31#traceroute 200.1.1.1 numeric
Type escape sequence to abort.
Tracing the route to 200.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.22.22.1 1 msec 0 msec 1 msec
2 172.16.1.2 8 msec 9 msec 9 msec
3 172.16.1.14 9 msec 9 msec 9 msec
4 172.16.1.17 9 msec 9 msec 9 msec
5 172.16.1.22 9 msec 9 msec 9 msec
6 172.16.1.22 !H * !H
BR1user31# 172.16.1.22 is configured on DC RTR15 and WAN interface is e0/2.
DCCE1#sh running-config int e0/2
Building configuration...
Current configuration : 82 bytes
!
interface Ethernet0/2
ip address 172.16.1.22 255.255.255.252
duplex auto
end
DCCE1#layer 3 switches configuration
DCSW22#
DCSW22#sh running-config | sec route
ip route 0.0.0.0 0.0.0.0 102.1.1.2
ip route 10.22.0.0 255.255.0.0 172.16.110.1
ip route 172.16.0.0 255.255.0.0 172.16.110.1
DCSW22#
DCSW23#wr
*Nov 14 11:16:34.908: %SYS-5-CONFIG_I: Configured from console by console
DCSW23#sh running-config | sec route
ip route 0.0.0.0 0.0.0.0 102.1.1.1
ip route 10.22.0.0 255.255.0.0 172.16.110.1
ip route 172.16.0.0 255.255.0.0 172.16.110.1
DCSW23#
11-14-2023 04:21 AM
can you point in topolgy where is this IP ?
MHM
11-14-2023 04:46 AM - last edited on 01-23-2024 05:45 AM by Translator
DCCE1#sh running-config int e0/2 MARKED IN BLUE.
Building configuration...
Current configuration : 82 bytes
!
interface Ethernet0/2
ip address 172.16.1.22 255.255.255.252
duplex auto
end
11-14-2023 04:51 AM
shut the connect of this router to ISP
and do traceroute again
11-14-2023 04:55 AM - last edited on 01-23-2024 05:48 AM by Translator
As expected, the traffic diverted to backup ROUTER which DCCE2
And traceroute from sa
me use PC:
BR1user31#traceroute 200.1.1.1 numeric
Type escape sequence to abort.
Tracing the route to 200.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.22.22.1 1007 msec 1 msec 0 msec
2 172.16.1.2 8 msec 9 msec 9 msec
3 172.16.1.14 9 msec 9 msec 10 msec
4 172.16.1.17 9 msec 9 msec 9 msec
5 172.16.1.30 18 msec 17 msec 18 msec
6 172.16.1.30 !H * !H
11-14-2023 05:04 AM - last edited on 01-23-2024 05:50 AM by Translator
inside DC which protocol you use ?
can I see
show ip route in R16
11-14-2023 05:06 AM - last edited on 01-23-2024 05:51 AM by Translator
Dear MHM,
please find the configuration :
DCCE1#sh running-config | sec route
router ospf 135
router-id 110.1.1.3
redistribute static subnets
network 172.16.1.20 0.0.0.3 area 1
network 172.16.1.24 0.0.0.3 area 1
network 172.16.110.0 0.0.0.255 area 1
default-information originate always
ip route 172.16.111.0 255.255.255.0 172.16.110.4 This is towards layer 3 Switch.
ip route 172.16.112.0 255.255.255.0 172.16.110.4
DCCE1#
11-14-2023 05:12 AM
default-information originate always <<- so there is no defualt route in this router R15/R16
remove always and config defualt route toward SW (which connect to internet router)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide