01-18-2013 01:19 AM - edited 03-04-2019 06:45 PM
Hello all,
I need your help today because of NAT, with which I'm not really familiar.
As you can see on the schema below, I have a site A and a site B linked with a VPN; site A is in 10.213.128.0/24 and site B in 10.212.186.0/24.
Both networks are routed and everything has worked for ages.
On another floor of site B, we bought a company and we want to run some tests before integrating them into our network; that's the reason for the NAT.
I want to go through our B site network to reach the B' site network from our A site using a NAT configuration. At the moment I don't have any access to the B' network.
On the B site I have a 1721 Cisco router with one WAN port with a VPN to site A, and one LAN port where I created 2 virtual interfaces:
int fast 0/1.1
 desc to_site_B'
 encapsulation dot1q 1 native
 ip address 10.0.1.254 255.255.255.0

int fast 0/1.2
 desc to_site_B
 encapsulation dot1q 2
 ip address 10.212.186.254 255.255.255.0

On my switch on B site the port 1 is trunked for the vlan 1 and 2.
All other ports are on access mode vlan 2, except port 24 on access mode vlan 1 to reach the B' site.
With this configuration I'm able to ping every device on the B' site from my router on the B site.
Here is the hard part, the NAT.
For example, I have a free IP address 10.212.186.70 which I want to NAT to the IP 10.0.1.2 to be able to connect to the B' site switch from my site A.
Whether I put "ip nat outside" on Fa0/0 and "ip nat inside" on Fa0/1.1 or the inverse, and "ip nat inside source static 10.0.1.2 10.212.186.70",
I can never telnet to the switch.
The command "sh ip nat translations" always shows half of the table filled in, depending on the interface where the "ip nat inside/outside" is put.
Do I have to use the command "ip nat pool A_to_B_NAT_Pool x.x.x.x x.x.x.x prefix-length " ?
In the different tutorials I read, only "ip nat inside/outside" and "ip nat inside source static...." are needed.
Sometimes the ping succeeds, but I think it is fake because with the same configuration, if I NAT a free IP address 10.0.1.x, the ping also works.
If you can bring me any help to understand this NAT configuration this could be great.
thx
01-19-2013 03:44 AM
OK, first I'll tell you what I understand: you want to telnet to 10.1.0.2 from site A, I think I am right.
I want to know something.
First,
is this switch layer three?
Second, did you configure an IP default address on the switch?
On which ports did you configure NAT inside and NAT outside on the router?
01-19-2013 04:09 AM
OK then,
in this case:
no ip nat inside source static 10.0.1.2 10.212.186.70
This command is for inside-to-outside NAT.
The command is:
ip nat source static 10.0.1.2 10.212.186.70
01-21-2013 12:55 AM
Hello,
First, thanks for your answer.
My switches are all layer 2.
Yes, I want to telnet to the device 10.0.1.2 from site A.
At this time, Fa0/0 is inside NAT and Fa0/1.1 is outside NAT.
I will try your command.
01-21-2013 09:13 AM
Or you have to configure an ACL on the router:
conf t
ip access-list standard 1
10 permit 10.1.0.2
01-22-2013 01:56 AM
I finally resolved my issue.
It seems that the Cisco router 1841 with the IOS C1841-ADVIPSERVICESK9-M, when it receives a packet, first routes it and then does the NAT.
As I wanted to NAT an IP address from VLAN 1 with an IP address from my VLAN 2 (which I know from my site A), the router was lost.
I found that out because "sh ip nat translations" never showed any translations.
So I routed a new subnet to site B which is not used there, and I NAT my IP address from VLAN 1 with this subnet.
By doing this, the router is no longer lost, because it does not do any routing before NATing.
Hope I was clear.
Thx for your help.
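
Added example, not part of the thread: a small Python check for the condition the last post describes, a static NAT global address taken from a subnet that is directly connected to the router. The sample config is constructed from the addresses in the thread; 192.0.2.0/24 is an assumed stand-in for the unused subnet, which the poster does not name, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample built from the addresses in the thread; 192.0.2.0/24 is a
# documentation range standing in for the "new subnet" the poster does not name.
SAMPLE_CONFIG = """\
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 10.0.1.254 255.255.255.0
interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip address 10.212.186.254 255.255.255.0
ip nat inside source static 10.0.1.2 10.212.186.70
ip nat inside source static 10.0.1.3 192.0.2.70
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
ADDR_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)")
NAT_RE = re.compile(r"^ip nat inside source static\s+(\S+)\s+(\S+)")

def connected_subnets(config):
    """Map each interface name to the subnet configured on it."""
    subnets, current = {}, None
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group(1)
        elif (m := ADDR_RE.match(line)) and current:
            subnets[current] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
    return subnets

def overlapping_static_nat(config):
    """Return (local, global, interface) for every static NAT entry whose
    global address lies in a subnet directly connected to the router."""
    subnets = connected_subnets(config)
    hits = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        global_ip = ipaddress.ip_address(m.group(2))
        for iface, net in subnets.items():
            if global_ip in net:
                hits.append((m.group(1), m.group(2), iface))
    return hits

if __name__ == "__main__":
    for local, glob, iface in overlapping_static_nat(SAMPLE_CONFIG):
        print(f"{local} -> {glob}: global address is inside {iface}'s subnet")
```

On the sample, only the 10.212.186.70 mapping from the original question is reported; the mapping that uses the stand-in unused subnet is not.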