When on the subnet (10.0.4.*) pinging devices beyond the subnet works, but pinging via the internal subnet (192.168.2.*) fails. A previous post (here) and subsequent testing determined that the 10.0.4.* network was correctly configured and you experts were no doubt correct that the problem was due to the GATEWAY not being configured correctly at the “other end” (beyond the 10.0.4.* network).
Now from the description supplied by the other network implementer, the “other end” has statements possibly like:
ip nat inside source static tcp 172.16.10.14 8000 10.0.4.17 8000
Given this scenario, is it possible (e.g. via NAT statements) to actually get normal routing working from the internal subnet, i.e. where I can ping 10.0.4.* from 192.168.2.* (and "telnet 10.0.4.17 8000")? Or perhaps anything we try still won’t work if the gateway is not correctly configured (at both ends)?
Alternatively, I have told the other network implementer to set up a normal subnet interface and control access via ACLs. Is this better than static routes? e.g. using:
interface GigabitEthernet0/1.4
 encapsulation dot1Q 4
 ip address 192.168.0.251 255.255.255.0
 ip access-group GIG140 in
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone