I have a Cisco 3925 on 15.01.
I'm attempting to allow machines on the Engineering network to access a webserver on the Management network on VLAN10 through a Static NAT. The webserver on the Management network is configured for 192.168.1.125. Any Engineering machine can hit the main page of the website at https://10.230.32.132 but as soon as I click on a link on the web page NAT appears to stop working. I can see it attempting to load the next webpage from 192.168.1.125 rather than 10.230.32.132 as I think it should until it times out. All webpages loaded from this web server should appear to be loaded from 10.230.32.132 from the perspective of any machine on the Engineering network.
Specific machines on the Management network are allowed to access the internet through interface gi/0/0 but machines on the engineering network are not. That last bit may not be relevant. The webserver also has access to the internet.
Relevant settings are below:
description Management Network
ip address 192.168.1.1 255.255.255.128
ip nat inside
encapsulation dot1Q 10
description Engineering Network
ip address 10.230.32.132 255.255.255.0
ip nat outside
description Connection to the Internet
ip address x.x.x.x 255.255.255.240
ip nat outside
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.1.125 10.230.32.132
ip route 0.0.0.0 0 0.0.0.0 X.X.X.X <-- default gateway to the internet.
access-list 1 permit 192.168.1.111
access-list 1 permit 192.168.1.121
access-list 1 permit 192.168.1.125
access-list 1 deny any
Any suggestions on how I can fix this?
Can you clarify, Is this an intranet web srv or is it should to be accessed from the internet also?
If I understand your posted config and your request then you shouldn't need to nat between vlans to accomplish this.
10.230.32.0/24 and 192.168.10/24 look like internal networks so you can just create simple DNS entry for this web srv. for internal access
If the MGT vlan web serv doesn't need natted internet access then dont apply nat to its vlan,
However if it does need to be natted to a public ip, Then just nat on that host and deny all other hosts from that subnet nat,
It is basically an intranet web server. It should not be accessed from the internet (internet inbound initiated sessions) but it should have access to the internet outbound to pull software updates, etc.
I know that we could/should simply route between the two VLANs but for the sake of this example is it possible to make the webserver appear to be on the Engineering network (10.230.32.0/24 network) by giving it a one-to-one Static NAT? Any packet with a destination address of 10.230.32.132 gets automatically translated to 192.168.1.125 and forwarded onto the Management network. As well as any traffic going to the Engineering network with a source address of 192.168.1.125 gets translated to a source address of 10.230.32.132.
Thanks for your help.
Not sure I see any benifits of that?
Unless you want to segregate between the vlans then you could use RACLs to accomplish this.