Static NAT fails to continue NATing on 3925

I have a Cisco 3925 on 15.01. 

I'm attempting to allow machines on the Engineering network to access a webserver on the Management network on VLAN10 through a Static NAT.  The webserver on the Management network is configured for 192.168.1.125.  Any Engineering machine can hit the main page of the website at https://10.230.32.132 but as soon as I click on a link on the web page NAT appears to stop working.  I can see it attempting to load the next webpage from 192.168.1.125 rather than 10.230.32.132 as I think it should until it times out.  All webpages loaded from this web server should appear to be loaded from 10.230.32.132 from the perspective of any machine on the Engineering network.

Specific machines on the Management network are allowed to access the internet through interface gi/0/0 but machines on the engineering network are not.  That last bit may not be relevant.  The webserver also has access to the internet.

Relevant settings are below:

Interface gi0/1.10
 description Management Network
 ip address 192.168.1.1 255.255.255.128
 ip nat inside
 encapsulation dot1Q 10

Interface gi0/2
 description Engineering Network
 ip address 10.230.32.132 255.255.255.0
 ip nat outside

Interface gi0/0/0
 description Connection to the Internet
 ip address x.x.x.x 255.255.255.240
 ip nat outside

ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.1.125 10.230.32.132

ip route 0.0.0.0 0 0.0.0.0 X.X.X.X <-- default gateway to the internet.

access-list 1 permit 192.168.1.111
access-list 1 permit 192.168.1.121
access-list 1 permit 192.168.1.125
access-list 1 deny any

Any suggestions on how I can fix this?

VIP Advisor

Hello
Can you clarify: is this an intranet web server, or should it be accessed from the internet also?
If I understand your posted config and your request, then you shouldn't need to NAT between VLANs to accomplish this.

10.230.32.0/24 and 192.168.10/24 look like internal networks, so you can just create a simple DNS entry for this web server for internal access.

If the MGT VLAN web server doesn't need NATted internet access, then don't apply NAT to its VLAN.
However, if it does need to be NATted to a public IP, then just NAT on that host and deny all other hosts from that subnet from NAT.

kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

It is basically an intranet web server.  It should not be accessed from the internet (internet inbound initiated sessions) but it should have access to the internet outbound to pull software updates, etc.

I know that we could/should simply route between the two VLANs but for the sake of this example is it possible to make the webserver appear to be on the Engineering network (10.230.32.0/24 network) by giving it a one-to-one Static NAT?  Any packet with a destination address of 10.230.32.132 gets automatically translated to 192.168.1.125 and forwarded onto the Management network.  As well as any traffic going to the Engineering network with a source address of 192.168.1.125 gets translated to a source address of 10.230.32.132.

Thanks for your help.
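
Added example (not part of the thread): a small model of the one-to-one translation described in the post above, using the thread's two addresses. It shows that the translation rewrites only the IP header in each direction, so a server address carried inside a response body reaches the client unchanged. The client address 10.230.32.50 and the response body with an absolute link are constructed assumptions.

```python
import re
from dataclasses import dataclass, replace
from ipaddress import ip_address

# Addresses taken from the thread's static NAT statement.
INSIDE_LOCAL = ip_address("192.168.1.125")   # web server on the Management VLAN
INSIDE_GLOBAL = ip_address("10.230.32.132")  # address Engineering hosts connect to


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes  # with HTTPS this is ciphertext the router cannot inspect


def outside_to_inside(pkt: Packet) -> Packet:
    """Engineering -> Management: only the destination header is rewritten."""
    if ip_address(pkt.dst) == INSIDE_GLOBAL:
        return replace(pkt, dst=str(INSIDE_LOCAL))
    return pkt


def inside_to_outside(pkt: Packet) -> Packet:
    """Management -> Engineering: only the source header is rewritten."""
    if ip_address(pkt.src) == INSIDE_LOCAL:
        return replace(pkt, src=str(INSIDE_GLOBAL))
    return pkt


def hosts_referenced(body: bytes) -> set[str]:
    """Hosts named in absolute http(s) links inside a response body."""
    return {m.decode() for m in re.findall(rb"https?://([0-9A-Za-z.\-]+)", body)}


def demo():
    # Constructed traffic: client 10.230.32.50 is an assumed Engineering host.
    request = Packet("10.230.32.50", "10.230.32.132", b"GET / HTTP/1.1")
    # Assumption: the page links to the server by its configured address.
    body = b'<a href="https://192.168.1.125/status">Status</a>'
    response = Packet("192.168.1.125", "10.230.32.50", body)

    seen_by_server = outside_to_inside(request)
    seen_by_client = inside_to_outside(response)
    return seen_by_server, seen_by_client, hosts_referenced(seen_by_client.payload)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

In this model the client sees the response arrive from 10.230.32.132, yet the only host named in the page content is still 192.168.1.125.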

VIP Advisor

Hello

Not sure I see any benefits of that?

Unless you want to segregate between the vlans then you could use RACLs to accomplish this.

kind regards
Paul
