Static NAT one vlan can reach webserver while the other can't.

Bobber (Level 1)

So I have always had a hard time understanding NAT, but this is weird. The way I imagine it, there shouldn't be any difference from which VLAN I try to connect, but the "Public" VLAN 10 successfully reaches the web server, while "Admin" VLAN 20 does not. Any help?

Building configuration...

Current configuration : 1473 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
no ip cef
no ipv6 cef
!
interface GigabitEthernet0/0
 ip address 11.11.11.12 255.255.255.0
 ip access-group 101 out
 ip nat inside
 duplex auto
 speed auto
!
interface GigabitEthernet1/0
 ip address 10.0.1.98 255.255.255.252
 ip nat outside
!
interface GigabitEthernet2/0
 ip address 10.0.1.106 255.255.255.252
 ip nat outside
!
interface GigabitEthernet3/0
 ip address 10.0.1.102 255.255.255.252
 ip nat outside
!
interface GigabitEthernet4/0
 no ip address
 shutdown
!
ip nat inside source static 11.11.11.11 10.0.1.98 
ip nat inside source static 11.11.11.11 10.0.1.106 
ip nat inside source static 11.11.11.11 10.0.1.102 
ip classless
ip route 10.0.0.0 255.255.255.192 10.0.1.97 
ip route 10.0.0.64 255.255.255.192 10.0.1.97 
ip route 10.0.0.128 255.255.255.192 10.0.1.105 
ip route 10.0.0.192 255.255.255.192 10.0.1.105 
ip route 10.0.1.0 255.255.255.192 10.0.1.101 
ip route 10.0.1.64 255.255.255.224 10.0.1.101 
ip route 0.0.0.0 0.0.0.0 10.0.1.97 
ip route 0.0.0.0 0.0.0.0 10.0.1.101 
ip route 0.0.0.0 0.0.0.0 10.0.1.105 
!
ip flow-export version 9
!
!
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit ip 11.11.11.0 0.0.0.255 any
!
no cdp run
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Do ignore this line: access-list 101 permit ip 11.11.11.0 0.0.0.255 any. I was trying out random ideas.

Pro  Inside global     Inside local       Outside local      Outside global
---  10.0.1.102        11.11.11.11        ---                ---
---  10.0.1.106        11.11.11.11        ---                ---
---  10.0.1.98         11.11.11.11        ---                ---
tcp 10.0.1.102:443     11.11.11.11:443    10.0.1.62:1027     10.0.1.62:1027
tcp 10.0.1.102:443     11.11.11.11:443    10.0.1.65:1029     10.0.1.65:1029
tcp 10.0.1.102:443     11.11.11.11:443    10.0.1.65:1031     10.0.1.65:1031
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.62:1025     10.0.1.62:1025
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.62:1026     10.0.1.62:1026
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.65:1025     10.0.1.65:1025
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.65:1026     10.0.1.65:1026
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.65:1027     10.0.1.65:1027
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.65:1028     10.0.1.65:1028
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.65:1032     10.0.1.65:1032
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.65:1035     10.0.1.65:1035
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.97:1025     10.0.1.97:1025
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.97:1026     10.0.1.97:1026
tcp 10.0.1.106:443     11.11.11.11:443    10.0.0.215:1031    10.0.0.215:1031
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1026    10.0.0.215:1026
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1027    10.0.0.215:1027
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1029    10.0.0.215:1029
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1030    10.0.0.215:1030
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1032    10.0.0.215:1032
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1033    10.0.0.215:1033
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1034    10.0.0.215:1034
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1035    10.0.0.215:1035
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1036    10.0.0.215:1036
tcp 10.0.1.98:80       11.11.11.11:80     10.0.1.97:1027     10.0.1.97:1027
tcp 10.0.1.98:80       11.11.11.11:80     10.0.1.97:1028     10.0.1.97:1028
tcp 10.0.1.98:80       11.11.11.11:80     10.0.1.97:1029     10.0.1.97:1029
tcp 10.0.1.98:80       11.11.11.11:80     10.0.1.97:1030     10.0.1.97:1030
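A practitioner's first move with a translation table like the one above is to read it mechanically rather than by eye. The parser below is an added example, not code from the original post or from any Cisco tool; the function names are mine, and the sample input is a constructed subset of the rows posted above in the same `show ip nat translations` layout. It answers the questions that matter for the thread: which one-to-one static mappings exist, which outside hosts have sessions to each inside global address, and whether any session is aimed at a port other than 80/443 (which would mean the outbound ACL on the server-facing interface is not restricting what the poster thinks it restricts). It also reports sessions whose outside address was rewritten (outside local differing from outside global); in the posted table none are, which confirms that only inside-source translation is in effect on this router. One caveat when reading any such table: an entry proves the first packet of a session was translated, not that the reply got back to the client, so a row for a host does not by itself mean that host can load the page. Separating the two needs `debug ip nat` on the router or a capture on both sides.

```python
from collections import defaultdict

# Constructed sample: a subset of the `show ip nat translations` rows
# posted in the thread, in the same column layout (not the full table).
SAMPLE = """\
Pro  Inside global     Inside local       Outside local      Outside global
---  10.0.1.102        11.11.11.11        ---                ---
---  10.0.1.106        11.11.11.11        ---                ---
---  10.0.1.98         11.11.11.11        ---                ---
tcp 10.0.1.102:443     11.11.11.11:443    10.0.1.62:1027     10.0.1.62:1027
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.65:1025     10.0.1.65:1025
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.97:1025     10.0.1.97:1025
tcp 10.0.1.106:443     11.11.11.11:443    10.0.0.215:1031    10.0.0.215:1031
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1026    10.0.0.215:1026
tcp 10.0.1.98:80       11.11.11.11:80     10.0.1.97:1027     10.0.1.97:1027
"""


def split_endpoint(token):
    """'10.0.1.102:443' -> ('10.0.1.102', 443); '10.0.1.102' -> ('10.0.1.102', None);
    the placeholder '---' -> (None, None)."""
    if token == "---":
        return None, None
    if ":" in token:
        host, port = token.rsplit(":", 1)
        return host, int(port)
    return token, None


def parse_nat_translations(text):
    """Parse IOS `show ip nat translations` output into one dict per row."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Pro"):   # skip blank lines and the header
            continue
        fields = line.split()
        if len(fields) != 5:                     # Pro, IG, IL, OL, OG
            continue
        proto, ig, il, ol, og = fields
        ig_h, ig_p = split_endpoint(ig)
        il_h, il_p = split_endpoint(il)
        ol_h, ol_p = split_endpoint(ol)
        og_h, og_p = split_endpoint(og)
        entries.append({
            "proto": None if proto == "---" else proto,   # None = static 1:1 row
            "inside_global": ig_h, "inside_global_port": ig_p,
            "inside_local": il_h, "inside_local_port": il_p,
            "outside_local": ol_h, "outside_local_port": ol_p,
            "outside_global": og_h, "outside_global_port": og_p,
        })
    return entries


def static_mappings(entries):
    """The one-to-one (static) mappings: inside global -> inside local."""
    return {e["inside_global"]: e["inside_local"] for e in entries if e["proto"] is None}


def clients_by_inside_global(entries):
    """Outside hosts with an active session, grouped by the inside global address they hit."""
    out = defaultdict(set)
    for e in entries:
        if e["proto"] is not None:
            out[e["inside_global"]].add(e["outside_global"])
    return {k: sorted(v) for k, v in out.items()}


def unexpected_services(entries, allowed_ports=(80, 443)):
    """Sessions whose translated destination port is outside the allowed set.
    Empty if the outbound ACL on the server interface is limiting traffic to HTTP/HTTPS."""
    return [e for e in entries
            if e["proto"] is not None and e["inside_local_port"] not in allowed_ports]


def rewritten_sources(entries):
    """Sessions where the router also translated the outside address
    (outside local != outside global). Non-empty only with `ip nat outside source`."""
    return [e for e in entries
            if e["proto"] is not None and e["outside_local"] != e["outside_global"]]


if __name__ == "__main__":
    rows = parse_nat_translations(SAMPLE)
    print("static:", static_mappings(rows))
    print("clients:", clients_by_inside_global(rows))
    print("non-web sessions:", len(unexpected_services(rows)))
    print("rewritten outside addresses:", len(rewritten_sources(rows)))
```

Run against the full table from the post instead of the constructed subset and the same three functions give the per-interface client lists directly, which is the quickest way to see which next-hop router each client's traffic arrived through.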
20 Replies

Hello,

--> but the "Public" Vlan 10 successfully reaches webserver, while "Admin" Vlan 20 does not.

At first glance, I do not see anything related to Vlan 10 and Vlan 20 in your configuration.

Either way, with your current configuration, only IP address 11.11.11.11 will be able to reach the outside. Which additional IP addresses do you need to go outside?

The running-config I provided was for a router that is directly connected to the web server (11.11.11.11); the VLANs are defined on different routers. VLAN 10 hosts are the public ones; they can't have access to VLAN 20, while VLAN 20 hosts are allowed full access to everything. Also, VLAN 10 is using PAT and VLAN 20 isn't. The whole network looks like this: (attached image: Screenshot 2021-12-10 170111.png)

 

Just in case I'm attaching zipped .pkt file as well. Thanks.

Hello,

where is the zipped .pkt file?

I guess it didn't attach, sorry.

Hello,

--> the "Public" Vlan 10 successfully reaches webserver, while "Admin" Vlan 20 does not.

With your current configuration, no PC from Vlan 10 or Vlan 20 can reach the web server. You have three static NAT entries for the web server, which is on the inside.

What do you want to accomplish? Which IP addresses need to reach the web server? And does the web server need to be on the inside or the outside?

Every PC, regardless of NAT or VLAN, should be able to reach the web server via HTTP/HTTPS; anything else should be blocked, and the web server IP (11.11.11.11) should be NATed when data is being sent "outside".

Hello,

does the web server have to be on the NAT inside or the NAT outside?

Hello,

the easiest way to make this work is to add the lines marked with --> below (I temporarily removed access list 101 from the interface connected to the web server so I could test ICMP/Ping connectivity):

Router#sh run
Building configuration...

Current configuration : 1605 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip cef
no ipv6 cef
!
interface GigabitEthernet0/0
 ip address 11.11.11.12 255.255.255.0
 --> no ip access-group 101 out
 ip nat inside
 duplex auto
 speed auto
!
interface GigabitEthernet1/0
 ip address 10.0.1.98 255.255.255.252
 ip nat outside
!
interface GigabitEthernet2/0
 ip address 10.0.1.106 255.255.255.252
 ip nat outside
!
interface GigabitEthernet3/0
 ip address 10.0.1.102 255.255.255.252
 ip nat outside
!
interface GigabitEthernet4/0
 no ip address
 shutdown
!
--> ip nat pool OUTSIDE_POOL 10.0.0.100 10.0.0.200 netmask 255.255.255.0
ip nat inside source static 11.11.11.11 10.0.1.98
ip nat inside source static 11.11.11.11 10.0.1.106
ip nat inside source static 11.11.11.11 10.0.1.102
--> ip nat outside source list 1 pool OUTSIDE_POOL
ip classless
ip route 10.0.0.0 255.255.255.192 10.0.1.97
ip route 10.0.0.64 255.255.255.192 10.0.1.97
ip route 10.0.0.128 255.255.255.192 10.0.1.105
ip route 10.0.0.192 255.255.255.192 10.0.1.105
ip route 10.0.1.0 255.255.255.192 10.0.1.101
ip route 10.0.1.64 255.255.255.224 10.0.1.101
ip route 0.0.0.0 0.0.0.0 10.0.1.97
ip route 0.0.0.0 0.0.0.0 10.0.1.101
ip route 0.0.0.0 0.0.0.0 10.0.1.105
!
ip flow-export version 9
!
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit ip 11.11.11.0 0.0.0.255 any
--> access-list 1 permit 10.0.0.0 0.255.255.255
!
no cdp run
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end
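Before applying the `ip nat outside source` suggestion above, one check a practitioner would run is whether the pool's address space collides with prefixes the router already routes statically. The reason is the IOS order of operations: for traffic going inside to outside the router routes the packet first and translates the destination (outside local back to outside global) afterwards, so the server's reply to a pool address is forwarded according to whatever route matches that pool address; the `add-route` keyword on `ip nat outside source` exists precisely to install those routes. In the config above the pool 10.0.0.100 to 10.0.0.200 lies inside 10.0.0.64/26, 10.0.0.128/26 and 10.0.0.192/26, which are already routed to 10.0.1.97 or 10.0.1.105, so a reply to a pool address goes to whichever of those next hops the static route names, regardless of which outside interface the client actually came in on. The script below is an added example, not part of the reply or of any Cisco tool; the function names are mine, and the input is a constructed subset of the reply's route and pool lines (two of the three default routes are dropped for brevity). It reports the overlapping prefixes and shows the next hop a reply to a given pool address would take. A forensic side effect worth keeping in mind with outside-source NAT: the web server's own logs then record pool addresses rather than client addresses, so the router's translation table becomes the only record of which client did what.

```python
import ipaddress
import re

# Constructed sample: route and pool lines taken from the suggested config
# above (not the whole config; only one of the three default routes kept).
CONFIG = """\
ip nat pool OUTSIDE_POOL 10.0.0.100 10.0.0.200 netmask 255.255.255.0
ip route 10.0.0.0 255.255.255.192 10.0.1.97
ip route 10.0.0.64 255.255.255.192 10.0.1.97
ip route 10.0.0.128 255.255.255.192 10.0.1.105
ip route 10.0.0.192 255.255.255.192 10.0.1.105
ip route 10.0.1.0 255.255.255.192 10.0.1.101
ip route 10.0.1.64 255.255.255.224 10.0.1.101
ip route 0.0.0.0 0.0.0.0 10.0.1.97
"""

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")
POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")


def parse_routes(text):
    """Static routes as (IPv4Network, next_hop) pairs; masks are given dotted-quad in IOS."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, m.group(3)))
    return routes


def parse_pools(text):
    """NAT pools as name -> list of CIDR blocks covering the first..last range."""
    pools = {}
    for line in text.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            name, first, last, _mask = m.groups()
            pools[name] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return pools


def pool_route_overlaps(text, ignore_default=True):
    """For each pool, the static-route prefixes whose address space it overlaps.
    The default route is skipped by default since it overlaps everything."""
    routes = parse_routes(text)
    result = {}
    for name, blocks in parse_pools(text).items():
        hits = set()
        for net, _nh in routes:
            if ignore_default and net.prefixlen == 0:
                continue
            if any(net.overlaps(b) for b in blocks):
                hits.add(str(net))
        result[name] = sorted(hits)
    return result


def next_hop_for(text, addr):
    """Longest-prefix match over the parsed static routes: (prefix, next_hop), or None.
    This is where a reply to a translated (pool) address would be sent."""
    a = ipaddress.ip_address(addr)
    best = None
    for net, nh in parse_routes(text):
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return (str(best[0]), best[1]) if best else None


if __name__ == "__main__":
    print("pool/route overlaps:", pool_route_overlaps(CONFIG))
    for pool_addr in ("10.0.0.120", "10.0.0.150", "10.0.0.200"):
        print(pool_addr, "-> reply routed via", next_hop_for(CONFIG, pool_addr))
```

A clean result from `pool_route_overlaps` (only the default route matching) together with `add-route` on the `ip nat outside source` line is the condition under which replies to translated clients are guaranteed a correct route; anything else is worth fixing before the symptom is debugged further.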

From what I understand, I should be able to use the IP address of whatever router port the VLANs are attached to and reach the web server. Which way that is for NAT I don't know, as I wouldn't be asking if I could get it to work.

Hello,

I am not sure I am following.

Either way, did you add the commands I put in the config above? That should enable all hosts, from all Vlans, to access the web server...

Yes I did, and it didn't work. I even removed all the static NAT translations and the same problem still persists.

Hello,

attached is the file that allows PING to the webserver from anywhere... (saved in PT version 8.1, the latest I guess).

Ah, you misunderstood me; I wasn't clear enough. Nobody should be able to ping the webserver, BUT everybody should be able to reach the web page on the web server via the browser. Which VLAN 10 can do, while VLAN 20 can't.

Hello,

which web page? I can reach the page below from anywhere...