Static NAT one vlan can reach webserver while the other can't.

Bobber (Level 1)

So I always had a hard time understanding NAT, but this is weird. The way I imagine it, there shouldn't be any difference in which VLAN I try to connect from, but the "Public" VLAN 10 successfully reaches the web server, while the "Admin" VLAN 20 does not. Any help?

Building configuration...

Current configuration : 1473 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 11.11.11.12 255.255.255.0
 ip access-group 101 out
 ip nat inside
 duplex auto
 speed auto
!
interface GigabitEthernet1/0
 ip address 10.0.1.98 255.255.255.252
 ip nat outside
!
interface GigabitEthernet2/0
 ip address 10.0.1.106 255.255.255.252
 ip nat outside
!
interface GigabitEthernet3/0
 ip address 10.0.1.102 255.255.255.252
 ip nat outside
!
interface GigabitEthernet4/0
 no ip address
 shutdown
!
ip nat inside source static 11.11.11.11 10.0.1.98 
ip nat inside source static 11.11.11.11 10.0.1.106 
ip nat inside source static 11.11.11.11 10.0.1.102 
ip classless
ip route 10.0.0.0 255.255.255.192 10.0.1.97 
ip route 10.0.0.64 255.255.255.192 10.0.1.97 
ip route 10.0.0.128 255.255.255.192 10.0.1.105 
ip route 10.0.0.192 255.255.255.192 10.0.1.105 
ip route 10.0.1.0 255.255.255.192 10.0.1.101 
ip route 10.0.1.64 255.255.255.224 10.0.1.101 
ip route 0.0.0.0 0.0.0.0 10.0.1.97 
ip route 0.0.0.0 0.0.0.0 10.0.1.101 
ip route 0.0.0.0 0.0.0.0 10.0.1.105 
!
ip flow-export version 9
!
!
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit ip 11.11.11.0 0.0.0.255 any
!
no cdp run
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

Do ignore this line: access-list 101 permit ip 11.11.11.0 0.0.0.255 any. I was trying out random ideas.

Pro  Inside global     Inside local       Outside local      Outside global
---  10.0.1.102        11.11.11.11        ---                ---
---  10.0.1.106        11.11.11.11        ---                ---
---  10.0.1.98         11.11.11.11        ---                ---
tcp 10.0.1.102:443     11.11.11.11:443    10.0.1.62:1027     10.0.1.62:1027
tcp 10.0.1.102:443     11.11.11.11:443    10.0.1.65:1029     10.0.1.65:1029
tcp 10.0.1.102:443     11.11.11.11:443    10.0.1.65:1031     10.0.1.65:1031
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.62:1025     10.0.1.62:1025
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.62:1026     10.0.1.62:1026
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.65:1025     10.0.1.65:1025
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.65:1026     10.0.1.65:1026
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.65:1027     10.0.1.65:1027
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.65:1028     10.0.1.65:1028
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.65:1032     10.0.1.65:1032
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.65:1035     10.0.1.65:1035
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.97:1025     10.0.1.97:1025
tcp 10.0.1.102:80      11.11.11.11:80     10.0.1.97:1026     10.0.1.97:1026
tcp 10.0.1.106:443     11.11.11.11:443    10.0.0.215:1031    10.0.0.215:1031
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1026    10.0.0.215:1026
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1027    10.0.0.215:1027
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1029    10.0.0.215:1029
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1030    10.0.0.215:1030
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1032    10.0.0.215:1032
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1033    10.0.0.215:1033
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1034    10.0.0.215:1034
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1035    10.0.0.215:1035
tcp 10.0.1.106:80      11.11.11.11:80     10.0.0.215:1036    10.0.0.215:1036
tcp 10.0.1.98:80       11.11.11.11:80     10.0.1.97:1027     10.0.1.97:1027
tcp 10.0.1.98:80       11.11.11.11:80     10.0.1.97:1028     10.0.1.97:1028
tcp 10.0.1.98:80       11.11.11.11:80     10.0.1.97:1029     10.0.1.97:1029
tcp 10.0.1.98:80       11.11.11.11:80     10.0.1.97:1030     10.0.1.97:1030
20 Replies

Can you reach it even with the PCs whose names start with "A" instead of "V"?

Hello,

on the Ryla router, remove the access list. The access list is wrong because it specifies the wrong network.

interface GigabitEthernet2/0.20
encapsulation dot1Q 20
ip address 10.0.0.254 255.255.255.192
--> no ip access-group 101 out

Why? It does what it's supposed to do at first glance.

Hello,

does this access list:

access-list 101 permit icmp any any echo-reply
access-list 101 permit ip 10.0.1.64 0.0.0.31 any
access-list 101 permit ip 10.0.0.64 0.0.0.63 any

match this interface?

interface GigabitEthernet2/0.20
encapsulation dot1Q 20
ip address 10.0.0.254 255.255.255.192
ip access-group 101 out
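A small Cisco-style wildcard ACL evaluator, added here as an illustration and not part of the thread or of any router's output. It takes ACL 101 exactly as quoted from the Ryla router above and evaluates the return packet that the NAT table shows for the VLAN 20 host (inside global 10.0.1.106:80 answering 10.0.0.215:1026); the 10.0.0.70 source is a constructed address, the VLAN 20 subnet is taken from the subinterface address, and the model ignores ports and the established keyword.

```python
import ipaddress

# Subnet behind Gi2/0.20 on the Ryla router: "ip address 10.0.0.254 255.255.255.192"
VLAN20_SUBNET = ipaddress.ip_network("10.0.0.192/26")

# ACL 101 as quoted from the Ryla router: (action, protocol, src, src_wildcard, dst, dst_wildcard).
# "ip" matches every protocol; "icmp/echo-reply" stands for "icmp ... echo-reply".
RYLA_ACL_101 = [
    ("permit", "icmp/echo-reply", "0.0.0.0",   "255.255.255.255", "0.0.0.0", "255.255.255.255"),
    ("permit", "ip",              "10.0.1.64", "0.0.0.31",        "0.0.0.0", "255.255.255.255"),
    ("permit", "ip",              "10.0.0.64", "0.0.0.63",        "0.0.0.0", "255.255.255.255"),
]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: 0 bits in the mask must match, 1 bits are ignored."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)


def evaluate(acl, proto, src, dst):
    """First-match evaluation. Returns (action, entry_index); index None means the implicit deny."""
    for idx, (action, ace_proto, s, sw, d, dw) in enumerate(acl):
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, idx
    return "deny", None


def in_vlan20(addr):
    """True when the address belongs to the VLAN 20 subnet served by Gi2/0.20."""
    return ipaddress.ip_address(addr) in VLAN20_SUBNET


if __name__ == "__main__":
    # Return packet taken from the NAT table in the question: the web server's inside global
    # 10.0.1.106:80 answering VLAN 20 host 10.0.0.215. On Ryla it leaves Gi2/0.20 outbound,
    # which is where "ip access-group 101 out" is evaluated.
    flows = [
        ("tcp", "10.0.1.106", "10.0.0.215"),              # HTTP reply to the VLAN 20 host
        ("icmp/echo-reply", "10.0.1.106", "10.0.0.215"),  # ping reply to the same host
        ("tcp", "10.0.0.70", "10.0.0.215"),               # constructed: a source inside 10.0.0.64/26
    ]
    for proto, src, dst in flows:
        action, idx = evaluate(RYLA_ACL_101, proto, src, dst)
        where = "implicit deny" if idx is None else f"entry {idx + 1}"
        print(f"{proto:16} {src:>11} -> {dst:<11} {action} ({where})")
```

Neither permitted source range (10.0.1.64-10.0.1.95 and 10.0.0.64-10.0.0.127) contains the NAT router's 10.0.1.106, so the HTTP reply hits the implicit deny while a ping reply is still permitted by the first entry, which matches the symptom of VLAN 20 hosts being unable to load the web page.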

Hello
Your topology shows you are using static routing with multiple default routes on the NAT rtr pointing to the other 3 rtrs. I assume they are doing the same, but are they performing NAT also?


As that web server is on the "hidden" network (gig0/0), you really only require 1 static NAT statement, and all the other networks just need to be able to reach the inside global address of the web server, whichever you choose it to be.

Remove all your default static routes and then test your routing, i.e. from either remote network test to see if you can reach the NAT rtr's public-facing interfaces; if you can, then a simple single NAT statement on that NAT rtr should work for all other networks to reach it.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

1. Yes, the other 3 routers are also performing NAT (PAT) for VLAN10. VLAN20 has no NAT.

2. I removed all static NAT translations and tried reaching the web server IP address directly, and I still get the same problem. VLAN10 can still reach the web server while anything from VLAN20 can't.

RSKU router run config:

Building configuration...

Current configuration : 1255 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 11.11.11.12 255.255.255.0
 ip access-group 101 out
 duplex auto
 speed auto
!
interface GigabitEthernet1/0
 ip address 10.0.1.98 255.255.255.252
!
interface GigabitEthernet2/0
 ip address 10.0.1.106 255.255.255.252
!
interface GigabitEthernet3/0
 ip address 10.0.1.102 255.255.255.252
!
interface GigabitEthernet4/0
 no ip address
 shutdown
!
ip classless
ip route 10.0.0.0 255.255.255.192 10.0.1.97 
ip route 10.0.0.64 255.255.255.192 10.0.1.97 
ip route 10.0.0.128 255.255.255.192 10.0.1.105 
ip route 10.0.0.192 255.255.255.192 10.0.1.105 
ip route 10.0.1.0 255.255.255.192 10.0.1.101 
ip route 10.0.1.64 255.255.255.224 10.0.1.101 
ip route 0.0.0.0 0.0.0.0 10.0.1.97 
ip route 0.0.0.0 0.0.0.0 10.0.1.101 
ip route 0.0.0.0 0.0.0.0 10.0.1.105 
!
ip flow-export version 9
!
!
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit ip 11.11.11.0 0.0.0.255 any
!
no cdp run
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end