ciscogeruta
Beginner

Does NAT work with a different subnet than what is directly connected?

I would assume that the answer is yes, but I'm having some trouble with a test environment that I set up.

 

Attached is a picture of what I currently have set up.

 

I have a basic home network connection where the wireless router is set up as 192.168.1.1/24. All devices in the 192.168.1.0/24 network can ping Google's DNS server (8.8.8.8) no problem. I also have a router connected with an IP address of 192.168.1.12 on one end and a 10.10.10.1/24 network on the other end. Both the wireless router at 192.168.1.1 and the router at 192.168.1.12 have RIP running and both are seeing each other's networks.

 

But the problem is here: when attempting to reach a network resource on the internet, like Google's DNS server, from the 10.10.10.0/24 network, it fails to go any further.

 

Here's an example of a traceroute from the 192.168.1.12 interface of the router.

1. 192.168.1.1 72 msec 48 msec 28 msec

2. * * *

3. etc, etc, etc. till it hits Google.

10. 8.8.8.8 36 msec 40 msec 16 msec

 

And a traceroute from the 10s side of the network interface looks like this:

 

1. 192.168.1.1 113 msec 28 msec 24 msec

2. * * *

3. * * *

4. * * *

5. * * *

and so on and so forth. Once it hits 192.168.1.1 and that router performs a NAT service, my 10s network can't go any further.

 

So ultimately, I want to know why the router at 192.168.1.1 can perform NAT no problem for any device connected in the 192.168.1.0/24 network, but not any device from the 10.10.10.0/24 network.

 

Thanks in advance.


Jon Marshall
VIP Community Legend

The answer is, with Cisco devices, yes it will work, i.e. NAT does not need to be on a directly connected subnet.

However some home wireless routers etc. will only perform NAT for the directly connected network and you may be facing this issue.

You haven't said where you are doing the NAT and what device the router with the 10.10.10.0/24 subnet is.

If it is a Cisco device then there may be a solution but can you clarify with a few more details.

Jon

The home wireless device that's performing the NAT is a Netgear WNR2000 with no way to alter or view any advanced NAT settings.

 

The router that connects between the 192.168.1.0/24 network and the 10.10.10.0/24 network is a Cisco 2621XM. The PC that sits on the 10s network is just a standard Windows 7 PC.

By the way, I just want to also add that I have in the past successfully configured NAT to run on the Cisco 2621XM router and therefore allow internet connection all the way down to the 10s network. But with this configuration, it prevented me from communicating directly between my 10s network and PCs on my 192.168.1.0/24 network, so I returned to the original configuration.

Sorry I was posting when you added this reply.

So you did what I have suggested but that stopped communication between your 192.168.1.x and 10.10.10.x network?

That makes sense and I should have spotted that :-)

Just modify the ACL, i.e.

access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 permit ip 10.10.10.0 0.0.0.255 any

Jon


Okay, then what you can do is -

a) turn off RIP because you don't need the Netgear to know about the 10.10.10.x network

b) on your 2621XM add this configuration -

int fa0/0 <-- this connects to Netgear

ip nat outside

int fa0/1 <-- this is the interface for the 10.10.10.0/24 subnet

ip nat inside

access-list 101 permit ip 10.10.10.0 0.0.0.255 any

ip nat inside source list 101 interface fa0/0 overload

Don't worry if the interfaces are the other way round in terms of connectivity, just modify the above configuration.

What this will do is NAT all 10.10.10.x IPs to the 192.168.1.x address on the interface connecting to the Netgear.

Because the Netgear knows about that subnet it will be able to then send the return packets from the internet back to the Cisco router.

Jon

Oops, looks like we posted at the same time. Can you please take a look at what I wrote above.

 

 

With NAT on the 2621XM, I can initiate a connection from the 10s to the 192.168.1.0/24 network no problem, but I can't initiate a connection going in the opposite direction (starting from 192.168.1.0/24 and attempting to hit something in the 10s).

Yes we are having a bit of a problem with cross posting :-)

Can you try with the ACL I posted.

If that doesn't work then we can try conditional NAT for the internal subnet communication.

Jon

It looks like that did the trick. But why?

 

This here is the line I didn't try before when setting up NAT initially on the 2621XM.

 

"access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255"

 

 

If I understand the above line correctly, that tells the router to deny any packets from a source of 10.10.10.0/24 to a destination of 192.168.1.0/24. But why would that now allow the two networks, the 192.168.1.0/24 network and the 10.10.10.0/24 network, to start communicating in both directions?

Because you are telling the router not to do NAT for communication between those two subnets.

What you have set up is dynamic NAT from inside to outside. With just the "any" line in the ACL, when a 192.168.1.x PC initiates the connection the router expects to find a NAT translation already set up, but there isn't one, so it doesn't work.

By adding the other line you are in effect telling the router that for that specific traffic there is no need to find a NAT translation and so it works.

Does that make sense?

Jon
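As an added illustration (not from the thread or either poster), the following Python models the ACL match and translation decision of the `ip nat inside source list 101 interface fa0/0 overload` statement above, using the 2621XM's outside address 192.168.1.12 from the thread and two assumed hosts, 192.168.1.50 and 10.10.10.5. It shows why a session started from the 192.168.1.x side only completes once the deny line is present: without it, the 10.10.10.x host's reply is itself translated to 192.168.1.12, so the initiator receives an answer from an address it never contacted.

```python
from ipaddress import ip_address

# Cisco wildcard masks: a 0 bit must match, a 1 bit is "don't care".
ANY = ("0.0.0.0", "255.255.255.255")
OUTSIDE_IP = "192.168.1.12"  # fa0/0 of the 2621XM, from the thread

def wildcard_match(addr, base, wildcard):
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return int(ip_address(addr)) & care == int(ip_address(base)) & care

def acl_action(acl, src, dst):
    """Walk an extended ACL top-down; IOS applies an implicit deny at the end."""
    for action, (sbase, swc), (dbase, dwc) in acl:
        if wildcard_match(src, sbase, swc) and wildcard_match(dst, dbase, dwc):
            return action
    return "deny"

# access-list 101 in both forms from the thread: (action, source, destination).
ACL_ANY_ONLY = [("permit", ("10.10.10.0", "0.0.0.255"), ANY)]
ACL_WITH_DENY = [
    ("deny", ("10.10.10.0", "0.0.0.255"), ("192.168.1.0", "0.0.0.255")),
    ("permit", ("10.10.10.0", "0.0.0.255"), ANY),
]

def inside_to_outside(acl, src, dst):
    """Source address after a packet crosses from 'ip nat inside' to 'ip nat
    outside': rewritten to the outside interface address only when the NAT ACL
    permits the (src, dst) pair; denied or unmatched packets are routed as-is."""
    return OUTSIDE_IP if acl_action(acl, src, dst) == "permit" else src

def reply_source_seen_by_initiator(acl, initiator, target):
    """Session started by a 192.168.1.x host (assumed addresses) towards a
    10.10.10.x host: the request arrives on the outside interface with no
    translation entry to match, so it is routed inward unchanged; the target's
    answer then travels inside->outside and gets the same ACL decision."""
    return inside_to_outside(acl, target, initiator)

def outside_initiated_session_works(acl, initiator, target):
    """The initiator only accepts a reply from the address it contacted."""
    return reply_source_seen_by_initiator(acl, initiator, target) == target

if __name__ == "__main__":
    for name, acl in (("permit any only", ACL_ANY_ONLY), ("with deny line", ACL_WITH_DENY)):
        print(f"{name}: 10.10.10.5->8.8.8.8 leaves as",
              inside_to_outside(acl, "10.10.10.5", "8.8.8.8"))
        print(f"{name}: 192.168.1.50->10.10.10.5 session works:",
              outside_initiated_session_works(acl, "192.168.1.50", "10.10.10.5"))
```

Note that the deny entry only exempts that traffic from translation; a NAT ACL does not filter, so it neither blocks nor permits traffic between the two subnets.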

This is genius! I never thought about scoping the ACL to allow NAT to be performed based upon which flow of traffic is desired.

 

So awesome. Thanks for the help Jon!

No problem, glad you got it working.

Jon

One last thing I want to add. Originally you told me to disable RIP, but by doing so, the PCs on the 192.168.1.x network won't know where to route packets destined for a 10.10.10.x network without having to first manually set a static route on the PCs. Since I didn't want to do static routes, I let RIP stay active.

 

 

Thanks.