03-03-2009 04:58 PM - edited 03-06-2019 04:22 AM
We have a test environment that is a duplicate of our production environment. The test
and production environments both have hosts on two different subnets (172.16.12.0/24 and
172.16.22.0/24). We want to be able to access the test environment from the production
environment via natted addresses. It's not possible to change the actual IP addresses
of the hosts in the test environment in this case.
So from a workstation on the corporate LAN (172.16.40.0/24) we want to be able to access
Production server A on (172.16.22.50), and (identical) Test server A on say 172.26.22.50
which NAT translates back to 172.16.22.50 in the test environment.
Currently the test environment is built on a free-standing 3750 layer3 IOS switch using
EIGRP routing between subnets (on the same switch).
The production environment lives on a 6509 core also running layer3 IOS with EIGRP
between subnets.
Ideally we'd like to connect the 3750G (Test) switch to the production (6509) switch and
use EIGRP to route between them.
Any ideas or suggestions would be most welcome. We're open to dedicating a router to
this if necessary but it would be ideal to do this in layer3.
03-03-2009 05:03 PM
You're going to have a problem with this because with Cisco switches only the 6500 supports NAT. What you need is for a device that connects to the 6500 to be able to advertise 172.26.22.0 and then NAT it to the real IP of 172.16.22.x in the test lab.
Do you have a spare router or PIX/ASA handy?
Jon
03-03-2009 05:21 PM
I have a 2851 WAN router with an unused GigE interface that is already in the same EIGRP group as the 6500. Would that work? We're going to be freeing up a couple of 2621's soon.
03-03-2009 05:36 PM
Anything that can sit between the 6500 and the 3750 switches will work.
How many addresses are you wanting to present to the production network? These will be static NATs so that the router knows which one goes with which, i.e. if a packet arrives at the router from production with an address of 172.26.22.10, the router needs to know which 172.16.22.x address you want it translated to.
The general idea would be -
6500 -> fa0/0 (2600) fa0/1 - 3750
On the 2600:
int fa0/0
 ip nat outside
int fa0/1
 ip nat inside
!
ip nat inside source static 172.16.22.10 172.26.22.10
ip nat inside source static 172.16.22.11 172.26.22.11
etc. for all 172.16.22.x addresses you want to present to production.
As for routing, if all production lives on the 6500 you may be better off just using a static route on the 6500, i.e.
ip route 172.26.22.0 255.255.255.0 <2600 fa0/0 IP address>
And you would need route(s) on the 2600 pointing back to the 6500 for all the production VLANs that are allowed to connect to the test network.
Note that if you want to be able to connect to a test address from a 172.16.22.x address in production you will have to do source NAT on the production addresses as well, but you didn't specify this as a requirement.
You probably don't want to use EIGRP or any dynamic routing protocol because you will have to filter routes, i.e. you cannot have the 2600 receiving routes for 172.16.22.x from both the 6500 and the 3750.
Plus just using statics is a bit more secure and protects against someone making an error. Last thing you want is for all traffic to 172.16.22.x suddenly going to your test lab!
Jon
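Added example, not code from the thread or from Cisco: Python that generates the static NAT and static route lines for the plan in the reply above, and refuses a plain return route for any production subnet that also exists in the test lab (the case the reply says needs source NAT). The function names and the link addresses 192.0.2.1 and 192.0.2.2 are assumptions; the subnets are the ones given in the thread.

```python
import ipaddress

def nat_statements(real_hosts, real_net, alias_net):
    """One static NAT line per test host, keeping the host offset in alias_net."""
    real_net, alias_net = ipaddress.ip_network(real_net), ipaddress.ip_network(alias_net)
    if real_net.prefixlen != alias_net.prefixlen:
        raise ValueError("real and alias networks must be the same size")
    lines = []
    for host in real_hosts:
        ip = ipaddress.ip_address(host)
        if ip not in real_net:
            raise ValueError(f"{ip} is not in {real_net}")
        alias = alias_net.network_address + (int(ip) - int(real_net.network_address))
        lines.append(f"ip nat inside source static {ip} {alias}")
    return lines

def alias_conflicts(alias_net, production_nets):
    """Production subnets the alias range would collide with (should be empty)."""
    alias_net = ipaddress.ip_network(alias_net)
    return [n for n in production_nets if alias_net.overlaps(ipaddress.ip_network(n))]

def core_route(alias_net, nat_router_ip):
    """Static route for the 6500: alias range via the NAT router's outside address."""
    net = ipaddress.ip_network(alias_net)
    return f"ip route {net.network_address} {net.netmask} {nat_router_ip}"

def return_routes(allowed_prod_nets, test_nets, core_ip):
    """Routes on the NAT router back to production, refusing duplicated prefixes."""
    test = [ipaddress.ip_network(t) for t in test_nets]
    routes = []
    for p in map(ipaddress.ip_network, allowed_prod_nets):
        if any(p.overlaps(t) for t in test):
            raise ValueError(f"{p} also exists in the test lab: source NAT it, do not route it")
        routes.append(f"ip route {p.network_address} {p.netmask} {core_ip}")
    return routes

if __name__ == "__main__":
    TEST_NETS = ["172.16.12.0/24", "172.16.22.0/24"]   # from the thread
    PROD_NETS = TEST_NETS + ["172.16.40.0/24"]          # from the thread
    OUTSIDE_IP, CORE_IP = "192.0.2.2", "192.0.2.1"      # constructed link addresses
    assert not alias_conflicts("172.26.22.0/24", PROD_NETS)
    print("\n".join(nat_statements(["172.16.22.10", "172.16.22.11"], "172.16.22.0/24", "172.26.22.0/24")))
    print(core_route("172.26.22.0/24", OUTSIDE_IP))
    print("\n".join(return_routes(["172.16.40.0/24"], TEST_NETS, CORE_IP)))
```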
03-04-2009 01:16 PM
Thanks Jon. I will try this and let you know how it goes. Great suggestion on the use of static routing for this -- sounds much safer!
03-04-2009 01:41 PM
Scott
No problem. Be interested to hear how you get on.
Jon