IP NAT

Bob Greer
Level 4

Hi there,

Thanks for reading.

I have a vlan which I need to make available to remote users.  It's a small location with a switch behind a router.  The router has a /24 vlan int defined which we're natting to the Internet Fa1.  Here's (what I think are) the important details:

RT1

interface FastEthernet1
 description INTERNET
 no ip dhcp client request static-route
 no ip dhcp client request router
 ip address 192.168.0.2 255.255.255.0
 ip access-group 198 in
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto

interface Vlan1
 description LAN
 ip address 10.25.2.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452

ip nat inside source static tcp 10.25.2.254 23 interface FastEthernet1 23
ip nat inside source route-map NONAT interface FastEthernet1 overload

route-map NONAT permit 10
 match ip address 110

access-list 110 deny   ip 10.25.2.0 0.0.0.255 192.44.44.0 0.0.0.255
access-list 110 deny   ip 10.25.2.0 0.0.0.255 10.1.50.0 0.0.0.255
access-list 110 deny   ip 10.25.2.0 0.0.0.255 10.1.11.0 0.0.0.255
access-list 110 deny   ip host 10.25.255.29 host A.B.C.135
access-list 110 deny   ip host 10.25.255.29 host A.B.C.136
access-list 110 permit ip any any

The router can ping the 10.25.x.x range but local VPN Tunnel interfaces cannot.  The Tunnels are how the remote site is connected to the central network.

show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.25.2.100           133   78e3.b5f6.3c22  ARPA   Vlan1
Internet  10.25.2.253            15   649e.f31c.42e2  ARPA   Vlan1
Internet  10.25.2.254             -   0016.c7bf.f5ce  ARPA   Vlan1
Internet  192.168.0.1            10   c03f.0ecb.43c0  ARPA   FastEthernet1
Internet  192.168.0.2             -   0016.c7bf.f5cf  ARPA   FastEthernet1

!
router eigrp 100
 passive-interface FastEthernet1
 ! This covers one of the Tunnel /30 networks
 network 10.3.144.80 0.0.0.3
 ! This covers the other Tunnel /30 network
 network 10.3.208.80 0.0.0.3
 network 10.3.128.0 0.0.127.255
 network 10.25.2.0 0.0.0.255
 no auto-summary
 eigrp stub connected summary

This looks wrong to me: shouldn't the inside global be a routable address?

rtuk401#show ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
tcp 192.168.0.2:23        10.25.2.254:23        ---                   ---
udp 192.168.0.2:500       192.168.0.2:500       91.212.206.135:500    91.212.206.135:500
udp 192.168.0.2:500       192.168.0.2:500       91.212.206.136:500    91.212.206.136:500
udp 192.168.0.2:4500      192.168.0.2:4500      91.212.206.135:4500   91.212.206.135:4500
udp 192.168.0.2:4500      192.168.0.2:4500      91.212.206.136:4500   91.212.206.136:4500

Thanks in advance!

4 Replies

Sam Smiley
Level 3

Hi Bob,
There are a number of things that are missing from the equation; sharing the configs for the router and switch would help a lot. If you would feel better e-mailing them to me that would be fine. You didn't go into a lot of detail as to what type of VPN (IPSEC, AnyConnect, DMVPN, etc.) the users connect with. I can only assume that the VPN terminates on the router. It looks as though you have several interfaces/VLANs that terminate on this router.

Share your configs and I'll see if I can help.

Cheers,
Sam

Hi Sam,

Thanks for writing.  Here's the config.  Let me know if I removed just the wrong info.

Hi Bob,

When something like this happens it is generally a route or an access list issue. I would like to see a show ip route instance from all VPN endpoints. If the routes are built correctly you should be able to ping each endpoint from the router. If you are able to ping/trace to each endpoint and the subnets behind the endpoints the routing is correct.

The next step is the access list; your NAT access list seems to have an error:

access-list 110 deny   ip 10.25.2.0 0.0.0.255 192.44.44.0 0.0.0.255

This is removing NAT to a public address; I would like to see a NAT list with a broader scope to see if it solves the problem, something like this:

access-list 110 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 110 deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 110 permit ip any any

This is a very broad access-list for your NAT process; if this works there is an issue with your access list. It is difficult to decipher not knowing the routes to the remote sites; I can only assume that 10.1.50.0/24 and 10.1.11.0/24 are your endpoints.

Finally, the problem could also be on the far endpoint in the routing or access-list; you don't provide any information on the remote locations. However, they too will have to have routes and access lists that would allow traffic back to this endpoint.

Regards,
Sam
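The route-map NONAT logic Sam is describing can be checked offline before touching the router: in a NAT route-map, a `permit` match means the flow is translated and a `deny` (or the implicit deny at the end) means it is exempt and leaves with its inside-local address. The following added example is not code from the thread or from Cisco; it parses the two access lists quoted above (the two redacted `host A.B.C.x` entries from the original list are left out because the real addresses are not on the page), evaluates a handful of constructed flows against each, and reports whether each flow would be translated or exempt. The sample flows and the `compare()` helper are assumptions made for illustration. It also shows the side effect Sam points at: the `192.44.44.0/24` entry exempts a public destination from NAT, while the broader list exempts every 10/8 and 192.168/16 destination (including the tunnel /30s) and translates everything else.

```python
"""Evaluate Cisco-style NAT route-map access lists against sample flows.

Constructed example: the ACL text is copied from the thread (minus the redacted
'host A.B.C.x' entries); the sample flows are made up for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src_net: int  # source match address as an int
    src_wc: int   # wildcard mask: set bits are "don't care"
    dst_net: int
    dst_wc: int

    def matches(self, src: int, dst: int) -> bool:
        # A wildcard bit of 1 is ignored, so compare under its complement.
        src_care = ALL_ONES ^ self.src_wc
        dst_care = ALL_ONES ^ self.dst_wc
        return ((src & src_care) == (self.src_net & src_care)
                and (dst & dst_care) == (self.dst_net & dst_care))


def _parse_operand(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one address operand at tokens[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D W.X.Y.Z'. Returns (address, wildcard, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return 0, ALL_ONES, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tok))
    wc = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wc, i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny ip <src> <dst>' lines; skip others."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        src_net, src_wc, i = _parse_operand(tokens, 4)
        dst_net, dst_wc, _ = _parse_operand(tokens, i)
        aces.append(Ace(tokens[2], src_net, src_wc, dst_net, dst_wc))
    return aces


def nat_decision(aces: List[Ace], src: str, dst: str) -> str:
    """First-match evaluation. Under a NAT route-map, 'permit' means the flow
    is translated and 'deny' (including the implicit deny) means it is exempt."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if ace.matches(s, d):
            return "translated" if ace.action == "permit" else "exempt"
    return "exempt"  # implicit deny at the end of every ACL: no NAT


ORIGINAL_ACL = """
access-list 110 deny   ip 10.25.2.0 0.0.0.255 192.44.44.0 0.0.0.255
access-list 110 deny   ip 10.25.2.0 0.0.0.255 10.1.50.0 0.0.0.255
access-list 110 deny   ip 10.25.2.0 0.0.0.255 10.1.11.0 0.0.0.255
access-list 110 permit ip any any
"""

BROAD_ACL = """
access-list 110 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 110 deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 110 permit ip any any
"""

# Constructed flows: a LAN host talking to a listed remote subnet, to an
# unlisted 10/8 subnet, to a tunnel /30 address, to the 192.44.44.0/24
# entry, and to a documentation-range Internet address.
SAMPLE_FLOWS = [
    ("10.25.2.100", "10.1.50.10"),
    ("10.25.2.100", "10.1.99.10"),
    ("10.25.2.100", "10.3.144.81"),
    ("10.25.2.100", "192.44.44.5"),
    ("10.25.2.100", "198.51.100.7"),
]


def compare(flows=SAMPLE_FLOWS):
    """Map each flow to (decision under ORIGINAL_ACL, decision under BROAD_ACL)."""
    orig, broad = parse_acl(ORIGINAL_ACL), parse_acl(BROAD_ACL)
    return {f: (nat_decision(orig, *f), nat_decision(broad, *f)) for f in flows}


if __name__ == "__main__":
    for (src, dst), (o, b) in compare().items():
        print(f"{src} -> {dst}: original={o:10s} broad={b}")
```

Running it shows that traffic to 10.1.99.10 or to the tunnel address 10.3.144.81 is translated under the original list (only the three listed destinations are exempt) but exempt under the broad one, which is exactly the difference Sam wants to observe; if the broad list fixes the VPN traffic, the fix is a missing deny entry rather than routing.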

Hi Sam,

Thanks for your feedback.  I'm stuck right now without remote-hands help.  There had been a device powered up getting a VLAN1 IP address but no more.  They're in a different time zone too (8 hour difference).  So I'm unable to continue until next week (damitol).

Thanks again for your detailed response!

Bob