NAT configuration in WAN prevents correct routing between VLANS

Mike Mas
Level 1

Hi all,

I'm configuring a Cisco 800 series router and I'm now fighting with NAT, but I'm stuck with a couple of issues.
The router is configured with 2 VLANs on fe0 and fe1 and a WAN connection on gi0. I configured NAT for connecting from the
WAN to port 80 of IP 10.15.0.20 in VLAN1 and to port 443 of IP 10.16.0.20 in VLAN2. This is working
correctly, but my NAT configuration prevents systems in VLAN1 from connecting to port 443 of IP 10.16.0.20 in VLAN2 and systems
in VLAN2 from connecting to port 80 of IP 10.15.0.20 in VLAN1. When I remove the NAT static routes, the system
routes the packets to those ports correctly.

Second issue I found is that when gi0 is down any communication between VLANs is not possible.

Any help is appreciated.

Thanks!


This is my configuration:

! Zone-based firewall: ACLs describing the traffic each zone pair may initiate
ip access-list extended INET>VLAN1
 permit tcp any any eq 80
ip access-list extended VLAN1>INET
 permit ip any any
ip access-list extended INET>VLAN2
 permit tcp any any eq 443
ip access-list extended VLAN2>INET
 permit ip any any
ip access-list extended VLAN1>VLAN2
 permit ip any any
ip access-list extended VLAN2>VLAN1
 permit ip any any
!
zone security INET
zone security VLAN1
zone security VLAN2
!
class-map type inspect match-all cm_INET-VLAN1
 match access-group name INET>VLAN1
class-map type inspect match-all cm_VLAN1-INET
 match access-group name VLAN1>INET
class-map type inspect match-all cm_INET-VLAN2
 match access-group name INET>VLAN2
class-map type inspect match-all cm_VLAN2-INET
 match access-group name VLAN2>INET
class-map type inspect match-all cm_VLAN1-VLAN2
 match access-group name VLAN1>VLAN2
class-map type inspect match-all cm_VLAN2-VLAN1
 match access-group name VLAN2>VLAN1
!
! Inspect the permitted traffic, drop everything else in each direction
policy-map type inspect pm_INET-VLAN1
 class type inspect cm_INET-VLAN1
  inspect
 class class-default
  drop
policy-map type inspect pm_VLAN1-INET
 class type inspect cm_VLAN1-INET
  inspect
 class class-default
  drop
policy-map type inspect pm_INET-VLAN2
 class type inspect cm_INET-VLAN2
  inspect
 class class-default
  drop
policy-map type inspect pm_VLAN2-INET
 class type inspect cm_VLAN2-INET
  inspect
 class class-default
  drop
policy-map type inspect pm_VLAN1-VLAN2
 class type inspect cm_VLAN1-VLAN2
  inspect
 class class-default
  drop
policy-map type inspect pm_VLAN2-VLAN1
 class type inspect cm_VLAN2-VLAN1
  inspect
 class class-default
  drop
!
! Zone pairs (each zone pair needs its own unique name)
zone-pair security zp_INET-VLAN1 source INET destination VLAN1
 service-policy type inspect pm_INET-VLAN1
zone-pair security zp_VLAN1-INET source VLAN1 destination INET
 service-policy type inspect pm_VLAN1-INET
zone-pair security zp_INET-VLAN2 source INET destination VLAN2
 service-policy type inspect pm_INET-VLAN2
zone-pair security zp_VLAN2-INET source VLAN2 destination INET
 service-policy type inspect pm_VLAN2-INET
zone-pair security zp_VLAN1-VLAN2 source VLAN1 destination VLAN2
 service-policy type inspect pm_VLAN1-VLAN2
zone-pair security zp_VLAN2-VLAN1 source VLAN2 destination VLAN1
 service-policy type inspect pm_VLAN2-VLAN1
!
! Switch ports: fe0 in VLAN 1 (default), fe1 in VLAN 2
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
! WAN interface (NAT Virtual Interface mode: "ip nat enable" on every interface)
interface GigabitEthernet0
 ip address dhcp
 no ip redirects
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
 zone-member security INET
!
interface Vlan1
 ip address 10.15.0.1 255.255.255.0
 no ip redirects
 ip nat enable
 ip virtual-reassembly in
 zone-member security VLAN1
!
interface Vlan2
 ip address 10.16.0.1 255.255.255.0
 ip nat enable
 zone-member security VLAN2
!
! Static port forwards (NVI syntax, no inside/outside keyword) and outbound PAT
ip nat source static tcp 10.15.0.20 80 interface GigabitEthernet0 80
ip nat source static tcp 10.16.0.20 443 interface GigabitEthernet0 443
ip nat source route-map Pat1-rmap interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 dhcp
!
ip access-list extended Pat1-acclist
 permit ip 10.15.0.0 0.0.0.255 any
 permit ip 10.16.0.0 0.0.0.255 any
!
route-map Pat1-rmap permit 10
 match ip address Pat1-acclist
 set interface GigabitEthernet0
!

Accepted Solution

Jon Marshall
Hall of Fame

Mike

This may not be possible but what if you replace the "ip nat enable" with "ip nat inside" and "ip nat outside" statements and then update your NAT statements to add the "inside" keyword.

I am not promising it will work but I think it may be because you are using the enable version that traffic between your internal vlans is also getting caught with the NAT.

Alternatively you could use a route-map with your static NAT statements and exempt traffic between the vlans but again because I have not used the enable version can't promise whether it will make a difference or not.

So the above are just suggestions not definite solutions but thought they may help.

Jon
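The change Jon describes, written out as a complete example configuration. This is an added illustration, not Jon's or Mike's configuration and not tested on the poster's router; it assumes the addresses, interface names and the Pat1-acclist / Pat1-rmap names from Mike's post, and the WAN address in the verification output is a placeholder. The NVI-style lines ("ip nat enable" on the interfaces and the "ip nat source ..." entries) must be removed before these are entered, since the two NAT modes cannot be mixed on the same interfaces.

```cisco
! Added example: classic NAT domains instead of NAT Virtual Interface mode.
! Translation now happens only when a packet crosses from an "inside" to an
! "outside" interface, so VLAN1 <-> VLAN2 traffic is never translated and no
! longer depends on the GigabitEthernet0 translation entries.
interface GigabitEthernet0
 ip address dhcp
 no ip redirects
 ip nat outside
 ip virtual-reassembly in
 zone-member security INET
!
interface Vlan1
 ip address 10.15.0.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
 zone-member security VLAN1
!
interface Vlan2
 ip address 10.16.0.1 255.255.255.0
 ip nat inside
 zone-member security VLAN2
!
! Static port forwards rewritten with the "inside" keyword. Only these two
! ports are reachable from the WAN; the zone-based firewall still limits the
! INET->VLAN1 and INET->VLAN2 zone pairs to tcp/80 and tcp/443 respectively.
ip nat inside source static tcp 10.15.0.20 80 interface GigabitEthernet0 80
ip nat inside source static tcp 10.16.0.20 443 interface GigabitEthernet0 443
!
! Outbound PAT. The deny entries mirror Jon's second suggestion: a packet that
! matches a deny line in a NAT ACL is simply not translated. With classic
! inside/outside domains inter-VLAN traffic never reaches NAT anyway, so these
! lines are a safeguard rather than a requirement.
ip access-list extended Pat1-acclist
 deny   ip 10.15.0.0 0.0.0.255 10.16.0.0 0.0.0.255
 deny   ip 10.16.0.0 0.0.0.255 10.15.0.0 0.0.0.255
 permit ip 10.15.0.0 0.0.0.255 any
 permit ip 10.16.0.0 0.0.0.255 any
!
route-map Pat1-rmap permit 10
 match ip address Pat1-acclist
!
ip nat inside source route-map Pat1-rmap interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 dhcp
!
! Verification. The output below is constructed to show the expected shape,
! not captured from a device; <wan-ip> stands for the DHCP-assigned address.
! Router# show ip nat translations
! Pro Inside global      Inside local       Outside local      Outside global
! tcp <wan-ip>:80        10.15.0.20:80      ---                ---
! tcp <wan-ip>:443       10.16.0.20:443     ---                ---
```

After the change, a connection from a VLAN1 host to 10.16.0.20:443 should show up as an inspect session on the VLAN1->VLAN2 zone pair ("show policy-map type inspect zone-pair sessions") and should not create any entry in "show ip nat translations"; if a translation does appear for that flow, an interface still carries "ip nat enable" or the NVI static entries were not removed. The zone-pair policies between VLAN1 and VLAN2 remain the only control on that traffic, so the NAT change neither opens nor closes anything between the VLANs.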

Hi Jon,

It worked with "ip nat inside" and "ip nat outside". Thanks for your help!

Mike.