Elton,

Can you perhaps post a diagram of your network including the addressing and explain using this exhibit what exactly you are trying to accomplish? It would help a lot. Thanks!

Best regards,

Peter

I will post a diagram tomorrow when I get into work. I have it all laid out in packet tracer. Thanks for your reply.

Sent from Cisco Technical Support iPhone App

Hello,

Please see below for topology and config for my 1841 (Core) router. I have everything else working with NAT and inter-vlan connectivity. Please note this configuration is not totally complete with security polices as I just was labbing it in packet tracer to make sure everything would work the way I wanted.

I have also posted the config of the router. The FTP VLAN and the Guest_VLAN will be accessing the Internet through the same ISP. I want the users on the Guest_VLAN to be able to browse to the public IP address on Interface fa0/0.10 and be able to access the FTP server. Currently this isn't working and the only way they can talk to the FTP server is if they use the private address of the server.

version 12.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

service password-encryption

!

hostname CORE

!

!

!

enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0

!

!

ip dhcp excluded-address 192.168.200.1 192.168.200.5

ip dhcp excluded-address 192.168.0.1 192.168.0.5

!

ip dhcp pool Guest_Network

network 192.168.200.0 255.255.255.0

default-router 192.168.200.1

ip dhcp pool PRODUCTION

network 192.168.0.0 255.255.255.0

default-router 192.168.0.1

!

!

!

username ebabcock password 7 082F45450C1E0A1B145F585C7E

!

!

!

!

!

ip ssh version 2

ip domain-name ffna.plt

!

!

spanning-tree mode pvst

!

!

!

!

interface FastEthernet0/0

no ip address

duplex full

speed 100

!

interface FastEthernet0/0.1

description PRODUCTION_VLAN

encapsulation dot1Q 1 native

ip address 192.168.0.1 255.255.255.0

ip nat inside

!

interface FastEthernet0/0.10

description PUBLIC_TO_ISP

encapsulation dot1Q 10

ip address 10.1.1.2 255.255.255.0

ip nat outside

!

interface FastEthernet0/0.20

description CORP_VLAN

encapsulation dot1Q 20

ip address 167.158.34.50 255.255.254.0

ip nat outside

!

interface FastEthernet0/0.30

description FTP_VLAN

encapsulation dot1Q 30

ip address 192.168.255.249 255.255.255.248

ip nat inside

!

interface FastEthernet0/0.40

description GUEST_VLAN

encapsulation dot1Q 40

ip address 192.168.200.1 255.255.255.0

ip access-group GUEST in

ip nat inside

!

interface FastEthernet0/1

no ip address

duplex full

speed auto

shutdown

!

interface Vlan1

no ip address

shutdown

!

ip nat inside source list FTP_NAT interface FastEthernet0/0.10 overload

ip nat inside source list FTP_NAT_FUJ interface FastEthernet0/0.20 overload

ip nat inside source list GUEST_NAT interface FastEthernet0/0.10 overload

ip nat inside source list PROD_NAT_FUJ interface FastEthernet0/0.20 overload

ip nat inside source static tcp 192.168.255.250 21 10.1.1.2 21

ip nat inside source static tcp 192.168.255.250 20 10.1.1.2 20

ip nat inside source static tcp 192.168.255.250 21 167.158.34.50 21

ip classless

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.10

!

!

ip access-list standard FTP_NAT

permit 192.168.255.248 0.0.0.7

ip access-list standard GUEST_NAT

permit 192.168.200.0 0.0.0.255

ip access-list standard FTP_NAT_FUJ

permit host 192.168.255.250

ip access-list standard PROD_NAT_FUJ

permit host 192.168.0.9

!

banner login ^C

******************************************************************************

*                                                                            *

*                                                                            *

*       This is a private system. Authorized access only!!!                  *

*                                                                            *

*                                                                            *

******************************************************************************

^C

!

!

!

!

line con 0

line vty 0 4

password 7 0822455D0A16

login

transport input ssh

line vty 5 15

password 7 0822455D0A16

login

transport input ssh

!

!

!

end

Hello Elton,

Ideally, your internal VLANs should not talk to the FTP server using its public address. Rather, a DNS server with split views should provide the internal VLANs with the internal IP addresses when they resolve the FTP server's name, and respond to public queries with public IP address.

I believe there is an option of doing this even with NAT, however, I will have to test it. I hope to answer in a few hours.

Best regards,

Peter

Hey Peter,

Thanks for the reply. Ideally yes, I would love to have my internal vlans talk to the server without going out and coming back in. However I don't think this is possible because this FTP server won't have a domain name on public domain name servers. Users would need to use the IP when outside of the network and the domain name inside.

I don't think there is a way to configure DNS to forward one IP address to another is there?

I read about some ways to do this with NAT. I guess its called hairpinning or reflection? I couldn't find much information on it. Your help would be appreciated.

Just wondering if you had a chance to check this out? I have been doing more research but I can't seem to find anything.

Hi Elton,

I'm just in the process of testing a solution. Will update you in approx. 30 minutes or so.

Best regards,

Peter

Elton,

I have devised a NAT solution using Policy Based Routing and loopbacks that seems to be actually working - but suddenly it occured to me that we are probably overcomplicating things.

Does the operating system on the FTP server allow you to define multiple secondary IP addresses on the FTP server's network interface? If yes then I believe we do not need to complicate things with NAT at all. What we need is:

1. Add the IP address 167.158.34.50 as a secondary (or additional) IP address to the FTP server's configuration
2. Configure the core router with a static /32 route for 167.158.34.50 pointing to the next hop 192.168.255.250, i.e. ip route 167.158.34.50 255.255.255.255 192.168.255.250

This way, internal clients (with their traffic going through NAT-inside interfaces) will be able to talk to the FTP server both using its internal and public IP address. The existing static NAT entries are actually not necessary at all in this approach. Of course, the ISP has to be configured so that it forwards packets for 167.158.34.50 towards your 10.1.1.2 but this is probably already configured, otherwise the NAT would not be working anyway.

Do you believe this would be a workable solution? If not, I will post the NAT thing but it is going to be somewhat cumbersome.

Best regards,

Peter

Thanks for your reply. I don't want the users talking to the server via its internal address. At least for what they think. I always want them to be using public IP address whether they are on the inside our outside of the network. This way it doesn't get confusing for them. I am mostly concerned about the Guest and Production subnets. The corp network won't be allowed to talk to the core router through NAT as they have they own Internet connection out via our MPLS network.

I just want users on the Guest and production LANS to be able to type in 10.1.1.2 and be directed directly to the FTP server. I want them to have the LAN speed when they upload and download as if it is on their local network.

I do see what your saying and it does make sense. I do have the ability to add muliple IP addresses to the FTP server. I could add the 10.1.1.2 address to the FTP server as well as its local subnet address.

I am wondering if I add:

ip route 10.1.1.2 255.255.255.255 192.168.255.250

Would I need to add a secondary IP address on the router interface for that VLAN? I'm not sure how the FTP server would talk with the router if it didn't have an address on the subnet to match the server.

Bump, Peter do you have an answer to my last question? I don't think I can put a secondary IP that is in the same subnet as my Internet interface. If I configure the secondary IP on my server will creating the static route to my server via its VLAN interface work?

Hello Elton,

Sorry for responding lately. These days have been busy at my work.

I am somewhat confused with what you are trying to accomplish currently. I thought that the public address of the FTP server is 167.158.34.50. Why are you trying to assign the FTP server the address that is used on your core router? You were talking about making your FTP server reachable under the public address - well, the 10.1.1.2 is certainly not a public address.

I guess I am misunderstanding you somewhere. Can you elaborate more on this please? Thank you!

Best regards,

Peter