02-16-2015 08:10 PM - edited 03-07-2019 10:41 PM
Hello,
I am new to this forum (officially) but have used it several times for much needed help.
My question is regarding NAT and I'll try to make this as brief as I know how.
I have a Cisco 2821 router that has G0/0 as my outside NAT to a private 192.168 network. My G0/1 is my NAT inside, also a private network of 10.
My 192.168 network resides on a Modem which also does WiFi. I'm not overly impressed with the modem due to its lack of configurability.
Devices on the 192.168 network cannot ping anything on my 10 network due to my NAT statements.
Is it possible to configure my G0/0 interface to allow traffic from both of these networks to go in and out? Specifically to my server which lies on the 10 network. If so, how does this work considering you can only have one statement on the interface (nat inside or outside)?
Any help would be great.
Mark
02-16-2015 08:25 PM
Hi,
From your explanation you are using 192.168 network on one interface and 10 network on the other interface. Both networks are private IP networks; if this is correct then you don't need NAT.
HTH
02-17-2015 08:35 AM
So that's what I had thought; however, my G0/1 has 5 subnets which is then trunked to a switch. All the subnets are IP'd correctly but were never able to ping any device on the 192.168 network other than the modem's gateway. Nothing was able to ping the internet (i.e. Google's IP 8.8.8.8) unless directly connected to the modem (via LAN/WiFi) & my Cisco router's G0/0 interface.
Here's my topology:
ISP>Motorola modem (192.168) also provides WiFi > Cisco router (G0/0 connected to Modem/G0/1 w/sub interfaces 10.X.X.X connected to switch via trunk) Ports on switch access to various vlans.
Without NAT/PAT I was unable to get WAN access. G0/0 outside>>G0/1 inside.
02-17-2015 08:54 AM
Mark
So presumably your modem does not allow you to add routes and it only NATs for directly connected networks?
If so, yes, you do need NAT and it sounds like you had it set up, but you also want to allow access from the 192.168.x.x network to a specific server?
If so, can you post your current router configuration, and also do you have a spare 192.168.x.x IP not being used?
If you don't you can use the router's outside interface IP but then we would need to know which ports the server was meant to be accessed on.
If I have misunderstood please clarify.
Jon
02-17-2015 09:57 AM
02-17-2015 10:18 AM
Mark
Not a spare port but a spare 192.168.1.x IP to use for the internal server.
What is the internal server you want to give access to from your 192.168.x.x subnet?
If you don't have a spare then we can use the 192.168.x.x IP on the router interface but we then need to know which ports on the server you want to use.
I assume you can access the internet with your current configuration?
By the way, you don't need a separate ACL for each subnet in your NAT configuration, i.e. you can use just one ACL, but it won't stop it working the way you have it.
Jon
02-17-2015 11:21 AM
Jon,
Thanks for the help. MUCH appreciated. I have a block of IPs I can use from the 192.168 network.
The server I want to hit from the 192.168 is on the 10 network (vlan 32). It's connected to my Dell switch. The Dell is then connected to G0/1 on the router. I have a VM on that server I want all 192.168 devices to be able to access. But as you stated, my modem is VERY limited on configurability. (Garbage...I know).
I can access the internet from everything no problem.
On another note, I know I didn't have to create the ACL the way I did. I was trying to get fancy with it. I guess because I can? I don't know. To the outside eye it appears pointless (which it is truly). I'm a relatively new admin (2 years) but...I just wanted to. That's really it...no other point! HAA
Thanks for your help!
Mark
02-17-2015 11:28 AM
Mark
Nothing wrong with experimenting, that's how we learn, I just thought I'd point it out.
Okay so for your server add this to your router -
ip nat inside source static <real IP of server> <192.168.x.x spare IP>
Your 192.168.x.x clients would then connect to the 192.168.x.x IP in the above statement and the router should translate it to the real IP of the server.
The above translates all ports because it is an IP to IP translation. You can tie it down with the specific ports the server is accessed on if you want.
Up to you as both should work.
Jon
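The two forms of static NAT described in the reply above, side by side, as an added example that is not part of the original thread. The addresses, the subinterface name and TCP port 443 are constructed placeholders, since the thread does not give the real values.

```cisco
! Constructed values (assumptions, not from the thread):
!   10.0.32.2       VM on the server VLAN (inside)
!   192.168.1.250   spare address kept out of the modem's DHCP scope
!   Gi0/1.32        subinterface carrying the server VLAN
!   TCP 443         service port on the VM; substitute the real one
!
interface GigabitEthernet0/0
 ip nat outside
!
interface GigabitEthernet0/1.32
 ip nat inside
!
! Form 1: IP-to-IP static translation, as suggested in the thread.
! Every port on the VM is reachable from the 192.168 network through
! 192.168.1.250, and ICMP is translated too, so ping works as a test.
ip nat inside source static 10.0.32.2 192.168.1.250
!
! Form 2: port-specific static translation. Use it instead of form 1
! when only one service should be exposed to the 192.168 network.
! Only TCP 443 is translated; ICMP is not forwarded to the VM, so a
! ping to 192.168.1.250 no longer tests the VM itself.
ip nat inside source static tcp 10.0.32.2 443 192.168.1.250 443
!
! Check from exec mode that the static entry is installed:
!   show ip nat translations | include 10.0.32.2
```

Clients on the 192.168 network connect to the translated address (192.168.1.250 here), not to the 10.x address.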
02-17-2015 11:33 AM
Ahh EXCELLENT!
I'll give that a try here in a few moments.
Now this begs another question. Do I need to make a reservation on the modem for that 192.168 IP? I don't want it to get handed out via DHCP. Or do I put this in the exempt addresses (outside the DHCP scope)?
02-17-2015 11:36 AM
Mark
I would make it an exemption from the DHCP scope.
Jon
02-17-2015 12:13 PM
Jon,
I tried putting in that static nat but I'm not able to ping the server still from my wireless laptop which resides on the 192.168 network.
In the router I had added "ip nat inside source static 10.X.X.X (my ESXi address) 192.168.X.X (my available IP not in the DHCP scope)".
I was unable to ping.
Then for giggles I set the first IP to my server vlan mgmt IP...still nothing of course.
Mark
02-17-2015 12:35 PM
What is the server IP address, i.e. the real one?
Can you post "sh ip nat translations | include <real server IP>"
Jon
02-17-2015 12:53 PM
The ESXi IP address is .1 and the VM is .2. I used .1 and then used an IP on the 192.168 that is not within the DHCP scope.
I did a "sh ip nat translations | include <ESXi IP>" and got back the 192.168 IP added in my static NAT.
02-17-2015 12:56 PM
Jon,
Wait...brain fart...I had to be pinging the wrong IP. If that 10.x.x.x ip is translated to the 192.168.x.X address then I should be pinging the 192 address IF ON a device that is ON the 192. network. DANG IT! Yep. Pinging that 192 address did in fact work. Got PINGS!
Thanks brother...your help has saved me a LOT of time.
Much appreciated.
Mark
02-17-2015 06:48 AM
I believe, as Reza said, there is no need for any NAT to communicate with each other if these subnets are directly connected. Otherwise I think we can use one more static NAT statement for the server residing in the 10 network.