7476 Views | 6 Helpful | 5 Replies

NAT on 6509 between Vlans

g.roselt
Level 1

I have a 6509 switch with multiple VLANs. VLAN205 (10.1.5.*) is assigned to the Infrastructure team. However, due to some older applications in our organisation in VLAN 1, their code contains a range of IP addresses as a security measure. These are 172.16.1.*

I have set up NAT from Vlan 205 (ip nat inside) to VLAN 1 (ip nat outside) to use 172.16.1.250

But, since this, members of the Infrastructure team can no longer ping their ip address or use Remote Desktop to the 10.1.5.* range.

How can I fix this while still having NAT in place?

Any help would be greatly appreciated.

5 Replies

Reza Sharifi
Hall of Fame

Hi,

Take a look at this link on how to set up NAT.

I would also stay away from using VLAN 1 for production. VLAN 1 is used for control data like CDP, PAgP, etc.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080881718.shtml

HTH

Reza

Hi Reza,

Thanks for that. I had actually come across that document and it was really helpful. Appreciate your advice on VLAN 1. It's an old network config that I have picked up and we are beginning to slowly migrate out of VLAN 1... a bit of a slow process but getting there!

After doing some more research, I think STATIC NAT is the way to go..just a bit unsure.

Below are the parts of my config that may be relevant.

interface Vlan205
 description Infrastructure_Subnet
 ip address 10.1.5.254 255.255.255.0
 ip helper-address 10.0.3.100
 ip nat inside
!
interface Vlan1
 description Legacy_VLAN
 ip nat outside
!
access-list 1 permit 10.1.5.0 0.0.0.255
ip nat pool ucasinfpool 172.16.1.250 172.16.1.250 prefix 24
ip nat inside source list 1 pool ucasinfpool overload

Your current config will work if all the connections are initiated from VLAN 205. What you have configured is dynamic NAT/PAT.

However, if you need to be able to initiate connections from another VLAN to a device on VLAN 205, then you will indeed need to use static NAT mappings, e.g.

ip nat inside source static 10.5.1.x

and then the connection would be initiated to the NATed address and translated to the 10.5.1.x address. Note that for each 10.5.1.x device that you need to initiate connections to, you need a separate static NAT statement.

Edit: if you do use static NAT mappings then you can get rid of the dynamic NAT/PAT config.

Jon

Hi Jon,

Thanks for this. This makes a lot of sense. I noted that you said if I use static NAT then I can get rid of the dynamic NAT/PAT. I am a little stuck on what the config might look like. Would it just be:

ip nat inside source static 10.5.1.x 172.16.1.250

What about NATing outside into VLAN 1 on 172.16.1.250? Would this still work?

g.roselt wrote:

Hi Jon,

Thanks for this. This makes a lot of sense. I noted that you said if I use static NAT then I can get rid of the dynamic NAT/PAT. I am a little stuck on what the config might look like. Would it just be:

ip nat inside source static 10.5.1.x 172.16.1.250

What about NATing outside into VLAN 1 on 172.16.1.250? Would this still work?

Each individual device in the 10.5.1.x subnet that you want to make a connection to from another VLAN will need its own static mapping, i.e.

ip nat inside source static 10.5.1.10 172.16.1.250

would translate 10.5.1.10 to 172.16.1.250. If you wanted to connect to 10.5.1.10 from outside VLAN 205 you would actually connect to 172.16.1.250.

If you then want to connect to 10.5.1.11 you need a different static mapping, and you can't reuse 172.16.1.250, so

ip nat inside source static 10.5.1.11 172.16.1.251

etc. for each 10.5.1.x device you want to be able to connect to and from.

Remember that a static NAT mapping is bi-directional so that it works both ways, i.e. with

ip nat inside source static 10.5.1.10 172.16.1.250

this means

1) you can connect to 172.16.1.250 from outside VLAN 205 and it will get translated to 10.5.1.10

2) you can connect from 10.5.1.10 to an outside device and it will get translated to 172.16.1.250

As it is bi-directional, you therefore would not need your dynamic NAT/PAT.

Jon
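An added model, written for this page and not part of the thread or of any Cisco software, of why the two configurations behave differently: dynamic PAT with the single-address overload pool only creates a translation when a VLAN 205 host initiates, so RDP or ping from VLAN 1 towards the pool address finds no entry, whereas a static mapping answers in both directions but consumes one outside address per inside host. The addresses come from the thread (VLAN 205 is 10.1.5.0/24, the pool address is 172.16.1.250); the port allocation is a simplification, not the real IOS scheme.

```python
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("10.1.5.0/24")   # VLAN 205, the 'ip nat inside' side (from the thread)


class DynamicPat:
    """Model of 'ip nat inside source list 1 pool ucasinfpool overload'.
    A translation entry exists only after an inside host sends a packet, so a
    connection initiated from VLAN 1 towards the pool address finds no entry."""

    def __init__(self, pool_addr):
        self.pool_addr = ip_address(pool_addr)
        self.table = {}          # (outside addr, outside port) -> inside host
        self.next_port = 1024    # simplified port allocation, not IOS's real scheme

    def outbound(self, inside_src):
        """Inside host opens a connection: allocate a port and record the entry."""
        inside_src = ip_address(inside_src)
        if inside_src not in INSIDE_NET:     # not matched by access-list 1
            return None
        port = self.next_port
        self.next_port += 1
        self.table[(self.pool_addr, port)] = inside_src
        return (self.pool_addr, port)

    def inbound(self, outside_dst, port=None):
        """Packet arriving on the outside interface: only existing entries match,
        so RDP or ping started from VLAN 1 (no port allocated yet) returns None."""
        return self.table.get((ip_address(outside_dst), port))


class StaticNat:
    """Model of 'ip nat inside source static <inside> <outside>': one fixed,
    bi-directional mapping per host, so either side can initiate."""

    def __init__(self):
        self.in_to_out, self.out_to_in = {}, {}

    def add(self, inside, outside):
        inside, outside = ip_address(inside), ip_address(outside)
        if outside in self.out_to_in:    # as the thread notes, each host needs its own outside address
            raise ValueError(f"{outside} is already mapped to {self.out_to_in[outside]}")
        self.in_to_out[inside] = outside
        self.out_to_in[outside] = inside

    def outbound(self, inside_src):
        return self.in_to_out.get(ip_address(inside_src))

    def inbound(self, outside_dst):
        return self.out_to_in.get(ip_address(outside_dst))
```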
