596 Views, 5 Helpful, 4 Replies

NAT Translation among sub-interfaces

Ricky Sandhu (Level 3)

Good afternoon,  I have a DMZ segment on my network (VLAN55) which contains a server that is accessible from the internet.  I have the following configuration:

interface Gi0/1.100
 encapsulation dot1q 100 native
 ip address 172.18.19.1 255.255.255.0
 ip nat inside
!
interface Gi0/1.55
 encapsulation dot1q 55
 ip address 192.168.55.1 255.255.255.0
 ip nat inside
!
interface Gi0/0
 ip address 1.1.1.1 255.255.255.0
 ip address 1.1.1.2 255.255.255.0 secondary
 ip nat outside
!
ip nat inside source static 192.168.55.5 1.1.1.2

 

With the above configuration, I can ping the server 1.1.1.2 and it gets properly translated to 192.168.55.5. But if I am on the local network (Gig0/1.100) and ping 1.1.1.2, I don't get NATted to 192.168.55.5 and keep getting a reply from the Gig0/0 interface of the router.

Trying to figure out what I am missing? Please advise.

 

4 Replies

Reza Sharifi (Hall of Fame)

Try adding a static statement for the device on the local network.

ip nat inside source static 172.18.19.x 1.1.1.2

x is the PC or laptop you are using.

HTH

 

My apologies, perhaps I didn't explain correctly.
172.18.19.0 is the inside network that needs access to a server in the DMZ network 192.168.55.0 using 1.1.1.2, which is the Inside Global address sitting on the WAN interface of the router. So basically a packet would come in on Gi0/1.100 sourced from the 172.18.19.0 network, get translated to 1.1.1.1 due to NAT overload and then be "turned around" and sent to 1.1.1.2, which is mapped to 192.168.55.5 sitting off Gi0/1.55.
I think what I am trying to do may not be possible, as technically both source and destination are behind the same interface?

Hello

You could use NVI NAT, which is used in hairpinning and changes the translation order of NAT; it should allow access to the global address of an internal server from an internal host.

 

See here



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
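What the NVI approach looks like when applied to the poster's own configuration, as an added example that is not part of the original thread or of the page Paul linked. Classic domain NAT only translates traffic crossing an inside/outside boundary; a packet from Gi0/1.100 addressed to 1.1.1.2 is routed first, and because 1.1.1.2 is also a local address on Gi0/0 the router answers it itself. NVI replaces the `ip nat inside`/`ip nat outside` roles with `ip nat enable` on every participating interface and uses `ip nat source` statements without the `inside` keyword. Two assumptions are made here: the overload rule the poster mentions but never shows is written as `access-list 1` matching 172.18.19.0/24 and translating to the Gi0/0 address, and the secondary address 1.1.1.2 is removed from Gi0/0, since a static translation already makes the router answer ARP for an inside global address on the connected outside subnet and keeping it configured as a local address is what makes the router treat the LAN's pings as addressed to itself.

```text
! Remove the domain-based NAT statements (poster's original config)
no ip nat inside source static 192.168.55.5 1.1.1.2
!
interface Gi0/1.100
 encapsulation dot1q 100 native
 ip address 172.18.19.1 255.255.255.0
 no ip nat inside
 ip nat enable
!
interface Gi0/1.55
 encapsulation dot1q 55
 ip address 192.168.55.1 255.255.255.0
 no ip nat inside
 ip nat enable
!
interface Gi0/0
 ip address 1.1.1.1 255.255.255.0
 ! assumption: drop the secondary so 1.1.1.2 is only an inside global, not a router address
 no ip address 1.1.1.2 255.255.255.0 secondary
 no ip nat outside
 ip nat enable
!
! NVI static translation for the DMZ server (no "inside" keyword)
ip nat source static 192.168.55.5 1.1.1.2
!
! assumption: the LAN overload rule the thread refers to but does not show
access-list 1 permit 172.18.19.0 0.0.0.255
ip nat source list 1 interface Gi0/0 overload
!
! verify from a LAN host: ping 1.1.1.2, then check the NVI table on the router
! show ip nat nvi translations
```

With NVI, a LAN host's packet to 1.1.1.2 has its destination rewritten to 192.168.55.5 and its source rewritten to 1.1.1.1 by the overload rule, so the DMZ server replies to the router and the reply is untranslated back to 1.1.1.2 before it reaches the host; without the source rewrite the server would answer 172.18.19.x directly with a source of 192.168.55.5 and the host would discard a reply that does not match the address it pinged. Note that NVI entries are not shown by the classic `show ip nat translations`; use the `nvi` form of the command. Also note that once this is in place, anything in the DMZ VLAN can reach the LAN through the router unless an ACL on Gi0/1.55 says otherwise; hairpinning restores reachability in both directions, so check the inter-VLAN filtering before relying on the DMZ as a boundary.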

Thank you, I'll give this a try in future. For now we've decided to isolate and completely bypass the NAT/firewall and allow direct access to the device from the internet. It's a vendor-managed device outside of our network and is now in the DMZ.