10-07-2018 06:00 AM - edited 03-08-2019 04:19 PM
hi everyone
it would be much appreciated if someone would help or even advise / give some tips
In this Network the following scenario is needed to be accomplished:
Both Networks (192.168.10.0/24 & 192.168.20.0/24) to reach some applications on Server 1 (port 80) & server 2 (port 8080)
Restrictions:
From my basic understanding, this could be done by configuring natting on company router to do the following:
I made the following configuration- testing only remote user1 (192.168.10.1) to server1 (10.10.10.1) but it didn’t work
I can see dual step natting in “debug ip nat detailed” but I can’t reach server 1 from remote user1
interface FastEthernet0/0
 ip address 20.20.20.251 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.251 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip nat inside source static 10.10.10.1 20.20.20.251 extendable
ip nat outside source static 192.168.10.1 10.10.10.251 extendable
help would be much appreciated
thanx
10-07-2018 08:30 AM
Hello,
at first glance I would say you need the two entries below:
ip nat inside source static tcp 10.10.10.1 80 20.20.20.251 80 extendable
ip nat inside source static tcp 10.10.10.2 8080 20.20.20.251 8080 extendable
10-07-2018 08:44 AM
hi Georg
as i said i was just trying to start it simple and build up
that is why i took one remote user (10.10.10.1) as a sample, cause what goes for this remote user will go for the other one
so i didn't miss this line :
ip nat inside source static tcp 10.10.10.2 8080 20.20.20.251 8080 extendable
As for not specifying port 80...
and writing :
ip nat inside source static 10.10.10.1 20.20.20.251 extendable
instead of :
ip nat inside source static tcp 10.10.10.1 80 20.20.20.251 80 extendable
this was also to port forward any port (again to make it simple for this step)
but it didn't work
anyway..i will try it
thanks anyway
10-07-2018 10:06 AM
Hello,
--> that is why i took one remote user (10.10.10.1) as a sample
I am not sure I understand what you are saying. 10.10.10.1 is the server, right ? You don't need to specify any remote user in your NAT statements. Any user that can reach your outside address can reach the servers...
10-07-2018 01:27 PM
---> 10.10.10.1 is the server, right ?
-yes, it is one of the servers
---> You don't need to specify any remote user in your NAT statements. Any user that can reach your outside address can reach the servers...
-Once more yes it would reach the server (one way communications). But it would reach the server with source address (192.168.10.1) which the server can not reply to (cause no default gateway is configured on the server). so any remote user request would reach the server but the server will not be able to send the reply as the server can not communicate with outer network
that is why i am trying to change the source ip of the remote user request to be the router interface facing the servers
I hope i made it more clear
10-07-2018 02:24 PM
Hello,
is NAT a requirement for this ? I am not sure you can achieve your goal with NAT. A tunnel between both networks might work.
Or is it a hard condition to use NAT ?
10-08-2018 01:57 PM
no it is not a must to use natting
any means that would accomplish the requirements is ok. all i could think of was natting
about tunneling ...the way i see it will involve routing which is not an option
cause once again the servers do not have default gw
and the servers network (10.10.10.0/24) is not routed to the remote users network (192.168.10.0/24 or 192.168.20.0/24)
10-08-2018 02:14 PM
Hello
@Yasser A. Sayed wrote:
no it is not a must to use natting
any means that would accomplish the requirements is ok. all i could think of was natting
about tunneling ...the way i see it will involve routing which is not an option
cause once again the servers do not have default gw
and the servers network (10.10.10.0/24) is not routed to the remote users network (192.168.10.0/24 or 192.168.20.0/24)
If the server network isn't routed to the users network then you will HAVE to use NAT so the users network can access the server via a global inside address of the servers wan facing rtr.
Then also apply the acl i previously posted on the users wan facing rtr so to negate traffic being initiated from the server network accessing the users network
10-08-2018 01:37 AM - edited 10-08-2018 02:07 AM
Hello
Does your company router have routes to 192.168.10.0/x and 192.168.20.0/x networks
Now if you only wish for a host from the remote users network to be able to access a server on the company network but not have the company network communicate to the host then you can apply an access list to do this on the remote user rtr for just to allow established traffic back in
remote user rtr
access-list 101 permit tcp any host 192.168.10.1 established
access-list 101 deny ip any host 192.168.10.1
access-list 101 permit ip any any
int x/x
 description WAN interface
 ip access-group 101 in
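Added example, not part of the original post: a small Python model of how ACL 101 above is evaluated, first match wins, with the `established` keyword treated as what it is on IOS, a test for the ACK or RST bit. The packets are constructed samples, and 192.168.10.2 is an assumed second host used only to show the final permit entry.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    dst: str                         # destination IPv4 address
    flags: frozenset = frozenset()   # TCP flags that are set

# ACL 101 as posted; every entry has source "any", so only the protocol,
# destination and the 'established' keyword are modelled.
ACL_101 = [
    ("permit", "tcp", "192.168.10.1/32", True),
    ("deny",   "ip",  "192.168.10.1/32", False),
    ("permit", "ip",  "0.0.0.0/0",       False),
]

def evaluate(acl, pkt):
    """Return the action of the first matching entry (implicit deny at the end)."""
    for action, proto, dst_net, established in acl:
        if proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(dst_net):
            continue
        # 'established' is a stateless flag test: ACK or RST must be set.
        if established and not (pkt.flags & {"ACK", "RST"}):
            continue
        return action
    return "deny"

# Constructed packets arriving on the remote-user router's WAN interface.
SAMPLES = {
    "server reply (SYN+ACK)": Packet("tcp", "192.168.10.1", frozenset({"SYN", "ACK"})),
    "new connection (SYN)":   Packet("tcp", "192.168.10.1", frozenset({"SYN"})),
    "UDP to the host":        Packet("udp", "192.168.10.1"),
    "SYN to another host":    Packet("tcp", "192.168.10.2", frozenset({"SYN"})),
}

def run_samples():
    return {name: evaluate(ACL_101, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{action:6} {name}")
```

Because the match is on TCP flags alone, the ACL keeps no session table; it filters by packet shape, not by whether the host actually opened the connection.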
10-08-2018 02:11 PM
---> Does your company router have routes to 192.168.10.0/x and 192.168.20.0/x networks
* * Yes it does...but only the router can reach 192.168.10.0/x and 192.168.20.0/x . The servers can not . As again they don't have the company router as their default gateway
----> Now if you only wish for a host from the remote users network to be able to access a server on the company network but not have the company network communicate to the host then you can apply an access list to do this on the remote user rtr for just to allow established traffic back in
** No it's not that scenario. Actually it's almost the opposite. The requirement is not to allow the servers to be accessed from external network...so the incoming traffic at int fa0/0 (The company router) i need to change the source ip of the remote user (192.168.10.1) to a new source (10.10.10.251) and at the same time change the destination IP from (20.20.20.251) to (10.10.10.1)...with the end result to be seen as 10.10.10.251 connecting to 10.10.10.1
and of course the reverse for the reply
and at the same time change destination
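Added example, not part of the thread: a Python model of the two-way rewrite described in the last post, showing what the server sees and why it can answer without a default gateway. It models the intended result only, not IOS NAT processing; it goes beyond the one-to-one static entries in the thread by giving each flow its own source port so that several remote users can share 10.10.10.251. The port numbers and the user 192.168.20.5 are constructed.

```python
import ipaddress

INSIDE_NET = ipaddress.ip_network("10.10.10.0/24")   # servers, no default gateway
OUTSIDE_ADDR = "20.20.20.251"                        # company router Fa0/0
INSIDE_ADDR = "10.10.10.251"                         # company router Fa0/1

# Destination mappings from the thread: outside port -> (server, port).
PORT_FORWARDS = {80: ("10.10.10.1", 80), 8080: ("10.10.10.2", 8080)}

def on_link(addr):
    """A server without a gateway can only answer addresses in its own subnet."""
    return ipaddress.ip_address(addr) in INSIDE_NET

class TwiceNat:
    def __init__(self, first_port=40000):   # first_port is an assumed value
        self.by_flow = {}                   # (remote, rport, outside port) -> NAT port
        self.by_port = {}                   # NAT port -> flow, for the reply path
        self.next_port = first_port

    def outside_to_inside(self, src, sport, dst, dport):
        """Rewrite a request: new source is the router, new destination the server."""
        if dst != OUTSIDE_ADDR or dport not in PORT_FORWARDS:
            return None                     # nothing published on that port
        flow = (src, sport, dport)
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port
            self.by_port[self.next_port] = flow
            self.next_port += 1
        server, server_port = PORT_FORWARDS[dport]
        return (INSIDE_ADDR, self.by_flow[flow], server, server_port)

    def inside_to_outside(self, src, sport, dst, dport):
        """Reverse the rewrite for a server reply; unknown flows are dropped."""
        flow = self.by_port.get(dport)
        if dst != INSIDE_ADDR or flow is None:
            return None
        remote, remote_port, outside_port = flow
        if PORT_FORWARDS[outside_port] != (src, sport):
            return None                     # reply from a server the flow never used
        return (OUTSIDE_ADDR, outside_port, remote, remote_port)

if __name__ == "__main__":
    nat = TwiceNat()
    seen = nat.outside_to_inside("192.168.10.1", 51000, OUTSIDE_ADDR, 80)
    print("server sees:", seen, "on-link source:", on_link(seen[0]))
    print("user sees:  ", nat.inside_to_outside(seen[2], seen[3], seen[0], seen[1]))
```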