Newbie needs help with NAT and VLANs

fearless.rabbit
Level 1

Hello everyone,

I am having my network restructured due to ISP change, and found myself responsible for dealing with reconfiguration of our Cisco router. I am getting a little lost with certain things, and would like to hear a word or two from more experienced gurus.

My network is pretty simple. We have one 3550 switch with 10 VLANs, and a 2811 router dealing with inter-VLAN routing and traffic filtering. It's a "router on a stick" configuration, since the router has only two interfaces, inside trunk and outside. The outside one used to forward traffic to a DSL modem, but now we are shifting to a static public IP. Here is how it should look:

VLANs ==== 3550 switch ==trunk== 2811 router ==public ip==

From my humble experience I know I have to set up a default route to the outside interface, enable DNS forwarding to the ISP DNS, and configure NAT. That is where I get confused.

The inside router interface is g0/0, which is subdivided into ten subinterfaces for different VLANs. Some VLANs need Internet, some don't. So, how do I configure NAT in that case? Do I just make g0/0 inside NAT, and g0/1 outside? Or declare g0/1 outside, and every subinterface that needs Internet access inside? I know I need NAT Overload here, but I'm not sure how to implement it with VLANs in the picture.

Another thing I'm not sure how to configure is outside access to some hosts in the server VLAN, like RDP, some Mac protocol, PBX, and such.

I am apologizing in advance if my questions are trivial. I just don't want to mess something up, and if I need help, I'd rather ask here where pros live than anywhere else. Feel free to point me to some tutorial, I am not afraid of reading and learning, but nothing I found so far reflects my scenario with VLANs.

Thank you again!

Accepted Solution

Jon Marshall
Hall of Fame

For NAT overload, if you only want certain VLANs to access the Internet, then:

int g0/1
 ! outside router interface
 ip nat outside

Then for each of the VLANs that needs Internet access, under the subinterface add "ip nat inside", e.g.:

int gi0/0.10
 encapsulation dot1q 10
 ip nat inside

No need to add it to gi0/0 or to any subinterfaces that don't need Internet.

Next, create an access-list that includes all the VLANs that need Internet access, e.g.:

access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 192.168.6.0 0.0.0.255 any
etc.

Then add this to your config:

ip nat inside source list 101 interface gi0/1 overload

That takes care of outbound Internet access.

For inbound to some servers it depends on whether you have spare public IPs, i.e. not the one assigned to the outside interface. Let's assume you do and it is 195.77.10.1. You want to give access to 2 inside servers for HTTP and RDP:

http server = 192.168.10.3
rdp server = 192.168.10.5

ip nat inside source static tcp 192.168.10.3 80 195.77.10.1 80
! RDP listens on TCP 3389 (389 is LDAP)
ip nat inside source static tcp 192.168.10.5 3389 195.77.10.1 3389

If you only have the public IP assigned to the outside interface then you can use that instead of 195.77.10.1.

Jon
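As an added example (not part of the thread or Jon's post), here is a small Python check that parses an IOS-style config in the shape described above and flags the mismatches that bite a cut-over like this one: a subnet listed in the overload ACL whose subinterface lacks "ip nat inside", a static entry whose host is not behind any NAT-inside interface, and the list of services each static entry exposes on the public address. The sample config is constructed; addresses follow Jon's example.

```python
import ipaddress

# Constructed IOS-style snippet modelled on the thread (not the OP's real config): VLAN 6 is
# in the NAT ACL but lacks "ip nat inside"; VLAN 10 holds the servers with static entries.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0.5
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0.6
 ip address 192.168.6.1 255.255.255.0
interface GigabitEthernet0/0.10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 192.168.6.0 0.0.0.255 any
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.10.3 80 195.77.10.1 80
ip nat inside source static tcp 192.168.10.5 3389 195.77.10.1 3389
"""

def parse(config):  # -> (interfaces, acl_networks, static_entries)
    ifaces, acl, statics, cur = {}, [], [], None
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if w[0] == "interface":
            cur = ifaces.setdefault(w[1], {"net": None, "nat": None})
        elif line[0] == " " and cur is not None:  # indented line: interface sub-command
            if w[:2] == ["ip", "address"]:
                cur["net"] = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}").network
            elif w[:2] == ["ip", "nat"]:
                cur["nat"] = w[2]
        elif w[0] == "access-list" and w[2] == "permit":
            acl.append(ipaddress.IPv4Network(f"{w[4]}/{w[5]}"))  # IOS wildcard == hostmask
        elif w[:5] == "ip nat inside source static".split():
            statics.append((w[5], ipaddress.IPv4Address(w[6]), int(w[7]), w[8], int(w[9])))
    return ifaces, acl, statics

def audit(config):  # mismatches between NAT roles, the overload ACL and static entries
    ifaces, acl, statics = parse(config)
    inside = {n: i["net"] for n, i in ifaces.items() if i["nat"] == "inside" and i["net"]}
    out = []
    for net in acl:  # in the ACL but no nat-inside subinterface: packets leave untranslated
        if not any(net.subnet_of(i) for i in inside.values()):
            out.append(f"ACL permits {net} but no 'ip nat inside' subinterface covers it: no translation")
    for proto, ip, port, gip, gport in statics:  # every static entry is an Internet-reachable service
        note = " (admin service: restrict source IPs with an inbound ACL)" if port == 3389 else ""
        behind_nat = any(ip in net for net in inside.values())
        out.append(f"exposed: {gip}:{gport}/{proto} -> {ip}:{port}{note}" if behind_nat
                   else f"static {gip}:{gport} -> {ip}:{port}: host is not behind an 'ip nat inside' interface")
    return out
```

Run audit(SAMPLE_CONFIG) to get the findings as a list of strings; on the constructed config it reports the untranslated VLAN 6 subnet and the two exposed services.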


4 Replies 4


I am blown away by speed and detail of your answer, to say the least. Thank you, Jon.

Transfer to the static public IP is scheduled for Monday morning, and I will test your instructions then, but I am sure that's it concerning the NAT.

We have a single public IP, and incoming traffic to servers will have to go through that address. Is that possible?

Thank you once again. I have some other minor issues I might need help with, but I will leave that for another topic.

"We have a single public IP, and incoming traffic to servers will have to go through that address. Is that possible?"

Yes, it should work as long as you specify the port numbers as in the example I gave.

Hope it goes well, and let us know if there are any problems.

Jon

Just wanna say thanks once again, everything worked like a charm. The only issues were double NAT with the ISP, and slightly different syntax on my IOS version, but nothing to panic about. I appreciate your help.
