Problems getting static NAT to work between two internal lans

kiboro999
Level 1

Hi, I'm trying the old problem of routing between two internal LANs. This is on cli 8.6(1)2. I have three interfaces/LANs; outside is to the internet, inside is the rack in the datacentre and office is a dedicated ethernet link to our office. What I want to do is allow all (for now) traffic between office and inside. There's a million hits on this on the 'net but I can't get it to work. Packet trace shows packets accepted from office to inside but blocked from inside to office. Both static NATs are set up identically. Here's the output of show nat after packet traces in both directions. It clearly shows that inside to office isn't hitting the NAT policy. I enclose what I think are the relevant bits of my config. Full config less passwords + crypto attached.

Manual NAT Policies (Section 1)
1 (office) to (inside) source static inside-office inside-office   destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 3
2 (inside) to (office) source static inside-ld5 inside-ld5   destination static inside-office inside-office no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0

interface GigabitEthernet0/0
 nameif inside-ld5
 security-level 100
 ip address 10.20.15.2 255.255.255.0
!
interface GigabitEthernet0/6
 nameif office
 security-level 100
 ip address 10.20.11.9 255.255.255.0
!
object network inside-ld5
 subnet 10.20.15.0 255.255.255.0
object network inside-office
 subnet 10.20.11.0 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
nat (office,inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
nat (inside,office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup

2 Replies

kiboro999
Level 1

oops, nameif should be inside not inside-ld5

Hi Kevin,

because your interfaces inside and office are at the same security level and you have enabled same-security-traffic permit inter-interface, traffic should simply flow between these interfaces. So I think you don't need NAT between these two subnets if there is no other reason to do so.

Then you just configure an ACL which will permit the traffic you want between these LANs. In this case both networks are directly connected so routing should work (instead of NAT).

Best Regards,

Jan
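A small config sanity check, added here as an example and not part of either post: it parses the nameif lines and nat statements pasted above and reports two things a reviewer would look for in this thread, a nat statement that names an interface with no matching nameif (the pasted config has nameif inside-ld5 but nat (inside,office)), and a second manual NAT rule that is the mirror image of an earlier one (ASA manual NAT rules are bidirectional, so the mirror never sees hits). The sample config is constructed from the post; the function names are my own.

```python
import re
from typing import List, Set, Tuple

# Constructed sample: nameif lines and nat statements exactly as pasted in the post
# (note nameif "inside-ld5" while both nat statements say "inside").
CONFIG = """
interface GigabitEthernet0/0
 nameif inside-ld5
!
interface GigabitEthernet0/6
 nameif office
!
same-security-traffic permit inter-interface
nat (office,inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
nat (inside,office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup
"""

# ASA manual NAT: source static <real> <mapped> destination static <mapped> <real>
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source static (?P<src>\S+) (?P<src_m>\S+)"
    r" destination static (?P<dst>\S+) (?P<dst_m>\S+)"
)

def parse(config: str) -> Tuple[Set[str], List[dict]]:
    """Return the set of nameif values and the list of parsed manual NAT rules."""
    nameifs = set(re.findall(r"^\s*nameif (\S+)", config, re.M))
    rules = [m.groupdict() for m in (NAT_RE.match(l.strip()) for l in config.splitlines()) if m]
    return nameifs, rules

def check(config: str) -> List[str]:
    """Report nat statements referencing unknown interfaces and redundant mirror rules."""
    nameifs, rules = parse(config)
    findings = []
    for i, r in enumerate(rules, 1):
        for key in ("src_if", "dst_if"):
            if r[key] not in nameifs:
                findings.append(f"rule {i}: interface '{r[key]}' has no matching nameif")
    # Rule B mirrors rule A when B's interfaces are swapped and B's real/mapped
    # objects equal A's reverse-direction translation (A's dst pair becomes B's src pair).
    for i, a in enumerate(rules, 1):
        for j, b in enumerate(rules[i:], i + 1):
            if (b["src_if"], b["dst_if"]) == (a["dst_if"], a["src_if"]) and \
               (b["src"], b["src_m"], b["dst"], b["dst_m"]) == (a["dst_m"], a["dst"], a["src_m"], a["src"]):
                findings.append(f"rule {j} is the mirror of rule {i}: redundant")
    return findings

if __name__ == "__main__":
    for f in check(CONFIG):
        print(f)
```

Renaming the interface to inside (as the follow-up post says it should be) clears the nameif findings; only the mirror-rule finding remains, which is the case Jan's reply addresses.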
