NAT and NVI NAT Virtual Interface Troubles

cfcciscoacct · ‎08-28-2008

Hi,

I've tried several different setups including a standard NAT configuration and have also tried to use NVI.

Here's what I have and would like to achieve:

- A Main Internal Network that has several hosts NATed to the external world (i.e. Mail Server, Web Server, etc)

- A Guest Network (i.e. Wireless Access) that restricts access to all the internal IP addresses on our main network, but allows access to our 'public services' (i.e. Mail Server, Web Server, etc)

- An additional internal network for a different workgroup that can access all hosts on the main network.

- VPN Access to the Internal Network

I first set this up using a traditional NAT configuration. 'ip nat inside' on the three internal networks, 'ip nat outside' on the external network, and several static nat statements. Problems arose with this setup. On the guest network, users were unable to access the external IP addresses of our hosts. I needed to setup a ACLs to allow traffic to the internal IP addresses. VPN users were also unable to access hosts that had Static NAT setup at their internal IP addresses. NAT would kick into effect before the return packets were encrypted and would never reach their destination.

I have found NVI's and thought it would solve our problems. It has solved our guest network problem. Now hosts on the Guest network can access the external IP addresses of our hosts. External users can still access the Static NAT hosts. However now users from the second internal network can no longer access the internal IP addresses of our mail and web servers. They can however access them at their external IP addresses.

What seems to be happening is that with no concept of 'inside' and 'outside' networks traffic from a machine at 172.17.13.1 is sent to a host on our main network at 172.17.11.200. That host at 172.17.11.200 has a static nat mapping that maps it to 1.2.3.4. The host at 172.17.11.200 gets the packet and responds to the machine at 172.17.13.1. The router see's the packet from 172.17.11.200, performs a lookup, sees it has a mapping 1.2.3.4 and forwards the packet onto 172.17.13.1 with a source of 1.2.3.4. This is of course not the host it expects it to come from. I would typically set up a route-map to prevent the static nat statement from applying to internal <-> internal traffic however NVI's do not support route-maps.

Some sample configuration:

interface FastEthernet0

description Internet Access

ip address 1.1.1.1 255.255.255.252

ip nat enable

!

interface FastEthernet1.11

description Main Office Network

encapsulation dot1Q 11

ip address 172.17.11.254 255.255.255.0

ip nat enable

!

interface FastEthernet1.13

description Boot Hill Network

encapsulation dot1Q 13

ip address 172.17.13.254 255.255.255.0

ip nat enable

!

interface FastEthernet1.15

description Guest Network

encapsulation dot1Q 15

ip address 172.17.15.254 255.255.255.0

ip access-group guestnet-in in

ip nat enable

!

ip nat source list nat interface FastEthernet0

ip nat source static 172.17.11.200 1.2.3.4

ip nat source static 172.17.11.201 1.2.3.4

!

ip access-list extended guestnet-in

deny ip any 172.16.0.0 0.15.255.255

permit ip any any

ip access-list extended nat

deny ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255

permit ip 172.17.0.0 0.0.255.255 any

Simply enough, I want to prevent NAT from occurring on any 172.16/12 to 172.16/12 traffic except for traffic destined for the external IP addresses of the statically NATed hosts.

Thanks,

James

Giuseppe Larosa · ‎08-29-2008

Hello James,

I would suggest to use a route-map and then reference the extended named ACL inside it:

ip nat source route-map NAT_select int f0 overload

route-map NAT_select permit 10

match ip address nat

Hope to help

Giuseppe

jonesm111 · ‎08-29-2008

I was running into trouble just like this at my last company... I finally setup a firewall and let it do all of the NAT.