12-17-2008 05:06 AM - edited 03-06-2019 03:01 AM
Hi,
Imagine I have 3 networks: Lan1, Lan2, and WAN for example.
I want Lan1 clients to access Lan2 NATed (i.e. overlapping Lan2 gw).
Up to here it seems to be an easy task. I configure ip nat inside and ip nat outside on the Lan1 and Lan2 networks. I configure ip nat static source list with an access-list that allows only Lan1 to Lan2 traffic.
What do I need to do if I want Lan1 hosts to access the WAN network without being NATed? Without further configuration I do not have communication between Lan1 and the WAN unless I add ip nat outside to the WAN interface, and I change the ACL to allow this traffic as well.
Is this scenario possible?
Thanks in advance,
Jorge
12-17-2008 05:12 AM
Jorge
Could you post the config of the router?
Jon
12-17-2008 07:36 AM
Sure:
hostname 6501
!
no aaa new-model
ip subnet-zero
!
!
no ip domain-lookup
!
no mls flow ip
no mls acl tcam share-global
mls ip slb purge global
mls ip multicast flow-stat-timer 9
mls cef error action freeze
!
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
redundancy
mode sso
main-cpu
auto-sync running-config
system flowcontrol bus auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
!
no crypto ipsec nat-transparency udp-encaps
!
interface GigabitEthernet4/21
switchport
switchport access vlan1
no ip address
!
interface GigabitEthernet4/22
switchport
switchport access vlan2
no ip address
!
interface GigabitEthernet4/23
switchport
switchport access vlan3
no ip address
!
!
interface Vlan1
description LAN1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Vlan2
description LAN2
ip address 192.168.2.1 255.255.255.0
ip nat outside
!
interface Vlan3
description WAN
ip address 192.168.3.1 255.255.255.0
!
ip nat static source list 101 interface vlan2 overlap
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
ip default-gateway 192.168.3.2
ip classless
!
end
12-17-2008 07:47 AM
Hey!!
I found the answer myself. I think I need to use route-maps instead of an access list!!
I'll try and let you know.
12-17-2008 09:14 AM
Hi again, couldn't make it work :-(
Packets from vlan 1 to vlan 2 are NATed, but there is no communication between vlan 1 and vlan 3.
The thing is that ICMP requests from vlan 1 reach vlan 3 untranslated, but ICMP replies from vlan 3 do not come back.
Any idea?
This is what I did:
hostname 6501
!
no aaa new-model
ip subnet-zero
!
!
no ip domain-lookup
!
no mls flow ip
no mls acl tcam share-global
mls ip slb purge global
mls ip multicast flow-stat-timer 9
mls cef error action freeze
!
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
redundancy
mode sso
main-cpu
auto-sync running-config
system flowcontrol bus auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
!
no crypto ipsec nat-transparency udp-encaps
!
interface GigabitEthernet4/21
switchport
switchport access vlan1
no ip address
!
interface GigabitEthernet4/22
switchport
switchport access vlan2
no ip address
!
interface GigabitEthernet4/23
switchport
switchport access vlan3
no ip address
!
!
interface Vlan1
description LAN1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Vlan2
description LAN2
ip address 192.168.2.1 255.255.255.0
ip nat outside
!
interface Vlan3
description WAN
ip address 192.168.3.1 255.255.255.0
!
ip nat inside source route-map Nat_only_vlan1_2 interface vlan 6 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
route-map Nat_only_vlan1_2 permit 1
match ip address 101
!
ip default-gateway 192.168.3.2
ip classless
!
end
Thanks in advance
12-17-2008 09:35 AM
Jorge
I'm not sure the NAT is the issue. Rather you don't seem to have a default-route on your switch. You have a default-gateway but this is something very different.
If you don't have one, can you
1) remove "ip default-gateway 192.168.3.2"
2) add "ip route 0.0.0.0 0.0.0.0 192.168.3.2"
Jon
12-18-2008 12:16 AM
Hi,
Finally, I was able to find the solution. It was as easy as the first configuration I made:
interface Vlan1
description LAN1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Vlan2
description LAN2
ip address 192.168.2.1 255.255.255.0
ip nat outside
!
interface Vlan3
description WAN
ip address 192.168.3.1 255.255.255.0
!
ip nat static source list 101 interface vlan2 overlap
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
With this configuration, I can reach Lan2 from Lan1 with my packets NATed, and I can reach the WAN from Lan1 without being NATed, as I expected.
The problem I had was related to an indirect route issue, nothing regarding the default-gateway as Jon thought.
By the way Jon, why is ip default-gateway something very different from ip route 0.0.0.0?
Regards,
Jorge
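As an added illustration (not code from the thread), the following Python evaluator models how the access-list referenced by the ip nat source statement selects flows: a flow matched by a permit entry is translated, while anything that falls through to the implicit deny is simply forwarded untranslated, which is why Lan1 to WAN traffic passes unchanged with the final configuration. The ACL texts are copied from the two configs posted above; the host addresses used in the checks are constructed.

```python
import ipaddress

# Constructed sample input: the two access-list 101 variants posted in the thread.
ACL_FIRST = """
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
ACL_ROUTE_MAP = """
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
"""

def _addr_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered entries."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, rest = parts[2], parts[4:]   # skip 'access-list', number, protocol
        src, rest = _addr_spec(rest)
        dst, _ = _addr_spec(rest)
        entries.append((action, src, dst))
    return entries

def wildcard_match(addr, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard is ignored, a 0 bit must match."""
    network, wildcard = spec
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)

def acl_action(entries, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, d in entries:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"

def nat_decision(acl_text, src, dst):
    """For 'ip nat ... source list': permit means translate, deny means forward as-is."""
    permitted = acl_action(parse_acl(acl_text), src, dst) == "permit"
    return "translate" if permitted else "forward unchanged"
```

Running nat_decision with both ACL variants shows that the explicit deny line in the route-map version changes nothing: the implicit deny already excludes Lan1 to WAN flows from translation.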