Identical subnets: How to route / NAT traffic to test environment

Mar 3rd, 2009

We have a test environment that is a duplicate of our production environment. The test and production environments both have hosts on two different subnets (172.16.12.0/24 and 172.16.22.0/24). We want to be able to access the test environment from the production environment via natted addresses. It's not possible to change the actual IP addresses of the hosts in the test environment in this case.

So from a workstation on the corporate LAN (172.16.40.0/24) we want to be able to access Production server A (172.16.22.50), and (identical) Test server A on, say, 172.26.22.50, which NAT translates back to 172.16.22.50 in the test environment.

Currently the test environment is built on a free-standing 3750 layer3 IOS switch using EIGRP routing between subnets (on the same switch).

The production environment lives on a 6509 core also running layer3 IOS with EIGRP between subnets.

Ideally we'd like to connect the 3750G (Test) switch to the production (6509) switch and use EIGRP to route between them.

Any ideas or suggestions would be most welcome. We're open to dedicating a router to this if necessary but it would be ideal to do this in layer3.

Jon Marshall Tue, 03/03/2009 - 17:03

You're going to have a problem with this because with Cisco switches only the 6500 supports NAT. What you need is for a device that connects to the 6500 to be able to advertise 172.26.22.0 and then NAT it to the real IP of 172.16.22.x in the test lab.

Do you have a spare router or PIX/ASA handy?


Jon

goodwinscott Tue, 03/03/2009 - 17:21

I have a 2851 WAN router with an unused GigE interface that is already in the same EIGRP group as the 6500. Would that work? We're going to be freeing up a couple of 2621s soon.

Jon Marshall Tue, 03/03/2009 - 17:36

Anything that can sit between the 6500 and the 3750 switches will work.

How many addresses are you wanting to present to the production network? These will be static NATs so that the router knows which one goes with which, i.e. if a packet arrives at the router from production with an address of 172.26.22.10, the router needs to know which 172.16.22.x address you want it translated to.

The general idea would be -

    6500 -> fa0/0 (2600) fa0/1 - 3750

on the 2600

    int fa0/0
     ip nat outside

    int fa0/1
     ip nat inside

    ip nat inside source static 172.16.22.10 172.26.22.10
    ip nat inside source static 172.16.22.11 172.26.22.11

etc. for all 172.16.22.x addresses you want to present to production.

As for routing, if all production lives on the 6500 you may be better off just using a static route on the 6500, i.e.

    ip route 172.26.22.0 255.255.255.0 <2600 fa0/0 IP address>

And you would need route(s) on the 2600 pointing back to the 6500 for all the production VLANs that are allowed to connect to the test network.

Note that if you want to be able to connect to a test address from a 172.16.22.x address in production you will have to do source NAT on the production addresses as well, but you didn't specify this as a requirement.

You probably don't want to use EIGRP or any dynamic routing protocol because you will have to filter routes, i.e. you cannot have the 2600 receiving routes for 172.16.22.x from both the 6500 and the 3750.

Plus just using statics is a bit more secure and protects against someone making an error. Last thing you want is for all traffic to 172.16.22.x suddenly going to your test lab!


Jon
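
The static mappings and the 6500 route described in the reply above, generated and sanity-checked in Python. This is an added example, not code from the thread; the function names and the 192.0.2.1 next hop are assumptions standing in for values the thread leaves open.

```python
import ipaddress

# Subnets named in the thread: the two duplicated subnets and the corporate LAN.
PRODUCTION_NETS = ("172.16.12.0/24", "172.16.22.0/24", "172.16.40.0/24")


def build_static_nat(real_net, alias_net, hosts, production_nets=PRODUCTION_NETS):
    """Return one 'ip nat inside source static' line per test host, keeping
    the host offset (172.16.22.10 -> 172.26.22.10). Hypothetical helper."""
    real = ipaddress.ip_network(real_net)
    alias = ipaddress.ip_network(alias_net)
    if real.prefixlen != alias.prefixlen:
        raise ValueError("real and alias networks must be the same size")
    # An alias range that overlaps a production subnet would make the static
    # route on the core pull production traffic into the test lab.
    for net in production_nets:
        if alias.overlaps(ipaddress.ip_network(net)):
            raise ValueError(f"alias {alias} overlaps production subnet {net}")
    lines, seen = [], set()
    for host in hosts:
        ip = ipaddress.ip_address(host)
        if ip not in real or ip in (real.network_address, real.broadcast_address):
            raise ValueError(f"{ip} is not a usable host address in {real}")
        if ip in seen:
            raise ValueError(f"{ip} listed twice; static NAT must be one-to-one")
        seen.add(ip)
        offset = int(ip) - int(real.network_address)
        lines.append(f"ip nat inside source static {ip} {alias.network_address + offset}")
    return lines


def core_static_route(alias_net, next_hop):
    """Return the static route for the core switch. next_hop is the NAT
    router's production-facing address (a placeholder on the page)."""
    alias = ipaddress.ip_network(alias_net)
    hop = ipaddress.ip_address(next_hop)
    if hop in alias:
        raise ValueError("next hop must not sit inside the alias range")
    return f"ip route {alias.network_address} {alias.netmask} {hop}"


if __name__ == "__main__":
    for line in build_static_nat("172.16.22.0/24", "172.26.22.0/24",
                                 ["172.16.22.10", "172.16.22.11"]):
        print(line)
    # 192.0.2.1 is a constructed documentation address, not from the thread.
    print(core_static_route("172.26.22.0/24", "192.0.2.1"))
```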



goodwinscott Wed, 03/04/2009 - 13:16

Thanks Jon. I will try this and let you know how it goes. Great suggestion on the use of static routing for this -- sounds much safer!

Jon Marshall Wed, 03/04/2009 - 13:41

Scott


No problem. Be interested to hear how you get on.


Jon
