Identical subnets: How to route / NAT traffic to test environment

Mar 3rd, 2009

We have a test environment that is a duplicate of our production environment. The test and production environments both have hosts on two different subnets ( and We want to be able to access the test environment from the production environment via NATted addresses. It's not possible to change the actual IP addresses of the hosts in the test environment in this case.

So from a workstation on the corporate LAN ( we want to be able to access Production server A on (, and (identical) Test server A on say which NAT translates back to in the test environment.

Currently the test environment is built on a free-standing 3750 layer3 IOS switch using EIGRP routing between subnets (on the same switch).

The production environment lives on a 6509 core also running layer3 IOS with EIGRP between subnets.

Ideally we'd like to connect the 3750G (Test) switch to the production (6509) switch and use EIGRP to route between them.

Any ideas or suggestions would be most welcome. We're open to dedicating a router to this if necessary but it would be ideal to do this in layer3.

Jon Marshall Tue, 03/03/2009 - 17:03

You're going to have a problem with this because with Cisco switches only the 6500 supports NAT. What you need is for a device that connects to the 6500 to be able to advertise and then NAT it to the real IP of 172.16.22.x in the test lab.

Do you have a spare router or PIX/ASA handy?


goodwinscott Tue, 03/03/2009 - 17:21

I have a 2851 Wan router with an unused GigE interface that is already in the same EIGRP group as the 6500. Would that work? We're going to be freeing up a couple of 2621's soon.

Jon Marshall Tue, 03/03/2009 - 17:36

Anything that can sit between the 6500 and the 3750 switches will work.

How many addresses are you wanting to present to the production network? These will be static NATs so that the router knows which one goes with which, i.e. if a packet arrives at the router from production with an address of the router needs to know which 172.16.22.x address you want it translated to?

The general idea would be -

    6500 -> fa0/0 (2600) fa0/1 - 3750

on the 2600

    int fa0/0
     ip nat outside
    int fa0/1
     ip nat inside
    ip nat inside source static
    ip nat inside source static

etc.. for all 172.16.22.x addresses you want to present to production.

As for routing, if all production lives on the 6500 you may be better off just using a static route on the 6500, i.e.

ip route <2600 fa0/0 IP address>

And you would need route(s) on the 2600 pointing back to the 6500 for all the production vlans that are allowed to connect to test network.

Note that if you want to be able to connect to test address from a 172.16.22.x address in production you will have to do source NAT on the production addresses as well but you didn't specify this as a requirement.

You probably don't want to use EIGRP or any dynamic routing protocol because you will have to filter routes, i.e. you cannot have the 2600 receiving routes for 172.16.22.x from both the 6500 and the 3750.

Plus just using statics is a bit more secure and protects against someone making an error. Last thing you want is for all traffic to 172.16.22.x suddenly going to your test lab!
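
Added example (not part of the thread or any poster's configuration): a Python sketch that generates the one-to-one `ip nat inside source static` lines for the 2600 and rejects a presented range that overlaps a production subnet, which is the misrouting risk raised above. The 10.99.22.0/24 presented range, the 10.1.0.0/16 production subnet, the host list and the 10.0.0.2 next hop are constructed values; only 172.16.22.x comes from the thread.

```python
import ipaddress

def static_nat_config(real_net, nat_net, hosts, production_nets,
                      inside_if="FastEthernet0/1", outside_if="FastEthernet0/0"):
    """Return IOS lines for 1:1 static NAT of test hosts; raise ValueError if unsafe."""
    real = ipaddress.ip_network(real_net)
    nat = ipaddress.ip_network(nat_net)
    if real.prefixlen != nat.prefixlen:
        raise ValueError("real and presented ranges must be the same size")
    # The presented range must not collide with anything production already
    # routes, or production traffic could be drawn toward the lab.
    for prod in map(ipaddress.ip_network, production_nets):
        if nat.overlaps(prod):
            raise ValueError(f"presented range {nat} overlaps production {prod}")
    lines = [f"interface {outside_if}", " ip nat outside",
             f"interface {inside_if}", " ip nat inside"]
    for host in hosts:
        addr = ipaddress.ip_address(host)
        if addr not in real:
            raise ValueError(f"{addr} is not in test subnet {real}")
        # Keep the host part and swap the network part (172.16.22.10 -> x.x.x.10).
        offset = int(addr) - int(real.network_address)
        mapped = ipaddress.ip_address(int(nat.network_address) + offset)
        # IOS order: inside local (real) address, then inside global (presented).
        lines.append(f"ip nat inside source static {addr} {mapped}")
    return lines

def production_static_route(nat_net, next_hop):
    """Static route for the 6500 pointing the presented range at the NAT router."""
    net = ipaddress.ip_network(nat_net)
    return f"ip route {net.network_address} {net.netmask} {next_hop}"

if __name__ == "__main__":
    # Constructed inputs: presented range, production subnets, hosts, next hop.
    PROD = ["172.16.22.0/24", "10.1.0.0/16"]
    for line in static_nat_config("172.16.22.0/24", "10.99.22.0/24",
                                  ["172.16.22.10", "172.16.22.11"], PROD):
        print(line)
    print(production_static_route("10.99.22.0/24", "10.0.0.2"))
```
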


goodwinscott Wed, 03/04/2009 - 13:16

Thanks Jon. I will try this and let you know how it goes. Great suggestion on the use of static routing for this -- sounds much safer!

