NAT issues

Mar 4th, 2009

Hi Cisco,

Our Head Office and remote sites in Sydney are set up as a hub/spoke network. All Internet traffic goes via the Head Office border router. We are using a point-to-point Ethernet connection from hub to spokes with a /30 public IP address per access link. All public IPs are assigned from our pool.

We do not want to set up a GRE tunnel or DMVPN for this hub/spoke setup, as I think it is not necessary because the remote sites only have one path to the Internet, which is via Head Office.

Behind each spoke site is a 10.x.x.x/24 network which holds a Domain Controller server for our team to log in to, so we can manage their PCs via Active Directory.

Below is a sample configuration of each Cisco node and the attached network diagram.


-----------------------------------------------------

HUB Config:

Cisco IOS Software, 3700 Software (C3725-ADVSECURITYK9-M), Version 12.4(7c), RELEASE SOFTWARE (fc2)

interface FastEthernet0/0
 description TRUNK FROM REMOTE 1
 bandwidth 102400
 no ip address
 load-interval 30
 speed 100
 full-duplex
 no mop enabled
 no clns route-cache
!
interface FastEthernet0/0.10
 description TO REMOTE 1 -- 4Mbps ETHERNET
 bandwidth 4096
 encapsulation dot1Q 10
 ip address 202.203.204.1 255.255.255.252
 no snmp trap link-status
!
interface FastEthernet0/1
 description TRUNK FROM REMOTE 2
 bandwidth 102400
 no ip address
 no ip mroute-cache
 load-interval 30
 speed 100
 full-duplex
 no mop enabled
 no clns route-cache
!
interface FastEthernet0/1.20
 description TO REMOTE 2 -- 4Mbps ETHERNET
 bandwidth 4096
 encapsulation dot1Q 20
 ip address 202.203.204.5 255.255.255.252
 no snmp trap link-status
!
ip route 0.0.0.0 0.0.0.0 name DEFAULT-ROUTE-INTERNET
ip route 10.10.10.0 255.255.255.0 202.203.204.2 name REMOTE_1-INTERNAL-NETWORK
ip route 10.20.20.0 255.255.255.0 202.203.204.6 name REMOTE_2-INTERNAL-NETWORK

REMOTE 1 Config: (Remote 2 config is identical with the appropriate IP addresses)

Cisco IOS Software, 3700 Software (C3725-ADVSECURITYK9-M), Version 12.4(7b), RELEASE SOFTWARE (fc2)

interface FastEthernet0/0
 description Link to Head Office - 4Mbps Ethernet
 bandwidth 4096
 ip address 202.203.204.2 255.255.255.252
 ip accounting output-packets
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 load-interval 30
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description TO SWITCH STACK - 3560 SWITCHES
 no ip address
 ip virtual-reassembly
 no ip mroute-cache
 load-interval 30
 speed 100
 full-duplex
!
interface FastEthernet0/1.998
 description Remote 1 Team Network
 encapsulation dot1Q 998
 ip address 10.10.10.1 255.255.255.0
 ip accounting output-packets
 ip inspect mktfw in
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 no snmp trap link-status
!
ip route 0.0.0.0 0.0.0.0 202.203.204.1 name DEFAULT-ROUTE-HEAD-OFFICE
ip route 10.0.0.0 255.0.0.0 202.203.204.1 name 10-ADDRESS-RANGES
!
ip nat pool REMOTE1 202.202.202.1 202.202.202.2 netmask 255.255.255.252
ip nat inside source list NAT_ACL pool REMOTE1 overload
!
ip access-list extended NAT_ACL
 remark DENY NAT FOR REMOTE 1 TEAM ACCESSING 10 NETWORKS
 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark PERMIT IP ACCESS FROM SERVCORP NETWORKS
 permit ip 10.10.10.0 0.0.0.255 any

-----------------------------------------------------

The problem we are currently facing is that from time to time, when the DC at Remote 1 needs to connect to the DC at Remote 2, it gets NATed on the router closest to the source. When this problem occurs, I see 2 NAT entries from the show ip nat translation command, which is why communication between the 2 DCs goes down for replication.

We have a NAT ACL applied to the NAT pool which should be denying this traffic from 10.10.10.x to 10.20.20.x. 95% of the time the traffic from one DC to the other works perfectly, where the NAT rule denies NATing and uses the static route to send data to the other 10.20.20.x via the HUB.
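As an added check (not part of the original post or Cisco's code), the evaluator below models how IOS walks `NAT_ACL` top-down with first-match semantics and an implicit deny at the end, so you can confirm on paper which flows the list would hand to the `ip nat inside source list` rule. It only handles the `permit|deny ip SRC DST` form used in the posted ACL (with `any`, `host`, or address/wildcard operands); port-qualified entries are an assumption it does not cover.

```python
import ipaddress

# Constructed copy of the NAT_ACL posted above; the router ignores "remark" lines.
NAT_ACL = """
remark DENY NAT FOR REMOTE 1 TEAM ACCESSING 10 NETWORKS
deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
remark PERMIT IP ACCESS FROM SERVCORP NETWORKS
permit ip 10.10.10.0 0.0.0.255 any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _matches(addr, base, wildcard):
    # IOS wildcard mask: a 0 bit must match exactly, a 1 bit is "don't care".
    return (addr & ~wildcard) == (base & ~wildcard)

def _parse_operand(tokens):
    """Consume one address operand (any | host A | A WILDCARD); return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def parse_acl(text):
    """Turn the extended ACL text into (action, src, src_wc, dst, dst_wc) tuples in order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action = tokens[0]                      # "permit" or "deny"; tokens[1] is the protocol ("ip")
        src, src_wc, rest = _parse_operand(tokens[2:])
        dst, dst_wc, _ = _parse_operand(rest)
        entries.append((action, src, src_wc, dst, dst_wc))
    return entries

def nat_candidate(acl, src, dst):
    """True if the list would permit (i.e. translate) this src->dst flow; first match wins,
    and a flow that matches nothing hits the implicit deny and is left untranslated."""
    s, d = _ip(src), _ip(dst)
    for action, base_s, wc_s, base_d, wc_d in acl:
        if _matches(s, base_s, wc_s) and _matches(d, base_d, wc_d):
            return action == "permit"
    return False

def audit(acl, flows):
    """Return the subset of (src, dst) flows that the list would expose to NAT."""
    return [(s, d) for s, d in flows if nat_candidate(acl, s, d)]
```

Because the DC-to-DC flow (10.10.10.x to 10.20.20.x) evaluates to deny here, the ACL text as posted does not by itself explain the translations seen in `show ip nat translations`; comparing this result with the per-entry hit counts from `show access-lists NAT_ACL` on the running router narrows down whether the list or something else created them.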
