IOS NAT: NAT for server fail for ws directly connected to NAT-outside IF

Answered Question
Oct 23rd, 2009

I have a configuration similar to the following:

(1.1.1.0/24)---(NATinside)Router1(NAToutside)---(2.2.2.0/24)---Router2---(3.3.3.0/24)

server actual ip:1.1.1.11 (inside local)

server NAT'ed ip: 2.2.2.11 (inside global)

workstation 1: 3.3.3.101

workstation 2: 2.2.2.101

Things work for workstation 1 but not for workstation 2. E.g. when workstation 2 telnet to 2.2.2.11, the telnet session timeout. 3.3.3.11 can telnet to 2.2.2.11.

The arp table of Router2 contains the arp entry of 2.2.2.11, the MAC is the NAT-outside interface of Router1. Router1 and Router2 run OSPF and routing seems not a problem.

I don't understand why things doesn't work for workstation in the segment directly connected to the NAT-outside interface. Any information would be welcome.

Config of Router1:

interface FastEthernet0/0

ip address 1.1.1.1 255.255.255.0

ip nat inside

!

interface FastEthernet0/1.202

ip address 2.2.2.1 255.255.255.0

ip nat outside

!

ip nat inside source static 1.1.1.11 2.2.2.11

Correct Answer by dhananjoy chowdhury about 7 years 4 months ago

Do you have route on the server 1.1.1.11 for reaching 2.2.2.101 (workstation2) ?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
ct_yau Fri, 10/23/2009 - 02:29

The default gateway of the server 1.1.1.11 is Router1 (1.1.1.1).

ct_yau Tue, 10/27/2009 - 19:41

It turned out that the server 1.1.1.11 did have a wrong static route to 2.2.2.0/24 and that is the cause of the problem. I did not notice it because I had no control of the server and relied on second-hand information from other people.

Thank you for your wise advice that I had overlooked.

lgijssel Fri, 10/23/2009 - 02:23

The outside interface FastEthernet0/1.202 is a sub-interface. What encapsulation is in use on this interface?

This should be native / untagged to allow nodes on the same subnet to connect without vlan tagging.

regards,

Leo

ct_yau Fri, 10/23/2009 - 02:45

The router interface fa0/1.202 run dot1q encapsulation and on VLAN 202.i.e.

interface FastEthernet0/1.202

encapsulation dot1Q 202

ip address 2.2.2.1 255.255.255.0

ip nat outside

It is connected to a switch not drawn, the connecting switch port is in dot1q trunk. Workstation2 and Router2 connect to the switch and the switch ports are put in the correct VLAN, i.e. 202. Workstation2 can ping Router1 on 2.2.2.1 as well as Router2 (say 2.2.2.2) and Workstation1 (3.3.3.101).

ct_yau Mon, 10/26/2009 - 18:12

Hi Leo,

Thank you; especially for your kindness to spend a while looking up things for my problem.

I read that document before but I think the answer is not there.

CT

Actions

This Discussion