IOS NAT: NAT for server fail for ws directly connected to NAT-outside IF

ct_yau
Level 1

I have a configuration similar to the following:

(1.1.1.0/24)---(NATinside)Router1(NAToutside)---(2.2.2.0/24)---Router2---(3.3.3.0/24)

server actual ip:1.1.1.11 (inside local)

server NAT'ed ip: 2.2.2.11 (inside global)

workstation 1: 3.3.3.101

workstation 2: 2.2.2.101

Things work for workstation 1 but not for workstation 2. E.g. when workstation 2 telnets to 2.2.2.11, the telnet session times out. 3.3.3.11 can telnet to 2.2.2.11.

The arp table of Router2 contains the arp entry of 2.2.2.11, the MAC is the NAT-outside interface of Router1. Router1 and Router2 run OSPF and routing seems not a problem.

I don't understand why things don't work for a workstation in the segment directly connected to the NAT-outside interface. Any information would be welcome.

Config of Router1:

interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.202
 ip address 2.2.2.1 255.255.255.0
 ip nat outside
!
ip nat inside source static 1.1.1.11 2.2.2.11

7 Replies

Do you have a route on the server 1.1.1.11 for reaching 2.2.2.101 (workstation 2)?

The default gateway of the server 1.1.1.11 is Router1 (1.1.1.1).

It turned out that the server 1.1.1.11 did have a wrong static route to 2.2.2.0/24 and that is the cause of the problem. I did not notice it because I had no control of the server and relied on second-hand information from other people.

Thank you for your wise advice that I had overlooked.
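The return-path problem behind the accepted answer, as an added example that is not part of this thread: a small Python model of the server's routing table and Router1's static NAT. The next hop 1.1.1.254 for the wrong static route is a constructed placeholder, since the thread does not give it.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not Cisco code).
# Router1: "ip nat inside source static 1.1.1.11 2.2.2.11", inside gateway 1.1.1.1.
INSIDE_LOCAL = "1.1.1.11"     # server's real address; 2.2.2.11 is its inside global
ROUTER1_INSIDE = "1.1.1.1"    # the server's default gateway, i.e. the NAT device

def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop) tuples."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop

def session_works(client_ip, server_routes):
    """True if a TCP session from client_ip to 2.2.2.11 can complete.

    Forward path: Router1 translates 2.2.2.11 -> 1.1.1.11 before routing, so the
    SYN reaches the server with the client's address untouched. Return path:
    the server's SYN-ACK must go back through Router1 to be re-translated to
    2.2.2.11; if the server's route for client_ip points anywhere else, the
    reply leaves with source 1.1.1.11 and the client never matches it."""
    return lookup(server_routes, client_ip) == ROUTER1_INSIDE

def clients_bypassing_nat(server_routes, clients):
    """Diagnostic: which clients will time out given this server routing table."""
    return [c for c in clients if not session_works(c, server_routes)]

# Server routing tables: default via Router1, plus the wrong static route the
# original poster found (next hop 1.1.1.254 is a constructed placeholder).
GOOD_ROUTES = [("0.0.0.0/0", ROUTER1_INSIDE)]
BAD_ROUTES = GOOD_ROUTES + [("2.2.2.0/24", "1.1.1.254")]

WORKSTATIONS = ["3.3.3.101", "2.2.2.101"]  # workstation 1 and workstation 2

if __name__ == "__main__":
    print("good table, failing clients:", clients_bypassing_nat(GOOD_ROUTES, WORKSTATIONS))
    print("bad table, failing clients: ", clients_bypassing_nat(BAD_ROUTES, WORKSTATIONS))
```

Workstation 1 keeps working under both tables because only the default route covers 3.3.3.0/24, while the more specific 2.2.2.0/24 entry steers workstation 2's replies around the NAT device.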

lgijssel
Level 9

The outside interface FastEthernet0/1.202 is a sub-interface. What encapsulation is in use on this interface?

This should be native / untagged to allow nodes on the same subnet to connect without VLAN tagging.

regards,

Leo

The router interface fa0/1.202 runs dot1q encapsulation on VLAN 202, i.e.

interface FastEthernet0/1.202
 encapsulation dot1Q 202
 ip address 2.2.2.1 255.255.255.0
 ip nat outside

It is connected to a switch not drawn; the connecting switch port is a dot1q trunk. Workstation 2 and Router2 connect to the switch and the switch ports are put in the correct VLAN, i.e. 202. Workstation 2 can ping Router1 on 2.2.2.1 as well as Router2 (say 2.2.2.2) and workstation 1 (3.3.3.101).

Hi ct,

It took a while because I had to look up a document that relates to your question.

This document describes the order of operation for inside and outside nat:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml#topic1

I think this will help to answer your question.

regards,

Leo

Hi Leo,

Thank you; especially for your kindness to spend a while looking up things for my problem.

I read that document before but I think the answer is not there.

CT
