10-23-2009 01:44 AM - edited 03-06-2019 08:16 AM
I have a configuration similar to the following:
(1.1.1.0/24)---(NATinside)Router1(NAToutside)---(2.2.2.0/24)---Router2---(3.3.3.0/24)
server actual ip:1.1.1.11 (inside local)
server NAT'ed ip: 2.2.2.11 (inside global)
workstation 1: 3.3.3.101
workstation 2: 2.2.2.101
Things work for workstation 1 but not for workstation 2. E.g. when workstation 2 telnets to 2.2.2.11, the telnet session times out. 3.3.3.11 can telnet to 2.2.2.11.
The ARP table of Router2 contains the ARP entry of 2.2.2.11; the MAC is that of the NAT-outside interface of Router1. Router1 and Router2 run OSPF and routing does not seem to be a problem.
I don't understand why things don't work for a workstation in the segment directly connected to the NAT-outside interface. Any information would be welcome.
Config of Router1:
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.202
 ip address 2.2.2.1 255.255.255.0
 ip nat outside
!
ip nat inside source static 1.1.1.11 2.2.2.11
10-23-2009 02:14 AM
Do you have a route on the server 1.1.1.11 for reaching 2.2.2.101 (workstation2)?
10-23-2009 02:29 AM
The default gateway of the server 1.1.1.11 is Router1 (1.1.1.1).
10-27-2009 07:41 PM
It turned out that the server 1.1.1.11 did have a wrong static route to 2.2.2.0/24 and that was the cause of the problem. I did not notice it because I had no control of the server and relied on second-hand information from other people.
Thank you for your wise advice that I had overlooked.
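The failure mode found above, as an added example that is not part of the original thread: the static NAT entry on Router1 only rewrites the server's replies if the server sends them to 1.1.1.1, so a more specific route for 2.2.2.0/24 on the server breaks workstation 2 while workstation 1 keeps working through the default route. The wrong next hop 1.1.1.254 and the function names are assumptions; the thread does not say what the bad route pointed to.

```python
import ipaddress

# Router1's NAT-inside address, taken from the thread.
ROUTER1_INSIDE = ipaddress.ip_address("1.1.1.1")

def next_hop(dst, routes):
    """Longest-prefix match over (prefix, gateway) pairs; None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(prefix), gw) for prefix, gw in routes
               if dst in ipaddress.ip_network(prefix)]
    if not matches:
        return None
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return ipaddress.ip_address(gw)

def reply_is_translated(client, routes):
    """A reply from 1.1.1.11 is rewritten to 2.2.2.11 only if it enters
    Router1 on the NAT-inside interface, i.e. the server's next hop is 1.1.1.1."""
    return next_hop(client, routes) == ROUTER1_INSIDE

# Constructed routing tables for server 1.1.1.11 (gateway routes only).
# 1.1.1.254 is a placeholder for the unknown wrong next hop.
BROKEN = [("0.0.0.0/0", "1.1.1.1"), ("2.2.2.0/24", "1.1.1.254")]
FIXED = [("0.0.0.0/0", "1.1.1.1")]

def check(routes):
    """Per-client result: does the server's reply get NAT'ed on the way back?"""
    clients = ("3.3.3.101", "2.2.2.101")  # workstation 1, workstation 2
    return {c: reply_is_translated(c, routes) for c in clients}

if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("fixed", FIXED)):
        for client, ok in check(table).items():
            hop = next_hop(client, table)
            print(f"{name}: reply to {client} via {hop} -> "
                  f"{'translated' if ok else 'bypasses NAT, session times out'}")
```

On the real server, the equivalent check is to print its routing table and look for any entry more specific than the default route that covers 2.2.2.0/24.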
10-23-2009 02:23 AM
The outside interface FastEthernet0/1.202 is a sub-interface. What encapsulation is in use on this interface?
This should be native / untagged to allow nodes on the same subnet to connect without vlan tagging.
regards,
Leo
10-23-2009 02:45 AM
The router interface fa0/1.202 runs dot1q encapsulation on VLAN 202, i.e.
interface FastEthernet0/1.202
 encapsulation dot1Q 202
 ip address 2.2.2.1 255.255.255.0
 ip nat outside
It is connected to a switch not drawn, the connecting switch port is in dot1q trunk. Workstation2 and Router2 connect to the switch and the switch ports are put in the correct VLAN, i.e. 202. Workstation2 can ping Router1 on 2.2.2.1 as well as Router2 (say 2.2.2.2) and Workstation1 (3.3.3.101).
10-23-2009 04:27 AM
Hi ct,
It took a while because I had to look up a document that relates to your question.
This document describes the order of operation for inside and outside nat:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml#topic1
I think this will help to answer your question.
regards,
Leo
10-26-2009 06:12 PM
Hi Leo,
Thank you, especially for your kindness in spending a while looking things up for my problem.
I read that document before but I think the answer is not there.
CT