How does NAT work from the 'outside'?

Dec 9th, 2009

Hello,

Having a problem, here is the situation.

We have a 2800 router that was set up to perform NAT between an internal FA interface (192.x.x.x) and an external GIG interface to the internet.  All works fine and has been for some time.

We recently configured another gig port on the router to handle routed traffic coming from another internal site with a different subnet (10.100.x.x).  This also works fine.  We can access the internet from this remote site and access devices on the 192 network.

IMPORTANT:  The 10 network accesses the internet by going through the 192 interface to a proxy on the 192 network.  They do not use the internet connection on this router.

Here is the issue:

From the 10 network, when a workstation tries to access a destination on the internet using port 12500, it never connects.  I did a packet trace and can see the packets going to the 192 network but they never return.

Is the traffic NATted when traversing from the 10 to the 192 network?  How is that affecting a device on the 10 network trying to access a device on the internet going thru the 192 network with port 12500?

Thanks,

Kerry

Jon Marshall Wed, 12/09/2009 - 07:12

Kerry

"Is the traffic NATted when traversing from the 10 to 192 network?"

Well, without the configs only you can say. Do you have any NAT statements on the branch router or the gigabit interface connecting it to the main site?

If internet access works for the remote site using the proxy then it looks like it is either

1) an issue with your router/firewall config - are you allowing port 12500 out?

2) an issue with the internet server - have you tried connecting to that server on port 12500 from the main site?

Jon

k.moser Thu, 12/10/2009 - 08:28

Jon,

I've uploaded the config and added some clarification below.

Internal FA interface is FA 0/0, internet is not GIG port, it is FA 0/1.

Additional GIG port to remote site (10 network) GIG 0/1/0.

Although a connection to the internet exists on this router (FA 0/1) internet traffic for the 10 network goes through a proxy sitting on the 192 network (FA 0/0).

Answer to your questions:

1.)  port 12500 is allowed by proxy/FW.

2.)  Access to sites (on the internet) using this port works from the 192 network.

Additional question / clarification:

I know an IP would be NATted when going from FA 0/0 to FA 0/1 but what happens when a packet initiates from the 10 network (gig 0/1/0) and traverses through the 192 network (FA 0/0)?

Kerry
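
Jon's question about NAT statements on the gigabit interface can be checked mechanically. The following is an added example, not part of the original thread and not the poster's uploaded config: it parses a constructed IOS-style configuration (interface names follow the thread; all addresses, ACL 1 and the NAT rule are assumptions) and applies the classic IOS rule that a dynamic `ip nat inside source` rule rewrites only packets routed from an `ip nat inside` interface to an `ip nat outside` interface whose source matches the rule's ACL.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample, NOT the poster's uploaded config. Interface names follow
# the thread; addresses, ACL 1 and the NAT rule are assumptions.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1/0
 ip address 10.100.0.1 255.255.0.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
"""

def parse(config):
    """Return (interface -> NAT role, ACL id -> permitted networks, ACL ids used by NAT)."""
    roles, acls, nat_acls, current = {}, {}, [], None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            roles[current] = None              # no NAT role unless marked below
        elif current and (m := re.match(r" ip nat (inside|outside)\s*$", line)):
            roles[current] = m.group(1)
        elif m := re.match(r"ip nat inside source list (\S+)", line):
            nat_acls.append(m.group(1))
        elif m := re.match(r"access-list (\d+) permit (\S+) (\S+)", line):
            # ip_network accepts the IOS wildcard (host) mask form directly
            acls.setdefault(m.group(1), []).append(ip_network(f"{m[2]}/{m[3]}"))
        elif not line.startswith(" "):
            current = None                     # left the interface block
    return roles, acls, nat_acls

def is_translated(config, src_ip, in_if, out_if):
    """True if a dynamic inside-source rule would rewrite this packet's source.
    Models only `ip nat inside`/`outside` with standard-ACL permits; NVI
    (`ip nat enable`), route-maps and static entries are not modelled."""
    roles, acls, nat_acls = parse(config)
    if roles.get(in_if) != "inside" or roles.get(out_if) != "outside":
        return False
    src = ip_address(src_ip)
    return any(src in net for acl in nat_acls for net in acls.get(acl, []))
```

With this constructed config, a 10.100.x.x packet entering GigabitEthernet0/1/0 and leaving FastEthernet0/0 is routed untranslated; the result for a real router depends on how its interfaces are actually marked.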
