Inter Vlan NAT

Unanswered Question
Apr 27th, 2010

Thanks in advance for your thoughts on how I tackle this issue. 

I have 2 vlans with an 877 providing the routing and a DSL for Internet access. I have a device on Vlan 2 which I can ping from Vlan 1, so routing is working and devices are set up correctly. For NAT purposes, Vlan 1 and 2 are set to inside and the Dialer for the DSL is the outside.

My issue is that the device I'm trying to query has a web interface that is locally accessible on the same Vlan (Vlan 2) but I'm unable to access it from the other Vlan (Vlan 1). I suspect it is something to do with the device and how the interface is written, as ping/telnet work fine from Vlan 1. I was proposing to set up a NAT statement to provide a local Vlan 1 address to latch onto that will do the translation so that I can get to the web interface. When I debug the NAT statements, the NAT seems to want to always latch onto the Outside (Dialer). Can anyone provide some gems of wisdom on how I may overcome the problem, or an alternative approach other than NAT?

PS: Vlans need to be maintained as the device on Vlan 2 broadcasts like crazy.

Thanks again

Dave

Gaurav Gambhir Tue, 04/27/2010 - 17:25

There can be multiple things:

1. How are you trying to access the web page: URL or IP address?

   1.1. If URL, where is your DNS server located, inside or outside?

      1.1.1. Which IP does the URL resolve to, internal private or public IP?

   1.2. If IP address, internal private address or public IP?

2. Have you been able to verify with packet captures that the HTTP packets do make it to the server? If not, use one (Wireshark).

3. When you have two VLANs configured as NAT inside, NAT will not occur. NAT works from either inside to outside or vice versa.

4. In case there is any possibility to resolve this using NAT, try NAT NVI.

A couple of links with sample config and good explanation:

http://inetpro.org/wiki/NAT:_access_outside_global_address_from_the_inside

http://ccie-in-3-months.blogspot.com/2008/12/nat-hairpinning-using-nat-pools-pbr.html

Hope this helps.

Ganesh Hariharan Tue, 04/27/2010 - 22:35

Hi Dave,

If you want to communicate from one VLAN to another, you need inter-VLAN routing. Just check that IP routing is enabled on your Cisco 877. Only then can your Vlan 1 members access the Vlan 2 web server locally.

Hope to Help !!

Ganesh.H

Remember to rate helpful post

shailesh.h Wed, 04/28/2010 - 10:20
  • "Vlan 2 which I can ping from Vlan 1 so routing is working and devices are setup correctly" - this shows that routing and configuration are OK
  • NAT is done to allow the inside network to talk to the outside (VLAN-2), but I think it may be PAT

What could be the possible problem:

  • Possible NAT problem - you can configure one-to-one NAT
  • Access problem - you have to check the access-list, if any
  • Problem with the web server - maybe antivirus or Windows Firewall on the system is not allowing it to communicate

Hope these suggestions help you pinpoint the problem.

Shailesh
