05-22-2010 08:56 PM - edited 03-04-2019 08:34 AM
Hello everyone -
I'm a bit confused as to why my NAT overload seems to be working correctly from my router when sourcing from the router LAN interface 192.168.253.254, but the servers connected to my private VLAN 3 are all unable to telnet to the specified destination target 64.29.104.73 port 12222.
I am trying to implement NAT overload because we have many local IPs and very few outside addresses. Prior to installing the 3825 NAT ROUTER, my servers connected perfectly via a Cisco 3560G switch (EMI), but since the 3560 does not do NAT I was asked to place a router in front of the switch out to our client.
Current setup:
The servers have two NICs, one NIC for the private LAN 192.168.253.0 /24 and one NIC for the public network 64.29.104.64 /27. The 3560G switch has only two VLANs set up (VLAN 3 192.168.253.1 and VLAN 5 IP 64.29.104.94). Port G0/27 is where the SFP is located and the circuit is directly connected into the switch. There are no static routes configured on the switch at all! Nothing saying in order to get to the 64.29.104.64 /27 network go out of 64.29.104.94... the servers just connect perfectly. I would say because the circuit is directly connected and of course my switch is learning that as a directly connected network.
Next step: On the 3560 switch I shut down VLAN 5 with IP 64.229.104.94, so the servers can not go out that path anymore. Then I unplugged the circuit from Port 27 and reconfigured like this:
interface G0/27
description UPLINK TO 3825-NAT-ROUTER
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3
switchport mode trunk
speed 1000
duplex full
spanning-tree portfast trunk
!
!
interface Vlan3
ip address 192.168.253.2 255.255.255.0
!
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 192.168.253.254 (I added a default route to send any traffic to the router gateway interface)
!
ip route 64.29.104.64 255.255.255.224 64.29.104.94 (?? then I added a route saying in order to get to the 64.29.104.64 network go to the router .94 NATted outside interface. Should this be changed because the target address for my servers will always be 64.29.104.73??)
My servers have a route saying in order to get to 64.29.104.64 255.255.255.224 go to 64.29.104.94, or should it be the NATted inside interface 192.168.253.254???? I'm so confused at this point.
My machines always target the 64.29.104.73 destination host and port 12222.
*********************************************************************************************************************************************************
Next step I configured my NAT router:
3825-NAT-ROUTER#sh run
Building configuration...
Current configuration : 1214 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3825-NAT-ROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
no aaa new-model
!
!
ip cef
!
!
no ip domain lookup
!
!
interface GigabitEthernet0/0
description directly connected to Cisco 3560G switch - LAN SEGMENT
no ip address
duplex full
speed 1000
!
interface GigabitEthernet0/0.3
encapsulation dot1Q 3
ip address 192.168.253.254 255.255.255.0
ip nat inside
no ip virtual-reassembly
!
!
interface GigabitEthernet0/0/0
ip address 64.29.104.94 255.255.255.224
ip nat outside
ip virtual-reassembly
negotiation auto
!
ip http server
no ip http secure-server
ip nat pool DBS 64.29.104.94 64.29.104.94 prefix-length 27
ip nat inside source list 1 pool DBS overload
!
access-list 1 permit 192.168.253.0 0.0.0.255 log
!
!
end
3825-NAT-ROUTER#telnet 64.29.104.73 12222 /source-interface g0/0.3
Trying 64.29.104.73, 10200 ... Open
TTServerIPs172.30.14.202, 172.30.84.123compression_level3compression_resettruecompression_typedeflatehwc_ssc1PuTTY
[Connection to 64.29.104.73 closed by foreign host]
MQP-NAT-ROUTER#
*May 21 21:25:37.179: NAT: s=192.168.253.254->64.29.104.94, d=64.29.104.73 [62476]
*May 21 21:25:37.179: NAT*: s=64.29.104.73, d=64.29.104.94->192.168.253.254 [44937]
*May 21 21:25:37.179: NAT: s=192.168.253.254->64.29.104.94, d=64.29.104.73 [62477]
*May 21 21:25:37.179: NAT: s=192.168.253.254->64.29.104.94, d=64.29.104.73 [62478]
*May 21 21:25:37.183: NAT*: s=64.29.104.73, d=64.29.104.94->192.168.253.254 [44941]
*May 21 21:25:37.251: NAT: s=192.168.253.254->64.29.104.94, d=64.29.104.73 [62479]
*May 21 21:25:37.255: NAT*: s=64.29.104.73, d=64.29.104.94->192.168.253.254 [45022]
*May 21 21:25:37.255: NAT: s=192.168.253.254->64.29.104.94, d=64.29.104.73 [62480]
*May 21 21:25:37.255: NAT: s=192.168.253.254->64.29.104.94, d=64.29.104.73 [62481]
*May 21 21:25:37.255: NAT*: s=64.29.104.73, d=64.29.104.94->192.168.253.254 [45023]
ANY IDEAS OR HELP WOULD BE GREATLY APPRECIATED. SHOULD I ADD A STATIC ROUTE SOMEWHERE?
Thanks
Maria Esturao
05-22-2010 09:13 PM
On the server when you disabled the public NIC interface, you should have a default gateway pointing towards VLAN 3 interface (192.168.253.2), or you can even point the default gateway directly to the router interface (192.168.253.254) as the server is in the same subnet as the router.
Then I would suggest that you clear the ARP table on the server itself, since it had a public NIC on the same segment prior to being shut down.
Also do not add specific route "64.29.104.64 255.255.255.224 64.29.104.94" on the server as you are trying to force the traffic towards 192.168.253.254, not the public interface.
On the switch, you can't configure the following route:
ip route 64.29.104.64 255.255.255.224 64.29.104.94
This is because you already have a default gateway, and if you need to NAT, the traffic has to go through the router's GigabitEthernet0/0.3 interface.
Hence, please remove the above route on the switch. Then, go ahead and "clear arp" as well on this switch after removing the route.
On the router, after all the above changes, clear the translation table as well as clear arp.
Hope that helps.
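An added illustration of the two points above (my own Python, not anything from the thread, the 3560 or the 3825): a longest-prefix lookup with next-hop resolution shows why a switch route for 64.29.104.64/27 via 64.29.104.94 can no longer be resolved once VLAN 5 is shut down, while the server route via 192.168.253.254 resolves; a small PAT step models what access-list 1 plus `overload` does with the single outside address 64.29.104.94. The route tables and the inside host addresses and ports are constructed for the example.

```python
"""Constructed example: longest-prefix-match routing with next-hop resolution
for the switch/server tables discussed in the thread, plus a PAT (overload)
step for the router. Routes are (prefix, next_hop); next_hop None means the
prefix is directly connected."""
import ipaddress

def lookup(table, dst):
    """Return (network, next_hop) of the longest matching prefix, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best

def first_hop(table, dst):
    """Address the packet is actually handed to, or None if the route's
    next hop cannot be resolved to a directly connected network."""
    hop = dst
    for _ in range(8):                       # bound recursive resolution
        hit = lookup(table, hop)
        if hit is None:
            return None
        if hit[1] is None:
            return hop                       # reached a connected network
        hop = hit[1]
    return None                              # self-referential route

# Switch after VLAN 5 is shut: only VLAN 3 is connected.
SWITCH_BAD = [("192.168.253.0/24", None), ("0.0.0.0/0", "192.168.253.254"),
              ("64.29.104.64/27", "64.29.104.94")]   # next hop no longer reachable
SWITCH_GOOD = [("192.168.253.0/24", None), ("0.0.0.0/0", "192.168.253.254")]
SERVER = [("192.168.253.0/24", None), ("64.29.104.64/27", "192.168.253.254")]

NAT_OUTSIDE = "64.29.104.94"                 # pool DBS, single address
INSIDE_LIST = ipaddress.ip_network("192.168.253.0/24")   # access-list 1

def pat(src, sport, translations, outside=NAT_OUTSIDE):
    """Overload translation: (inside src, port) -> (outside, port). A port
    already in use for the outside address is bumped to the next free one.
    Returns None when the source does not match the inside list."""
    if ipaddress.ip_address(src) not in INSIDE_LIST:
        return None
    key = (src, sport)
    if key not in translations:
        used = set(translations.values())
        port = sport
        while (outside, port) in used:
            port = 1024 if port >= 65535 else port + 1
        translations[key] = (outside, port)
    return translations[key]
```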
05-22-2010 09:34 PM
Hello Halijen- Thank you for the response, now I have a better understanding... I will try this on Monday. How did my configuration look on the 3825? Look correct right? I do not need any static routes, right?
05-22-2010 09:55 PM
On the server:
the route should be 64.29.104.64 255.255.255.224 192.168.253.254?
The servers will be on a private network, but the target will always be 64.29.104.73 port 12222.
Just making sure my routes are right :-))
05-22-2010 10:04 PM
Yes, you are absolutely correct.
On the server, the route should say: 64.29.104.64 255.255.255.224 192.168.253.254
The router configuration looks correct too.
05-22-2010 10:26 PM
Ok got it, but one last check. So the static routes will be as follows:
SERVER
64.29.104.64 255.255.255.224 192.168.253.254
SWITCH
Only a default route
0.0.0.0 0.0.0.0 192.168.253.254
This switch is only used for that private VLAN 3.
ROUTER
No static routes correct?? circuit and switch connect directly to router
Just making sure ;-))
05-22-2010 10:40 PM
Spot on.. absolutely right.