
IOS NAT: NAT for server fail for ws directly connected to NAT-outside IF

I have a configuration similar to the following:

(1.1.1.0/24)---(NATinside)Router1(NAToutside)---(2.2.2.0/24)---Router2---(3.3.3.0/24)

server actual ip:1.1.1.11 (inside local)

server NAT'ed ip: 2.2.2.11 (inside global)

workstation 1: 3.3.3.101

workstation 2: 2.2.2.101

Things work for workstation 1 but not for workstation 2. E.g. when workstation 2 telnets to 2.2.2.11, the telnet session times out. 3.3.3.11 can telnet to 2.2.2.11.

The ARP table of Router2 contains the ARP entry for 2.2.2.11; the MAC is that of the NAT-outside interface of Router1. Router1 and Router2 run OSPF and routing does not seem to be a problem.

I don't understand why things don't work for a workstation in the segment directly connected to the NAT-outside interface. Any information would be welcome.

Config of Router1:

interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.202
 ip address 2.2.2.1 255.255.255.0
 ip nat outside
!
ip nat inside source static 1.1.1.11 2.2.2.11

Accepted Solutions

Re: IOS NAT: NAT for server fail for ws directly connected to NA

Do you have a route on the server 1.1.1.11 for reaching 2.2.2.101 (workstation2)?

Re: IOS NAT: NAT for server fail for ws directly connected to NA

The default gateway of the server 1.1.1.11 is Router1 (1.1.1.1).

Re: IOS NAT: NAT for server fail for ws directly connected to NA

It turned out that the server 1.1.1.11 did have a wrong static route to 2.2.2.0/24 and that is the cause of the problem. I did not notice it because I had no control of the server and relied on second-hand information from other people.

Thank you for your wise advice that I had overlooked.
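
The failure mode identified above, as an added example that is not part of the original thread: a longest-prefix-match lookup on the server's routing table shows why only the workstation in 2.2.2.0/24 was affected. The next hop 1.1.1.254 of the wrong static route is a constructed value (the thread does not say where the route pointed), and the function names are hypothetical.

```python
import ipaddress

ROUTER1_INSIDE = "1.1.1.1"  # Router1 "ip nat inside" interface (from the thread)

# Routing tables of server 1.1.1.11 as (prefix, next hop).
# 1.1.1.254 is a constructed next hop: the thread only says the static
# route to 2.2.2.0/24 was wrong, not where it pointed.
BROKEN = [("0.0.0.0/0", "1.1.1.1"), ("2.2.2.0/24", "1.1.1.254")]
FIXED = [("0.0.0.0/0", "1.1.1.1")]


def next_hop(routes, dst):
    """Return the next hop chosen by longest-prefix match, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else best[1]


def reply_is_translated(routes, client):
    """The static entry rewrites source 1.1.1.11 to 2.2.2.11 only on packets
    that Router1 routes from its inside to its outside interface, so the
    server's reply must be handed to Router1 to come back as 2.2.2.11."""
    return next_hop(routes, client) == ROUTER1_INSIDE


def diagnose(routes):
    """Check the reply path for workstation 1 and workstation 2 from the thread."""
    return {ws: reply_is_translated(routes, ws) for ws in ("3.3.3.101", "2.2.2.101")}


if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, diagnose(table))
```

With the more specific /24 route present, replies to 3.3.3.101 still follow the default gateway through Router1, while replies to 2.2.2.101 never reach the NAT router, which matches the symptom reported for workstation 2.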

Re: IOS NAT: NAT for server fail for ws directly connected to NA

The outside interface FastEthernet0/1.202 is a sub-interface. What encapsulation is in use on this interface?

This should be native / untagged to allow nodes on the same subnet to connect without vlan tagging.

regards,

Leo

Re: IOS NAT: NAT for server fail for ws directly connected to NA

The router interface fa0/1.202 runs dot1q encapsulation and is on VLAN 202, i.e.

interface FastEthernet0/1.202
 encapsulation dot1Q 202
 ip address 2.2.2.1 255.255.255.0
 ip nat outside

It is connected to a switch not drawn, the connecting switch port is in dot1q trunk. Workstation2 and Router2 connect to the switch and the switch ports are put in the correct VLAN, i.e. 202. Workstation2 can ping Router1 on 2.2.2.1 as well as Router2 (say 2.2.2.2) and Workstation1 (3.3.3.101).

Re: IOS NAT: NAT for server fail for ws directly connected to NA

Hi ct,

It took a while because I had to look up a document that relates to your question.

This document describes the order of operation for inside and outside nat:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml#topic1

I think this will help to answer your question.

regards,

Leo

Re: IOS NAT: NAT for server fail for ws directly connected to NA

Hi Leo,

Thank you, especially for your kindness in spending a while looking things up for my problem.

I read that document before but I think the answer is not there.

CT
