08-28-2008 07:25 AM - edited 03-06-2019 01:03 AM
Hi,
I've tried several different setups including a standard NAT configuration and have also tried to use NVI.
Here's what I have and would like to achieve:
- A Main Internal Network that has several hosts NATed to the external world (i.e. Mail Server, Web Server, etc)
- A Guest Network (i.e. Wireless Access) that restricts access to all the internal IP addresses on our main network, but allows access to our 'public services' (i.e. Mail Server, Web Server, etc)
- An additional internal network for a different workgroup that can access all hosts on the main network.
- VPN Access to the Internal Network
I first set this up using a traditional NAT configuration: 'ip nat inside' on the three internal networks, 'ip nat outside' on the external network, and several static NAT statements. Problems arose with this setup. On the guest network, users were unable to access the external IP addresses of our hosts. I needed to set up ACLs to allow traffic to the internal IP addresses. VPN users were also unable to access hosts that had static NAT set up at their internal IP addresses. NAT would kick into effect before the return packets were encrypted, and they would never reach their destination.
I have found NVIs and thought they would solve our problems. They have solved our guest network problem. Now hosts on the Guest network can access the external IP addresses of our hosts. External users can still access the static NAT hosts. However, now users from the second internal network can no longer access the internal IP addresses of our mail and web servers. They can, however, access them at their external IP addresses.
What seems to be happening is that, with no concept of 'inside' and 'outside' networks, traffic from a machine at 172.17.13.1 is sent to a host on our main network at 172.17.11.200. That host at 172.17.11.200 has a static NAT mapping that maps it to 1.2.3.4. The host at 172.17.11.200 gets the packet and responds to the machine at 172.17.13.1. The router sees the packet from 172.17.11.200, performs a lookup, sees it has a mapping to 1.2.3.4 and forwards the packet on to 172.17.13.1 with a source of 1.2.3.4. This is of course not the host it expects the reply to come from. I would typically set up a route-map to prevent the static NAT statement from applying to internal <-> internal traffic; however, NVIs do not support route-maps.
Some sample configuration:
interface FastEthernet0
 description Internet Access
 ip address 1.1.1.1 255.255.255.252
 ip nat enable
!
interface FastEthernet1.11
 description Main Office Network
 encapsulation dot1Q 11
 ip address 172.17.11.254 255.255.255.0
 ip nat enable
!
interface FastEthernet1.13
 description Boot Hill Network
 encapsulation dot1Q 13
 ip address 172.17.13.254 255.255.255.0
 ip nat enable
!
interface FastEthernet1.15
 description Guest Network
 encapsulation dot1Q 15
 ip address 172.17.15.254 255.255.255.0
 ip access-group guestnet-in in
 ip nat enable
!
ip nat source list nat interface FastEthernet0
ip nat source static 172.17.11.200 1.2.3.4
ip nat source static 172.17.11.201 1.2.3.4
!
ip access-list extended guestnet-in
 deny ip any 172.16.0.0 0.15.255.255
 permit ip any any
ip access-list extended nat
 deny ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
 permit ip 172.17.0.0 0.0.255.255 any
Simply enough, I want to prevent NAT from occurring on any 172.16/12 to 172.16/12 traffic except for traffic destined for the external IP addresses of the statically NATed hosts.
Thanks,
James
08-29-2008 10:43 AM
Hello James,
I would suggest using a route-map and then referencing the extended named ACL inside it:
ip nat source route-map NAT_select interface FastEthernet0 overload
!
route-map NAT_select permit 10
 match ip address nat
Hope to help
Giuseppe
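To make the behaviour James describes concrete, and to show what a route-map style exemption (the 'deny ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255' line that Giuseppe's route-map would reference) changes, here is an added Python model of an NVI-style NAT lookup. It is not IOS code and not part of either post: it deliberately ignores ports, timers and the second static entry, keeps one session table that is consulted before policy, and uses the addresses from the thread plus constructed hosts 172.17.15.10, 172.17.13.1 and 203.0.113.50.

```python
"""Simplified model of NVI-style NAT with no inside/outside roles.

Constructed illustration of the thread's scenario, not Cisco IOS code:
one static one-to-one mapping, overload to the outside interface address,
an optional exemption for 172.16/12 <-> 172.16/12 traffic, and a session
table so replies to an already translated flow are reversed statefully.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RFC1918_172 = ip_network("172.16.0.0/12")   # the 172.16/12 block used in the ACLs
OUTSIDE_IF_IP = ip_address("1.1.1.1")       # FastEthernet0 address from the post

# 'ip nat source static 172.17.11.200 1.2.3.4' from the post (only one entry modelled)
STATIC = {ip_address("172.17.11.200"): ip_address("1.2.3.4")}
STATIC_REVERSE = {pub: priv for priv, pub in STATIC.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def exempt_internal_to_internal(pkt: Packet) -> bool:
    """Models the ACL line 'deny ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255':
    a packet with both ends inside 172.16/12 must not be translated."""
    return ip_address(pkt.src) in RFC1918_172 and ip_address(pkt.dst) in RFC1918_172


class NviNat:
    """Stateful but port-less NAT; policy is only evaluated for new flows."""

    def __init__(self, use_exemption: bool):
        self.use_exemption = use_exemption
        self.sessions: dict[tuple[str, str], tuple[str, str]] = {}

    def _policy(self, pkt: Packet) -> Packet:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if self.use_exemption and exempt_internal_to_internal(pkt):
            return pkt                                   # route-map denies: forward untouched
        if src in STATIC:                                # mapped host sending: rewrite source
            return Packet(str(STATIC[src]), pkt.dst)     # this is the rewrite James observed
        if dst in STATIC_REVERSE:                        # anyone reaching the public address
            return Packet(pkt.src, str(STATIC_REVERSE[dst]))
        if src in RFC1918_172 and dst not in RFC1918_172:
            # 'ip nat source list nat interface FastEthernet0' overload (ports omitted)
            return Packet(str(OUTSIDE_IF_IP), pkt.dst)
        return pkt

    def translate(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.dst)
        if key in self.sessions:                         # existing flow: state wins over policy
            return Packet(*self.sessions[key])
        new = self._policy(pkt)
        if new != pkt:
            self.sessions[key] = (new.src, new.dst)
            # reverse entry so the reply to a translated flow is un-translated
            self.sessions[(new.dst, new.src)] = (pkt.dst, pkt.src)
        return new


def run_thread_scenarios(use_exemption: bool) -> dict[str, Packet]:
    """Replays the four flows discussed in the thread on a fresh NAT instance."""
    nat = NviNat(use_exemption)
    out = {}
    # 1. Boot Hill host asks the server by its internal address; the server replies.
    nat.translate(Packet("172.17.13.1", "172.17.11.200"))
    out["reply_to_boothill"] = nat.translate(Packet("172.17.11.200", "172.17.13.1"))
    # 2. Guest host asks the server by its public address; the server replies.
    nat.translate(Packet("172.17.15.10", "1.2.3.4"))
    out["reply_to_guest"] = nat.translate(Packet("172.17.11.200", "172.17.15.10"))
    # 3. Internet client reaches the public address.
    out["inbound_from_internet"] = nat.translate(Packet("203.0.113.50", "1.2.3.4"))
    # 4. Boot Hill host goes out to the Internet through the overload.
    out["boothill_to_internet"] = nat.translate(Packet("172.17.13.1", "203.0.113.50"))
    return out


if __name__ == "__main__":
    for label, flag in (("no exemption", False), ("with exemption", True)):
        print(label)
        for name, pkt in run_thread_scenarios(flag).items():
            print(f"  {name:22s} -> {pkt.src} -> {pkt.dst}")
```

Without the exemption, the reply to the Boot Hill host leaves with source 1.2.3.4, exactly the mismatch described above; with it, that reply is untouched while guest and Internet access through 1.2.3.4 still work, because those flows never match the deny and their replies are handled by the session table rather than by policy.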
08-29-2008 11:10 AM
I was running into trouble just like this at my last company... I finally set up a firewall and let it do all of the NAT.