I've tried several different setups, including a standard NAT configuration, and have also tried to use NVI.
Here's what I have and would like to achieve:
- A Main Internal Network that has several hosts NATed to the external world (e.g. Mail Server, Web Server, etc.)
- A Guest Network (i.e. Wireless Access) that restricts access to all the internal IP addresses on our main network, but allows access to our 'public services' (e.g. Mail Server, Web Server, etc.)
- An additional internal network for a different workgroup that can access all hosts on the main network.
- VPN Access to the Internal Network
I first set this up using a traditional NAT configuration: 'ip nat inside' on the three internal networks, 'ip nat outside' on the external network, and several static NAT statements. Problems arose with this setup. On the guest network, users were unable to access the external IP addresses of our hosts; I needed to set up ACLs to allow traffic to the internal IP addresses. VPN users were also unable to access hosts that had static NAT set up at their internal IP addresses: NAT would kick into effect before the return packets were encrypted, and they would never reach their destination.
I have found NVIs and thought they would solve our problems. They have solved our guest network problem: hosts on the Guest network can now access the external IP addresses of our hosts, and external users can still access the static NAT hosts. However, users on the second internal network can now no longer access the internal IP addresses of our mail and web servers. They can, however, access them at their external IP addresses.
What seems to be happening is that, with no concept of 'inside' and 'outside' networks, traffic from a machine at 172.17.13.1 is sent to a host on our main network at 172.17.11.200. The host at 172.17.11.200 has a static NAT mapping that maps it to 22.214.171.124. It receives the packet and responds to the machine at 172.17.13.1. The router sees the packet from 172.17.11.200, performs a lookup, sees it has a mapping 126.96.36.199, and forwards the packet on to 172.17.13.1 with a source of 188.8.131.52. This is of course not the host that 172.17.13.1 expects the reply to come from. I would typically set up a route-map to prevent the static NAT statement from applying to internal <-> internal traffic; however, NVIs do not support route-maps.
Some sample configuration:
description Internet Access
ip address 184.108.40.206 255.255.255.252
ip nat enable
description Main Office Network
encapsulation dot1Q 11
ip address 172.17.11.254 255.255.255.0
ip nat enable
description Boot Hill Network
encapsulation dot1Q 13
ip address 172.17.13.254 255.255.255.0
ip nat enable
description Guest Network
encapsulation dot1Q 15
ip address 172.17.15.254 255.255.255.0
ip access-group guestnet-in in
ip nat enable
ip nat source list nat interface FastEthernet0
ip nat source static 172.17.11.200 220.127.116.11
ip nat source static 172.17.11.201 18.104.22.168
ip access-list extended guestnet-in
deny ip any 172.16.0.0 0.15.255.255
permit ip any any
ip access-list extended nat
deny ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
permit ip 172.17.0.0 0.0.255.255 any
Simply put, I want to prevent NAT from occurring on any 172.16/12 to 172.16/12 traffic, except for traffic destined for the external IP addresses of the statically NATed hosts.
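Not part of the original post: a small Python model of the translation logic described above, written to make the failure mode reproducible on a desk rather than on a router. It models a static one-to-one mapping applied without inside/outside roles (as the post describes NVI behaviour), then adds the stateless "no NAT for 172.16/12 to 172.16/12" exemption the post asks for, and shows a second subtlety: that stateless exemption, on its own, breaks a guest host reaching a server at its external address, because the server's reply is 172.16/12 to 172.16/12 and is exempted too. The external addresses (203.0.113.x), the guest host 172.17.15.10, and the session-tracking behaviour are constructed for the model and are not claims about what IOS or NVI actually does.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PRIVATE_12 = ipaddress.ip_network("172.16.0.0/12")

# Constructed one-to-one static mappings (internal -> external). The external
# addresses are documentation-range placeholders, not the ones in the post.
STATIC_MAP = {
    "172.17.11.200": "203.0.113.10",
    "172.17.11.201": "203.0.113.11",
}
GLOBAL_TO_LOCAL = {g: l for l, g in STATIC_MAP.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def is_internal_to_internal(pkt: Packet) -> bool:
    """True when both endpoints fall inside 172.16.0.0/12 (the ACL 'nat' deny line)."""
    return (ipaddress.ip_address(pkt.src) in PRIVATE_12
            and ipaddress.ip_address(pkt.dst) in PRIVATE_12)


class Router:
    """Toy router applying static NAT with no inside/outside roles (assumed model).

    exempt   -- do not translate the source of 172.16/12 -> 172.16/12 packets
                (the stateless rule the post asks for)
    stateful -- remember flows whose destination was un-translated on the way
                in, so the reply is translated back even if the exemption matches
    """

    def __init__(self, exempt: bool, stateful: bool):
        self.exempt = exempt
        self.stateful = stateful
        # (local server, remote client) pairs seen on the forward direction
        self.sessions: set[tuple[str, str]] = set()

    def translate(self, pkt: Packet) -> Packet:
        # Reply to a tracked flow: translate the source back to its global address
        # regardless of the stateless exemption.
        if self.stateful and (pkt.src, pkt.dst) in self.sessions:
            return Packet(STATIC_MAP[pkt.src], pkt.dst)

        # A destination matching a global address is always mapped to the local host.
        dst = GLOBAL_TO_LOCAL.get(pkt.dst, pkt.dst)
        if dst != pkt.dst and self.stateful:
            self.sessions.add((dst, pkt.src))

        # Source translation: the static mapping applies to any packet from the
        # local host, unless the internal-to-internal exemption is enabled and matches.
        src = pkt.src
        if src in STATIC_MAP and not (self.exempt and is_internal_to_internal(pkt)):
            src = STATIC_MAP[src]
        return Packet(src, dst)

    def exchange(self, client: str, target: str) -> bool:
        """Client sends to target, server replies; True if the client sees the
        reply come from the address it sent to."""
        request = self.translate(Packet(client, target))
        server = request.dst
        reply = self.translate(Packet(server, request.src))
        return reply.dst == client and reply.src == target


if __name__ == "__main__":
    cases = [
        ("plain, workgroup -> internal IP", Router(False, False), "172.17.13.1", "172.17.11.200"),
        ("plain, guest -> external IP", Router(False, False), "172.17.15.10", "203.0.113.10"),
        ("exempt, workgroup -> internal IP", Router(True, False), "172.17.13.1", "172.17.11.200"),
        ("exempt, guest -> external IP", Router(True, False), "172.17.15.10", "203.0.113.10"),
        ("exempt+stateful, guest -> external IP", Router(True, True), "172.17.15.10", "203.0.113.10"),
    ]
    for label, router, client, target in cases:
        print(f"{label}: {'works' if router.exchange(client, target) else 'BROKEN'}")
```

The first two cases reproduce what the post reports for NVI: the workgroup host talking to the server's internal address gets a reply from the external address and the flow breaks, while the guest host talking to the external address works. Enabling the stateless exemption fixes the first and breaks the second, which is why an exemption keyed only on source and destination prefixes is not enough on its own; the reply for the guest flow has to be recognised as belonging to a translated flow.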