Cisco Support Community

New Member

Enabling all internal devices to be reachable through NAT on cisco 861

Hi guys,

I need to connect 10 branches to a datacenter using Cisco 861 routers because the Ethernet solution the provider gave us can't assign more than 32 MAC addresses for the whole network. So we have all our servers at the datacenter with a central firewall/router and all remote branches with a static route to this router. We would like to make all branches' local networks available through NAT or another better solution so network devices at the datacenter network can communicate with all local devices across all the branches.

I've tried to set up a dynamic NAT from outside to inside the network and it didn't work, set up static IP routes for both datacenter and remote branches and that also didn't work, so I'm not sure if I'm approaching this issue with the right idea.

What kind of solution would you guys recommend in this situation?

I just would like to make the routers work in a transparent way, no blocking of anything, passing all traffic in and out of the network.

Regards,

Alex

7 REPLIES
Hall of Fame Super Bronze

Enabling all internal devices to be reachable through NAT on cis

You should look into GETVPN or DMVPN with IPSec to circumvent the provider's limitation and allow transparency between locations.

New Member

Enabling all internal devices to be reachable through NAT on cis

Hi mate,

I didn't want to use any VPN-related tool because this circuit is a private one, there is no "ISP", it is just a LAN circuit delivered to all branches, so I simply would like the router to accept all incoming traffic on the WAN port and forward it to the internal switch ports. Is it possible to achieve this with some sort of NAT?

Regards,

Alex

Hall of Fame Super Bronze

Enabling all internal devices to be reachable through NAT on cis

Based on your requirements, I doubt it.

New Member

Enabling all internal devices to be reachable through NAT on cis

Well, if I am not missing anything, it should be a routing question...

You don't need to use NAT, just configure static routes for each of the other sites' internal networks in each of the 10 routers.

If you are in site 1 and the local net is 10.1.0.0/16, site 2 is 10.2.0.0/16, site 3 is 10.3.0.0/16 and so on,

site 1 router's wan address is 10.99.0.1, site 2 is 10.99.0.2 and so on,

your routing config in site 1 should look like:

ip route 10.2.0.0 255.255.0.0 10.99.0.2

ip route 10.3.0.0 255.255.0.0 10.99.0.3

ip route 10.4.0.0 255.255.0.0 10.99.0.4

ip route 10.5.0.0 255.255.0.0 10.99.0.5

ip route 10.6.0.0 255.255.0.0 10.99.0.6

ip route 10.7.0.0 255.255.0.0 10.99.0.7

ip route 10.8.0.0 255.255.0.0 10.99.0.8

ip route 10.9.0.0 255.255.0.0 10.99.0.9

ip route 10.10.0.0 255.255.0.0 10.99.0.10

In the other sites just adapt to leave out the local network and create static routes for all the others.

If you want a more scalable solution, just implement something like OSPF and as you add new sites and routers, you won't need to change the config of every other router.
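
The "adapt for the other sites" step in the reply above, as an added example that is not part of the original post: a Python generator that emits the static routes for every site and rejects an addressing plan that static routing cannot serve. The 10.N.0.0/16 and 10.99.0.N scheme comes from the reply; the /24 length of the shared WAN subnet and all function names are assumptions.

```python
import ipaddress

# Assumption: the thread never gives the WAN prefix length; /24 is used here.
WAN = ipaddress.ip_network("10.99.0.0/24")

def site_plan(count=10):
    """Scheme from the reply: site N has LAN 10.N.0.0/16 and WAN address 10.99.0.N."""
    return {n: (ipaddress.ip_network(f"10.{n}.0.0/16"),
                ipaddress.ip_address(f"10.99.0.{n}"))
            for n in range(1, count + 1)}

def check_plan(plan):
    """Raise ValueError for next hops off the shared subnet, duplicates or overlapping LANs."""
    sites = sorted(plan)
    for i, a in enumerate(sites):
        lan_a, hop_a = plan[a]
        if hop_a not in WAN:
            raise ValueError(f"site {a}: next hop {hop_a} is not on {WAN}")
        if lan_a.overlaps(WAN):
            raise ValueError(f"site {a}: LAN {lan_a} overlaps the WAN subnet")
        for b in sites[i + 1:]:
            lan_b, hop_b = plan[b]
            if lan_a.overlaps(lan_b):
                raise ValueError(f"sites {a} and {b}: LANs overlap")
            if hop_a == hop_b:
                raise ValueError(f"sites {a} and {b}: same WAN address")

def static_routes(plan, local):
    """IOS 'ip route' lines for the router at site `local`, one per remote LAN.

    'ip route' takes a subnet mask, so a /16 is written 255.255.0.0.
    """
    check_plan(plan)
    return [f"ip route {lan.network_address} {lan.netmask} {hop}"
            for n, (lan, hop) in sorted(plan.items()) if n != local]

if __name__ == "__main__":
    plan = site_plan()
    for site in sorted(plan):
        print(f"! site {site} router")
        print("\n".join(static_routes(plan, site)))
```
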

New Member

Enabling all internal devices to be reachable through NAT on cis

We tested static routes from another physical machine to the routers and no ping or access could be made to the internal network addresses on each branch. It looks like the router is blocking it even though all security settings were disabled.

New Member

Enabling all internal devices to be reachable through NAT on cis

Hi guys,

I was reading some stuff about VPLS. Would it be possible to implement this with the Cisco 861 routers?

Thanks

Hall of Fame Super Silver

Enabling all internal devices to be reachable through NAT on cis

Hello Alex,

No, VPLS is not supported on branch routers like the C861.

You don't need NAT; you need to route between the branch routers and the central router so that fewer than 32 MAC addresses are seen in the provider network, that is, just those of the router LAN interfaces connected to the service.

From your description your WAN service is already a form of VPLS that you can use.

You just need to run a routing protocol over a common IP subnet mapped to the WAN service, where the central site router and all the branch routers are connected each with a LAN interface, and you should be fine.

If you want to add encryption you can run DMVPN over it as already suggested by Edison.

Hope to help

Giuseppe
