I manage a development network here that accesses its internet via our corporate firewall.
We have a DSL connection as well for traffic that must bypass the firewall. Typically, we plug directly into the DSL switch, get an IP address from the DSL modem (192.168.1.x) and access it that way. Well, I have a special case where a certain destination should get routed over the DSL connection, but the rest of the traffic needs to go over the standard internet connection.
What I want is for the bulk of the traffic to exit via 172.23.8.1, but for traffic destined for 184.108.40.206 (obfuscated) to exit via the DSL gateway of 192.168.1.1. Unfortunately, we have to NAT this traffic because we don't have management of the modem to tell it where the 10.x.x.x and 172.x.x.x networks are.
The routing part works fine. If I run a traceroute from the router itself, the 220.127.116.11 traffic goes over the DSL connection, and all of the general web traffic on the LANs works. I can ping 192.168.1.163. However, it appears that the NAT isn't working right because I can't ping 18.104.22.168 or 192.168.1.1 from inside the 10.x.x.x or 172.x.x.x networks.
I'd be extremely grateful for any help.
Here is the relevant config:
Current configuration : 4378 bytes
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
! This is a router-on-a-stick for the development network, hence the sub interfaces
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 172.23.8.3 255.255.0.0
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 6
 ip address 192.168.1.163 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 100
 ip address 10.7.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 172.23.8.1
ip route 22.214.171.124 255.255.255.255 192.168.1.1
!
ip nat inside source route-map dsl_traffic interface GigabitEthernet0/0.2 overload
ip nat inside source route-map general_traffic interface GigabitEthernet0/0.1 overload
!
! Deny statements are used to prevent NAT from occurring on traffic destined for local LANs
!
access-list 100 deny ip any 10.7.0.0 0.0.255.255
access-list 100 deny ip any 172.23.0.0 0.0.255.255
access-list 100 permit ip any any
!
route-map general_traffic permit 10
 match ip address 100
 match interface GigabitEthernet0/0.1
!
route-map dsl_traffic permit 10
 match ip address 100
 match interface GigabitEthernet0/0.2
!
!
end