Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   Cisco (http://www.velocityreviews.com/forums/f27-cisco.html)
-   -   NAT and chained subnet (http://www.velocityreviews.com/forums/t29797-nat-and-chained-subnet.html)

bomba 10-28-2003 02:10 PM

NAT and chained subnet
 
We've got a chained subnet that is having problems accessing the Internet.
I have a fair idea of the problem (and the solution), but my knowledge
of VLSM routing is a bit weak, so I'm just looking for confirmation before
I make changes.

The setup is as below.

Internet---NAT-----LAN/25---Router1---Router2---LAN/28
Router

LAN/25 = 192.168.1.0/25
LAN/28 = 192.168.1.160/28
Int i/f of NAT router = 192.168.1.1/25
Router1 i/f = 192.168.1.3/25
Router2 i/f = 192.168.1.161/28

Connection between the two LANs is not a problem. Similarly, LAN/25 can
access the Internet. The only problem is that a user in LAN/28 can not
access the Internet.

My guess is that because the internal interface of the NAT router is
configured with a 25 bit subnet mask, it is not NATing the addresses from
the LAN/28. Correct?

If I change the internal i/f of the NAT router so that it uses a 24 bit
subnet mask will this solve the problem? All the other machines should
still be able to access it, even though the router now sits in the 24 bit
subnet and the workstations and router still sit in the 25 bit subnet. Correct?

Erik Tamminga 10-28-2003 03:21 PM

Re: NAT and chained subnet
 
Changing the NAT router i/f to have a /24 subnet mask will NOT work. That
way the router will think the host on the lan/28 is directly connected to
the NAT router's i/f, which it is not.

What you're probably missing is a route in the NAT router back to the lan/28
network. Try adding a route to the NAT router. The route should be for
lan/28 and its next hop should be Router1's i/f.
If the NAT router is Cisco, the command looks like: "ip route 192.168.1.160
255.255.255.240 192.168.1.3"
Please confirm this to be the problem by first pinging the NAT router i/f
from lan/28.
If this is not the problem (and pinging actually works before you've made
the change), then you're probably missing a NAT statement on the NAT router
to also NAT traffic for lan/28.

Erik

"bomba" <myarse247@hotmail.com> wrote in message
news:pan.2003.10.28.14.10.17.142276@hotmail.com...
> We've got a chained subnet that is having problems accessing the Internet.
> I have a fair idea of the problem (and the solution), but my knowledge
> of VLSM routing is a bit weak, so I'm just looking for confirmation before
> I make changes.
>
> The setup is as below.
>
> Internet---NAT-----LAN/25---Router1---Router2---LAN/28
> Router
>
> LAN/25 = 192.168.1.0/25
> LAN/28 = 192.168.1.160/28
> Int i/f of NAT router = 192.168.1.1/25
> Router1 i/f = 192.168.1.3/25
> Router2 i/f = 192.168.1.161/28
>
> Connection between the two LANs is not a problem. Similarly, LAN/25 can
> access the Internet. The only problem is that a user in LAN/28 can not
> access the Internet.
>
> My guess is that because the internal interface of the NAT router is
> configured with a 25 bit subnet mask, it is not NATing the addresses from
> the LAN/28. Correct?
>
> If I change the internal i/f of the NAT router so that it uses a 24 bit
> subnet mask will this solve the problem? All the other machines should
> still be able to access it, even though the router now sits in the 24 bit
> subnet and the workstations and router still sit in the 25 bit subnet.
> Correct?



bomba 10-28-2003 05:02 PM

Re: NAT and chained subnet
 
On Tue, 28 Oct 2003 16:21:16 +0100, Erik Tamminga wrote:

> Changing the NAT router i/f to have a /24 subnet mask will NOT work. That
> way the router will think the host on the lan/28 is directly connected to
> the NAT router's i/f, which it is not.


Ok, thanks.

> What you're probably missing is a route in the NAT router back to the lan/28
> network. Try adding a route to the NAT router. The route should be for
> lan/28 and its next hop should be Router1's i/f.
> If the NAT router is Cisco, the command looks like: "ip route 192.168.1.160
> 255.255.255.240 192.168.1.3"
> Please confirm this to be the problem by first pinging the NAT router i/f
> from lan/28.


No, this is already set up.

> If this is not the problem (and pinging actually works before you've made
> the change), then you're probably missing a NAT statement on the NAT router
> to also NAT traffic for lan/28.


This could be the problem. How does one go about setting up NAT for two
subnets on the same interface? (Router is Netscreen, which is based on
Cisco IOS, I believe)

Erik Tamminga 10-28-2003 10:14 PM

Re: NAT and chained subnet
 
Didn't know (if) netscreen is IOS related; but here's how it's done in IOS:

ip nat inside source list 1 ...

where 1 is the access-list number that specifies what traffic should be
included in the NAT process. In your case the access list would look
something like:
access-list 1 permit 192.168.1.0 0.0.0.127
access-list 1 permit 192.168.1.160 0.0.0.15

Erik

"bomba" <myarse247@hotmail.com> wrote in message
news:pan.2003.10.28.17.02.15.904064@hotmail.com...
> On Tue, 28 Oct 2003 16:21:16 +0100, Erik Tamminga wrote:
>
> > Changing the NAT router i/f to have a /24 subnet mask will NOT work. That
> > way the router will think the host on the lan/28 is directly connected to
> > the NAT router's i/f, which it is not.
>
> Ok, thanks.
>
> > What you're probably missing is a route in the NAT router back to the lan/28
> > network. Try adding a route to the NAT router. The route should be for
> > lan/28 and its next hop should be Router1's i/f.
> > If the NAT router is Cisco, the command looks like: "ip route 192.168.1.160
> > 255.255.255.240 192.168.1.3"
> > Please confirm this to be the problem by first pinging the NAT router i/f
> > from lan/28.
>
> No, this is already set up.
>
> > If this is not the problem (and pinging actually works before you've made
> > the change), then you're probably missing a NAT statement on the NAT router
> > to also NAT traffic for lan/28.
>
> This could be the problem. How does one go about setting up NAT for two
> subnets on the same interface? (Router is Netscreen, which is based on
> Cisco IOS, I believe)
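The three things Erik's replies tell the original poster to check (a return route for lan/28, whether a /24 mask on the inside interface would help, and whether the NAT access-list covers both subnets) can be modelled offline. The following is an added example, not code from the thread or from any Netscreen/IOS product: a small Python model of the NAT router's longest-prefix lookup and of IOS standard access-list matching, with the wildcard masks computed from the prefixes instead of typed by hand. The topology constants are constructed from the OP's setup, and the "connected means the router ARPs for the host itself" behaviour is an assumption about how a directly connected route is treated.

```python
import ipaddress

# Constructed to match the thread's topology; not taken from a real device config.
INSIDE_IF = "192.168.1.1/25"          # NAT router inside i/f, as in the OP
LAN25 = "192.168.1.0/25"              # hosts physically on the inside segment
LAN28 = "192.168.1.160/28"            # chained subnet behind Router1/Router2
ROUTES = {LAN28: "192.168.1.3"}       # the static route Erik and Bob describe

def wildcard(net):
    """Inverse mask an IOS standard access-list expects: /25 -> 0.0.0.127, /28 -> 0.0.0.15."""
    return str(ipaddress.ip_network(net).hostmask)

def next_hop(dst, inside_if=INSIDE_IF, routes=ROUTES):
    """Longest-prefix match over the connected inside network plus static routes.
    Returns 'connected' (router ARPs for dst itself), a gateway address, or None."""
    dst, iface = ipaddress.ip_address(dst), ipaddress.ip_interface(inside_if)
    best = (iface.network.prefixlen, "connected") if dst in iface.network else None
    for net, gw in routes.items():
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw)
    return best[1] if best else None

def acl_permits(src, acl):
    """IOS standard ACL semantics: first matching entry wins, implicit deny at the end."""
    s = int(ipaddress.ip_address(src))
    for action, base, wc in acl:
        b, w = int(ipaddress.ip_address(base)), int(ipaddress.ip_address(wc))
        if (s & ~w) == (b & ~w):          # bits where the wildcard is 0 must match
            return action == "permit"
    return False

# Erik's access-list 1 with the wildcard masks computed rather than typed by hand.
NAT_ACL = [("permit", "192.168.1.0", wildcard(LAN25)),
           ("permit", "192.168.1.160", wildcard(LAN28))]

def diagnose(src, inside_if=INSIDE_IF, routes=ROUTES, acl=NAT_ACL):
    """Explain whether an inside host's traffic gets out and its replies get back."""
    hop = next_hop(src, inside_if, routes)
    if hop is None:
        return "no return route to " + src
    if hop == "connected" and ipaddress.ip_address(src) not in ipaddress.ip_network(LAN25):
        return "ARP for " + src + " on the inside i/f would fail: host is behind Router1"
    if not acl_permits(src, acl):
        return "return path ok via " + hop + ", but " + src + " is not in the NAT access-list"
    return "ok: " + src + " is translated, replies go via " + hop

if __name__ == "__main__":
    print(diagnose("192.168.1.170"))                                        # lan/28 host, full fix
    print(diagnose("192.168.1.170", acl=NAT_ACL[:1]))                       # route ok, ACL lacks lan/28
    print(diagnose("192.168.1.170", inside_if="192.168.1.1/24", routes={}))  # the OP's /24 idea
```

The second call reproduces the OP's symptom with the route already in place, which is the case Erik's last paragraph points at.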




Bob Marcan 10-29-2003 09:24 AM

Re: NAT and chained subnet
 
bomba wrote:
> We've got a chained subnet that is having problems accessing the Internet.
> I have a fair idea of the problem (and the solution), but my knowledge
> of VLSM routing is a bit weak, so I'm just looking for confirmation before
> I make changes.
>
> The setup is as below.
>
> Internet---NAT-----LAN/25---Router1---Router2---LAN/28
> Router
>
> LAN/25 = 192.168.1.0/25
> LAN/28 = 192.168.1.160/28
> Int i/f of NAT router = 192.168.1.1/25
> Router1 i/f = 192.168.1.3/25
> Router2 i/f = 192.168.1.161/28
>
> Connection between the two LANs is not a problem. Similarly, LAN/25 can
> access the Internet. The only problem is that a user in LAN/28 can not
> access the Internet.
>
> My guess is that because the internal interface of the NAT router is
> configured with a 25 bit subnet mask, it is not NATing the addresses from
> the LAN/28. Correct?
>
> If I change the internal i/f of the NAT router so that it uses a 24 bit
> subnet mask will this solve the problem? All the other machines should
> still be able to access it, even though the router now sits in the 24 bit
> subnet and the workstations and router still sit in the 25 bit subnet. Correct?


If I understand this properly, the NAT router is Netscreen.
Netscreen is a firewall, not only a router.
If you don't filter anything, the default rule is pass anything from
trust to untrust.
Your problem is routing.

telnet to Netscreen:
ping 192.168.1.161
trace-route 192.168.1.161

Does this work?
If not, add route 192.168.1.160/28 gw 192.168.1.3.

Regards, Bob

--
Bob Marcan mailto:bob.marcan@hermes-plus.si
Aster^H^H...HermesPlus^H^H^H...S&T
Slandrova ul. 2 tel: +386 (1) 5895-200
1000 Ljubljana, Slovenia http://www.hermes-plus.si


bomba 10-29-2003 02:07 PM

Re: NAT and chained subnet
 
On Tue, 28 Oct 2003 23:14:04 +0100, Erik Tamminga wrote:

> Didn't know (if) netscreen is IOS related;


I was told it at a training seminar. Not sure it's true.

> but here's how it's done in IOS:
>
> ip nat inside source list 1 ...
>
> where 1 is the access-list number that specifies what traffic should be
> included in the NAT process. In your case the access list would look
> something like:
> access-list 1 permit 192.168.1.0 0.0.0.127
> access-list 1 permit 192.168.1.160 0.0.0.15


Thanks, I'll try and work out a way of implementing it on Netscreen.


bomba 10-29-2003 02:09 PM

Re: NAT and chained subnet
 
On Wed, 29 Oct 2003 10:24:14 +0100, Bob Marcan wrote:

> If I understand this properly, the NAT router is Netscreen.
> Netscreen is a firewall, not only a router.
> If you don't filter anything, the default rule is pass anything from
> trust to untrust.
> Your problem is routing.


I agree.

> telnet to Netscreen:
> ping 192.168.1.161
> trace-route 192.168.1.161
>
> Does this work?


Yes.

> If not, add route 192.168.1.160/28 gw 192.168.1.3.


Route already exists.



