NAT and chained subnet

Discussion in 'Cisco' started by bomba, Oct 28, 2003.

  1. bomba

    bomba Guest

    We've got a chained subnet that is having problems accessing the Internet.
    I have a fair idea of the problem (and the solution), but my knowledge
    of VLSM routing is a bit weak, so I'm just looking for confirmation before
    I make changes.

    The setup is as below.

    Internet---NAT-----LAN/25---Router1---Router2---LAN/28
    Router

    LAN/25 = 192.168.1.0/25
    LAN/28 = 192.168.1.160/28
    Int i/f of NAT router = 192.168.1.1/25
    Router1 i/f = 192.168.1.3/25
    Router2 i/f = 192.168.1.161/28

    Connection between the two LANs is not a problem. Similarly, LAN/25 can
    access the Internet. The only problem is that a user in LAN/28 can not
    access the Internet.

    My guess is that because the internal interface of the NAT router is
    configured with a 25 bit subnet mask, it is not NATing the addresses from
    the LAN/28. Correct?

    If I change the internal i/f of the NAT router so that it uses a 24 bit
    subnet mask will this solve the problem? All the other machines should
    still be able to access it, even though the router now sits in the 24 bit
    subnet and the workstations and router still sit in the 25 bit subnet. Correct?
    bomba, Oct 28, 2003
    #1

  2. Changing the NAT router i/f to have a /24 subnet mask will NOT work. That
    way the router will think the host on the lan/28 is directly connected to
    the NAT router's i/f, which it is not.

    What you're probably missing is a route in the NAT router back to the lan/28
    network. Try adding a route to the nat router. The route should be for
    lan/28 and its next hop should be router1's i/f.
    If the nat router is Cisco, the command looks like: "ip route 192.168.1.160
    255.255.255.240 192.168.1.3"
    Please confirm this to be the problem by first pinging the nat-router i/f
    from lan/28.
    If this is not the problem (and pinging actually works before you've made
    the change), then you're probably missing a nat statement on the nat router
    to also nat traffic for lan/28.

    Erik

    "bomba" <> wrote in message
    news:p...
    > We've got a chained subnet that is having problems accessing the Internet.
    > I have a fair idea of the problem (and the solution), but my knowledge
    > of VLSM routing is a bit weak, so I'm just looking for confirmation before
    > I make changes.
    >
    > The setup is as below.
    >
    > Internet---NAT-----LAN/25---Router1---Router2---LAN/28
    > Router
    >
    > LAN/25 = 192.168.1.0/25
    > LAN/28 = 192.168.1.160/28
    > Int i/f of NAT router = 192.168.1.1/25
    > Router1 i/f = 192.168.1.3/25
    > Router2 i/f = 192.168.1.161/28
    >
    > Connection between the two LANs is not a problem. Similarly, LAN/25 can
    > access the Internet. The only problem is that a user in LAN/28 can not
    > access the Internet.
    >
    > My guess is that because the internal interface of the NAT router is
    > configured with a 25 bit subnet mask, it is not NATing the addresses from
    > the LAN/28. Correct?
    >
    > If I change the internal i/f of the NAT router so that it uses a 24 bit
    > subnet mask will this solve the problem? All the other machines should
    > still be able to access it, even though the router now sits in the 24 bit
    > subnet and the workstations and router still sit in the 25 bit subnet.
    > Correct?
    Erik Tamminga, Oct 28, 2003
    #2

  3. bomba

    bomba Guest

    On Tue, 28 Oct 2003 16:21:16 +0100, Erik Tamminga wrote:

    > Changing the NAT router i/f to have a /24 subnet mask will NOT work. That
    > way the router will think the host on the lan/28 is directly connected to
    > the NAT router's i/f, which it is not.


    Ok, thanks.

    > What you're probably missing is a route in the NAT router back to the lan/28
    > network. Try adding a route to the nat router. The route should be for
    > lan/28 and its next hop should be router1's i/f.
    > If the nat router is Cisco, the command looks like: "ip route 192.168.1.160
    > 255.255.255.240 192.168.1.3"
    > Please confirm this to be the problem by first pinging the nat-router i/f
    > from lan/28.


    No, this is already set up.

    > If this is not the problem (and pinging actually works before you've made
    > the change), then you're probably missing a nat statement on the nat router
    > to also nat traffic for lan/28.


    This could be the problem. How does one go about setting up NAT for two
    subnets on the same interface? (Router is Netscreen, which is based on
    Cisco IOS, I believe)
    bomba, Oct 28, 2003
    #3
  4. Didn't know (if) netscreen is IOS related; but here's how it's done in IOS:

    ip nat inside source list 1 ...

    where 1 is the access-list number that specifies what traffic should be
    included in the nat-process. In your case the access list would look
    something like:
    access-list 1 permit 192.168.1.0 0.0.0.127
    access-list 1 permit 192.168.1.160 0.0.0.15

    Erik

    "bomba" <> wrote in message
    news:p...
    > On Tue, 28 Oct 2003 16:21:16 +0100, Erik Tamminga wrote:
    >
    > > Changing the NAT router i/f to have a /24 subnet mask will NOT work. That
    > > way the router will think the host on the lan/28 is directly connected to
    > > the NAT router's i/f, which it is not.
    >
    > Ok, thanks.
    >
    > > What you're probably missing is a route in the NAT router back to the lan/28
    > > network. Try adding a route to the nat router. The route should be for
    > > lan/28 and its next hop should be router1's i/f.
    > > If the nat router is Cisco, the command looks like: "ip route 192.168.1.160
    > > 255.255.255.240 192.168.1.3"
    > > Please confirm this to be the problem by first pinging the nat-router i/f
    > > from lan/28.
    >
    > No, this is already set up.
    >
    > > If this is not the problem (and pinging actually works before you've made
    > > the change), then you're probably missing a nat statement on the nat router
    > > to also nat traffic for lan/28.
    >
    > This could be the problem. How does one go about setting up NAT for two
    > subnets on the same interface? (Router is Netscreen, which is based on
    > Cisco IOS, I believe)
    Erik Tamminga, Oct 28, 2003
    #4
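    The two checks Erik describes in posts #2 and #4 (whether the NAT router will treat a lan/28 host as directly connected under a /25 or /24 inside mask, whether a static route gives it a next hop, and whether a Cisco-style wildcard-mask access list covers both subnets) can be worked through in code. The following is an added example written for this thread; it is not Netscreen or IOS code and not from any poster. The addresses are the ones bomba gave above; the function names (`next_hop`, `nat_acl_permits`, `diagnose`) and the sample hosts are my own constructions.

```python
import ipaddress

# Addresses as bomba posted them in the thread.
NAT_INSIDE_IF = "192.168.1.1"   # inside i/f of the NAT router
ROUTER1_IF = "192.168.1.3"      # next hop towards lan/28
LAN25 = "192.168.1.0/25"        # segment the NAT router's inside i/f really sits on
LAN28 = "192.168.1.160/28"      # segment behind Router1/Router2


def next_hop(dst, inside_prefixlen, static_routes):
    """Simulate the NAT router's forwarding decision for a packet to dst.

    Returns "connected" when the router will ARP for dst on its inside
    interface, the next-hop address when a static route wins the
    longest-prefix match, or None when no route exists (packet dropped).
    static_routes is a list of (network, next_hop) pairs, i.e. the content
    of IOS 'ip route <net> <mask> <next-hop>' lines.
    """
    dst = ipaddress.ip_address(dst)
    connected = ipaddress.ip_interface(f"{NAT_INSIDE_IF}/{inside_prefixlen}").network
    candidates = []
    if dst in connected:
        candidates.append((connected.prefixlen, "connected"))
    for net, nh in static_routes:
        net = ipaddress.ip_network(net)
        if dst in net:
            candidates.append((net.prefixlen, nh))
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0])[1]


def wildcard_match(addr, base, wildcard):
    """Cisco standard access-list semantics: a 1 bit in the wildcard means
    'don't care', a 0 bit means 'must equal the base address'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    keep = 0xFFFFFFFF & ~w
    return (a & keep) == (b & keep)


def nat_acl_permits(addr, acl):
    """True if any 'access-list N permit <base> <wildcard>' entry matches addr,
    i.e. the NAT process will translate traffic sourced from addr."""
    return any(wildcard_match(addr, base, wc) for base, wc in acl)


def wildcard_for(network):
    """Wildcard mask (inverted netmask) for a prefix, e.g. /25 -> 0.0.0.127.
    Writing the netmask bit pattern (0.0.0.128) instead is a common mistake."""
    net = ipaddress.ip_network(network)
    return str(ipaddress.ip_address(0xFFFFFFFF ^ int(net.netmask)))


def diagnose(host, inside_prefixlen, static_routes, acl):
    """Walk both checks from the thread for one inside host and report
    whether the NAT router can reach it and whether it will be translated."""
    hop = next_hop(host, inside_prefixlen, static_routes)
    # A host the router believes is on-link but which is physically on
    # another segment gets ARPed for and never answers: Erik's /24 objection.
    on_link = ipaddress.ip_address(host) in ipaddress.ip_network(LAN25)
    reachable = hop is not None and (hop != "connected" or on_link)
    return {
        "host": host,
        "routed_via": hop,
        "reachable": reachable,
        "translated": nat_acl_permits(host, acl),
    }


if __name__ == "__main__":
    # Constructed sample hosts: one in lan/25, one in lan/28.
    acl = [("192.168.1.0", wildcard_for(LAN25)), ("192.168.1.160", wildcard_for(LAN28))]
    route_to_lan28 = [(LAN28, ROUTER1_IF)]
    for label, plen, routes in [
        ("inside /25, no route", 25, []),
        ("inside /24, no route (bomba's proposal)", 24, []),
        ("inside /25 + static route (Erik's fix)", 25, route_to_lan28),
    ]:
        print(label)
        for host in ("192.168.1.50", "192.168.1.170"):
            print("  ", diagnose(host, plen, routes, acl))
```

    Running it shows the lan/28 host 192.168.1.170 dropped with no route under /25, ARPed for (and never answered) under /24, and forwarded to 192.168.1.3 once the /28 static route exists; the lan/25 host is on-link in every case. The access list built with `wildcard_for` permits both subnets, while a wildcard of 0.0.0.128 on a /25 matches only two addresses out of every 256 and would leave most of lan/25 untranslated.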
  5. Bob Marcan

    Bob Marcan Guest

    bomba wrote:
    > We've got a chained subnet that is having problems accessing the Internet.
    > I have a fair idea of the problem (and the solution), but my knowledge
    > of VLSM routing is a bit weak, so I'm just looking for confirmation before
    > I make changes.
    >
    > The setup is as below.
    >
    > Internet---NAT-----LAN/25---Router1---Router2---LAN/28
    > Router
    >
    > LAN/25 = 192.168.1.0/25
    > LAN/28 = 192.168.1.160/28
    > Int i/f of NAT router = 192.168.1.1/25
    > Router1 i/f = 192.168.1.3/25
    > Router2 i/f = 192.168.1.161/28
    >
    > Connection between the two LANs is not a problem. Similarly, LAN/25 can
    > access the Internet. The only problem is that a user in LAN/28 can not
    > access the Internet.
    >
    > My guess is that because the internal interface of the NAT router is
    > configured with a 25 bit subnet mask, it is not NATing the addresses from
    > the LAN/28. Correct?
    >
    > If I change the internal i/f of the NAT router so that it uses a 24 bit
    > subnet mask will this solve the problem? All the other machines should
    > still be able to access it, even though the router now sits in the 24 bit
    > subnet and the workstations and router still sit in the 25 bit subnet. Correct?


    If I understand this properly, the NAT router is Netscreen.
    Netscreen is a firewall, not only a router.
    If you don't filter anything, the default rule is pass anything from
    trust to untrust.
    Your problem is routing.

    telnet to Netscreen:
    ping 192.168.1.161
    trace-route 192.168.1.161

    Does this work?
    If not, add route 192.168.1.160/28 gw 192.168.1.3.

    Regards, Bob

    --
    Bob Marcan mailto:
    Aster^H^H...HermesPlus^H^H^H...S&T
    Slandrova ul. 2 tel: +386 (1) 5895-200
    1000 Ljubljana, Slovenia http://www.hermes-plus.si
    Bob Marcan, Oct 29, 2003
    #5
  6. bomba

    bomba Guest

    On Tue, 28 Oct 2003 23:14:04 +0100, Erik Tamminga wrote:

    > Didn't know (if) netscreen is IOS related;


    I was told it at a training seminar. Not sure it's true.

    > but here's how it's done in IOS:
    >
    > ip nat inside source list 1 ...
    >
    > where 1 is the access-list number that specifies what traffic should be
    > included in the nat-process. In your case the access list would look
    > something like:
    > access-list 1 permit 192.168.1.0 0.0.0.127
    > access-list 1 permit 192.168.1.160 0.0.0.15


    Thanks, I'll try and work out a way of implementing it on Netscreen.
    bomba, Oct 29, 2003
    #6
  7. bomba

    bomba Guest

    On Wed, 29 Oct 2003 10:24:14 +0100, Bob Marcan wrote:

    > If I understand this properly, the NAT router is Netscreen.
    > Netscreen is a firewall, not only a router.
    > If you don't filter anything, the default rule is pass anything from
    > trust to untrust.
    > Your problem is routing.


    I agree.

    > telnet to Netscreen:
    > ping 192.168.1.161
    > trace-route 192.168.1.161
    >
    > Does this work?


    Yes.

    > If not, add route 192.168.1.160/28 gw 192.168.1.3.


    Route already exists.
    bomba, Oct 29, 2003
    #7
