NAT and chained subnet

Discussion in 'Cisco' started by bomba, Oct 28, 2003.

  1. bomba

    bomba Guest

    We've got a chained subnet that is having problems accessing the Internet.
    I have a fair idea of the problem (and the solution), but my knowledge
    of VLSM routing is a bit weak, so I'm just looking for confirmation before
    I make changes.

    The setup is as below.

    Internet---NAT Router-----LAN/25---Router1---Router2---LAN/28

    LAN/25 = 192.168.1.0/25
    LAN/28 = 192.168.1.160/28
    Int i/f of NAT router = 192.168.1.1/25
    Router1 i/f = 192.168.1.3/25
    Router2 i/f = 192.168.1.161/28

    Connection between the two LANs is not a problem. Similarly, LAN/25 can
    access the Internet. The only problem is that a user in LAN/28 can not
    access the Internet.

    My guess is that because the internal interface of the NAT router is
    configured with a 25 bit subnet mask, it is not NATing the addresses from
    the LAN/28. Correct?

    If I change the internal i/f of the NAT router so that it uses a 24 bit
    subnet mask will this solve the problem? All the other machines should
    still be able to access it, even though the router now sits in the 24 bit
    subnet and the workstations and router still sit in the 25 bit subnet. Correct?
     
    bomba, Oct 28, 2003
    #1

  2. Changing the NAT router i/f to have a /24 subnet mask will NOT work. That
    way the router will think the host on the lan/28 is directly connected to
    the NAT router's i/f, which it is not.

    What you're probably missing is a route in the NAT router back to the lan/28
    network. Try adding a route to the nat router. The route should be for
    lan/28 and its next hop should be router1's i/f.
    If the nat router is cisco, the command looks like: "ip route 192.168.1.160
    255.255.255.240 192.168.1.3"
    Please confirm this to be the problem by first pinging the nat-router i/f
    from lan/28.
    If this is not the problem (and pinging actually works before you've made
    the change), then you're probably missing a nat statement on the nat router
    to also nat traffic for lan/28.

    Erik

     
    Erik Tamminga, Oct 28, 2003
    #2

  3. bomba

    bomba Guest

    Ok, thanks.
    No, this is already set up.
    This could be the problem. How does one go about setting up NAT for two
    subnets on the same interface? (Router is Netscreen, which is based on
    Cisco IOS, I believe)
     
    bomba, Oct 28, 2003
    #3
  4. Didn't know (if) netscreen is IOS related; but here's how it's done in IOS:

    ip nat inside source list 1 ...

    where 1 is the access-list number that specifies what traffic should be
    included in the nat-process. In your case the access list would look
    something like:
    access-list 1 permit 192.168.1.0 0.0.0.127
    access-list 1 permit 192.168.1.160 0.0.0.15

    Erik
     
    Erik Tamminga, Oct 28, 2003
    #4
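    To make the two points in Erik's replies concrete (why a /24 mask on the NAT router's inside interface does not help, and why a static route to lan/28 does), here is an added example that is not from the thread: a small longest-prefix-match lookup over the NAT router's routing table using the addresses given in the first post, plus the wildcard-mask derivation behind the access-list lines above. The table contents and the test host 192.168.1.170 are constructed for illustration.

```python
import ipaddress

# Addressing plan from the first post (constructed here for the example).
LAN25 = ipaddress.ip_network("192.168.1.0/25")
LAN28 = ipaddress.ip_network("192.168.1.160/28")
ROUTER1 = ipaddress.ip_address("192.168.1.3")   # next hop toward lan/28


def nat_router_table(inside_prefixlen, static_route_to_lan28):
    """Routing table of the NAT router: the connected route of its inside
    interface (mask as configured) and, optionally, Erik's static route.
    A next hop of None means 'directly connected' (router ARPs for the host)."""
    connected = ipaddress.ip_network(f"192.168.1.0/{inside_prefixlen}", strict=False)
    routes = [(connected, None)]
    if static_route_to_lan28:
        routes.append((LAN28, ROUTER1))
    return routes


def lookup(routes, dst):
    """Longest-prefix match. Returns (network, next_hop) as strings,
    'connected' for a directly attached network, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, nh in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        return None
    return (str(best[0]), "connected" if best[1] is None else str(best[1]))


def acl_line(acl_number, net):
    """Cisco standard ACL entry: the wildcard is the inverse of the subnet mask."""
    return f"access-list {acl_number} permit {net.network_address} {net.hostmask}"


if __name__ == "__main__":
    host = "192.168.1.170"  # a workstation in lan/28
    # /25 inside mask, no static route: replies to lan/28 have nowhere to go.
    print(lookup(nat_router_table(25, False), host))
    # /24 inside mask: router believes the host is on its own segment and
    # ARPs for it, but the host sits behind Router1, so nothing answers.
    print(lookup(nat_router_table(24, False), host))
    # /25 inside mask plus the static route: traffic is forwarded via Router1.
    print(lookup(nat_router_table(25, True), host))
    for net in (LAN25, LAN28):
        print(acl_line(1, net))
```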
  5. Bob Marcan

    Bob Marcan Guest

    If I understand this properly, the NAT router is Netscreen.
    Netscreen is a firewall, not only a router.
    If you don't filter anything, the default rule is pass anything from
    trust to untrust.
    Your problem is routing.

    telnet to Netscreen:
    ping 192.168.1.161
    trace-route 192.168.1.161

    Does this work?
    If not, add route 192.168.1.160/28 gw 192.168.1.3.

    Regards, Bob
     
    Bob Marcan, Oct 29, 2003
    #5
  6. bomba

    bomba Guest

    I was told it at a training seminar. Not sure it's true.
    Thanks, I'll try and work out a way of implementing it on Netscreen.
     
    bomba, Oct 29, 2003
    #6
  7. bomba

    bomba Guest

    I agree.
    Route already exists.
     
    bomba, Oct 29, 2003
    #7
