Mailing List Archive

NAT / routing /IP fwd issue
Hello!
I have an 8-port ServerIron XL (forwarding traffic to/from multiple
subnets in separate broadcast domains).

(For this email, I substitute my real IP range with aa.bb.cc.0/27.)

Setup
====
vlan1 - public IPs aa.bb.cc.0/27 - ve1
vlan2 - private IPs 10.0.0.0/24 - ve2
vlan3 - private IPs 192.168.0.0/24 - ve3
The server-iron is the default gateway for hosts on both private
networks

It load-balances traffic from 10.0.0.0/24 to 192.168.0.0/24,
and aa.bb.cc.0/27 -> 10.0.0.0/24,
and aa.bb.cc.0/27 -> 192.168.0.0/24.


Problem
=======
I NAT a host, 192.168.0.15, to a public IP so it can have Internet
access.

My problem is that the server-iron also NATs 192.168.0.15 when it
connects with the 10.0.0.0 network, resulting in a source address of
aa.bb.cc.10.
The same happens if I give a public-host NAT mapping to a host in the
10.0.0.0 network: if it then connects with a host in the 192.168.0.0
network, it is also NATted with a public address.

Is there a way I can configure the server-iron to only NAT for access to
0.0.0.0 (Internet access) and not to 10.0.0.0/192.168.0.0?


Thanks in advance!
ells..




Helpful config extracts?
========================

SW: Version 07.3.03T12

#sh ip route
    Destination   NetMask          Gateway     Port   Cost  Type
1   10.0.0.0      255.255.255.0    0.0.0.0     Ve 2   1     D
2   aa.bb.cc.0    255.255.255.224  0.0.0.0     Ve 1   1     D
3   192.168.0.0   255.255.255.0    0.0.0.0     Ve 3   1     D
4   0.0.0.0       0.0.0.0          aa.bb.cc.1  Ve 1   1     S

ip forward
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip nat inside source static 192.168.0.15 aa.bb.cc.10
NAT / routing /IP fwd issue [ In reply to ]
Thank you very much!
That did the trick!


ip nat pool MYPOOL abc.efg.hij.10 abc.efg.hij.10 netmask 255.255.255.224
ip nat inside source list 100 pool MYPOOL overload

access-list 100 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip 10.0.0.0 0.0.0.255 any


ells..
/me pats his Foundry!




On 6 Dec 2004, at 21:24, Gerlof.Dijk wrote:

>
> You have to define an extended ACL:
>
> ip nat inside source list 100 pool Nat-Pool overload
> ip nat pool Nat-Pool a.b.c.x a.b.c.x netmask 255.255.255.224
>
> access-list 100 deny 192.168.0.0/24 10.0.0.0/24
> access-list 100 deny 10.0.0.0/24 192.168.0.0/24
> access-list 100 permit 192.168.0.0/24 any
> access-list 100 deny 10.0.0.0/24 any
>
> BTW: you are better off using a NAT pool instead of a static NAT
> address, because static NAT is bidirectional.
>
>
>
> -----Original message-----
> From: foundry-nsp-bounces@puck.nether.net
> [mailto:foundry-nsp-bounces@puck.nether.net] On behalf of elliot moore
> Sent: Monday 6 December 2004 18:37
> To: foundry-nsp@puck.nether.net
> Subject: [f-nsp] NAT / routing /IP fwd issue
>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
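To check which flows the ACL in the reply above actually hands to the NAT pool, here is an added Python evaluator (written for this page; it is not code from the list post or from Foundry). It parses the wildcard-mask entries in order and applies first-match semantics with the implicit deny at the end, so you can see why 192.168.0.15 -> 10.0.0.x stays untranslated while 192.168.0.15 -> Internet is translated; 203.0.113.5 is a constructed stand-in for an Internet host.

```python
import ipaddress

# ACL 100 exactly as posted in the reply above (wildcard-mask form).
ACL_100 = """
access-list 100 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip 10.0.0.0 0.0.0.255 any
"""

def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A wildcard mask is the bitwise inverse of the subnet mask.
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst>' lines, keeping order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        entries.append((t[2], t[3], src, dst))
    return entries

def nat_applies(acl, src_ip, dst_ip):
    """First matching entry wins. 'permit' = translate via the pool;
    'deny' or no match at all (implicit deny) = route the packet untranslated."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

if __name__ == "__main__":
    acl = parse_acl(ACL_100)
    # Constructed sample flows; 203.0.113.5 stands in for an Internet host.
    for src, dst in [("192.168.0.15", "10.0.0.20"), ("192.168.0.15", "203.0.113.5"),
                     ("10.0.0.20", "192.168.0.15"), ("10.0.0.20", "203.0.113.5")]:
        print(f"{src} -> {dst}: {'NAT' if nat_applies(acl, src, dst) else 'no NAT'}")
```

Note that this only models the pool + ACL approach from the reply; the original `ip nat inside source static` mapping has no ACL in front of it, which is exactly why it translated the inter-VLAN traffic too.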