I have a question dealing with a project I am working on. It may seem unconventional and that is probably why it is not working the way I want it to.
What i would like to do is set up NAT on a router so that both sides o the networks look as though the machine they are connecting to looks local. I have a cisco 2500 router with 2 ethernet ports 172.16.32.0 (255.255.240.0) being the internal and 192.168.200.0 being the external. I would like anyone on the external to be able to connect to an internal server 192.168.200.30 and be forwared to 172.16.42.196 by the router. Plus I want that traffic to look like it came from 172.16.32.22 (or other ip address from a pool).
The way I have it set up now it appears to work. I see the translations work and the internal server (172.16.42.196) sees the connection (ping right now) and see that the request came from 172.16.32.22 (which is actually 192.168.200.62). The internal server sends back to the reply to the 172.16.32.22 address and the router gets it. Here is the problem, the router seems to swallow up the reply and not forward it to the 192.168.200.62 machine.
Am I totally wrong in my Assumption that this should work?
Any thoughts, ideas, suggestions would be greatly appreciated.
Let me know if you require anything else..
Thanks in advance to respond,
Ken
Here is the config it is pretty basic as I stripped it all down jsut to figure out why it isn't working:
Building configuration...
Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service tcp-small-servers
!
hostname Vlan11-200
!
!
!
!
!
!
ip subnet-zero
!
!
!
!
interface Ethernet0
ip address 172.16.32.20 255.255.240.0
ip nat inside
no ip route-cache
no ip mroute-cache
!
interface Ethernet1
ip address 192.168.200.31 255.255.255.0
ip nat outside
no ip route-cache
no ip mroute-cache
!
interface Serial0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface Serial1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
ip nat pool NAT_POOL 172.16.32.21 172.16.32.30 netmask 255.255.240.0
ip nat inside source static 172.16.42.196 192.168.200.30
ip nat outside source list 1 pool NAT_POOL
ip classless
ip route 172.16.48.0 255.255.240.0 172.16.32.1
ip route 172.16.194.48 255.255.255.255 172.16.32.1
no ip http server
!
access-list 1 permit 192.168.200.0 0.0.0.255
!
end
----------------------------------------
Here is what I see with DEBUG IP NAT and DEBUG IP ICMP on
Vlan11-200#show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 306 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 306 messages logged
Trap logging: level informational, 24 message lines logged
Log Buffer (4096 bytes):
01:56:11: NAT: s=192.168.200.62->172.16.32.22, d=192.168.200.30 [15495]
01:56:11: NAT: s=172.16.32.22, d=192.168.200.30->172.16.42.196 [15495]
01:56:11: ICMP: echo reply rcvd, src 172.16.42.196, dst 172.16.32.22
---------------------------------------
Here is my nat trans table:
Pro Inside global Inside local Outside local Outside global
--- 192.168.200.30 172.16.42.196 --- ---
--- --- --- 172.16.32.21 192.168.200.62
--- 192.168.200.30 172.16.42.196 172.16.32.21 192.168.200.62
--------------------------------------------------------
What i would like to do is set up NAT on a router so that both sides o the networks look as though the machine they are connecting to looks local. I have a cisco 2500 router with 2 ethernet ports 172.16.32.0 (255.255.240.0) being the internal and 192.168.200.0 being the external. I would like anyone on the external to be able to connect to an internal server 192.168.200.30 and be forwared to 172.16.42.196 by the router. Plus I want that traffic to look like it came from 172.16.32.22 (or other ip address from a pool).
The way I have it set up now it appears to work. I see the translations work and the internal server (172.16.42.196) sees the connection (ping right now) and see that the request came from 172.16.32.22 (which is actually 192.168.200.62). The internal server sends back to the reply to the 172.16.32.22 address and the router gets it. Here is the problem, the router seems to swallow up the reply and not forward it to the 192.168.200.62 machine.
Am I totally wrong in my Assumption that this should work?
Any thoughts, ideas, suggestions would be greatly appreciated.
Let me know if you require anything else..
Thanks in advance to respond,
Ken
Here is the config it is pretty basic as I stripped it all down jsut to figure out why it isn't working:
Building configuration...
Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service tcp-small-servers
!
hostname Vlan11-200
!
!
!
!
!
!
ip subnet-zero
!
!
!
!
interface Ethernet0
ip address 172.16.32.20 255.255.240.0
ip nat inside
no ip route-cache
no ip mroute-cache
!
interface Ethernet1
ip address 192.168.200.31 255.255.255.0
ip nat outside
no ip route-cache
no ip mroute-cache
!
interface Serial0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface Serial1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
ip nat pool NAT_POOL 172.16.32.21 172.16.32.30 netmask 255.255.240.0
ip nat inside source static 172.16.42.196 192.168.200.30
ip nat outside source list 1 pool NAT_POOL
ip classless
ip route 172.16.48.0 255.255.240.0 172.16.32.1
ip route 172.16.194.48 255.255.255.255 172.16.32.1
no ip http server
!
access-list 1 permit 192.168.200.0 0.0.0.255
!
end
----------------------------------------
Here is what I see with DEBUG IP NAT and DEBUG IP ICMP on
Vlan11-200#show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 306 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 306 messages logged
Trap logging: level informational, 24 message lines logged
Log Buffer (4096 bytes):
01:56:11: NAT: s=192.168.200.62->172.16.32.22, d=192.168.200.30 [15495]
01:56:11: NAT: s=172.16.32.22, d=192.168.200.30->172.16.42.196 [15495]
01:56:11: ICMP: echo reply rcvd, src 172.16.42.196, dst 172.16.32.22
---------------------------------------
Here is my nat trans table:
Pro Inside global Inside local Outside local Outside global
--- 192.168.200.30 172.16.42.196 --- ---
--- --- --- 172.16.32.21 192.168.200.62
--- 192.168.200.30 172.16.42.196 172.16.32.21 192.168.200.62
--------------------------------------------------------
