InterVLAN and Static NAT

I have configured two clients on a Cisco 1841 router and Cisco Catalyst 2960 Switch using InterVLAN and static NAT. The problem is that from Client 2 Server I cannot access the internet whereas I can from Client 1 Server. Client 1 Server is acting as a DNS server for the entire network. But if I remove the Client 2 Server static NAT both Servers can go through to the internet.

My configurations are as follows:

2960 Switch:

    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    interface FastEthernet0/7
     switchport access vlan 10
     spanning-tree portfast
    !
    interface FastEthernet0/13
     switchport access vlan 20
    !
    interface FastEthernet0/24
     switchport mode trunk
    !
    interface Vlan1
     ip address 192.168.1.3 255.255.255.0
     no ip route-cache
    !
    ip default-gateway 192.168.1.1

Cisco 1841 Router:

    !
    interface Null0
     no ip unreachables
    !
    interface FastEthernet0/0
     description $FW_INSIDE$
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     duplex auto
     speed auto
     no mop enabled
    !
    interface FastEthernet0/0.10
     description $ Client 1 $
     encapsulation dot1Q 10
     ip address 192.168.10.1 255.255.255.0
     ip nat inside
    !
    interface FastEthernet0/0.20
     description $ Client 2 $
     encapsulation dot1Q 20
     ip address 192.168.20.1 255.255.255.0
     ip nat inside
    !
    interface FastEthernet0/0.100
     description Management NATIVE VLAN
     encapsulation dot1Q 1 native
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
    !
    interface FastEthernet0/1
     description $ User Access Network $
     ip address 192.168.2.1 255.255.255.0
     ip nat inside
    !
    interface Serial0/0/0
     description Link to the Internet
     bandwidth 512
     ip address 196.X.X.98 255.255.255.252
     ip nat outside
    !
    ip route 0.0.0.0 0.0.0.0 196.X.X.97
    !
    ip nat inside source list 10 interface Serial0/0/0 overload
    ! Client 1 Mail Server, using 192.168.10.1 as gateway
    ip nat inside source static 192.168.10.2 196.1X.X.35
    ! Client 2 Mail Server, using 192.168.20.1 as gateway
    ip nat inside source static 192.168.20.2 196.2X.X.18
    !
    access-list 10 permit 192.168.1.0 0.0.0.255
    access-list 10 permit 192.168.2.0 0.0.0.255
    access-list 10 permit 192.168.10.0 0.0.0.255
    access-list 10 permit 192.168.20.0 0.0.0.255
    !

Nyerere

Thanks for the well described problem and decent initial data - something to work with.

The one thing that looks awry is that you will be NATting the traffic between the two servers when they are doing DNS.

You need to change the NAT list to an extended ACL and exclude 192.168.10.x 192.168.20.x traffic.

Ah no - they are both ip NAT inside and so that should not be the case. Hmmm.

I would have a look at "sh ip nat tr" to check that you were not getting some strange NAT going on anyway.

There is a new NAT scheme (single interface NAT - let me call it) available now so maybe the router is confused.

When you say "from Client 2 Server I cannot access the internet" I assume you mean browse the web. The only possible flaw in your initial description is that you could have tested with a numeric traceroute and/or ping and posted the results. This would have allowed readers to determine if it was likely a DNS problem or a basic communications problem.

So:-

- Ping between the two servers to see if they can communicate.
- Determine if IP communications is working to the internet with ping and/or traceroute (tracert on Windows).
- Determine if DNS is working on Client 2.
- Post software version of router.
- Look at "sh ip nat tr" after you have seen failure.
- "debug ip nat" is very good as long as you can isolate the traffic - i.e. there is not too much.

Report on above if you need further assistance.

bod43
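
The `sh ip nat tr` check suggested in the reply above can be scripted once the output is captured. The following is an added example, not part of the thread: the sample table is constructed, the 203.0.113.x and 198.51.100.98 addresses are placeholders for the redacted globals and the Serial0/0/0 address, and the two anomalous rows are deliberately made up to show what the audit flags.

```python
import ipaddress

# Constructed sample of "show ip nat translations" output (not from the thread).
# 203.0.113.35 / 203.0.113.18 stand in for the redacted static globals,
# 198.51.100.98 for the Serial0/0/0 overload address.
SAMPLE = """\
Pro Inside global       Inside local        Outside local       Outside global
--- 203.0.113.35        192.168.10.2        ---                 ---
--- 203.0.113.18        192.168.20.2        ---                 ---
udp 203.0.113.18:1031   192.168.20.2:1031   192.168.10.2:53     192.168.10.2:53
tcp 203.0.113.35:1040   192.168.10.2:1040   192.0.2.80:80       192.0.2.80:80
tcp 198.51.100.98:1050  192.168.2.7:1050    192.0.2.80:80       192.0.2.80:80
tcp 198.51.100.98:1060  192.168.20.2:1060   192.0.2.80:80       192.0.2.80:80
"""

INSIDE_NETS = [ipaddress.ip_network(n) for n in (
    "192.168.1.0/24", "192.168.2.0/24", "192.168.10.0/24", "192.168.20.0/24")]

def host(field):
    """Strip an optional :port and return an ip_address, or None for '---'."""
    if field == "---":
        return None
    return ipaddress.ip_address(field.split(":")[0])

def parse(text):
    """Yield (proto, inside_global, inside_local, outside_local) per table row."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Pro":
            continue  # skip the header and anything that is not a 5-column row
        yield cols[0], host(cols[1]), host(cols[2]), host(cols[3])

def audit(text):
    """Return (static map, findings) for flows that bypass a static entry or stay inside."""
    rows = list(parse(text))
    static = {il: ig for proto, ig, il, ol in rows if proto == "---"}
    findings = []
    for proto, ig, il, ol in rows:
        if proto == "---":
            continue
        if il in static and ig != static[il]:
            findings.append(f"{il}: flow uses {ig}, static entry says {static[il]}")
        if ol is not None and any(ol in net for net in INSIDE_NETS):
            findings.append(f"{il} -> {ol}: inside-to-inside flow has a translation")
    return static, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print(finding)
```

An empty findings list on real output means each statically mapped server is leaving with its own global address and no inter-VLAN traffic is being translated.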
