Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
504
Views
0
Helpful
3
Replies

Dynamic NAT (inside to outside) only works on one VLAN

rtis_cisco
Level 1
Level 1

‎07-09-2007 10:34 AM - edited ‎03-03-2019 05:46 PM

I am configuring two 1811s (1811 and 1811W) and have run into the same problem on both. Configuration has started out with SDM, but debugging and "final" config is through the console.

I have 4 private nets (192.168.1.1, .2,.3,.4) that are running on their own vlans (1,2,3,4). I want each of them to dynamically NAT through the single WAN ip address on the WAN port (FastEthernet0).

DHCP servers on all 4 VLANS work correctly, but only VLAN 1 (native, BTW) appears to be getting NAT'd. I have turned on "debug ip nat" and seen NAT activity when coming out of VLAN 1....but there is no apparent NAT activity when I use other VLANs.

I also have an easy VPN ipsec channel open and, therefore, have route maps for all the NATs. I think they are correct; but, even if not, I would expect to be able to see some "deny" matches from non VLAN 1 activity....but I don't.

Config file, sorry about the length, is attached for reference. I had my old 1711 configured properly, but that was several IOS's ago. Both of these routers are on 12.4.

Any help would be appreciated....I'm guessing this is a simple config oversight on my part.

Labels:
Preview file
34 KB
0 Helpful
3 Replies 3

paolo bevilacqua
Hall of Fame
Hall of Fame

‎07-09-2007 11:21 AM

Hi,

I have opened the config was surprised by the lenght of the access-lsit for NAT.

I don't think that is really necessary. Neither necessary to use route maps. Just one single nat stamement like "ip nat inside source list", with the a simple four-lines access list that permits the four VLANs subnets, and that's it.

If this unnecessarily complex configuration is the result of using SDM, that just confirm the general opinion that the tool is unable to generate understandable, professional configurations for anything just beyond the most basic scenarios.

If you want to block some IP to go to the internet, you should use an interface access-group instead.

Hope this helps, please rate post if it does!

0 Helpful

rtis_cisco
Level 1
Level 1
In response to paolo bevilacqua

‎07-09-2007 11:56 AM

Good point. I think you're right about SDM producing some really "obscure" access-list entries. This will get reworked for the final config.

Having said that, I still don't see why I can't NAT from VLANs 2,3, or 4. Or, at the least, see which access-list entry is denying NAT operations.

Thanks

0 Helpful

paolo bevilacqua
Hall of Fame
Hall of Fame
In response to rtis_cisco

‎07-09-2007 12:54 PM

Why don't you take the short route of using what is know to work and easy to understand.

ip nat inside source list 101 interface ...

ip access-list 101 permit 192.168.1.0 0.0.0.255 any

Then remove the access-group under the VLAN interfaces unless you need them for whatever other reason.

You could even optimize the ACL by using a larger mask instead of separate entries for each network, but I think is not worth to take such a small optimization that would again sacrifice config readability.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card