NAT between two vlans in 6509

Unanswered Question
Dec 12th, 2007

Hello,


I was trying to establish NAT between two vlans. The configuration is:


interface vlan 14

ip address 10.2.100.254 255.255.255.0

ip nat inside

!

interface vlan 7

ip address 1xx.xxx.xxx.126 255.255.255.192

ip nat outside

!

ip nat pool CONVERSION 1xx.xx.xx.105 1xx.xx.xx.110 netmask 255.255.255.192

ip nat inside source list 10 pool CONVERSION overload

!

access-list 10 permit 10.2.100.0 0.0.0.255


I have tried on 6509 with:

Cisco Internetwork Operating System Software IOS (tm) c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(27b)E, RELEASE SOFTWARE (fc2)



I am not getting outside the box and I can't see any translation.


When I do:

#sh ip nat statistics

Total active translations: 0 (0 static, 0 dynamic; 0 extended)

Outside interfaces:

Vlan7

Inside interfaces:

Vlan14

Hits: 0 Misses: 0

Expired translations: 0

Dynamic mappings:

-- Inside Source

access-list 10 pool CONVERSION refcount 0

pool CONVERSION: netmask 255.255.255.192

start 19x.xxx.xxx.105 end 1xx.xxx.xxx.110

type generic, total addresses 6, allocated 0 (0%), misses 0

Can you help me?

Thanks in advance.


Jose Goncalves

JORGE RODRIGUEZ Wed, 12/12/2007 - 13:19

Hi, have you applied access list 10 to the interface?


e.g.

interface vlan 7

ip access-group 10 in

ip access-group 10 out


HTH

Jorge

Jon Marshall Wed, 12/12/2007 - 13:27

Hi Jorge


The access-list is used to match traffic for NAT, so you don't need to apply it to the interface, do you?


Jose


What is the source ip address and what is the destination address.


Is the destination address reached out of vlan 7?


Have you tried a "debug ip nat". Obviously you need to be careful with any debugging if this is a production switch.


Jon

JORGE RODRIGUEZ Wed, 12/12/2007 - 14:19

This is correct, Jon, what was I thinking! There are no statics. Thanks for correcting.


I just labbed this out; the configuration from Jose seems fine. I agree with Jon: "debug ip nat".


Jorge



jose.m.goncalves Thu, 12/13/2007 - 03:43

I have a PC with the IP 10.2.100.55 connected to vlan 14. I want to ping a host outside my network, using the IPs in vlan 7, which have a connection to the outside (the Internet, for example).


I activated the command debug ip nat, but nothing appears on the console.


Can you help me with any suggestion?


Thanks again for your help.


Jose


JORGE RODRIGUEZ Thu, 12/13/2007 - 09:08

Jose, if you have a local console connection to the router, issue the following:


router(config)#logging buffered debugging

router(config)#logging console

router(config)#exit

router#terminal monitor


Turn on ip nat debugging and try connecting to host 10.2.100.55 on vlan 14; you should be able to see debugging output on the local console connection.


To turn off debugging, issue "no debug all". As with any debugging configuration, use these commands with caution; it is best to use them during non-business hours.


Jorge



jose.m.goncalves Thu, 12/13/2007 - 09:30

Jorge


Nothing about NAT appears on the console, but there are other messages that I can see on the console.


It seems that the router doesn't recognize the NAT commands.

Do you have any idea?


Thanks in advance.


Jose

JORGE RODRIGUEZ Thu, 12/13/2007 - 10:17

Jose, in addition to the ip nat debug, could you do icmp as well ("debug ip icmp") and try pinging the host again? Have you ensured that the host on vlan 14 does not have any firewalls turned on?


Post any debug output.


[edit] Can you also verify that interface vlan14 is up/up? Do "show ip interface brief".



Jorge

jose.m.goncalves Fri, 12/14/2007 - 02:22

Jorge,


I did this:


#debug ip nat

IP NAT debugging is on

#debug ip icmp

ICMP packet debugging is on

#terminal monitor

#show ip interface brief

Interface IP-Address OK? Method Status Protocol

Vlan7 1xx.xxx.xxx.126 YES NVRAM up up

Vlan14 10.2.100.254 YES manual up


#sh debugging

Generic IP:

ICMP packet debugging is on

IP NAT debugging is on

IP NAT detailed debugging is on


When I do a ping from host 10.2.100.55 to the interface vlan14 10.2.100.254, the following appears in the logs:


#sh logging | include 2.100

Dec 14 10:14:48: ICMP: echo reply sent, src 10.2.100.254, dst 10.2.100.55

Dec 14 10:14:49: ICMP: echo reply sent, src 10.2.100.254, dst 10.2.100.55

Dec 14 10:14:50: ICMP: echo reply sent, src 10.2.100.254, dst 10.2.100.55

Dec 14 10:14:51: ICMP: echo reply sent, src 10.2.100.254, dst 10.2.100.55


But if I ping another IP, nothing appears.


No NAT entry appears in the logs.

Can you help me once more?


Thanks in advance


Jose


Jon Marshall Fri, 12/14/2007 - 02:27

Jose


Can you post output of a "show ip route"


and also tell us what the other ip address you are trying to ping is ?


Jon

jose.m.goncalves Fri, 12/14/2007 - 02:51

Jorge


I did "sh ip route"


Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route


Gateway of last resort is 172.16.240.1 to network 0.0.0.0


O IA 192.168.12.0/24 [110/3] via 172.16.240.1, 00:51:09, Vlan540

O 192.168.209.0/24 [110/2] via 172.16.131.4, 00:51:09, Vlan200

[110/2] via 172.16.131.3, 00:51:09, Vlan200

193.132.09.0/24 is variably subnetted, 7 subnets, 2 masks

O E2 192.168.73.96 [110/1] via 172.16.240.1, 00:51:09, Vlan540

84.0.0.0/20 is subnetted, 1 subnets

O 192.168.121.0 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.121.32 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.121.64 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.121.96 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.212.0/24 [110/2] via 172.16.131.4, 00:52:14, Vlan200

[110/2] via 172.16.131.3, 00:52:14, Vlan200

O IA 192.168.10.0/24 [110/3] via 172.16.240.1, 00:52:14, Vlan540

C 192.168.228.0/24 is directly connected, Vlan41

C 192.168.246.0/24 is directly connected, Vlan18

O E2 192.168.245.0/24 [110/20] via 172.16.131.2, 00:53:04, Vlan200

O IA 192.168.11.0/24 [110/2] via 172.16.240.1, 00:53:04, Vlan540

192.168.56.0/27 is subnetted, 2 subnets

O IA 192.168.56.0 [110/4] via 172.16.240.1, 00:53:04, Vlan540

O IA 192.168.56.32 [110/4] via 172.16.240.1, 00:53:04, Vlan540

O*E2 0.0.0.0/0 [110/1] via 172.16.240.1, 00:53:31, Vlan540



I try ping to:


ping 192.168.121.55 - The ping to the host failed and nothing appeared in the logs (this is outside my network)

ping 192.168.246.254 - The ping to the host succeeded and it appeared in the logs (this is a vlan on my router)


Thanks in advance


Jose


Jon Marshall Fri, 12/14/2007 - 02:59

Jose


You have an "ip nat outside" statement under vlan 7 but you have no routes pointing out of vlan 7.


So unless you are trying to ping an IP address on vlan 7 then NAT will not happen.


Jon

jose.m.goncalves Fri, 12/14/2007 - 03:18

Jorge


Yes, it's true.


Now I did this:


#router ospf 1

network 1xx.xxx.xx.0 0.0.0.255 area 2


#sh ip route | include Vlan7

C 1xx.xxx.xx.96/27 is directly connected, Vlan7


I ping 1xx.xxx.xx.126 and this is the reply:

Dec 14 11:10:05: ICMP: echo reply sent, src 1xx.xxx.xx.126, dst 10.2.100.55

Dec 14 11:10:06: ICMP: echo reply sent, src 1xx.xxx.xx.126, dst 10.2.100.55

Dec 14 11:10:07: ICMP: echo reply sent, src 1xx.xxx.xx.126, dst 10.2.100.55

Dec 14 11:10:08: ICMP: echo reply sent, src 1xx.xxx.xx.126, dst 10.2.100.55


But everything else remains the same.


Thanks in advance


Jose

Jon Marshall Fri, 12/14/2007 - 03:31

Jose


It's Jon not Jorge although i'm sure Jorge will be along soon :)


Could you tell me exactly what you are trying to achieve and what is the source and destination.


If you ping a packet from vlan 14 and that packet is reachable via vlan 540 in your routing table then you will use the "ip nat outside" statement on your vlan 7 interface.


Jon

jose.m.goncalves Fri, 12/14/2007 - 03:51

Jon,


Sorry for the Jorge.


I have a lot of PCs in vlan 14 that have internal IPs (10.2.100.0/24).

I have vlan 7, which has international IPs.


What I want is for the PCs in vlan 14 to access the Internet without using a proxy.


That is why I want to use NAT.

I hope that is understood.


Thanks in advance

Jose


Jon Marshall Fri, 12/14/2007 - 03:54

Jose


No problem.


Can you tell me what is the default route used on this switch to get to the Internet ?


Jon

jose.m.goncalves Fri, 12/14/2007 - 03:59

Jon,


Gateway of last resort is 172.16.240.1 to network 0.0.0.0


interface Vlan540

description Ligacao WAN

ip address 172.16.240.4 255.255.255.0



Thanks in advance

Jose


Jon Marshall Fri, 12/14/2007 - 04:12

Jose


That is your problem then. When you go out to the internet you go out of vlan 540 but you have the ip nat outside statement under vlan 7 which is why you are never getting any NAT translations.


Jon

jose.m.goncalves Fri, 12/14/2007 - 04:20

Jon,


Thanks a lot for your aid.


Is there then some way to do what I intend on the 6509?


Do I really have to use another router for this?


Thanks in advance

Jose



Jon Marshall Fri, 12/14/2007 - 04:24

Jose


You can use the 6500 for this but you need to be careful. You have a lot of routes pointing out of vlan 540.


Do you want to NAT all traffic going out of the vlan 540 interface? Because that won't just be Internet traffic, it will also be any subnets using vlan 540 as their gateway, e.g.


do you want to NAT vlan 14 ip addresses if a client on vlan 14 wants to communicate with any of these subnets ?


O 192.168.121.0 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.121.32 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.121.64 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.121.96 [110/3] via 172.16.240.1, 00:51:55, Vlan540


Jon
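Added example, not from the original thread and not Cisco's or any poster's own configuration: the change that Jon's diagnosis points to. The "ip nat outside" marker moves from Vlan7 to Vlan540, the interface the default route actually uses, and the translation rule is driven by a route-map so that it only fires for packets leaving through Vlan540 and, optionally, only for destinations outside the internal address space. The masked 1xx.xxx.xxx addresses are kept as placeholders exactly as the thread shows them; the two deny entries for 192.168.0.0/16 and 172.16.0.0/12 are an assumption standing in for whatever internal subnets should stay untranslated, and can simply be dropped if vlan 14 should be translated towards those subnets too.

```cisco
! Added example (not from the thread). Placeholders: 1xx.xxx.xxx.* as in the
! original posts; the deny entries below are an assumed internal address list.

! Vlan7 keeps its address but is no longer the NAT outside interface.
interface Vlan7
 ip address 1xx.xxx.xxx.126 255.255.255.192
 no ip nat outside
!
! Vlan540 carries the default route (next hop 172.16.240.1), so this is
! where translation has to happen.
interface Vlan540
 description Ligacao WAN
 ip address 172.16.240.4 255.255.255.0
 ip nat outside
!
interface Vlan14
 ip address 10.2.100.254 255.255.255.0
 ip nat inside
!
! Selector ACL for NAT only (never applied with ip access-group):
! deny = leave the packet untranslated, permit = translate it.
ip access-list extended NAT-VLAN14
 deny   ip 10.2.100.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.2.100.0 0.0.0.255 172.16.0.0 0.15.255.255
 permit ip 10.2.100.0 0.0.0.255 any
!
! Translate only when both the selector ACL and the egress interface match.
route-map NAT-TO-INTERNET permit 10
 match ip address NAT-VLAN14
 match interface Vlan540
!
ip nat pool CONVERSION 1xx.xxx.xxx.105 1xx.xxx.xxx.110 netmask 255.255.255.192
no ip nat inside source list 10 pool CONVERSION overload
ip nat inside source route-map NAT-TO-INTERNET pool CONVERSION overload
```

Two checks before relying on this. First, the pool addresses come from the Vlan7 block but now leave the switch through Vlan540, so the next hop at 172.16.240.1 must have a route for 1xx.xxx.xxx.96/27 (or at least for the pool) pointing back at this switch, otherwise replies will never return; the simpler alternative is "ip nat inside source route-map NAT-TO-INTERNET interface Vlan540 overload", which translates to the Vlan540 address and needs no extra route. Second, route-map based NAT is a standard IOS feature but should be confirmed on this particular Sup2 12.1(27b)E image before the change window; afterwards, run "show ip nat statistics" and "show ip nat translations" while a vlan 14 host pings 192.168.121.55, and use "clear ip nat translation *" to drop stale entries. As Jon noted, the selector ACL is only a match list for NAT: it does not filter anything, so any packet filtering on these interfaces still needs its own ACL.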


jose.m.goncalves Fri, 12/14/2007 - 04:29

Jon


No, I don't want to NAT all traffic going out of the vlan 540 interface.


Yes, I want to NAT vlan 14 ip addresses if a client on vlan 14 wants to communicate with any of these subnets.


Thanks in advance


Jose

jose.m.goncalves Mon, 12/17/2007 - 01:27

Jon,


With my network configuration, it isn't possible to do NAT, right?


Thanks in advance.


Jose

