12-12-2007 07:40 AM - edited 03-05-2019 07:58 PM
Hello,
I was trying to establish NAT between two vlans. The configuration is:
interface vlan 14
ip address 10.2.100.254 255.255.255.0
ip nat inside
!
interface vlan 7
ip address 1xx.xxx.xxx.126 255.255.255.192
ip nat outside
!
ip nat pool CONVERSION 1xx.xx.xx.105 1xx.xx.xx.110 netmask 255.255.255.192
ip nat inside source list 10 pool CONVERSION overload
!
access-list 10 permit 10.2.100.0 0.0.0.255
I have tried on 6509 with:
Cisco Internetwork Operating System Software IOS (tm) c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(27b)E, RELEASE SOFTWARE (fc2)
I am not going outside the box and I can't see translation.
When I do:
#sh ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
Vlan7
Inside interfaces:
Vlan14
Hits: 0 Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 10 pool CONVERSION refcount 0
pool CONVERSION: netmask 255.255.255.192
start 19x.xxx.xxx.105 end 1xx.xxx.xxx.110
type generic, total addresses 6, allocated 0 (0%), misses 0
Can you help me?
Thanks in advance.
Jose Goncalves
12-12-2007 01:19 PM
Hi, have you applied access list 10 to interface?
e.g.
interface vlan 7
ip access-group 10 in
ip access-group 10 out
HTH
Jorge
12-12-2007 01:27 PM
Hi Jorge
The access-list is used to match traffic for NAT, so you don't need to apply it to the interface, do you?
Jose
What is the source IP address and what is the destination address?
Is the destination address reached out of vlan 7?
Have you tried a "debug ip nat"? Obviously you need to be careful with any debugging if this is a production switch.
Jon
12-12-2007 02:19 PM
This is correct, Jon, what was I thinking! There are no statics. Thanks for correcting.
I just labbed this out; the configuration from Jose seems fine. I agree with Jon: "debug ip nat".
Jorge
12-13-2007 03:43 AM
I have a PC with the IP 10.2.100.55 connected to vlan 14. I want to ping a host outside my network, using the IPs in vlan 7, which have a connection to the outside (the Internet, for example).
I activated the command debug ip nat, but nothing appears in the console.
Can you help me with any suggestion?
Thanks again for your help.
Jose
12-13-2007 09:08 AM
Jose, if you have a local console connection onto the router, issue the following:
router(config)#logging buffered debugging
router(config)#logging console
router(config)#exit
router#terminal monitor
Turn on ip nat debugging and try connecting to host 10.2.100.55 on vlan 14; you should be able to see debugging output on the local console connection.
To turn off debugging, issue "no debug all". As in any debugging configuration, use these commands with caution; best to use during non-business hours.
Jorge
12-13-2007 09:30 AM
Jorge
Nothing about NAT appears in the console, but there are other messages that I can see in the console.
It seems that the router doesn't recognize the commands about NAT.
Do you have any idea?
Thanks in advance.
Jose
12-13-2007 10:17 AM
Jose, could you, in addition to ip nat debug, do icmp as well ("debug ip icmp") and try pinging the host again? Have you ensured that the host on vlan 14 does not have any firewalls turned on?
Post any debug output results.
[edit] Can you also verify interface vlan14 is up/up? Do "show ip interface brief".
Jorge
12-14-2007 02:22 AM
Jorge,
I did this:
#debug ip nat
IP NAT debugging is on
#debug ip icmp
ICMP packet debugging is on
#terminal monitor
#show ip interface brief
Interface    IP-Address        OK?  Method  Status  Protocol
Vlan7        1xx.xxx.xxx.126   YES  NVRAM   up      up
Vlan14       10.2.100.254      YES  manual  up
#sh debugging
Generic IP:
ICMP packet debugging is on
IP NAT debugging is on
IP NAT detailed debugging is on
When I ping from host 10.2.100.55 to the interface vlan14 10.2.100.254, this appears in the logs:
#sh logging | include 2.100
Dec 14 10:14:48: ICMP: echo reply sent, src 10.2.100.254, dst 10.2.100.55
Dec 14 10:14:49: ICMP: echo reply sent, src 10.2.100.254, dst 10.2.100.55
Dec 14 10:14:50: ICMP: echo reply sent, src 10.2.100.254, dst 10.2.100.55
Dec 14 10:14:51: ICMP: echo reply sent, src 10.2.100.254, dst 10.2.100.55
But if I ping another IP, nothing appears.
No entry about NAT appears in the logs.
Can you help me once more?
Thanks in advance
Jose
12-14-2007 02:27 AM
Jose
Can you post output of a "show ip route"
and also tell us what the other ip address you are trying to ping is ?
Jon
12-14-2007 02:51 AM
Jorge
I did "sh ip route":
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 172.16.240.1 to network 0.0.0.0
O IA 192.168.12.0/24 [110/3] via 172.16.240.1, 00:51:09, Vlan540
O 192.168.209.0/24 [110/2] via 172.16.131.4, 00:51:09, Vlan200
[110/2] via 172.16.131.3, 00:51:09, Vlan200
193.132.09.0/24 is variably subnetted, 7 subnets, 2 masks
O E2 192.168.73.96 [110/1] via 172.16.240.1, 00:51:09, Vlan540
84.0.0.0/20 is subnetted, 1 subnets
O 192.168.121.0 [110/3] via 172.16.240.1, 00:51:55, Vlan540
O 192.168.121.32 [110/3] via 172.16.240.1, 00:51:55, Vlan540
O 192.168.121.64 [110/3] via 172.16.240.1, 00:51:55, Vlan540
O 192.168.121.96 [110/3] via 172.16.240.1, 00:51:55, Vlan540
O 192.168.212.0/24 [110/2] via 172.16.131.4, 00:52:14, Vlan200
[110/2] via 172.16.131.3, 00:52:14, Vlan200
O IA 192.168.10.0/24 [110/3] via 172.16.240.1, 00:52:14, Vlan540
C 192.168.228.0/24 is directly connected, Vlan41
C 192.168.246.0/24 is directly connected, Vlan18
O E2 192.168.245.0/24 [110/20] via 172.16.131.2, 00:53:04, Vlan200
O IA 192.168.11.0/24 [110/2] via 172.16.240.1, 00:53:04, Vlan540
192.168.56.0/27 is subnetted, 2 subnets
O IA 192.168.56.0 [110/4] via 172.16.240.1, 00:53:04, Vlan540
O IA 192.168.56.32 [110/4] via 172.16.240.1, 00:53:04, Vlan540
O*E2 0.0.0.0/0 [110/1] via 172.16.240.1, 00:53:31, Vlan540
I tried to ping:
ping 192.168.121.55 - The ping to the host failed and nothing appeared in the logs (this is outside my network)
ping 192.168.246.254 - The ping to the host worked and it appeared in the logs (this is in a vlan on my router)
Thanks in advance
Jose
12-14-2007 02:59 AM
Jose
You have an "ip nat outside" statement under vlan 7 but you have no routes pointing out of vlan 7.
So unless you are trying to ping an IP address on vlan 7 then NAT will not happen.
Jon
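The condition described in the reply above, as an added example (not part of any poster's message and not Cisco code): an inside-source translation is only created when a packet enters an `ip nat inside` interface, matches the NAT access-list, and is routed out of an `ip nat outside` interface. The route masks, the `198.51.100.64/26` stand-in for the masked Vlan7 subnet, and the function names are assumptions made for this sketch.

```python
import ipaddress

# Constructed sample modelled on the thread: prefix -> egress interface.
ROUTES = {
    "0.0.0.0/0": "Vlan540",           # default route learned via OSPF
    "192.168.121.32/27": "Vlan540",   # mask is an assumption
    "192.168.246.0/24": "Vlan18",     # directly connected
    "10.2.100.0/24": "Vlan14",        # directly connected, NAT inside
    "198.51.100.64/26": "Vlan7",      # placeholder for the masked Vlan7 subnet
}
NAT_INSIDE = {"Vlan14"}
NAT_OUTSIDE = {"Vlan7"}
# access-list 10 permit 10.2.100.0 0.0.0.255
ACL_10 = [ipaddress.ip_network("10.2.100.0/24")]


def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match: interface the router forwards dst out of."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def nat_verdict(src, dst, ingress, routes=ROUTES):
    """Explain whether an inside-source translation would be created."""
    if ingress not in NAT_INSIDE:
        return f"no NAT: ingress {ingress} is not 'ip nat inside'"
    if not any(ipaddress.ip_address(src) in net for net in ACL_10):
        return f"no NAT: source {src} not permitted by access-list 10"
    egress = egress_interface(dst, routes)
    if egress is None:
        return "no NAT: no route to destination"
    if egress not in NAT_OUTSIDE:
        return f"no NAT: egress {egress} is not 'ip nat outside'"
    return f"NAT: {src} translated from pool on egress {egress}"


if __name__ == "__main__":
    for dst in ("192.168.121.55", "192.168.246.254", "198.51.100.70"):
        print(dst, "->", nat_verdict("10.2.100.55", dst, "Vlan14"))
```

With the default route pointing out of Vlan540, traffic from 10.2.100.55 to an external host never crosses the interface marked `ip nat outside`, which is consistent with the zero hits and zero misses in `show ip nat statistics`.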
12-14-2007 03:18 AM
Jorge
Yes, it's true.
Now I did this:
#router ospf 1
network 1xx.xxx.xx.0 0.0.0.255 area 2
#sh ip route | include Vlan7
C 1xx.xxx.xx.96/27 is directly connected, Vlan7
I pinged 1xx.xxx.xx.126 and this is the reply:
Dec 14 11:10:05: ICMP: echo reply sent, src 1xx.xxx.xx.126, dst 10.2.100.55
Dec 14 11:10:06: ICMP: echo reply sent, src 1xx.xxx.xx.126, dst 10.2.100.55
Dec 14 11:10:07: ICMP: echo reply sent, src 1xx.xxx.xx.126, dst 10.2.100.55
Dec 14 11:10:08: ICMP: echo reply sent, src 1xx.xxx.xx.126, dst 10.2.100.55
But everything else remained the same.
Thanks in advance
Jose
12-14-2007 03:31 AM
Jose
It's Jon, not Jorge, although I'm sure Jorge will be along soon :)
Could you tell me exactly what you are trying to achieve and what the source and destination are?
If you ping a packet from vlan 14 and that packet is reachable via vlan 540 in your routing table then you will use the "ip nat outside" statement on your vlan 7 interface.
Jon
12-14-2007 03:51 AM
Jon,
Sorry for the "Jorge".
I have a lot of PCs in vlan 14 that have internal IPs (10.2.100.0/24).
I have vlan7, which has international IPs.
What I want is for the PCs in vlan 14 to access the Internet without using a proxy.
That is why I want to use NAT.
I hope that is clear.
Thanks in advance
Jose