12-31-2008 03:50 AM - edited 03-04-2019 03:17 AM
Hi all,
I'm using a Cisco 877 (c870-advipservicesk9-mz.124-2.T2) at a location.
This location has a (last mile) radio bridge based internet connection (Ethernet port).
I made 2 VLANs on the 877.
Step 1 : Vlan database
vlan 2
vlan 3
exit
Step 2 : int vlan 2
ip address 10.204.100.1 255.255.255.224
ip nat inside
int vlan 3
ip address 124.29.12x.2 255.255.255.252
ip nat outside
Step 3 : Int Fastethernet 0
switchport access vlan 2
Int fastethernet 3
switchport access vlan 3
vlan 2 connects the LAN users via Fastethernet0
vlan 3 connects to the internet device via Fastethernet 3
Then made NAT rule
ip nat inside source list 100 interface vlan3 overload
ACL 100
access-list 100 permit ip 10.204.100.0 0.0.0.31 any
Default Route
ip route 0.0.0.0 0.0.0.0 125.29.12x.1
Now this config works on an old 2611 with 2 real Ethernet ports.
My workstation 10.204.100.2 can connect to the internet just fine with the 2611,
but I can't seem to have it work with the new 877.
Any idea where I'm going wrong?
I know it's gotta be a VLAN config problem or VLAN limitation, because the NAT works fine with the other router.
Please help.
12-31-2008 09:15 AM
Is the default route you entered here a typo? It is not a part of the network you have defined on VLAN 3.
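The check this reply does by eye, as an added example that is not part of the original thread: it flags a static route whose next hop is on no connected subnet, and a NAT overload interface that is not marked as the outside interface. The sample config is constructed with documentation addresses, and parse and check are hypothetical helper names.

```python
import ipaddress

# Constructed sample (documentation addresses), laid out like the thread's config.
SAMPLE_CONFIG = """\
interface Vlan2
 ip address 10.204.100.1 255.255.255.224
 ip nat inside
interface Vlan3
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
ip nat inside source list 100 interface Vlan3 overload
access-list 100 permit ip 10.204.100.0 0.0.0.31 any
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""

def parse(config):
    """Collect interface subnets/NAT roles, static next hops, NAT overload interfaces."""
    ifaces, hops, nat_ifs, cur = {}, [], [], None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if not line[0].isspace():
            cur = None  # a non-indented line ends the interface block
        if w[0] == "interface" and len(w) == 2:
            cur = w[1].lower()
            ifaces[cur] = {"net": None, "nat": None}
        elif cur and w[:2] == ["ip", "address"] and len(w) >= 4:
            ifaces[cur]["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif cur and w[:2] == ["ip", "nat"] and len(w) == 3:
            ifaces[cur]["nat"] = w[2]
        elif w[:2] == ["ip", "route"] and len(w) >= 5:
            try:
                hops.append(ipaddress.ip_address(w[4]))
            except ValueError:
                pass  # next hop given as an interface name; nothing to check
        elif w[:4] == ["ip", "nat", "inside", "source"] and "interface" in w[4:-1]:
            nat_ifs.append(w[w.index("interface", 4) + 1].lower())
    return ifaces, hops, nat_ifs

def check(config):
    """Return a list of findings; an empty list means both checks passed."""
    ifaces, hops, nat_ifs = parse(config)
    nets = [i["net"] for i in ifaces.values() if i["net"]]
    findings = [f"next hop {h} is not on any connected subnet"
                for h in hops if not any(h in n for n in nets)]
    findings += [f"NAT overload interface {n} is not marked 'ip nat outside'"
                 for n in nat_ifs if ifaces.get(n, {}).get("nat") != "outside"]
    return findings
```

Calling check(SAMPLE_CONFIG) reports the off-subnet next hop; pointing the route at 198.51.100.1 clears it.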
01-01-2009 05:04 AM
It was a typo.
The funny thing is that I installed an 837 (which has 2 Ethernets: eth2 mapped on fastethernet4 and ethernet1 mapped on fastethernet 1,2,3)
and it seems to work fine...
The 877 is giving problems with NATting with 2 VLANs defined as per my first post.
Any resolution?
Cisco, I need help.
01-01-2009 07:41 AM
I had a similar issue a while back with overloading to virtual interfaces but I forget the exact details now.
I found that instead of overloading to the interface if I created a NAT pool with the one external address in and overloaded to the NAT pool then it worked.
Worth a shot.
01-01-2009 11:13 AM
Zaid
I have a suggestion to change your NAT configuration. Since your NAT rule is only checking the source address you do not really need an extended access list in the NAT. I suggest changing the access list from extended to standard.
So the config would look something like this:
ip nat inside source list 10 interface vlan3 overload
access-list 10 permit 10.204.100.0 0.0.0.31
Give it a try and let us know if it helps.
HTH
Rick
01-02-2009 12:10 AM
Hi Rick,
Did that as well but it doesn't seem to work.
Could it be an ISP issue?
It's really gotten me confused now.
01-02-2009 05:09 AM
Zaid
One way to check on possible issues is to attempt to ping some Internet resources from the router itself. Can you ping www.cisco.com from the router?
HTH
Rick
01-02-2009 07:28 AM
I would try to change your nat statement to a physical interface (Fa3) instead of the vlan.
HTH,
John