NAT Issues (Cisco 3745 Router)

Answered Question
Mar 7th, 2014

I need some help sorting out a NAT issue. I am a newbie on NAT and I think I am confused on the wildcard to NAT all my VLANs. I am setting up a home lab for various purposes (VMs and home network). NAT is only working for one VLAN, 224 = 10.23.224.0/24. The rest (225-229, 10.23.225-229.0/24) won't get to the internet.


Scenario: Cisco 3745 config below providing NAT, interconnected to a Cisco 3560 L3 switch with VLAN range 224-229. All VLAN interfaces end with .254 for L3 gateways.


I believe my issue is in the NAT_ADDRESSES ACL below, and the wildcard got me all confused. I thought this wildcard, 10.23.0.0 0.0.0.255, would take care of anything in the 10.23.0.0 range; however only VLAN 224 works, the rest won't get to the internet. I am able to ping 4.2.2.2 from the router and the L3 switch.


Help will be appreciated.


Building configuration...

Current configuration : 1179 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname seuz-rt1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$6m/i$kUvyAZxg9rOOgK0Zqcv8a.
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 4.2.2.2
ip name-server 4.2.2.3
!
username admin secret 5 $1$vCCq$C9eAcSNHojSHFLuRFPVRq0
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.10.252 255.255.255.0
 ip nat outside
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 10.23.224.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
no ip http server
ip nat pool PUBLIC_NAT_IPS 192.168.10.249 192.168.10.250 netmask 255.255.255.0
ip nat inside source list NAT_ADDRESSES pool PUBLIC_NAT_IPS overload
!
ip access-list extended NAT_ADDRESSES
 permit ip 10.23.0.0 0.0.0.255 any
 permit ip 10.23.0.0 0.0.255.255 any
!
!
control-plane
!
banner motd ^C
DO NOT LOGIN ^C
!
line con 0
 exec-timeout 180 0
 password cisco
 logging synchronous
line aux 0
 password password
line vty 0 4
 password password
 login local
 transport input telnet
!
ntp server 64.73.32.135
!
end


Correct Answer
Jon Marshall Fri, 03/07/2014 - 09:40

ip access-list extended NAT_ADDRESSES
 permit ip 10.23.0.0 0.0.0.255 any
 permit ip 10.23.0.0 0.0.255.255 any

The second line covers all 10.23.x.0/24 networks, so it's not your NAT.


The issue may well be that you have no routes on the router for the other IP subnets so your router does not know how to send traffic back to those subnets. You need -


ip route 10.23.225.0 255.255.255.0    <-- where next hop is the IP address of the vlan interface on the L3 switch for the 10.23.224.x network


You need a route for each network, or you could just summarise the networks in one route entry, a bit like you did with your NAT but using a subnet mask and not a wildcard mask.


Jon

Aaron Alvarado Fri, 03/07/2014 - 10:51

John, thanks for the advice. So I added the routes and removed the unneeded ACL line, and no luck.

Added:
ip route 10.23.225.0 255.255.255.0 10.23.225.254

Can't ping int:
seuz-rt1#ping 10.23.225.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.225.254, timeout is 2 seconds:
.U.U.
Success rate is 0 percent (0/5)

Removed line above:
ip access-list extended NAT_ADDRESSES
 permit ip 10.23.0.0 0.0.255.255 any

I added my PC to VLAN 225, hardcoded a 225 address, and still no internet.

John Blakley Fri, 03/07/2014 - 11:36

The 10.23.225.0/24 route points to a next hop address that's not in the same subnet as the lan interface of the router. Jon is absolutely correct though. What is the address of the vlan on the core switch? Let's say that this lan interface on the router connects to vlan 1. On the switch, vlan 1 is addressed at 10.23.224.2. Also on the switch are 3 other vlans at 10.30.x.x, 10.40.x.x, and 10.50.x.x. On the router, your routes would be:


ip route 10.30.0.0 255.255.255.0 10.23.224.2
ip route 10.40.0.0 255.255.255.0 10.23.224.2
ip route 10.50.0.0 255.255.255.0 10.23.224.2


So your next hop has to be in the same subnet as your lan interface on the router, which is usually the address of the core switch.


HTH,
John

*** Please rate all useful posts ***

Aaron Alvarado Fri, 03/07/2014 - 12:12

John B., I see my problems go beyond what I thought. All VLAN interfaces in the 3560 end with .254 and the next hop is the router Fas0/1 = 10.23.224.1 shown above.

Should I set this on the router for each VLAN: ip route 10.23.225.0 255.255.255.0 10.23.224.1 and so on?

This is the 3560 routing piece:

interface GigabitEthernet0/2
 description LINK TO RT 3745
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 224
 switchport mode trunk
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
 description LINK SG200 UNTAGGED
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 224
 switchport trunk allowed vlan 224-229
 switchport mode trunk
!
interface Vlan1
 no ip address
!
interface Vlan192
 ip address 192.168.10.254 255.255.255.0
!
interface Vlan224
 description iSCSI
 ip address 10.23.224.254 255.255.255.0
!
interface Vlan225
 description ESX
 ip address 10.23.225.254 255.255.255.0
!
interface Vlan226
 description VM_SERVERS
 ip address 10.23.226.254 255.255.255.0
 ip helper-address 10.23.226.2
!
interface Vlan227
 description VIEWDESKTOPS
 ip address 10.23.227.254 255.255.255.0
!
interface Vlan228
 description vCloudDir
 ip address 10.23.228.254 255.255.255.0
!
interface Vlan229
 description SERVERS
 ip address 10.23.229.254 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.23.224.1

John Blakley Fri, 03/07/2014 - 12:15

Yes, on the router, make a route for the 10.23.224.254.


ip route 10.23.225.0 255.255.255.0 10.23.224.254
ip route 10.23.227.0 255.255.255.0 10.23.224.254
etc.


For all of your vlans. Then they'll be natted/routed correctly...



HTH,
John

*** Please rate all useful posts ***

Aaron Alvarado Fri, 03/07/2014 - 12:20

Tried 10.23.224.1, not possible:

%Invalid next hop address (it's this router)

As I previously tried, this should be the correct route for the router, but how can I make the router recognize this subnet?

ip route 10.23.225.0 255.255.255.0 10.23.225.254

Same error; not able to ping the address after adding the route.

Correct Answer
John Blakley Fri, 03/07/2014 - 12:23

I'm not sure you're understanding. You don't set a route next hop to the same subnet as the next hop. Your next hop is a directly connected interface. You have one interface at 10.23.224.1 on the router. The next hop is the core switch in the same subnet of 10.23.224.254. All of your routes go to the next hop of 10.23.224.254 because the switch knows how to get to everything else.


So, for your router, put in:


ip route 10.23.225.0 255.255.255.0 10.23.224.254


As I said in my previous post...




HTH,
John

*** Please rate all useful posts ***
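Added example (Python, standard library only; not code from any of the posts above): it checks the two things this thread turned on, using the addresses from the posted configs as constructed input. First, whether a NAT_ADDRESSES entry's wildcard actually covers every VLAN subnet (Jon's point that 0.0.255.255 covers all 10.23.x.0/24 networks while 0.0.0.255 does not). Second, whether a static route's next hop is usable from the router (John's point that it must be the core switch's address on the connected subnet, 10.23.224.254, not the router's own 10.23.224.1 and not 10.23.225.254). It also generates the per-VLAN routes John listed and the single summary route Jon mentioned. The interface and VLAN values, and the CORE_SWITCH name, are taken from or assumed for this thread's lab.

```python
"""Added example, not from the forum posts: sanity checks for the two things
this thread turned on, using the addresses from the posted configs as
constructed input.
  1. Does a NAT ACL entry's wildcard cover every inside VLAN? (Jon's point)
  2. Is a static route's next hop usable from the router? (John's point)
Requires only the Python standard library."""
import ipaddress
from typing import Dict, List

# Constructed from the configs in the thread: the 3745's two interfaces and
# the six VLAN subnets on the 3560, whose gateways all end in .254.
ROUTER_INTERFACES: Dict[str, ipaddress.IPv4Interface] = {
    "FastEthernet0/0": ipaddress.IPv4Interface("192.168.10.252/24"),
    "FastEthernet0/1": ipaddress.IPv4Interface("10.23.224.1/24"),
}
VLAN_SUBNETS = [ipaddress.IPv4Network(f"10.23.{v}.0/24") for v in range(224, 230)]
CORE_SWITCH = "10.23.224.254"   # Vlan224 SVI on the 3560, the router's next hop


def acl_matches(ip: str, acl_addr: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a wildcard bit of 1 means 'don't care', so the
    entry matches when the remaining bits of ip and acl_addr are equal."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(acl_addr)) & care)


def acl_covers_subnet(acl_addr: str, wildcard: str, subnet: ipaddress.IPv4Network) -> bool:
    """True when every address in the subnet would match the ACL entry.
    Checking each host keeps this correct for non-contiguous wildcards too."""
    return all(acl_matches(str(host), acl_addr, wildcard) for host in subnet)


def uncovered_vlans(acl_addr: str, wildcard: str, subnets) -> List[str]:
    """Subnets the ACL entry does NOT fully cover, as prefix strings."""
    return [str(s) for s in subnets if not acl_covers_subnet(acl_addr, wildcard, s)]


def next_hop_problem(next_hop: str, interfaces: Dict[str, ipaddress.IPv4Interface]) -> str:
    """Return '' if the next hop is usable, otherwise a short reason.
    IOS rejects the router's own address outright (the thread's
    '%Invalid next hop address (it's this router)'); a next hop on no
    connected subnet is not rejected at the CLI but must itself be
    resolved through another route, which is why 10.23.225.254 never
    worked as a next hop from the 10.23.224.0/24 interface."""
    nh = ipaddress.IPv4Address(next_hop)
    for name, iface in interfaces.items():
        if nh == iface.ip:
            return f"{next_hop} is this router's own address on {name}"
    if any(nh in iface.network for iface in interfaces.values()):
        return ""
    return f"{next_hop} is not on any directly connected subnet"


def static_route_lines(subnets, next_hop, interfaces) -> List[str]:
    """The per-VLAN routes John recommended, skipping subnets the router is
    already connected to. Raises if the next hop itself is unusable."""
    problem = next_hop_problem(next_hop, interfaces)
    if problem:
        raise ValueError(problem)
    connected = [iface.network for iface in interfaces.values()]
    return [
        f"ip route {s.network_address} {s.netmask} {next_hop}"
        for s in subnets if s not in connected
    ]


def summary_route(subnets) -> ipaddress.IPv4Network:
    """Smallest single prefix covering all subnets: Jon's 'summarise the
    networks in one route entry' option, expressed with a subnet mask."""
    net = subnets[0]
    while not all(s.subnet_of(net) for s in subnets):
        net = net.supernet()
    return net


if __name__ == "__main__":
    for wc in ("0.0.0.255", "0.0.255.255"):
        print(f"10.23.0.0 {wc} misses: {uncovered_vlans('10.23.0.0', wc, VLAN_SUBNETS) or 'nothing'}")
    for nh in ("10.23.224.1", "10.23.225.254", CORE_SWITCH):
        print(f"next hop {nh}: {next_hop_problem(nh, ROUTER_INTERFACES) or 'ok'}")
    print("\n".join(static_route_lines(VLAN_SUBNETS, CORE_SWITCH, ROUTER_INTERFACES)))
    s = summary_route(VLAN_SUBNETS)
    print(f"ip route {s.network_address} {s.netmask} {CORE_SWITCH}")
```

Running it prints that 0.0.0.255 misses all six VLANs while 0.0.255.255 misses nothing, flags 10.23.224.1 (this router) and 10.23.225.254 (not connected) as bad next hops, and emits the five per-VLAN routes via 10.23.224.254 plus the 10.23.224.0/21 summary that covers 224-229 (and, as any summary does, the unused 230-231 as well).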

Aaron Alvarado Fri, 03/07/2014 - 12:30

Oops!! I missed the last piece, where the next hop had to be 224.254, not 225.254.


Just tested nat and routing and success in all vlans!!


Thank you so much, gentlemen.

John Blakley Fri, 03/07/2014 - 12:36

Glad to hear



HTH,
John

*** Please rate all useful posts ***
