03-07-2014 09:25 AM - edited 03-07-2019 06:35 PM
I need some help sorting out a NAT issue. I am a newbie on NAT and I think I am confused about the wildcard to NAT all my VLANs. I am setting up a home lab for various purposes (VMs and home network). NAT is only working for 1 VLAN: 224 = 10.23.224.0/24. The rest (225-229, 10.23.225-229.0/24) won't get to the internet.
Scenario: Cisco 3745 (config below) providing NAT and interconnected to a Cisco 3560 L3 switch with VLAN range 224-229. All VLAN interfaces end with .254 for the L3 gateways.
I believe my issue is in the NAT_ADDRESSES ACL below and the wildcard got me all confused. I thought this wildcard,
10.23.0.0 0.0.0.255, would take care of anything in the 10.23.0.0 range; however only VLAN 224 works, the rest won't get to the internet. I am able to ping 4.2.2.2 from the router and the L3 switch.
Help will be appreciated.
Building configuration...
Current configuration : 1179 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname seuz-rt1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$6m/i$kUvyAZxg9rOOgK0Zqcv8a.
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 4.2.2.2
ip name-server 4.2.2.3
!
username admin secret 5 $1$vCCq$C9eAcSNHojSHFLuRFPVRq0
!
!
!
!
interface FastEthernet0/0
ip address 192.168.10.252 255.255.255.0
ip nat outside
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 10.23.224.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
no ip http server
ip nat pool PUBLIC_NAT_IPS 192.168.10.249 192.168.10.250 netmask 255.255.255.0
ip nat inside source list NAT_ADDRESSES pool PUBLIC_NAT_IPS overload
!
ip access-list extended NAT_ADDRESSES
permit ip 10.23.0.0 0.0.0.255 any
permit ip 10.23.0.0 0.0.255.255 any
!
!
control-plane
!
banner motd ^C
DO NOT LOGIN ^C
!
line con 0
exec-timeout 180 0
password cisco
logging synchronous
line aux 0
password password
line vty 0 4
password password
login local
transport input telnet
!
ntp server 64.73.32.135
!
end
03-07-2014 09:40 AM
ip access-list extended NAT_ADDRESSES
permit ip 10.23.0.0 0.0.0.255 any
permit ip 10.23.0.0 0.0.255.255 any
The second line covers all 10.23.x.0/24 networks, so it's not your NAT.
The issue may well be that you have no routes on the router for the other IP subnets, so your router does not know how to send traffic back to those subnets. You need -
ip route 10.23.225.0 255.255.255.0
You need a route for each network, or you could just summarise the networks in one route entry, a bit like you did with your NAT but using a subnet mask and not a wildcard mask.
Jon
03-07-2014 10:51 AM
John, thanks for the advice. So I added the routes and removed the unneeded ACL line, and no luck.
Added:
ip route 10.23.225.0 255.255.255.0 10.23.225.254
Can't ping the interface:
seuz-rt1#ping 10.23.225.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.225.254, timeout is 2 seconds:
.U.U.
Success rate is 0 percent (0/5)
Removed line above:
ip access-list extended NAT_ADDRESSES
permit ip 10.23.0.0 0.0.255.255 any
I added my PC to VLAN 225, hardcoded a 225 address, and still no internet.
03-07-2014 11:36 AM
The 10.23.225.0/24 route points to a next hop address that's not in the same subnet as the LAN interface of the router. Jon is absolutely correct, though. What is the address of the VLAN on the core switch? Let's say that this LAN interface on the router connects to VLAN 1. On the switch, VLAN 1 is addressed at 10.23.224.2. Also on the switch are 3 other VLANs at 10.30.x.x, 10.40.x.x, and 10.50.x.x. On the router, your routes would be:
ip route 10.30.0.0 255.255.255.0 10.23.224.2
ip route 10.40.0.0 255.255.255.0 10.23.224.2
ip route 10.50.0.0 255.255.255.0 10.23.224.2
So your next hop has to be in the same subnet as your LAN interface on the router, which is usually the address of the core switch.
HTH,
John
*** Please rate all useful posts ***
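The two points made so far (Jon's: the 0.0.255.255 wildcard already selects every 10.23.x.0/24 for NAT, so the ACL is not the problem; John's: a static route's next hop must sit in a subnet the router is directly connected to, and cannot be the router's own address) can both be checked mechanically. The script below is an added example, not code from the thread or from Cisco; it uses only Python's standard `ipaddress` module. The interface addresses and ACL lines are constructed to mirror the router in this thread, and the function names (`acl_entry_matches`, `check_static_route`, `summary_route`) are my own.

```python
import ipaddress
import re

# Constructed sample inputs modelled on the thread: the router's interfaces
# (FastEthernet0/1 is the inside LAN at 10.23.224.1/24; the L3 switch answers
# at 10.23.224.254) and the original NAT ACL with its two wildcard entries.
ROUTER_INTERFACES = {
    "FastEthernet0/0": "192.168.10.252/24",
    "FastEthernet0/1": "10.23.224.1/24",
}
NAT_ACL = [
    "permit ip 10.23.0.0 0.0.0.255 any",
    "permit ip 10.23.0.0 0.0.255.255 any",
]
VLANS = [f"10.23.{v}.0/24" for v in range(224, 230)]  # the six VLANs on the 3560
ACL_RE = re.compile(r"permit ip (\S+) (\S+) any")


def acl_entry_matches(entry, src_ip):
    """Bitwise wildcard test: a wildcard bit of 1 means 'don't care', so the source
    matches when every bit NOT covered by the wildcard equals the entry's address.
    Unlike a CIDR conversion this also handles non-contiguous wildcards."""
    addr, wild = ACL_RE.match(entry).groups()
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wild))
    s = int(ipaddress.IPv4Address(src_ip))
    return ((s ^ a) & ~w & 0xFFFFFFFF) == 0


def wildcard_to_cidr(addr, wild):
    """Translate an address/wildcard pair to CIDR when the wildcard is contiguous.
    The subnet mask is the bitwise inverse of the wildcard; a non-contiguous
    wildcard raises ValueError because it has no single CIDR equivalent."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild)))
    return str(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))


def nat_covers(acl, src_ip):
    """Does any ACL entry select this source address for translation?"""
    return any(acl_entry_matches(e, src_ip) for e in acl)


def check_static_route(route, interfaces=ROUTER_INTERFACES):
    """Classify 'ip route NET MASK NEXTHOP' the way the router in the thread did:
    a next hop equal to one of the router's own addresses is rejected outright,
    and a next hop outside every connected subnet can never be resolved."""
    _, _, net, mask, nh = route.split()
    ipaddress.IPv4Network(f"{net}/{mask}")  # validates the destination prefix
    nh_ip = ipaddress.IPv4Address(nh)
    for name, cidr in interfaces.items():
        iface = ipaddress.IPv4Interface(cidr)
        if nh_ip == iface.ip:
            return "rejected: next hop is this router's own address"
        if nh_ip in iface.network:
            return f"ok: next hop reachable via {name}"
    return "unresolvable: next hop is not in any connected subnet"


def summary_route(prefixes):
    """Smallest single supernet covering all given prefixes, for Jon's suggestion
    of one summarised route instead of one route per VLAN. The summary may cover
    address space that is not in use, so check what it pulls in."""
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return str(summary)


if __name__ == "__main__":
    for host in ("10.23.224.20", "10.23.225.20"):
        print(host, [acl_entry_matches(e, host) for e in NAT_ACL])
    for r in ("ip route 10.23.225.0 255.255.255.0 10.23.225.254",
              "ip route 10.23.225.0 255.255.255.0 10.23.224.1",
              "ip route 10.23.225.0 255.255.255.0 10.23.224.254"):
        print(r, "->", check_static_route(r))
    print("summary:", summary_route(VLANS))
```

Running it shows that the first ACL line (wildcard 0.0.0.255) matches only 10.23.0.0/24 and therefore not even VLAN 224; it is the 0.0.255.255 line, a /16, that has been translating everything. It also reproduces the three outcomes seen later in the thread for a 10.23.225.0/24 route: next hop 10.23.225.254 is unresolvable, 10.23.224.1 is the router itself, and 10.23.224.254 is the only one that works. The single summary covering VLANs 224-229 is 10.23.224.0/21, which also spans 230 and 231; as with the /16 in the NAT ACL, a match wider than the networks actually in use means hosts you did not plan for get routed or translated, so it is worth tightening both to what the lab really contains.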
03-07-2014 12:12 PM
John B., I see my problems go beyond what I thought. All VLAN interfaces in the 3560 end with .254 and the next hop is the router Fa0/1 = 10.23.224.1 shown above.
Should I set this on the router for each VLAN: ip route 10.23.225.0 255.255.255.0 10.23.224.1, and so on?
This is the 3560 routing piece:
interface GigabitEthernet0/2
description LINK TO RT 3745
switchport trunk encapsulation dot1q
switchport trunk native vlan 224
switchport mode trunk
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
description LINK SG200 UNTAGGED
switchport trunk encapsulation dot1q
switchport trunk native vlan 224
switchport trunk allowed vlan 224-229
switchport mode trunk
!
interface Vlan1
no ip address
!
interface Vlan192
ip address 192.168.10.254 255.255.255.0
!
interface Vlan224
description iSCSI
ip address 10.23.224.254 255.255.255.0
!
interface Vlan225
description ESX
ip address 10.23.225.254 255.255.255.0
!
interface Vlan226
description VM_SERVERS
ip address 10.23.226.254 255.255.255.0
ip helper-address 10.23.226.2
!
interface Vlan227
description VIEWDESKTOPS
ip address 10.23.227.254 255.255.255.0
!
interface Vlan228
description vCloudDir
ip address 10.23.228.254 255.255.255.0
!
interface Vlan229
description SERVERS
ip address 10.23.229.254 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.23.224.1
03-07-2014 12:15 PM
Yes, on the router, make a route for 10.23.224.254.
ip route 10.23.225.0 255.255.255.0 10.23.224.254
ip route 10.23.227.0 255.255.255.0 10.23.224.254
etc.
For all of your VLANs. Then they'll be NATed/routed correctly...
HTH,
John
*** Please rate all useful posts ***
03-07-2014 12:20 PM
Tried 10.23.224.1, not possible:
%Invalid next hop address (it's this router)
As I previously tried, this should be the correct route for the router, but how can I make the router recognize this subnet?
ip route 10.23.225.0 255.255.255.0 10.23.225.254
Same error; not able to ping the address after adding the route.
03-07-2014 12:23 PM
I'm not sure you're understanding. You don't set a route next hop to the same subnet as the next hop. Your next hop is a directly connected interface. You have one interface at 10.23.224.1 on the router. The next hop is the core switch in the same subnet of 10.23.224.254. All of your routes go to the next hop of 10.23.224.254 because the switch knows how to get to everything else.
So, for your router, put in:
ip route 10.23.225.0 255.255.255.0 10.23.224.254
As I said in my previous post...
HTH,
John
*** Please rate all useful posts ***
03-07-2014 12:30 PM
Oops!! I missed the last piece where the next hop had to be 224.254, not 225.254.
Just tested NAT and routing, and success in all VLANs!!
Thank you so much, gentlemen.
03-07-2014 12:36 PM
Glad to hear.
HTH,
John
*** Please rate all useful posts ***