Two VLANs on same Switch with NAT problem.

ecabrera81
Level 1

Hello all.

I have a few Cisco devices at home that I am using to study with. For now, on this little setup, I am using a 2620XM and a 3500XL switch. I have two VLANs set up on the switch, VLAN 10 and VLAN 20, using router on a stick. I have set up the inside and outside interfaces. I have fa1/0 as my outside with a DHCP address of 192.168.1.10. I have also set up my internet router to see networks 172.20.0.0/24 and 172.20.1.0/24. I am able to ping back and forth from 192.168.1.0/24 to both networks. The issue comes when I try to apply NAT. I have tried two different setups and both have failed. I have two ping windows open on my PC on the 192.168.1.0/24 side, one pinging VLAN 10 and the other VLAN 20. Once I apply either NAT solution I lose ping on one VLAN while still pinging the other, but neither VLAN can go out to the internet. Below are the NAT solutions I have tried, and also the running config for both router and switch. If anybody can assist I would really appreciate it.

NAT Solution 1

ip nat pool INET 192.168.1.10 192.168.1.10 netmask 255.255.255.0
ip nat inside source list 1 pool INET overload
access-list 1 permit any

NAT Solution 2

ip nat inside source list 100 interface fa1/0 overload
access-list 100 permit ip any any

Router config

R1#sh run
Building configuration...

Current configuration : 1470 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5 native
 ip address 172.16.1.6 255.255.255.248
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 172.20.0.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 172.20.1.254 255.255.255.0
 ip nat inside
!
interface Serial0/0
 no ip address
 shutdown
!
interface Serial0/1
 no ip address
 shutdown
!
interface Serial0/2
 no ip address
 shutdown
!
interface Serial0/3
 no ip address
 shutdown
!
interface FastEthernet1/0
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
!
router ospf 1
 log-adjacency-changes
 network 172.16.1.0 0.0.0.7 area 0
 network 172.20.0.0 0.0.0.255 area 0
 network 172.20.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
no ip http server
ip classless
!
line con 0
 exec-timeout 0 0
 password
 logging synchronous
 login
line aux 0
line vty 0 4
 exec-timeout 0 0
 password
 logging synchronous
 login
line vty 5 181
 exec-timeout 0 0
 password
 logging synchronous
 login
!
!
end

Switch Config

SW1#sh run
Building configuration...

Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SW1
!
ip subnet-zero
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 5
 switchport trunk allowed vlan 1,5,10,20,1002-1005
 switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 switchport access vlan 10
!
interface FastEthernet0/5
 switchport access vlan 10
!
interface FastEthernet0/6
 switchport access vlan 10
!
interface FastEthernet0/7
 switchport access vlan 10
!
interface FastEthernet0/8
 switchport access vlan 10
!
interface FastEthernet0/9
 switchport access vlan 10
!
interface FastEthernet0/10
 switchport access vlan 10
!
interface FastEthernet0/11
 switchport access vlan 10
!
interface FastEthernet0/12
 switchport access vlan 20
!
interface FastEthernet0/13
 switchport access vlan 20
!
interface FastEthernet0/14
 switchport access vlan 20
!
interface FastEthernet0/15
 switchport access vlan 20
!
interface FastEthernet0/16
 switchport access vlan 20
!
interface FastEthernet0/17
 switchport access vlan 20
!
interface FastEthernet0/18
 switchport access vlan 20
!
interface FastEthernet0/19
 switchport access vlan 20
!
interface FastEthernet0/20
 switchport access vlan 20
!
interface FastEthernet0/21
 switchport access vlan 20
!
interface FastEthernet0/22
 switchport access vlan 20
!
interface FastEthernet0/23
 shutdown
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/24
 shutdown
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface VLAN1
 no ip address
 no ip directed-broadcast
 no ip route-cache
 shutdown
!
interface VLAN5
 ip address 172.16.1.1 255.255.255.248
 no ip directed-broadcast
 no ip route-cache
!
ip default-gateway 172.16.1.6
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 login
line vty 5 15
 login
!
end

2 Replies

Jon Marshall
Hall of Fame

You need to change your ACL because NAT doesn't usually work with "any" as the source.

I tend to use extended ACLs, so:

! extended ACL: protocol keyword is required and the masks are wildcard masks (0 = must match)
access-list 101 permit ip 172.20.0.0 0.0.0.255 any
access-list 101 permit ip 172.20.1.0 0.0.0.255 any

and then use your second solution, i.e. overload on the interface.

If you find you cannot ping between your VLANs, then you need to modify the above ACL to deny traffic between the VLANs/IP subnets and then permit any as above, but it should work without doing that.

Jon

Thanks for the reply back on this. I got just about the same answer on another forum.


access-list 100 deny   ip 172.20.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 172.20.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.20.0.0 0.0.0.255 any
access-list 100 permit ip 172.20.1.0 0.0.0.255 any
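The point both replies turn on is that the ACL named in `ip nat inside source list ... overload` is a classifier, not a filter: first matching entry wins, `permit` means "rewrite this packet's source", and `deny` (or no match at all, the implicit deny) means "forward it with its real source". The model below is an added example, not code from this thread or from Cisco. It runs the three ACLs discussed here (the poster's `permit ip any any`, Jon's two-subnet ACL written with the wildcard-mask syntax IOS actually accepts, and the poster's final ACL with the two deny entries) over a handful of constructed inside-to-outside flows and reports the source address each packet would leave fa1/0 with. The outside address 192.168.1.10 is the one given in the post; the host addresses and the 203.0.113.5 internet destination are made up for the example. It models only packets that enter an `ip nat inside` interface and exit the `ip nat outside` interface; the outside-to-inside direction (looked up in the translation table) and the router's own replies are not modelled.

```python
"""Model of how a Cisco IOS inside-source NAT ACL classifies packets.

Added example, not code from the thread or from Cisco. Behaviour modelled:
first matching entry wins; `permit` = translate the source to the outside
interface address; `deny` or no match (implicit deny) = forward untranslated.
Only the inside-to-outside direction is modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

OUTSIDE_IP = "192.168.1.10"  # fa1/0's DHCP address, as stated in the post


@dataclass(frozen=True)
class Ace:
    action: str       # "permit" or "deny"
    src: str
    src_wild: str     # IOS wildcard mask: a 1 bit means "don't care"
    dst: str
    dst_wild: str


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard-mask test: compare only the bits the wildcard leaves as 0."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_address(tokens: List[str]):
    """Consume one ACL address term: 'any', 'host A.B.C.D', or 'NET WILDCARD'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ip SRC DST' (extended, protocol ip only)."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, src_wild, rest = _take_address(t[4:])
    dst, dst_wild, rest = _take_address(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return Ace(t[2], src, src_wild, dst, dst_wild)


def first_match(acl: List[Ace], src: str, dst: str) -> Optional[Ace]:
    """First-match semantics; None models the implicit deny at the end."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wild) and wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace
    return None


def nat_source(acl_lines: List[str], src: str, dst: str) -> str:
    """Source address the packet leaves the outside interface with.

    Assumes the packet entered an `ip nat inside` interface and is routed out
    the `ip nat outside` interface. A permit hit rewrites the source to the
    outside address; a deny hit or no hit leaves it untouched.
    """
    acl = [parse_ace(line) for line in acl_lines]
    hit = first_match(acl, src, dst)
    if hit is not None and hit.action == "permit":
        return OUTSIDE_IP
    return src


# The three ACLs from the thread (Jon's written with wildcard masks).
ACL_ANY = ["access-list 100 permit ip any any"]           # poster's NAT solution 2
ACL_SCOPED = [                                            # Jon's reply
    "access-list 101 permit ip 172.20.0.0 0.0.0.255 any",
    "access-list 101 permit ip 172.20.1.0 0.0.0.255 any",
]
ACL_EXEMPT = [                                            # poster's final ACL
    "access-list 100 deny   ip 172.20.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 100 deny   ip 172.20.1.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 100 permit ip 172.20.0.0 0.0.0.255 any",
    "access-list 100 permit ip 172.20.1.0 0.0.0.255 any",
]

# Constructed sample flows (source, destination); addresses are made up.
FLOWS = [
    ("172.20.0.10", "203.0.113.5"),   # VLAN 10 host to the internet
    ("172.20.1.10", "203.0.113.5"),   # VLAN 20 host to the internet
    ("172.20.0.10", "192.168.1.50"),  # VLAN 10 host to a PC on the 192.168.1.0/24 side
    ("10.9.9.9", "203.0.113.5"),      # source on neither VLAN (misconfigured or spoofed)
]


def compare(flows=FLOWS):
    """Post-NAT source of each flow under each of the three ACLs."""
    return {
        (s, d): {
            "any": nat_source(ACL_ANY, s, d),
            "scoped": nat_source(ACL_SCOPED, s, d),
            "exempt": nat_source(ACL_EXEMPT, s, d),
        }
        for s, d in flows
    }


if __name__ == "__main__":
    for (s, d), result in compare().items():
        print(f"{s:>12} -> {d:<13}", "  ".join(f"{k}={v}" for k, v in result.items()))
```

Running it shows the two things the thread arrives at. With `permit ip any any`, everything that enters an inside interface is rewritten to 192.168.1.10, including the VLAN-to-192.168.1.0/24 traffic and the 10.9.9.9 source that belongs to neither VLAN; the scoped ACL translates only the two VLAN subnets and leaves the stray source alone (implicit deny). Only the final ACL keeps the real 172.20.x source on packets bound for 192.168.1.0/24, and it does so because the deny entries come before the permits; reversing the order would make the permits match first and the denies dead.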
