Cisco Support Community

New Member

NAT between two vlans in 6509

Hello,

I was trying to establish NAT between two vlans. The configuration is:

interface vlan 14

ip address 10.2.100.254 255.255.255.0

ip nat inside

!

interface vlan 7

ip address 1xx.xxx.xxx.126 255.255.255.192

ip nat outside

!

ip nat pool CONVERSION 1xx.xx.xx.105 1xx.xx.xx.110 netmask 255.255.255.192

ip nat inside source list 10 pool CONVERSION overload

!

access-list 10 permit 10.2.100.0 0.0.0.255

I have tried on 6509 with:

Cisco Internetwork Operating System Software IOS (tm) c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(27b)E, RELEASE SOFTWARE (fc2)

I am not going outside the box and I can't see translation.

When I do:

#sh ip nat statistics

Total active translations: 0 (0 static, 0 dynamic; 0 extended)

Outside interfaces:

Vlan7

Inside interfaces:

Vlan14

Hits: 0 Misses: 0

Expired translations: 0

Dynamic mappings:

-- Inside Source

access-list 10 pool CONVERSION refcount 0

pool CONVERSION: netmask 255.255.255.192

start 19x.xxx.xxx.105 end 1xx.xxx.xxx.110

type generic, total addresses 6, allocated 0 (0%), misses 0

Can you help me?

Thanks in advance.

Jose Goncalves

21 REPLIES

Re: NAT between two vlans in 6509

Hi, have you applied access list 10 to the interface?

e.g.

interface vlan 7

ip access-group 10 in

ip access-group 10 out

HTH

Jorge

Hall of Fame Super Blue

Re: NAT between two vlans in 6509

Hi Jorge

The access-list is used to match traffic for NAT, so you don't need to apply it to the interface, do you?

Jose

What is the source IP address and what is the destination address?

Is the destination address reached out of vlan 7?

Have you tried a "debug ip nat". Obviously you need to be careful with any debugging if this is a production switch.

Jon

Re: NAT between two vlans in 6509

This is correct, Jon, what was I thinking! There are no statics. Thanks for correcting.

I just labbed this out; the configuration from Jose seems fine. I agree with Jon: "debug ip nat".

Jorge

New Member

Re: NAT between two vlans in 6509

I have a PC with the IP 10.2.100.55 connected to vlan 14. I want to ping a host outside my network, using the IPs in vlan 7, which have a connection to the outside (the Internet, for example).

I activated the command debug ip nat, but nothing appears in the console.

Can you help me with any suggestion?

Thanks again for your help.

Jose

Re: NAT between two vlans in 6509

Jose, if you have a local console connection onto the router, issue the following:

router(config)#logging buffered debugging

router(config)#logging console

router(config)#exit

router#terminal monitor

Turn on ip nat debugging and try connecting to host 10.2.100.55 on vlan 14; you should be able to see debugging output on the local console connection.

To turn off debugging, issue "no debug all". As in any debugging configuration, use these commands with caution; best to use during non-business hours.

Jorge

New Member

Re: NAT between two vlans in 6509

Jorge

Nothing about NAT appears in the console, but there are other messages that I can see in the console.

It seems that the router doesn't recognize the commands about NAT.

Do you have any idea?

Thanks in advance.

Jose

Re: NAT between two vlans in 6509

Jose, could you, in addition to ip nat debug, do icmp as well ("debug ip icmp") and try pinging the host again? Have you ensured that the host on vlan 14 does not have any firewalls turned on?

Post any debug output results.

[edit] Can you also verify interface vlan14 is up/up? Do "show ip interface brief".

Jorge

New Member

Re: NAT between two vlans in 6509

Jorge,

I did this:

#debug ip nat

IP NAT debugging is on

#debug ip icmp

ICMP packet debugging is on

#terminal monitor

#show ip interface brief

Interface IP-Address OK? Method Status Protocol

Vlan7 1xx.xxx.xxx.126 YES NVRAM up up

Vlan14 10.2.100.254 YES manual up

#sh debugging

Generic IP:

ICMP packet debugging is on

IP NAT debugging is on

IP NAT detailed debugging is on

When I do a ping from host 10.2.100.55 to the interface vlan14 10.2.100.254, this appears in the logs:

#sh logging | include 2.100

Dec 14 10:14:48: ICMP: echo reply sent, src 10.2.100.254, dst 10.2.100.55

Dec 14 10:14:49: ICMP: echo reply sent, src 10.2.100.254, dst 10.2.100.55

Dec 14 10:14:50: ICMP: echo reply sent, src 10.2.100.254, dst 10.2.100.55

Dec 14 10:14:51: ICMP: echo reply sent, src 10.2.100.254, dst 10.2.100.55

But if I ping another IP, nothing appears.

No entry about NAT appears in the logs.

Can you help me once more?

Thanks in advance.

Jose

Hall of Fame Super Blue

Re: NAT between two vlans in 6509

Jose

Can you post output of a "show ip route"

and also tell us what the other ip address you are trying to ping is ?

Jon

New Member

Re: NAT between two vlans in 6509

Jorge

I did "sh ip route":

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 172.16.240.1 to network 0.0.0.0

O IA 192.168.12.0/24 [110/3] via 172.16.240.1, 00:51:09, Vlan540

O 192.168.209.0/24 [110/2] via 172.16.131.4, 00:51:09, Vlan200

[110/2] via 172.16.131.3, 00:51:09, Vlan200

193.132.09.0/24 is variably subnetted, 7 subnets, 2 masks

O E2 192.168.73.96 [110/1] via 172.16.240.1, 00:51:09, Vlan540

84.0.0.0/20 is subnetted, 1 subnets

O 192.168.121.0 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.121.32 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.121.64 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.121.96 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.212.0/24 [110/2] via 172.16.131.4, 00:52:14, Vlan200

[110/2] via 172.16.131.3, 00:52:14, Vlan200

O IA 192.168.10.0/24 [110/3] via 172.16.240.1, 00:52:14, Vlan540

C 192.168.228.0/24 is directly connected, Vlan41

C 192.168.246.0/24 is directly connected, Vlan18

O E2 192.168.245.0/24 [110/20] via 172.16.131.2, 00:53:04, Vlan200

O IA 192.168.11.0/24 [110/2] via 172.16.240.1, 00:53:04, Vlan540

192.168.56.0/27 is subnetted, 2 subnets

O IA 192.168.56.0 [110/4] via 172.16.240.1, 00:53:04, Vlan540

O IA 192.168.56.32 [110/4] via 172.16.240.1, 00:53:04, Vlan540

O*E2 0.0.0.0/0 [110/1] via 172.16.240.1, 00:53:31, Vlan540

I tried pinging:

ping 192.168.121.55 - The ping to the host failed and nothing appeared in the logs (this is outside my network)

ping 192.168.246.254 - The ping to the host succeeded and appeared in the logs (this is in a vlan on my router)

Thanks in advance.

Jose

Hall of Fame Super Blue

Re: NAT between two vlans in 6509

Jose

You have an "ip nat outside" statement under vlan 7 but you have no routes pointing out of vlan 7.

So unless you are trying to ping an IP address on vlan 7 then NAT will not happen.

Jon

New Member

Re: NAT between two vlans in 6509

Jorge

Yes, it's true.

Now I did this:

#router ospf 1

network 1xx.xxx.xx.0 0.0.0.255 area 2

#sh ip route | include Vlan7

C 1xx.xxx.xx.96/27 is directly connected, Vlan7

I pinged 1xx.xxx.xx.126 and this is the reply:

Dec 14 11:10:05: ICMP: echo reply sent, src 1xx.xxx.xx.126, dst 10.2.100.55

Dec 14 11:10:06: ICMP: echo reply sent, src 1xx.xxx.xx.126, dst 10.2.100.55

Dec 14 11:10:07: ICMP: echo reply sent, src 1xx.xxx.xx.126, dst 10.2.100.55

Dec 14 11:10:08: ICMP: echo reply sent, src 1xx.xxx.xx.126, dst 10.2.100.55

But everything else remained the same.

Thanks in advance.

Jose

Hall of Fame Super Blue

Re: NAT between two vlans in 6509

Jose

It's Jon, not Jorge, although I'm sure Jorge will be along soon :)

Could you tell me exactly what you are trying to achieve and what the source and destination are?

If you ping a packet from vlan 14 and that packet is reachable via vlan 540 in your routing table then you will use the "ip nat outside" statement on your vlan 7 interface.

Jon

New Member

Re: NAT between two vlans in 6509

Jon,

Sorry for the Jorge.

I have a lot of PCs in vlan 14 that have internal IPs (10.2.100.0/24).

I have vlan7, which has international IPs.

What I want is for the PCs in vlan 14 to access the Internet without using a proxy.

That is why I want to use NAT.

I hope that is clear.

Thanks in advance.

Jose

Hall of Fame Super Blue

Re: NAT between two vlans in 6509

Jose

No problem.

Can you tell me what the default route used on this switch to get to the Internet is?

Jon

New Member

Re: NAT between two vlans in 6509

Jon,

Gateway of last resort is 172.16.240.1 to network 0.0.0.0

interface Vlan540

description Ligacao WAN

ip address 172.16.240.4 255.255.255.0

Thanks in advance.

Jose

Hall of Fame Super Blue

Re: NAT between two vlans in 6509

Jose

That is your problem then. When you go out to the internet you go out of vlan 540, but you have the ip nat outside statement under vlan 7, which is why you are never getting any NAT translations.

Jon
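The check Jon describes, as an added example that is not part of the original thread: a translation is only created when a packet enters an "ip nat inside" interface and is routed out of an "ip nat outside" interface. The route list is a constructed model of the posted "show ip route" output; the Vlan7 prefix (198.51.100.64/26), the /27 mask and the test destinations are assumptions, since the thread masks the real values.

```python
import ipaddress

# Constructed model of the thread's routing table ("show ip route").
# Vlan7's prefix is masked in the thread; 198.51.100.64/26 is a placeholder,
# and the /27 mask on 192.168.121.32 is an assumption.
ROUTES = [
    ("0.0.0.0/0", "Vlan540"),
    ("192.168.121.32/27", "Vlan540"),
    ("192.168.246.0/24", "Vlan18"),
    ("10.2.100.0/24", "Vlan14"),
    ("198.51.100.64/26", "Vlan7"),
]
LOCAL_ADDRS = {"10.2.100.254", "198.51.100.126"}   # the switch's own SVI addresses
NAT_INSIDE = {"Vlan14"}
NAT_ACL = [ipaddress.ip_network("10.2.100.0/24")]  # access-list 10


def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match: name of the interface the packet is routed out of."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def nat_decision(src, dst, ingress, outside=frozenset({"Vlan7"})):
    """Return (translated?, reason) for an inside-source rule like the thread's."""
    if ingress not in NAT_INSIDE:
        return False, f"ingress {ingress} is not 'ip nat inside'"
    if not any(ipaddress.ip_address(src) in net for net in NAT_ACL):
        return False, f"source {src} is not matched by the NAT access list"
    if dst in LOCAL_ADDRS:
        # Matches the thread: pinging the switch's own Vlan7 address showed no NAT.
        return False, "destination is the switch itself, packet is not forwarded"
    egress = egress_interface(dst)
    if egress not in outside:
        return False, f"egress {egress} is not 'ip nat outside'"
    return True, f"translated on path {ingress} -> {egress}"


if __name__ == "__main__":
    for dst in ("192.168.121.55", "203.0.113.10", "198.51.100.126"):
        print(dst, nat_decision("10.2.100.55", dst, "Vlan14"))
    # Same traffic if the outside statement sat on the actual egress interface.
    print(nat_decision("10.2.100.55", "203.0.113.10", "Vlan14", outside={"Vlan540"}))
```

With the posted configuration every Internet-bound and 192.168.121.x packet leaves through Vlan540, so the model reports no translation, which matches the zero hits and misses in "sh ip nat statistics".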

New Member

Re: NAT between two vlans in 6509

Jon,

Thanks a lot for your aid.

Is there then some method for me to do what I intend on the 6509?

Will I really have to use another router for this?

Thanks in advance.

Jose

Hall of Fame Super Blue

Re: NAT between two vlans in 6509

Jose

You can use the 6500 for this but you need to be careful. You have a lot of routes pointing out of vlan 540.

Do you want to NAT all traffic going out of the vlan 540 interface? Because that won't just be internet traffic, it will also be any subnets using vlan 540 as their gateway, e.g.

Do you want to NAT vlan 14 IP addresses if a client on vlan 14 wants to communicate with any of these subnets?

O 192.168.121.0 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.121.32 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.121.64 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.121.96 [110/3] via 172.16.240.1, 00:51:55, Vlan540

Jon

New Member

Re: NAT between two vlans in 6509

Jon

No, I don't want to NAT all traffic going out of the vlan 540 interface.

Yes, I want to NAT vlan 14 ip addresses if a client on vlan 14 wants to communicate with any of these subnets.

Thanks in advance.

Jose

New Member

Re: NAT between two vlans in 6509

Jon,

With my configuration of the network, it isn't possible to do NAT, right?

Thanks in advance.

Jose
