NAT for logical interface

I've got the following setup

interface GigabitEthernet0/0
 description Outside Interface
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address (removed) 255.255.255.240
!
interface GigabitEthernet0/2
 description Inside interface
 nameif inside
 security-level 100
 ip address 10.33.1.1 255.255.255.0
!
interface GigabitEthernet0/2.64
 vlan 64
 nameif WiFi
 security-level 100
 ip address 10.33.64.1 255.255.255.0

The inside interface is tunneled to another location, and we added the new subnet (10.33.64.0/24) to the crypto map.

Clients on the 64 VLAN can successfully ping across the tunnel, and vice versa.

However people on the 64 VLAN cannot access the internet via the outside interface.

I have the following NAT rules:

nat (inside,outside) source static obj_10.33.64.0-24 obj_10.33.64.0-24 destination static BLDCorpNetwork BLDCorpNetwork route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.33.1.0_24 NETWORK_OBJ_10.33.1.0_24 destination static BLDCorpNetwork BLDCorpNetwork no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.33.1.0_24 NETWORK_OBJ_10.33.1.0_24 destination static NETWORK_OBJ_10.33.1.0_24 NETWORK_OBJ_10.33.1.0_24 route-lookup
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.11.11.0_24 NETWORK_OBJ_10.11.11.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.11.11.0_29 NETWORK_OBJ_10.11.11.0_29 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.33.1.0 obj-10.33.1.0 destination static obj-10.33.64.0 obj-10.33.64.0 no-proxy-arp

I tried adding the following rule

nat (WiFi,outside) 9 source dynamic any interface

This allows clients on the 64 VLAN to browse the internet, but then they can't send traffic across the tunnel.

I'm thinking I need another NAT rule but can't seem to get it configured correctly.

1 REPLY

I was able to get it working with the following via NAT Exemption.

nat (WiFi,outside) source static obj_10.33.64.0-24 obj_10.33.64.0-24 destination static BLDCorpNetwork BLDCorpNetwork no-proxy-arp
nat (WiFi,outside) source dynamic any interface

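Why the first attempt broke the tunnel and the reply's two-line fix works comes down to three ASA behaviours: a manual NAT rule is only consulted for traffic entering its "real" interface (so none of the (inside,outside) rules, including the existing exemption for 10.33.64.0/24, ever see packets arriving on the WiFi subinterface), section 1 rules are first-match in order, and the ASA translates before it checks the crypto-map ACL, so a PATted source no longer counts as interesting traffic. The Python model below is an added illustration written for this page, not code from the poster or from Cisco. It replays the three rule sets from the thread through that first-match logic, and also checks the case the reply does not mention, the exemption typed after the dynamic PAT. The contents of BLDCorpNetwork, the redacted outside address, the crypto ACL and the sample hosts are assumed placeholders; the other objects are inferred from their names.

```python
"""Toy first-match model of Cisco ASA manual NAT for the rules in this thread.

Added illustration, not code from the original post or from Cisco. Modelled:
  * a rule is consulted only for traffic entering its "real" interface;
  * section 1 is evaluated top to bottom, first match wins, and an optional
    sequence number inserts the rule at that line instead of appending;
  * 'source static X X' keeps the source (identity NAT / NAT exemption);
  * 'source dynamic any interface' PATs everything else to the egress address;
  * the crypto-map ACL is checked against the post-NAT packet.
no-proxy-arp and route-lookup do not affect matching and are ignored.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Object contents are not on the page: BLDCorpNetwork and the outside address
# are assumed placeholders, the remaining objects are inferred from their names.
OBJECTS = {
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "obj_10.33.64.0-24": ipaddress.ip_network("10.33.64.0/24"),
    "obj-10.33.64.0": ipaddress.ip_network("10.33.64.0/24"),
    "NETWORK_OBJ_10.33.1.0_24": ipaddress.ip_network("10.33.1.0/24"),
    "obj-10.33.1.0": ipaddress.ip_network("10.33.1.0/24"),
    "NETWORK_OBJ_10.11.11.0_24": ipaddress.ip_network("10.11.11.0/24"),
    "NETWORK_OBJ_10.11.11.0_29": ipaddress.ip_network("10.11.11.0/29"),
    "BLDCorpNetwork": ipaddress.ip_network("10.44.0.0/16"),  # assumed remote LAN
}
INTERFACE_ADDR = {"outside": "203.0.113.2"}  # assumed; redacted on the page
# Assumed crypto-map interesting traffic ("added the new subnet to the crypto map").
CRYPTO_ACL = [("obj_10.33.64.0-24", "BLDCorpNetwork"), ("NETWORK_OBJ_10.33.1.0_24", "BLDCorpNetwork")]


@dataclass
class NatRule:
    real_ifc: str
    mapped_ifc: str
    src_obj: str
    mapped_src: str          # same object as src_obj => identity; "interface" => PAT
    dst_obj: Optional[str]   # None => any destination


def parse_nat(line):
    """Parse 'nat (real,mapped) [seq] source static|dynamic A B [destination static C C ...]'."""
    tok = line.split()
    real_ifc, mapped_ifc = tok[1].strip("()").split(",")
    i, seq = 2, None
    if tok[i].isdigit():
        seq, i = int(tok[i]), i + 1
    src_obj, mapped_src = tok[i + 2], tok[i + 3]
    dst_obj = tok[tok.index("destination") + 2] if "destination" in tok else None
    return NatRule(real_ifc, mapped_ifc, src_obj, mapped_src, dst_obj), seq


def build_table(lines):
    """Order rules as the ASA does: append, unless a sequence number says where to insert."""
    rules = []
    for line in lines:
        rule, seq = parse_nat(line)
        rules.insert(len(rules) if seq is None else seq - 1, rule)
    return rules


def translate(rules, ingress_ifc, src, dst):
    """Return (egress_ifc, translated_src) from the first matching rule, or None if no rule matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.real_ifc != ingress_ifc:
            continue  # scoped to another ingress interface, never consulted
        if src_ip not in OBJECTS[r.src_obj]:
            continue
        if r.dst_obj is not None and dst_ip not in OBJECTS[r.dst_obj]:
            continue
        if r.mapped_src == "interface":
            return r.mapped_ifc, INTERFACE_ADDR[r.mapped_ifc]  # dynamic PAT
        return r.mapped_ifc, str(src_ip)                        # identity NAT
    return None


def enters_tunnel(rules, ingress_ifc, src, dst):
    """NAT runs first; the crypto ACL then sees the translated source, not the real one."""
    hit = translate(rules, ingress_ifc, src, dst)
    new_src = ipaddress.ip_address(src if hit is None else hit[1])
    dst_ip = ipaddress.ip_address(dst)
    return any(new_src in OBJECTS[s] and dst_ip in OBJECTS[d] for s, d in CRYPTO_ACL)


POSTED_RULES = [  # the seven rules quoted in the question
    "nat (inside,outside) source static obj_10.33.64.0-24 obj_10.33.64.0-24 destination static BLDCorpNetwork BLDCorpNetwork route-lookup",
    "nat (inside,outside) source static NETWORK_OBJ_10.33.1.0_24 NETWORK_OBJ_10.33.1.0_24 destination static BLDCorpNetwork BLDCorpNetwork no-proxy-arp route-lookup",
    "nat (inside,outside) source static NETWORK_OBJ_10.33.1.0_24 NETWORK_OBJ_10.33.1.0_24 destination static NETWORK_OBJ_10.33.1.0_24 NETWORK_OBJ_10.33.1.0_24 route-lookup",
    "nat (inside,outside) source dynamic any interface",
    "nat (inside,outside) source static any any destination static NETWORK_OBJ_10.11.11.0_24 NETWORK_OBJ_10.11.11.0_24 no-proxy-arp route-lookup",
    "nat (inside,outside) source static any any destination static NETWORK_OBJ_10.11.11.0_29 NETWORK_OBJ_10.11.11.0_29 no-proxy-arp route-lookup",
    "nat (inside,any) source static obj-10.33.1.0 obj-10.33.1.0 destination static obj-10.33.64.0 obj-10.33.64.0 no-proxy-arp",
]
FIRST_ATTEMPT = POSTED_RULES + ["nat (WiFi,outside) 9 source dynamic any interface"]
WORKING = POSTED_RULES + [  # the reply: exemption first, then the PAT
    "nat (WiFi,outside) source static obj_10.33.64.0-24 obj_10.33.64.0-24 destination static BLDCorpNetwork BLDCorpNetwork no-proxy-arp",
    "nat (WiFi,outside) source dynamic any interface",
]
WIFI_CLIENT, CORP_HOST, INTERNET_HOST = "10.33.64.20", "10.44.1.10", "198.51.100.7"  # constructed


def summary(rule_lines):
    """Tunnel reachability and the Internet-bound translation for one WiFi client."""
    rules = build_table(rule_lines)
    return {"tunnel": enters_tunnel(rules, "WiFi", WIFI_CLIENT, CORP_HOST),
            "internet_nat": translate(rules, "WiFi", WIFI_CLIENT, INTERNET_HOST)}


if __name__ == "__main__":
    for name, lines in [("posted", POSTED_RULES), ("first attempt", FIRST_ATTEMPT), ("working", WORKING)]:
        print(f"{name:14} {summary(lines)}")
```

With only the posted rules, a WiFi client reaches the tunnel (no rule touches it, so the source is still 10.33.64.20 when the crypto ACL is checked) but leaves for the Internet untranslated with a private source, which is the "cannot access the internet" symptom. Adding the (WiFi,outside) PAT alone fixes the Internet path but PATs tunnel traffic too, so the crypto ACL no longer matches. The reply's identity rule, because it sits above the PAT in section 1, carves the corporate destination out first; type the same two lines in the opposite order and the `any` PAT swallows the tunnel traffic again, which is worth checking with `show nat` after a change.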