Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

NAT of the network that is not directly connected

Hello,

I have a CAT 3560 connected to a ISR 2911

The 3560 has 2 subnets ( 192.168.1.0 /24 and 10.10.10.0 /24)

The 2911 has interface GigabitEthernet0/1 on the 192.168.1.0 /24 and another GigabitEthernet0/0 on a WAN connection 172.16.7.246

I need to NAT both the 192.168.1.0 /24 and the 10.10.10.0 /24 to the single address 172.16.7.246

I have to use route-maps .  I have IPSec VPN's and ZBF on the 2911

My problem is the NAT does not work for the 10.10.10.0 /24 network!

Why?

Is my only option to use trunking  between the 3560 and 2911 and subinterfaces on the 2911?

I want to avoid subinterfacing.

Thanks,

AA

=================

On the ISR 2911
=================

!
interface GigabitEthernet0/0
description Outside WAN
ip address 172.16.7.246 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
!
interface GigabitEthernet0/1
description Inside Data
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map clientmap
!
!
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 172.16.7.245
ip route 10.10.10.0 255.255.255.0 192.168.1.4
!
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
!
route-map nonat permit 10
match ip address 110
!
!
==================================================================================================


On the Cat 3560
=====================
!
vlan 40
name the 192.168.1.0 /24 subnet
!
vlan 60
name the 10.10.10.0 /24 subnet
!
interface FastEthernet0/7
description Connection to Router Gig0/1
switchport access vlan 40
!
interface FastEthernet0/16
description Connection pc host on the 10.10.10.0 /24 subnet
switchport access vlan 60
!
interface Vlan1
no ip address
!
interface Vlan40
ip address 192.168.1.4 255.255.255.0
!
interface Vlan60
ip address 10.10.10.10 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1

=========================


The host on the 10.10.10.0 /24 network has the 10.10.10.10 address as it's default gateway

The host can not access the WAN thru NAT.... what's going on?

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Purple

NAT of the network that is not directly connected

Hi,

Also,  I thought that by using route-map with the access list 110 I could include specify any networks  I wanted NAT'd?

Yes you're right but the problem here is that the only link from switch to router is in  VLAN 40 so you'll have to:

-use a trunk to the router and configure subinterfaces and nat inside on both subinterfaces

or

- put another access port for VLAN 60  going to your router if it has another free ethernet interface and nat the 10 subnet on this interface

Regards.

Alain

Don't forget to rate helpful posts.
3 REPLIES

Re: NAT of the network that is not directly connected

When you use the IP Nat inside command on the interface, you are telling the router to NAT all incoming packets for that subnet.

10.10.10.0 Is not part of that subnet, thats why they are not being NAT'ed

You have 2 solutions:

1- Use Router on a stick, i dont see any problem creating a subinterface over there (Of course, if you have a layer 3 switch that interface wont be necessary, only for accesing the wan)

2- Create a Separate vlan Only for internet access... Example:

VLAN 90 (Internet access)

Switch ip: 192.168.90.1/30

Router ip: 192.168.90.2/30

And apply nat

I would go for the first 1 (1 hop less), No problems with that trunk, and you could Apply security (ACL's, Route Maps) To both subnets on your Edge equipment (Your router)

New Member

NAT of the network that is not directly connected

eduardopozo56,

Thanks for the reply.  I would like to avoid option 1 for now unless there is no choice.

Can you explain how option two would work?  Would I not still need to NAT the 192.168.90.0/30 inorder to get WAN access for the 10.10.10.0/24?

Also,  I thought that by using route-map with the access list 110 I could include specify any networks  I wanted NAT'd?

Thanks,

AA

See:

=======

ip nat inside source route-map nonat interface GigabitEthernet0/0 overload


!
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 any

!

!

route-map nonat permit 10

match ip address 110

Purple

NAT of the network that is not directly connected

Hi,

Also,  I thought that by using route-map with the access list 110 I could include specify any networks  I wanted NAT'd?

Yes you're right but the problem here is that the only link from switch to router is in  VLAN 40 so you'll have to:

-use a trunk to the router and configure subinterfaces and nat inside on both subinterfaces

or

- put another access port for VLAN 60  going to your router if it has another free ethernet interface and nat the 10 subnet on this interface

Regards.

Alain

Don't forget to rate helpful posts.
975
Views
0
Helpful
3
Replies