Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

SRP527W-U nat trouble

Hi,

I am having trouble setting nat rules on device SRP527W-U with the  latest firmware 1.2.4 (003). The latest firmware 1.2.4 has introduced  the possibility to create specific nat rules via "ACL policy rules". I  am trying to use this "new feature" not available in the older  releases  to get my network configuration done. The configuration I  would like to do is to have two different vlan. In the vlan1 I would  like to nat the PCs via the point_to_point interface and in the vlan2 I  don't want use nat feature so each computer will be reachable via public  ip address.

I have configured two different PVCs on the device let's say:

ADSL_PVC0:

encapsulation: IPoA

multiplexing: LLC

qos type: UBR

VPI/VCI auto detect: disable

virtual circuit VPI:8 VCI:35

ip settings:

ip: 2.2.2.2 (it is not my real ip it is just to make an example)

netmask: 255.255.255.252

gateway: 2.2.2.1

mtu: auto

ADSL_PVC1:

encapsulation: PPPoA

multiplexing: VC

qos type: UBR

VPI/VCI auto detect: disable

virtual circuit VPI:8 VCI:40

PPPoA settings:

username: test@providertest.com

pass: xxxxxxx

connection: keep alive

mtu: auto

in the Internet_setup_menu i have chosen:

system default route via ADSL_PVC0

default voice route ADSL_PVC1

after that I have enabled under menu interface_setup->LAN->VLAN_settings two different vlans:

vlan1 (default vlan):

private_lan:

id: 1

address_type: DHCP_server_pool

DHCP pool: DHCPRule_1 (VLAN1)

voice: disabled

membership: LAN_port1, LAN_port3, LAN_port4, SSID1

vlan2 (public vlan):

public_lan:

id: 2

address_type: DHCP_server_pool

DHCP pool: DHCPRule_2_public_ip (VLAN2)

voice: disabled

membership: LAN_port2, SSID2

and I have set two different DHCP rules:

DHCPRule_1

VLAN 1

local ip address/subnet 192.168.1.1/24

dhcp mode: dhcp server

gw: 192.168.1.1

dns proxy: enabled

DHCPRule_2_public_ip

VLAN 2

local ip address/subnet 3.3.3.1/27

dhcp mode: dhcp server

gw: 3.3.3.1

dns proxy: disabled

dns1: 8.8.8.8

after that I have set under menu network_setup->nat->global_nat:

address translation:

nat: disabled

instead I have added this policy under nat_bypass:

policy nat_lan

enabled: yes

inside interface: vlan1

outside interface: ADSL_PVC0

ip address: 2.2.2.2/30

if I try to attach a pc on lan port 1 I am able to get the ip  configuration via DHCPRule_1 I can  ping the gw 192.168.1.1 but I am not  able to ping 8.8.8.8.

if I try to attach a pc on lan port 2 I am able to get the ip  configuration via DHCPRule_2_public_ip I can  ping the gw 3.3.3.1 and I AM ABLE to ping 8.8.8.8 and of course surf the web.

From the wan side i am able to reach the router via the two different  pubblic ip address assigned to the  PVCs ADSL_PVC0, ADSL_PVC1

If I try to enable the nat under global_nat of course I am able to  browse the web and the device is using the public ip address of the pvc  ADSL_PVC0 to nat "myself".

I have tried the configuration many times and I have tried to apply many  different "flavor" configurations but I am still having trouble to get  the configuration done. From my point of view there is some sort of bug  related to the nat features or something is missing to this  configuration.

Any help will be really appreciated. 

thanks in advance for your reply.

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

SRP527W-U nat trouble

Hi Paolo,

The default mode of operation for the SRP is to have NAT enabled.  If the global NAT setting is disabled, then the SRP will work in routing mode only (no NAT ever).

For your configuration, leave the global NAT setting as enabled and create a NAT bypass rule for traffic in VLAN 2 (effectively ensuring that this traffic is routed and not translated).

Use Policy Based Routing rules to define which PVC your local traffic should use.

Hope that helps.

Andy

2 REPLIES
Cisco Employee

SRP527W-U nat trouble

Hi Paolo,

The default mode of operation for the SRP is to have NAT enabled.  If the global NAT setting is disabled, then the SRP will work in routing mode only (no NAT ever).

For your configuration, leave the global NAT setting as enabled and create a NAT bypass rule for traffic in VLAN 2 (effectively ensuring that this traffic is routed and not translated).

Use Policy Based Routing rules to define which PVC your local traffic should use.

Hope that helps.

Andy

New Member

SRP527W-U nat trouble

thanks Andrew,

now it's working as I wanted.

thanks again

902
Views
0
Helpful
2
Replies
CreatePlease to create content