NAT problems on a L3 3650 switch

kmerentitis
Level 1

So, I am trying to set up NAT on our new 3650 switch running IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.06.00E RELEASE SOFTWARE.

This simple setup involves a layer 3 port (1/0/46) to our gateway and a VLAN for NAT.

My hosts on my NAT VLAN (Vlan 2) do not seem able to ping anywhere other than the switch itself (all its interfaces) and their local subnet. Pings from the switch to outside are fine (NAT debug enabled):

Switch#ping 8.8.8.8 source 192.168.122.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.122.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/66/70 ms
Switch#
*Nov 10 14:27:04.145: NAT: ICMP id=1->1025
*Nov 10 14:27:04.145: NAT: s=192.168.122.1->165.211.28.194, d=8.8.8.8 [5]
*Nov 10 14:27:04.210: NAT: ICMP id=1025->1
*Nov 10 14:27:04.210: NAT: s=8.8.8.8, d=165.211.28.194->192.168.122.1 [0]

....

Running Config:
! Last configuration change at 13:51:06 UTC Mon Nov 10 2014
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot system switch all flash:packages.conf
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family

!
no aaa new-model
switch 1 provision ws-c3650-48ps
!

ip routing
!
ip dhcp excluded-address 192.168.122.1
!
ip dhcp pool Pool14
 import all
 network 192.168.122.0 255.255.255.0
 dns-server 165.211.29.1 
 default-router 192.168.122.1 
 domain-name my.domain

crypto pki trustpoint TP-self-signed-1875358754
 .....
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
 mode sso
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
! 
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto

interface GigabitEthernet1/0/46
 description conf GW
 no switchport
 ip address 165.211.28.194 255.255.255.192
 ip nat outside
 !         
interface GigabitEthernet1/0/47
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 192.168.122.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 61 interface GigabitEthernet1/0/46 overload
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 165.211.28.193
!
access-list 61 permit 192.168.122.0 0.0.0.255

line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
line vty 5 15
 login
!
wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
!
ap group default-group
end

I also tried using a VLAN (with ip nat outside) instead of the layer 3 port (1/0/46), with the same results.

10 Replies

devils_advocate
Level 7

Can you post results of the following:

#show ip route - On the switch

tracert -d 8.8.8.8 - On a host

Switch#show ip route  
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 165.211.28.193 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 165.211.28.193
      192.168.122.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.122.0/24 is directly connected, Vlan2
L        192.168.122.1/32 is directly connected, Vlan2
      165.211.28.0/24 is variably subnetted, 2 subnets, 2 masks
C        165.211.28.192/26 is directly connected, GigabitEthernet1/0/46
L        165.211.28.194/32 is directly connected, GigabitEthernet1/0/46

--------------

traceroute -n 8.8.8.8 (I am on a mac)
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  192.168.122.1  2.546 ms  3.291 ms  2.104 ms
 2  * * *
 3  * * *
 4  *

Did you get this fixed? I'm having the exact same problem.

Thanks!


I didn't manage to fix this. After digging into the documentation I found no sign of NAT support on the 3560 switch. I ended up using a router.

NAT is not supported on any Catalyst switches except some very high end switches (and even then, the NAT support on those is limited).

If it works at all it will be process switched (not in hardware), which will result in high CPU under any sort of load. TAC will insist you remove it, as these devices were not designed to do this function.

You really need a router to do NAT.  It's not a function of switching and has never been supported on these platforms, even if the CLI commands appear to exist.

Mukesh Kumar
Level 3

Hello kmerentitis

Your configuration is looking correct. I have tested the same topology and it's working. You have to check the IP address and default gateway on the host connected in VLAN 2.

Regards,
Mukesh Kumar
Network Engineer
Spooster IT Services

Thank you both for your help.

The IP configuration should be correct, as it was retrieved from the DHCP server running on the switch.

I post the IP configuration from my (DHCP) client:

ip addr: 192.168.122.2
subnet mask: 255.255.255.0
router: 192.168.122.1

Hello

1) Can you confirm the public addressing is supposed to be static, and is the subnet mask correct?

2) IP routing enabled?

3) sdm template being used? - sh sdm prefer

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello Paul,

1) Yes, the public addressing is correct. Our gateway is 165.211.28.193/26 and my public is set up as 165.211.28.194/26.

2) IP routing is enabled on the switch, as you can see in my configuration.

3) Switch#sh sdm prefer

Showing SDM Template Info

This is the Advanced (low scale) template.
  Number of VLANs:                                 4094
  Unicast MAC addresses:                           32768
  Overflow Unicast MAC addresses:                  512
  IGMP and Multicast groups:                       4096
  Overflow IGMP and Multicast groups:              512
  Directly connected routes:                       16384
  Indirect routes:                                 7680
  Security Access Control Entries:                 1536
  QoS Access Control Entries:                      3072
  Policy Based Routing ACEs:                       1024
  Netflow ACEs:                                    768
  Wireless Input Microflow policer ACEs:           256
  Wireless Output Microflow policer ACEs:          256
  Flow SPAN ACEs:                                  512
  Tunnels:                                         256
  Control Plane Entries:                           512
  Input Netflow flows:                             8192
  Output Netflow flows:                            16384
  SGT/DGT entries:                                 4096
  SGT/DGT Overflow entries:                        512
These numbers are typical for L2 and IPv4 features.
Some features such as IPv6, use up double the entry size;
so only half as many entries can be created.
