New Member

NAT problems on a L3 3650 switch

So, I am trying to set up NAT on our new 3650 switch running IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.06.00E RELEASE SOFTWARE

This simple setup involves a layer 3 port (1/0/46) to our gateway and a Vlan for NAT

My hosts on my NAT Vlan (Vlan 2) do not seem able to ping anywhere other than the switch itself (all its interfaces) and their local subnet. Pings from the switch to outside are fine (NAT debug enabled):

Switch#ping 8.8.8.8 source 192.168.122.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.122.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/66/70 ms
Switch#
*Nov 10 14:27:04.145: NAT: ICMP id=1->1025
*Nov 10 14:27:04.145: NAT: s=192.168.122.1->165.211.28.194, d=8.8.8.8 [5]
*Nov 10 14:27:04.210: NAT: ICMP id=1025->1
*Nov 10 14:27:04.210: NAT: s=8.8.8.8, d=165.211.28.194->192.168.122.1 [0]

....

Running Config:
! Last configuration change at 13:51:06 UTC Mon Nov 10 2014
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot system switch all flash:packages.conf
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family

!
no aaa new-model
switch 1 provision ws-c3650-48ps
!

ip routing
!
ip dhcp excluded-address 192.168.122.1
!
ip dhcp pool Pool14
 import all
 network 192.168.122.0 255.255.255.0
 dns-server 165.211.29.1 
 default-router 192.168.122.1 
 domain-name my.domain

crypto pki trustpoint TP-self-signed-1875358754
 .....
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
 mode sso
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
! 
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto

interface GigabitEthernet1/0/46
 description conf GW
 no switchport
 ip address 165.211.28.194 255.255.255.192
 ip nat outside
!
interface GigabitEthernet1/0/47
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 192.168.122.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 61 interface GigabitEthernet1/0/46 overload
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 165.211.28.193
!
access-list 61 permit 192.168.122.0 0.0.0.255

line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
line vty 5 15
 login
!
wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
!
ap group default-group
end

I also tried using a Vlan (+nat outside) instead of the Layer3 port (1/0/46) with the same results
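Before chasing the platform question, the pieces of a `ip nat inside source list ... overload` setup can be cross-checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the text of `show running-config` and verifies that `ip routing` is on, that an inside and an outside interface are marked, that the NAT rule's egress interface is the one marked `ip nat outside`, that the referenced ACL exists and actually covers the inside subnet, and that a default route exists. `SAMPLE_CONFIG` is a constructed excerpt modelled on the configuration posted above; the function names are mine. It deliberately checks configuration consistency only, not whether the hardware forwards translated traffic.

```python
"""Check the NAT prerequisites in a Cisco IOS / IOS-XE running config.
Added example, not from the thread; SAMPLE_CONFIG is a constructed excerpt
modelled on the configuration posted above."""
import ipaddress
import re

SAMPLE_CONFIG = """\
ip routing
!
interface GigabitEthernet1/0/46
 no switchport
 ip address 165.211.28.194 255.255.255.192
 ip nat outside
!
interface Vlan2
 ip address 192.168.122.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 61 interface GigabitEthernet1/0/46 overload
ip route 0.0.0.0 0.0.0.0 165.211.28.193
!
access-list 61 permit 192.168.122.0 0.0.0.255
"""

def parse_interfaces(config):
    """{name: {"network": IPv4Network or None, "nat": "inside"/"outside"/None}}"""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"network": None, "nat": None}
        elif current and line.startswith(" "):  # indented = stanza sub-command
            cmd = line.strip()
            m = re.fullmatch(r"ip address (\S+) (\S+)", cmd)
            if m:
                interfaces[current]["network"] = ipaddress.ip_interface(
                    f"{m.group(1)}/{m.group(2)}").network
            elif cmd in ("ip nat inside", "ip nat outside"):
                interfaces[current]["nat"] = cmd.split()[-1]
        else:
            current = None  # any top-level line ("!" or a command) ends the stanza
    return interfaces

def parse_acls(config):
    """{acl_id: [IPv4Network, ...]} from permit entries of numbered standard ACLs."""
    acls = {}
    for m in re.finditer(r"^access-list (\d+) permit (.+)$", config, re.M):
        words = m.group(2).split()
        if words[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif words[0] == "host":
            net = ipaddress.ip_network(f"{words[1]}/32")
        elif len(words) > 1 and re.fullmatch(r"[\d.]+", words[1]):
            # IOS wildcard = hostmask, which ipaddress accepts; the all-zero (host) and
            # all-ones (any) masks it reads backwards. Non-contiguous wildcards raise ValueError.
            addr, wc = words[0], words[1]
            net = (ipaddress.ip_network(f"{addr}/32") if wc == "0.0.0.0" else
                   ipaddress.ip_network("0.0.0.0/0") if wc == "255.255.255.255" else
                   ipaddress.ip_network(f"{addr}/{wc}", strict=False))
        else:  # bare address (optionally followed by 'log') means a single host
            net = ipaddress.ip_network(f"{words[0]}/32")
        acls.setdefault(m.group(1), []).append(net)
    return acls

def check_nat_config(config):
    """Return [(check_name, passed, detail), ...] for the NAT prerequisites."""
    interfaces, acls, results = parse_interfaces(config), parse_acls(config), []
    inside = [n for n, i in interfaces.items() if i["nat"] == "inside"]
    outside = [n for n, i in interfaces.items() if i["nat"] == "outside"]
    results.append(("ip routing enabled", bool(re.search(r"^ip routing\s*$", config, re.M)),
                    "without it the switch never forwards between inside and outside"))
    results.append(("inside interface marked", bool(inside), ", ".join(inside) or "none"))
    results.append(("outside interface marked", bool(outside), ", ".join(outside) or "none"))
    results.append(("default route present",
                    bool(re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M)),
                    "translated traffic needs a next hop toward the outside"))
    m = re.search(r"^ip nat inside source list (\S+) interface (\S+)( overload)?", config, re.M)
    if not m:
        results.append(("nat rule present", False, "no 'ip nat inside source list' line"))
        return results
    acl_id, egress, overload = m.group(1), m.group(2), bool(m.group(3))
    results.append(("nat rule present", True, f"list {acl_id} -> {egress}, overload={overload}"))
    results.append(("nat egress interface is 'ip nat outside'",
                    interfaces.get(egress, {}).get("nat") == "outside", egress))
    results.append(("nat ACL exists", acl_id in acls, f"access-list {acl_id}"))
    # Hosts in an inside subnet the ACL does not permit are simply never translated.
    for name in inside:
        net = interfaces[name]["network"]
        covered = net is not None and any(net.subnet_of(p) for p in acls.get(acl_id, []))
        results.append((f"inside subnet of {name} matched by ACL {acl_id}", covered, str(net)))
    return results

def failed_checks(config):
    """Names of the checks that did not pass; an empty list means consistent."""
    return [name for name, ok, _ in check_nat_config(config) if not ok]

if __name__ == "__main__":
    for name, ok, detail in check_nat_config(SAMPLE_CONFIG):
        print(f"[{'OK ' if ok else 'BAD'}] {name}: {detail}")
```

Run against the posted configuration every check passes, which is the point: the symptom here is not a missing stanza, so the remaining suspects are the host side, the upstream return path, or the platform itself. Remove the `access-list 61` line and the script flags both the missing ACL and the now-uncovered Vlan2 subnet, the failure mode that most often produces exactly "switch can ping out, hosts cannot".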

10 REPLIES

Can you post results of the following:

#show ip route - On the switch

tracert -d 8.8.8.8 - On a host

New Member

Switch#show ip route  
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 165.211.28.193 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 165.211.28.193
      192.168.122.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.122.0/24 is directly connected, Vlan2
L        192.168.122.1/32 is directly connected, Vlan2
      165.211.28.0/24 is variably subnetted, 2 subnets, 2 masks
C        165.211.28.192/26 is directly connected, GigabitEthernet1/0/46
L        165.211.28.194/32 is directly connected, GigabitEthernet1/0/46

--------------

traceroute -n 8.8.8.8 (I am on a mac)
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  192.168.122.1  2.546 ms  3.291 ms  2.104 ms
 2  * * *
 3  * * *
 4  *

New Member

Did you get this fixed? I'm having the exact same problem..

Thanks!

Hall of Fame Super Blue

Are you sure NAT is supported

edited

New Member

I didn't manage to fix this. After digging into the documentation I found no sign about NAT support on the 3560 switch. I ended up using a router

NAT is not supported on any Catalyst switches except some very high end switches (and even then, the NAT support on those is limited).

If it works at all it will be process switched (not in hardware), which will result in high CPU under any sort of load. TAC will insist you remove it as these devices were not designed to do this function.

You really need a router to do NAT.  It's not a function of switching and has never been supported on these platforms, even if the CLI commands appear to exist.

New Member

Hello kmerentitis

Your configuration is looking correct. I have tested the same topology and it's working. You have to check the IP address and default gateway on the host connected in Vlan 2.

Regards,
Mukesh Kumar
Network Engineer
Spooster IT Services

New Member

Thank you both for your help.

The IP configuration should be correct, as it was retrieved from the DHCP server running on the switch.

I post the ip configuration from my (dhcp) client:

ip addr: 192.168.122.2

subnet mask: 255.255.255.0

router: 192.168.122.1

Hello

1) Can you confirm the public addressing is supposed to be static and is the subnet mask correct?
2) Ip routing enabled?
3) sdm template being used? - sh sdm prefer

res
Paul
Please don't forget to rate any posts that have been helpful. Thanks.
New Member

Hello Paul, 

1) Yes, the public addressing is correct. Our gateway is 165.211.28.193/26 and my public is set up as 165.211.28.194/26.

2) Ip routing is enabled on the switch as you can see on my configuration

3) Switch#sh sdm prefer
Showing SDM Template Info

This is the Advanced (low scale) template.
  Number of VLANs:                                 4094
  Unicast MAC addresses:                           32768
  Overflow Unicast MAC addresses:                  512
  IGMP and Multicast groups:                       4096
  Overflow IGMP and Multicast groups:              512
  Directly connected routes:                       16384
  Indirect routes:                                 7680
  Security Access Control Entries:                 1536
  QoS Access Control Entries:                      3072
  Policy Based Routing ACEs:                       1024
  Netflow ACEs:                                    768
  Wireless Input Microflow policer ACEs:           256
  Wireless Output Microflow policer ACEs:          256
  Flow SPAN ACEs:                                  512
  Tunnels:                                         256
  Control Plane Entries:                           512
  Input Netflow flows:                             8192
  Output Netflow flows:                            16384
  SGT/DGT entries:                                 4096
  SGT/DGT Overflow entries:                        512
These numbers are typical for L2 and IPv4 features.
Some features such as IPv6, use up double the entry size;
so only half as many entries can be created.
