So, I am trying to set up NAT on our new 3650 switch running IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.06.00E RELEASE SOFTWARE.
This simple setup involves a layer 3 port (1/0/46) to our gateway and a Vlan for NAT.
My hosts on my NAT Vlan (Vlan 2) do not seem able to ping anywhere other than the switch itself (all its interfaces) and their local subnet. Pings from the switch to the outside are fine (NAT debug enabled):
Switch#ping 18.104.22.168 source 192.168.122.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.214.171.124, timeout is 2 seconds:
Packet sent with a source address of 192.168.122.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/66/70 ms
*Nov 10 14:27:04.145: NAT: ICMP id=1->1025
*Nov 10 14:27:04.145: NAT: s=192.168.122.1->126.96.36.199, d=188.8.131.52 
*Nov 10 14:27:04.210: NAT: ICMP id=1025->1
*Nov 10 14:27:04.210: NAT: s=184.108.40.206, d=220.127.116.11->192.168.122.1 
Running Config:
!
! Last configuration change at 13:51:06 UTC Mon Nov 10 2014
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot system switch all flash:packages.conf
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
!
no aaa new-model
switch 1 provision ws-c3650-48ps
!
ip routing
!
ip dhcp excluded-address 192.168.122.1
!
ip dhcp pool Pool14
 import all
 network 192.168.122.0 255.255.255.0
 dns-server 18.104.22.168
 default-router 192.168.122.1
 domain-name my.domain
crypto pki trustpoint TP-self-signed-1875358754
.....
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
 mode sso
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto
interface GigabitEthernet1/0/46
 description conf GW
 no switchport
 ip address 22.214.171.124 255.255.255.192
 ip nat outside
!
interface GigabitEthernet1/0/47
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 192.168.122.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 61 interface GigabitEthernet1/0/46 overload
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 126.96.36.199
!
access-list 61 permit 192.168.122.0 0.0.0.255
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
line vty 5 15
 login
!
wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
!
ap group default-group
end
I also tried using a Vlan (+nat outside) instead of the Layer 3 port (1/0/46), with the same results.
Switch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 188.8.131.52 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 184.108.40.206
192.168.122.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.122.0/24 is directly connected, Vlan2
L 192.168.122.1/32 is directly connected, Vlan2
220.127.116.11/24 is variably subnetted, 2 subnets, 2 masks
C 18.104.22.168/26 is directly connected, GigabitEthernet1/0/46
L 22.214.171.124/32 is directly connected, GigabitEthernet1/0/46
traceroute -n 126.96.36.199 (I am on a Mac)
traceroute to 188.8.131.52 (184.108.40.206), 64 hops max, 52 byte packets
1 192.168.122.1 2.546 ms 3.291 ms 2.104 ms
2 * * *
3 * * *
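The replies below argue about two separate things: whether the NAT configuration itself is consistent, and whether the platform will forward translated transit traffic at all. The first question is mechanical, so here is an added example (not from the thread or from any Cisco tool) that parses the NAT-relevant lines of the running config posted above and checks the points the replies raise: `ip routing` is on, a default route exists, the egress interface named in the `ip nat inside source` rule is actually `ip nat outside`, and the referenced standard ACL permits the subnet of every `ip nat inside` interface. The config text embedded below is a constructed, trimmed copy of the one in the post (addresses as written there); only standard-ACL source forms (`any`, `host X`, `X`, `X wildcard`) are understood, and the check says nothing about hardware support, which is the second question.

```python
import re
from ipaddress import IPv4Interface, IPv4Network

# Constructed copy of the NAT-relevant lines from the config in the post above.
RUNNING_CONFIG = """\
ip routing
!
interface GigabitEthernet1/0/46
 no switchport
 ip address 22.214.171.124 255.255.255.192
 ip nat outside
!
interface Vlan2
 ip address 192.168.122.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 61 interface GigabitEthernet1/0/46 overload
ip route 0.0.0.0 0.0.0.0 126.96.36.199
!
access-list 61 permit 192.168.122.0 0.0.0.255
"""

NAT_RULE = re.compile(r"^ip nat inside source list (\S+) interface (\S+)( overload)?$")
ACL_RULE = re.compile(r"^access-list (\S+) permit (\S+)(?: (\S+))?$")


def parse_config(text):
    """Split IOS config into {interface: [sub-commands]} and a list of global commands.
    Sub-commands are the space-indented lines under an 'interface' stanza; a '!' or
    any unindented line ends the stanza."""
    interfaces, global_lines, current = {}, [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            current = None
            global_lines.append(line.strip())
    return interfaces, global_lines


def acl_network(src, mask):
    """Standard-ACL source forms handled here (assumption: only these four)."""
    if src == "any":
        return IPv4Network("0.0.0.0/0")
    if src == "host":
        return IPv4Network(f"{mask}/32")
    if mask is None:          # bare address in a standard ACL means a single host
        return IPv4Network(f"{src}/32")
    return IPv4Network(f"{src}/{mask}")   # ipaddress accepts the wildcard (hostmask) form


def check_nat_config(text):
    """Return a list of findings; an empty list means the NAT pieces are consistent."""
    interfaces, globals_ = parse_config(text)
    findings = []
    if "ip routing" not in globals_:
        findings.append("'ip routing' is missing: no routing between the inside VLAN and the outside port")
    if not any(g.startswith("ip route 0.0.0.0 0.0.0.0 ") for g in globals_):
        findings.append("no default route: translated packets have no exit path")
    inside = {n: c for n, c in interfaces.items() if "ip nat inside" in c}
    outside = {n for n, c in interfaces.items() if "ip nat outside" in c}
    if not inside:
        findings.append("no interface is marked 'ip nat inside'")
    acl_nets = {}
    for g in globals_:
        m = ACL_RULE.match(g)
        if m:
            acl_nets.setdefault(m.group(1), []).append(acl_network(m.group(2), m.group(3)))
    rules = [m for m in (NAT_RULE.match(g) for g in globals_) if m]
    if not rules:
        findings.append("no 'ip nat inside source list ... interface ...' rule")
    for m in rules:
        acl, egress = m.group(1), m.group(2)
        if egress not in outside:
            findings.append(f"NAT rule sends traffic out {egress}, which is not 'ip nat outside'")
        if acl not in acl_nets:
            findings.append(f"access-list {acl} referenced by the NAT rule does not exist")
            continue
        for name, cmds in inside.items():
            tokens = next((c.split() for c in cmds if c.startswith("ip address ")), None)
            if tokens is None or len(tokens) != 4:   # no static address: cannot check
                findings.append(f"{name} is 'ip nat inside' but has no static IP address")
                continue
            subnet = IPv4Interface(f"{tokens[2]}/{tokens[3]}").network
            if not any(subnet.subnet_of(n) for n in acl_nets[acl]):
                findings.append(f"{name} subnet {subnet} is not permitted by access-list {acl};"
                                " its hosts would never be translated")
    return findings


if __name__ == "__main__":
    for f in check_nat_config(RUNNING_CONFIG) or ["NAT configuration is internally consistent"]:
        print(f)
```

On the thread's config the checker returns no findings, which is the same conclusion the reply below reaches by inspection; swap the ACL for a different subnet or drop `ip routing` and it names the exact gap. That is as far as static inspection can go: a clean result here still leaves the platform-support question open.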
I didn't manage to fix this. After digging into the documentation I found no sign of NAT support on the 3560 switch. I ended up using a router.
NAT is not supported on any Catalyst switches except some very high end switches (and even then, the NAT support on those is limited).
If it works at all it will be process switched (not in hardware), which will result in high CPU under any sort of load. TAC will insist you remove it, as these devices were not designed to do this function.
You really need a router to do NAT. It's not a function of switching and has never been supported on these platforms, even if the CLI commands appear to exist.
Your configuration looks correct. I have tested the same topology and it's working. You have to check the IP address and default gateway on the host connected to VLAN 2.
Spooster IT Services
Thank you both for your help.
The IP configuration should be correct, as it was retrieved from the DHCP server running on the switch.
Here is the IP configuration from my (DHCP) client:
ip addr: 192.168.122.2
subnet mask: 255.255.255.0
1) Yes, the public addressing is correct. Our gateway is 220.127.116.11/26 and my public address is set up as 18.104.22.168/26.
2) IP routing is enabled on the switch, as you can see in my configuration.
3) Switch#sh sdm prefer
Showing SDM Template Info
This is the Advanced (low scale) template.
Number of VLANs: 4094
Unicast MAC addresses: 32768
Overflow Unicast MAC addresses: 512
IGMP and Multicast groups: 4096
Overflow IGMP and Multicast groups: 512
Directly connected routes: 16384
Indirect routes: 7680
Security Access Control Entries: 1536
QoS Access Control Entries: 3072
Policy Based Routing ACEs: 1024
Netflow ACEs: 768
Wireless Input Microflow policer ACEs: 256
Wireless Output Microflow policer ACEs: 256
Flow SPAN ACEs: 512
Control Plane Entries: 512
Input Netflow flows: 8192
Output Netflow flows: 16384
SGT/DGT entries: 4096
SGT/DGT Overflow entries: 512
These numbers are typical for L2 and IPv4 features.
Some features such as IPv6, use up double the entry size;
so only half as many entries can be created.