Integrating ISR, FTD and Nexus

TheGoob (VIP)

Hello, so I am waiting to purchase CML but in the meantime curious about a possible scenario I want to implement. I am hoping the spacing and intentions come across, more so the spacing so the “hierarchy” makes sense, but we can work on that. 


TheGoob (VIP)

Hello. Alright so tonight I am going to implement my concept. For ease of process I dumbed it down to just 3 networks ISR to Nexus and not the other 3 ISR to FTD to Nexus. I wanna do it in baby steps. This is my concept and I am hoping when I get home I do this and it is correct.

 

Literary Topology

ISR
NAT (Dynamic)
    x.x.x.177 (WAN) 192.168.1.0 (LAN (Network))
    x.x.x.178 (WAN) 192.168.2.0 (LAN (Network))
    x.x.x.179 (WAN) 192.168.3.0 (LAN (Network))
ACL (Outbound Only for the 3 Networks)
    Would ACLs be on ISR or Nexus?
STATIC ROUTES (ISR to route to Networks)
   192.168.1.0 255.255.255.0 192.168.11.2
   192.168.2.0 255.255.255.0 192.168.11.2
   192.168.3.0 255.255.255.0 192.168.11.2
ROUTE INTERFACE (To GE 1/1 on Nexus)
    GE 1/1 192.168.1.1 255.255.255.0

NEXUS
DHCP SERVERS (through ‘guestshell’)
    192.168.1.0, 192.168.1.2 - 192.168.1.128
    192.168.2.0, 192.168.2.2 - 192.168.2.128
    192.168.3.0, 192.168.3.2 - 192.168.3.128
VLANS (3)
    1,2,3
VLAN INTERFACES
    vlan 1  192.168.1.1
    vlan 2 192.169.2.1
    vlan 3 192.168.3.1
STATIC ROUTE (Nexus back to ISR)
     0.0.0.0 0.0.0.0 192.168.11.1
ROUTE INTERFACE (To GE 1/1 on ISR)
     GE 1/1 192.168.11.2 255.255.255.0
NAT (Done on ISR)
ACL (These are done on ISR, or on Nexus?)

TheGoob (VIP)

Well that was short lived. Seems the C1111 ISR has:

2 L3
   1 WAN
   1 Management

8 L2
   All L2, can't be changed.

So, my idea was to have 2 Interfaces in L3 for routing purposes. 1 to Nexus for vlan 1-3 and 1 to FPR for vlan 4 - 6.

Stinks, all this back and forth and I can’t even do it due to physical limitations. 

That is correct.

You can use the L2 interfaces, assign them to different vlans and use the corresponding SVI for routing:

interface Gi 0/1/1
 switchport access vlan 10
interface Vlan 10
 ip address 192.168.50.1 255.255.255.0

Regards, LG
*** Please Rate All Helpful Responses ***

TheGoob (VIP)

Alright, so on my Nexus, all DHCP Servers are working. On ALL vlans on Nexus I can connect to the Internet. What seems to be happening is that all vlans are using the same WAN IP. But each of the [6] vlans should have its own WAN IP. So, not sure if ACL or NAT issue. I will post both ISR and Nexus. To explain basic... ISR has the 6 NAT [WAN to NETWORK], has 6 ACLs allowing "network out", ALL Networks have a static route from ISR to NEXUS using 192.168.8.2 (ip on Nexus 1/1) which is part of vlan 1 on ISR. I usually would route on an independent interface NOT associated to a vlan (I am assuming because I am using a vlan 1 ip from ISR, it is using that as its WAN IP too). Like, if vlan1 on ISR is x.x.x.182, I assume any vlan on Nexus will still use its [ISR] vlan 1 WAN IP regardless of any NAT?

Yeah, anyway, all vlans connect, but all are using the same WAN IP but each vlan should have its own.

 

ISR

Current configuration : 9032 bytes
!
! Last configuration change at 16:36:16 UTC Sat Feb 10 2024
!
version 17.9
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname HoM
!
boot-start-marker
boot system flash:c1100-universalk9.17.09.04a.SPA.bin
boot-end-marker
!
!
no aaa new-model
!
!
!
!
!
!
!
ip name-server 205.171.3.65 205.171.2.65
!
ip dhcp pool LAN
 network 192.168.8.0 255.255.255.0
 default-router 192.168.8.1
 dns-server 8.8.8.8
 lease infinite
!
!
!
no ip igmp snooping
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
vtp domain ''
vtp mode transparent
vtp version 1
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-4284067838
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4284067838
 revocation-check none
 rsakeypair TP-self-signed-4284067838
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-4284067838
 certificate self-signed 01
  30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34323834 30363738 3338301E 170D3234 30323037 30303033
  34305A17 0D333430 32303630 30303334 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32383430
  36373833 38308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
  0A028201 0100CF63 E76384AF 6078E295 B087349B E465A89A B84A8E90 D13E52C5
  CB28BEF5 39387B19 1036EE98 89053B3D D42D6EB3 C5F305ED 9B2FD78A C699EA02
  3FE0C2F1 23F4A538 6278551D 3717D703 13024BB1 3D9BD85F 18310A3C 83F38191
  EA11D0D6 E35C16E7 F21E507D 2A94276A 8310E595 C88EB804 05166E4A 251A654B
  82A77BF3 D6AE009A 57B0783A 90D525D3 F6DA5080 7A05528B 1C4455C3 EFFFFBBD
  55859475 D26FCD7C 04F305EB 19733ED2 3FABFF22 5549BD82 2FFF0C8E BD81F2F8
  13615860 BB6EB874 FBBBD392 C0F3EAB8 8CF66214 34354F70 69A52D4F 922DE35E
  8964E54D C946A7E6 142E9C41 0458E6C3 FD6A8FCA A0EBE66B 87FFD40F 06DA3EC0
  CC4B739F BC410203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF
  301F0603 551D2304 18301680 14D5EFD5 A40B0A02 5F830483 14D21A7C A9759BDD
  04301D06 03551D0E 04160414 D5EFD5A4 0B0A025F 83048314 D21A7CA9 759BDD04
  300D0609 2A864886 F70D0101 05050003 82010100 036BBEA4 BDEDE57A 0FD35041
  B30A2394 B79A8A01 2C87EBD4 D9A80DB7 E571FDD7 4275FDA1 55278B72 EF3236AC
  2FC6CDB5 22E67299 6079B347 E8E8F454 48AC7032 312AAC4E 02D415DC DB4D5D91
  C5490AE2 F653B0C4 A32E6369 734DBF79 98263F72 5B5F534E 06AB0049 FAC1D563
  763CB160 74093ACF 549423BB 0F5B5A6B 2B3C0802 E7C83861 ACE6E040 24A3D259
  55BCA7EC F446157C 6A6B270C EB91874B 41A4A2E9 F5C9A5AF 39E34112 EEBFB1C7
  BE0A215B 4586E7ED 20496190 A93FE5E1 63EFA300 B74DED30 E159573C B429A790
  9A2E9F1C E1A2A852 C9DC74C6 935D878A 7785C339 EEA6D219 172B13EE DB79986E
  C98E60B6 7899E8BA 3191ABE3 ED52432E 264B0F12
        quit
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
  32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
  6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
  3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
  43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
  526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
  82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
  CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
  1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
  4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
  7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
  68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
  C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
  C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
  DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
  06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
  4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
  03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
  604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
  D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
  467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
  7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
  5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
  80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
  418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
  D697DF7F 28
        quit
!
!
no license feature hseck9
license udi pid C1111-8PLTEEAWB sn FGL223493AJ
memory free low-watermark processor 71826
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
enable secret 9 $9$b/g5KPM9Y12dQU$crUmYT6b1Kd47wyvwsA8UgtHlwfVZ6GW21mtMTDrrG6
enable password [pass]
!
username admin privilege 15 password 0 [pass]
!
redundancy
 mode none
!
!
!
!
controller Cellular 0/2/0
!
!
vlan internal allocation policy ascending
!
vlan 94
 name JED_MOBILE
!
vlan 95
 name JED_AV
!
vlan 96
 name SPARE
!
vlan 97
 name JEDPRINTERGUEST
!
vlan 98
 name JEDUSERWIFI
!
vlan 99
 name JEDUSERVOICE
!
vlan 100
 name JEDUSERDATA
!
vlan 200
 name JEDSECURITYBMS
!
vlan 300
 name NATIVE_UNUSED
!
vlan 330
 name JEDGUESTWIFI
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 description WAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1460
 ip nat outside
 ip tcp adjust-mss 1412
 negotiation auto
 no cdp enable
 pppoe enable group global
 pppoe-client dial-pool-number 1
 spanning-tree portfast disable
!
interface GigabitEthernet0/0/1
 ip address 10.0.1.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/1/0
 spanning-tree portfast disable
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Wlan-GigabitEthernet0/1/8
!
interface Cellular0/2/0
 no ip address
 shutdown
!
interface Cellular0/2/1
 no ip address
 shutdown
!
interface Vlan1
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 mtu 1492
 ip address negotiated
 no ip redirects
 ip mtu 1460
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1412
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp mtu adaptive
 ppp authentication chap pap callin
 ppp chap hostname [user]
 ppp chap password 0 [pass]
 ppp pap sent-username [user] password 0 [pass]
 ppp ipcp dns request
 ppp ipcp route default
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip nat inside source static network 192.168.4.0 207.108.121.174 /32
ip nat inside source static network 192.168.6.0 207.108.121.177 /32
ip nat inside source static network 192.168.3.0 207.108.121.179 /32
ip nat inside source static network 192.168.1.0 207.108.121.180 /32
ip nat inside source static network 192.168.2.0 207.108.121.181 /32
ip nat inside source static network 192.168.5.0 207.108.121.182 /32
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source route-map track-primary-if interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 192.168.8.2
ip route 192.168.2.0 255.255.255.0 192.168.8.3
ip route 192.168.3.0 255.255.255.0 192.168.8.3
ip route 192.168.4.0 255.255.255.0 192.168.8.3
ip route 192.168.5.0 255.255.255.0 192.168.8.2
ip route 192.168.6.0 255.255.255.0 192.168.8.3
!
!
!
ip access-list standard 1
 10 permit 192.168.8.0 0.0.0.255
 11 permit 192.168.2.0 0.0.0.255
 12 permit 192.168.1.0 0.0.0.255
 13 permit 192.168.3.0 0.0.0.255
 14 permit 192.168.4.0 0.0.0.255
 15 permit 192.168.5.0 0.0.0.255
 16 permit 192.168.6.0 0.0.0.255
dialer-list 1 protocol ip permit
!
route-map track-primary-if permit 1
 match ip address 197
 set interface Dialer1
!
snmp-server community public RO
!
!
control-plane
!
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 password [password]
 login
 transport input ssh
line vty 5 30
 login
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
!
!
!
!
!
end
NEXUS

!Command: show running-config
!No configuration change since last restart
!Time: Sat Feb 10 16:39:58 2024

version 9.3(10) Bios:version 07.69
switchname NexusHOM
vdc NexusHOM id 1
  limit-resource vlan minimum 16 maximum 4094
  limit-resource vrf minimum 2 maximum 4096
  limit-resource port-channel minimum 0 maximum 256
  limit-resource u4route-mem minimum 248 maximum 248
  limit-resource u6route-mem minimum 96 maximum 96
  limit-resource m4route-mem minimum 58 maximum 58
  limit-resource m6route-mem minimum 8 maximum 8

feature telnet
feature interface-vlan
feature dhcp

no password strength-check
username admin password 5 $5$IMMKLC$CupMwUYLPCuvsts8FDGOoTLNHoAISOcbD1.lqjo1NM5
 role network-admin
ip domain-lookup
copp profile strict
snmp-server user admin network-admin auth md5 215172AA8DF3EA6F144B141758F765262098 priv 043E7EB18BE4DB7B055E164057F66E217A95 localizedV2key

ip route 0.0.0.0/0 192.168.8.1
vlan 1-6

service dhcp
ip dhcp relay
ipv6 dhcp relay
vrf context management


interface Vlan1
  no shutdown
  ip address 192.168.5.1/24
  ip dhcp relay address 192.168.5.1

interface Vlan2
  no shutdown
  ip address 192.168.1.1/24
  ip dhcp relay address 192.168.1.1

interface Vlan3
  no shutdown
  ip address 192.168.2.1/24
  ip dhcp relay address 192.168.2.1

interface Vlan4
  no shutdown
  ip address 192.168.3.1/24
  ip dhcp relay address 192.168.3.1

interface Vlan5
  no shutdown
  ip address 192.168.4.1/24
  ip dhcp relay address 192.168.4.1

interface Vlan6
  no shutdown
  ip address 192.168.6.1/24
  ip dhcp relay address 192.168.6.1

interface Ethernet1/1
  no switchport
  ip address 192.168.8.2/24
  no shutdown

interface Ethernet1/2
  spanning-tree port type normal

interface Ethernet1/3
  spanning-tree port type normal

interface Ethernet1/4
  spanning-tree port type normal

interface Ethernet1/5
  spanning-tree port type normal

interface Ethernet1/6
  spanning-tree port type normal

interface Ethernet1/7
  spanning-tree port type normal

interface Ethernet1/8
  spanning-tree port type normal

interface Ethernet1/9
  spanning-tree port type normal

interface Ethernet1/10
  spanning-tree port type normal

interface Ethernet1/11
  switchport access vlan 2
  spanning-tree port type normal

interface Ethernet1/12
  switchport access vlan 2
  spanning-tree port type normal

interface Ethernet1/13
  switchport access vlan 2
  spanning-tree port type normal

interface Ethernet1/14
  switchport access vlan 2
  spanning-tree port type normal

interface Ethernet1/15
  switchport access vlan 2
  spanning-tree port type normal

interface Ethernet1/16
  switchport access vlan 2
  spanning-tree port type normal

interface Ethernet1/17
  switchport access vlan 2
  spanning-tree port type normal

interface Ethernet1/18
  switchport access vlan 2
  spanning-tree port type normal

interface Ethernet1/19
  switchport access vlan 2
  spanning-tree port type normal

interface Ethernet1/20
  switchport access vlan 2
  spanning-tree port type normal

interface Ethernet1/21
  switchport access vlan 3
  spanning-tree port type normal

interface Ethernet1/22
  switchport access vlan 3
  spanning-tree port type normal

interface Ethernet1/23
  switchport access vlan 3
  spanning-tree port type normal

interface Ethernet1/24
  switchport access vlan 3
  spanning-tree port type normal

interface Ethernet1/25
  switchport access vlan 3
  spanning-tree port type normal

interface Ethernet1/26
  switchport access vlan 3
  spanning-tree port type normal

interface Ethernet1/27
  switchport access vlan 3
  spanning-tree port type normal

interface Ethernet1/28
  switchport access vlan 3
  spanning-tree port type normal

interface Ethernet1/29
  switchport access vlan 3
  spanning-tree port type normal

interface Ethernet1/30
  switchport access vlan 3
  spanning-tree port type normal

interface Ethernet1/31
  switchport access vlan 4
  spanning-tree port type normal

interface Ethernet1/32
  switchport access vlan 4
  spanning-tree port type normal

interface Ethernet1/33
  switchport access vlan 4
  spanning-tree port type normal

interface Ethernet1/34
  switchport access vlan 4
  spanning-tree port type normal

interface Ethernet1/35
  switchport access vlan 4
  spanning-tree port type normal

interface Ethernet1/36
  switchport access vlan 4
  spanning-tree port type normal

interface Ethernet1/37
  switchport access vlan 4
  spanning-tree port type normal

interface Ethernet1/38
  switchport access vlan 4
  spanning-tree port type normal

interface Ethernet1/39
  switchport access vlan 4
  spanning-tree port type normal

interface Ethernet1/40
  switchport access vlan 4
  spanning-tree port type normal

interface Ethernet1/41
  switchport access vlan 5
  spanning-tree port type normal

interface Ethernet1/42
  switchport access vlan 5
  spanning-tree port type normal

interface Ethernet1/43
  switchport access vlan 5
  spanning-tree port type normal

interface Ethernet1/44
  switchport access vlan 5
  spanning-tree port type normal

interface Ethernet1/45
  switchport access vlan 5
  spanning-tree port type normal

interface Ethernet1/46
  switchport access vlan 5
  spanning-tree port type normal

interface Ethernet1/47
  switchport access vlan 5
  spanning-tree port type normal

interface Ethernet1/48
  switchport access vlan 5
  spanning-tree port type normal

interface Ethernet1/49
  no switchport
  ip address 192.168.12.2/24
  no shutdown

interface Ethernet1/50
  switchport access vlan 6
  spanning-tree port type normal

interface Ethernet1/51
  switchport access vlan 6
  spanning-tree port type normal

interface Ethernet1/52
  switchport access vlan 6
  spanning-tree port type normal

interface Ethernet1/53
  switchport access vlan 6
  spanning-tree port type normal

interface Ethernet1/54
  switchport access vlan 6
  spanning-tree port type normal

interface Ethernet1/55
  switchport access vlan 6
  spanning-tree port type normal

interface Ethernet1/56
  switchport access vlan 6
  spanning-tree port type normal

interface Ethernet1/57
  switchport access vlan 6
  spanning-tree port type normal

interface Ethernet1/58
  switchport access vlan 6
  spanning-tree port type normal

interface Ethernet1/59
  switchport access vlan 6
  spanning-tree port type normal

interface Ethernet1/60
  switchport access vlan 6
  spanning-tree port type normal

interface Ethernet1/61
  spanning-tree port type normal

interface Ethernet1/62
  spanning-tree port type normal

interface Ethernet1/63
  spanning-tree port type normal

interface Ethernet1/64
  spanning-tree port type normal


interface mgmt0
  vrf member management
  ip address 192.168.15.1/24
icam monitor scale

line console
line vty
boot nxos bootflash:/nxos.9.3.10.bin

Starting to think my NAT is wrong...Pic 1 shows NAT, but does not specify OUTSIDE Global IP. I tried doing a Dynamic NAT/PAT but it does not let me specify a global ip at all, so did the STATIC NAT [Network].

 

 

TheGoob (VIP)

Geeze, either apparently I am the only one who wants to do a STATIC WAN IP to LAN NETWORK, straight forward, or I suck at Googling.

I imagine that you would like to configure a combination of dynamic (for the users on the inside networks in order to access the Internet) and static NAT (for the servers you have on the inside networks). The difference between the two:

  • dynamic nat allows host on the inside to communicate with outside networks and only return traffic is allowed back for traffic initiated on the inside
  • static nat allows bidirectional traffic - outside to inside and inside to outside

You will have to decide which vlans on the inside need dynamic nat and what are the hosts that need static nat configured.

In your ISR configuration, you have dynamic nat configured with the following commands:

ip nat inside source list 1 interface Dialer1 overload
ip access-list standard 1
 10 permit 192.168.8.0 0.0.0.255
 11 permit 192.168.2.0 0.0.0.255
 12 permit 192.168.1.0 0.0.0.255
 13 permit 192.168.3.0 0.0.0.255
 14 permit 192.168.4.0 0.0.0.255
 15 permit 192.168.5.0 0.0.0.255
 16 permit 192.168.6.0 0.0.0.255
interface Vlan1
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 mtu 1492
 ip address negotiated
 no ip redirects
 ip mtu 1460
 ip nat outside

This translates to: all traffic matching access-list 1 will have its source IP translated to that of the Dialer1 interface. This applies to traffic in vlan 1 because only interface Vlan1 is assigned on the inside from the point of view of NAT. If you will want to configure dynamic NAT for other vlans, you will have to:

  • transport that vlan to the ISR
  • terminate it on an interface vlan
  • configure an IP address on it and assign it ip nat inside

You have another dynamic NAT configuration:

ip nat inside source route-map track-primary-if interface Dialer1 overload
route-map track-primary-if permit 1
 match ip address 197
 set interface Dialer1

This configuration doesn't do anything. It translates to: NAT the source IP address of every packet matched by route-map track-primary-if to the IP of the Dialer1 interface. The route-map references access-list 197 which does not exist in your configuration.

And another thing - remove ip nat outside from interface GigabitEthernet 0/0/0. This interface doesn't have an IP address and for that reason it doesn't participate in NAT.

With static NAT, the configuration differs depending on whether you want to translate

  • a single inside IP to an outside IP
  • many inside IP's to an outside IP

Please specify what exactly you want to translate (inside IP) to what external IP.

The commands you have configured:

ip nat inside source static network 192.168.4.0 207.108.121.174 /32
ip nat inside source static network 192.168.6.0 207.108.121.177 /32
ip nat inside source static network 192.168.3.0 207.108.121.179 /32
ip nat inside source static network 192.168.1.0 207.108.121.180 /32
ip nat inside source static network 192.168.2.0 207.108.121.181 /32
ip nat inside source static network 192.168.5.0 207.108.121.182 /32

do not do static NAT in the way I imagine you want.

Regards, LG
*** Please Rate All Helpful Responses ***

Hello.

In my defense I think what we have now is hours of hair pulling combinations that look chaotic.

Until I get into specific NAT's for outside-to-inside access for like email servers etc, for now I literally want whole networks to be associated to a WAN IP.

Like, I want

192.168.1.0 to have 207.208.121.177

192.168.2.0 to have 207.108.121.178

And so on.

I want ANYONE who connects to vlan 2 [192.168.2.0] to have 207.108.121.178 as their WAN IP. I am sensing this isn't generally the rule, and it is more specific to ports, but really for now I wanted whole networks to associate. I did have that on the FPR but apparently NAT is different there. Or maybe I just got lucky.

 

ALSO, if it makes a difference, I changed 0/0/1 from Management to an L3 link from ISR to Nexus  for Routing, which uses 192.168.8.1 (192.168.8.2 on Nexus). The ISR vlan 1 (now 192.168.9.0) is only active on the ISR and for nothing on the Nexus or anything else. So everything on my Networks is done through 192.168.8.1 (not on Any vlan). 

TheGoob (VIP)

My whole point of having the NEXUS be the DHCP Server/ “Owner” of vlans is because each Interface is 10G. This is why I’d prefer not to have the ISR be the vlan initiator or DHCP Server, because everything Nexus 10G will route back through ISR 1G Interfaces. This was why I do not have any vlans on the ISR (that are part of the Nexus 6 vlans I want) and also am using Management Interface 0/0/1 as the Link/ Route TO the Nexus from the ISR. Also, 0/0/1 is not part of any vlan. Clearly my way of wanting things done is too simple, therefore not possible. 
I feel my only options would be to create vlan 1-7 on ISR, Configure 6 DHCP Servers on ISR but use Code 3 so that it uses the Nexus vlan Interface IPS and routing stays on Nexus? 
Yeah, I know, I clearly want unconventional. And truly am open to change. If my way simply isn’t realistic, sure, I can choose 1 IP from each Network to do NAT to instead of whole Networks if it isn’t realistic. 

I guess my question on this would be: If I run the DHCP Server on the ISR, let's say vlan 1 Interface IP 192.168.1.2 with a pool of 193.168.1.3 - 192.168.1.254 and then default-router to be 192.168.1.1 (which would be vlan 1 Interface on Nexus), would anything on Nexus (vlan1) now grab a DHCP address with default-gateway of 192.168.1.1 [along with each other vlan on Nexus doing the same with their comparable configuration] and then everything stays ROUTING at 10G via Nexus?

I assume I would now need to have 6 Ethernet cables from ISR to NEXUS, unless I can do a Trunk.

TheGoob (VIP)

I think I am losing my mind. I am trying different things, this time gonna TRUNK vlan 1-6 on GE 1/7 to Nexus..

!
ip name-server 205.171.3.65 205.171.2.65
ip dhcp excluded-address 192.168.1.0 192.168.1.2
ip dhcp excluded-address 192.168.2.0 192.168.2.2
ip dhcp excluded-address 192.168.3.0 192.168.3.2
ip dhcp excluded-address 192.168.4.0 192.168.4.2
ip dhcp excluded-address 192.168.6.0 192.168.6.2
ip dhcp excluded-address 192.168.5.0 192.168.5.2
!
ip dhcp pool LAN
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 dns-server 8.8.8.8
 lease infinite
!
ip dhcp pool fbeye
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8
 lease infinite
!
ip dhcp pool fhc
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 8.8.8.8
 lease infinite
!
ip dhcp pool ceyea
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 dns-server 8.8.8.8
 lease infinite
!
ip dhcp pool proxmox
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.1
 dns-server 8.8.8.8
 lease infinite
!
ip dhcp pool 177
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.1
 dns-server 8.8.8.8
 lease infinite
!
vlan internal allocation policy ascending
!
vlan 2-6
!
!
interface GigabitEthernet0/0/0
 description WAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1460
 ip tcp adjust-mss 1412
 negotiation auto
 no cdp enable
 pppoe enable group global
 pppoe-client dial-pool-number 1
 spanning-tree portfast disable
!
interface GigabitEthernet0/0/1
 ip address 192.168.8.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/1/0
 spanning-tree portfast disable
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
 switchport trunk allowed vlan 1-6
 switchport mode trunk
 spanning-tree portfast trunk
!
interface Vlan1
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
!
interface Vlan2
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
!
interface Vlan3
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
!
interface Vlan4
 ip address 192.168.3.2 255.255.255.0
 ip nat inside
!
interface Vlan5
 ip address 192.168.4.2 255.255.255.0
 ip nat inside
!
interface Vlan6
 ip address 192.168.6.2 255.255.255.0
 ip nat inside
!
interface Dialer1
 mtu 1492
 ip address negotiated
 no ip redirects
 ip mtu 1460
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1412
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp mtu adaptive
 ppp authentication chap pap callin
 ppp chap hostname [user]
 ppp chap password 0 [pass]
 ppp pap sent-username [user] password 0 [pass]
 ppp ipcp dns request
 ppp ipcp route default
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip nat pool fbeye 192.168.1.3 192.168.1.254 prefix-length 24
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 180 pool fbeye
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
ip access-list standard 1
 10 permit 192.168.8.0 0.0.0.255
 11 permit 192.168.2.0 0.0.0.255
 13 permit 192.168.3.0 0.0.0.255
 14 permit 192.168.4.0 0.0.0.255
 15 permit 192.168.5.0 0.0.0.255
 16 permit 192.168.6.0 0.0.0.255
ip access-list extended 180
 10 permit ip 192.168.1.0 0.0.0.255 host 207.108.121.180
dialer-list 1 protocol ip permit
!

TheGoob (VIP)

Mental Note

 

Dynamic NAT ??

 

access-list 1 permit 192.168.1.0 0.0.0.255

      This is “permission” for this Network?

ip nat pool WAN x.x.x.177 x.x.x.182

      This is my Pool of Static WAN IP’s?

ip nat inside source list 1 pool WAN

       Associating inside with WAN Pool?

interface gigabit 0/1/7

       ip nat inside

Interface gigabit

       ip nat outside

 

 

I am using dialer 1 for PPPoE; Would this be my "outside" instead of gigabit 0/0/0?

Also, 0/1/7 is a TRUNK for all 6 vlans on ISR towards Nexus. Would 0/1/7 be “inside” or are each vlans the inside?

Also, if this is correct, how does the specific WAN ip get specified? It creates a pool, but I want a 1:1 dynamic nat. Or whatever of the so many NATS would be SUBNET to STATIC WAN IP.

In this POOL, how does inside vlan 1 192.168.1.0 associate with x.x.x.177.

This is the closest I can come up with and not sure.


@TheGoob wrote:

Mental Note

access-list 1 permit 192.168.1.0 0.0.0.255

      This is “permission” for this Network?

ip nat pool WAN x.x.x.177 x.x.x.182

      This is my Pool of Static WAN IP’s?

ip nat inside source list 1 pool WAN

       Associating inside with WAN Pool?

interface gigabit 0/1/7

       ip nat inside

Interface gigabit

       ip nat outside

interface gi0/1/7 is L2, you cannot have ip nat inside configured on it

 

I am using dialer 1 for PPPoE; Would this be my "outside" instead of gigabit 0/0/0?

Yes, dialer 1 interface is the "nat outside".

Also, 0/1/7 is a TRUNK for all 6 vlans on ISR towards Nexus. Would 0/1/7 be “inside” or are each vlans the inside?

Each interface vlan will have configured ip nat inside

Also, if this is correct, how does the specific WAN ip get specified? It creates a pool, but I want a 1:1 dynamic nat. Or whatever of the so many NATS would be SUBNET to STATIC WAN IP.

In this POOL, how does inside vlan 1 192.168.1.0 associate with x.x.x.177.

This is the closest I can come up with and not sure.


You will have:

ip nat pool WAN-1 x.x.x.177 x.x.x.177

ip nat inside source list 1 pool WAN-1 overload

access-list 1 permit 192.168.1.0 0.0.0.255

repeat for the other vlans that you want translated in other pools associated with the other WAN IP's.

Regards, LG
*** Please Rate All Helpful Responses ***
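The per-network NAT that LG describes in the two answers above (remove the rules that matched everything, then one single-address pool per VLAN with its own access list and "overload"), assembled into one ISR-side configuration as an added example that is not part of the thread or either poster's own config. It assumes documentation-range placeholders 203.0.113.177-182 (a /29) in place of the real x.x.x.177-182 public addresses, that VLAN n carries 192.168.n.0/24 with the ISR SVI as that VLAN's gateway (simplified from TheGoob's numbering for readability), and the interface names from the configs posted above.

```cisco
! Added example, not the thread's own configuration: ISR-side NAT that gives
! each inside /24 its own public address, built from LG's one-IP-pool pattern.
! ASSUMPTIONS: 203.0.113.177-182 (/29) are documentation-range placeholders for
! the real x.x.x.177-182; VLAN n carries 192.168.n.0/24 with the ISR SVI as
! gateway; Dialer1 is the PPPoE uplink; Gi0/1/7 trunks the VLANs to the Nexus.
!
! 1. Remove the rules that did nothing or the wrong thing (per LG's review).
no ip nat inside source route-map track-primary-if interface Dialer1 overload
!   (remove the six "ip nat inside source static network ..." lines the same way)
interface GigabitEthernet0/0/0
 no ip nat outside
!
! 2. One standard ACL per inside network, so exactly one dynamic rule can match
!    a given source. ACL 1 now covers only the ISR-to-Nexus link subnet.
no access-list 1
access-list 1 permit 192.168.8.0 0.0.0.255
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 12 permit 192.168.2.0 0.0.0.255
access-list 13 permit 192.168.3.0 0.0.0.255
access-list 14 permit 192.168.4.0 0.0.0.255
access-list 15 permit 192.168.5.0 0.0.0.255
access-list 16 permit 192.168.6.0 0.0.0.255
!
! 3. One pool per network. Start and end address are the same, so each pool
!    holds a single public IP; "overload" (PAT) lets every host in the VLAN share it.
ip nat pool WAN-1 203.0.113.177 203.0.113.177 prefix-length 29
ip nat pool WAN-2 203.0.113.178 203.0.113.178 prefix-length 29
ip nat pool WAN-3 203.0.113.179 203.0.113.179 prefix-length 29
ip nat pool WAN-4 203.0.113.180 203.0.113.180 prefix-length 29
ip nat pool WAN-5 203.0.113.181 203.0.113.181 prefix-length 29
ip nat pool WAN-6 203.0.113.182 203.0.113.182 prefix-length 29
ip nat inside source list 11 pool WAN-1 overload
ip nat inside source list 12 pool WAN-2 overload
ip nat inside source list 13 pool WAN-3 overload
ip nat inside source list 14 pool WAN-4 overload
ip nat inside source list 15 pool WAN-5 overload
ip nat inside source list 16 pool WAN-6 overload
! Only the link subnet still hides behind the Dialer1 address itself.
ip nat inside source list 1 interface Dialer1 overload
!
! 4. NAT boundary: every SVI is "inside", and only Dialer1 is "outside".
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
interface Vlan4
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
interface Vlan5
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
interface Vlan6
 ip address 192.168.6.1 255.255.255.0
 ip nat inside
interface Dialer1
 ip nat outside
!
! 5. Carry all six VLANs to the Nexus on one trunk instead of six cables.
interface GigabitEthernet0/1/7
 switchport mode trunk
 switchport trunk allowed vlan 1-6
!
! 6. Verify: a host in 192.168.1.0/24 browsing out should appear with
!    203.0.113.177 as its "Inside global" address, and the hit counters
!    in the statistics should grow on the matching pool only.
show ip nat translations | include 192.168.1.
show ip nat statistics
```

The point of step 2 is the one that bit the original config: as long as access-list 1 still permitted all six networks, the Dialer1 overload rule could match every VLAN and hand out the single negotiated address, which is exactly the "all vlans use the same WAN IP" symptom. Keeping each network in its own list, and its own pool, is what makes the translation deterministic; `show ip nat statistics` then shows which rule each VLAN's traffic actually hit.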

TheGoob (VIP)

Well I got everything to work now. What I did, after coding in what you had instructed, had worked. I tested it by assigning each interface on the ISR its own vlan. I plug into each interface and it grabs correct wan ip. So I am very pleased by this and you have been extremely patient and supportive. 
I just wish I were not so single minded linear. The NAT for example… I was so focused on 1 WAN ip to LAN NETWORK, I could not wrap my head around “pool” being isolated to 1 ip if I just told it one. Eh, my own worst enemy. I thank you very much. For this thread… I think we got it. My next phase will be to move 3 vlans to the FPR and then for all 6 vlans, incorporate the Nexus. 

Thank you so much. 

I'm glad I could help and that it worked out in the end.

Regards, LG
*** Please Rate All Helpful Responses ***

TheGoob (VIP)

Morning.. I did have some NEXUS connectivity questions should I ask here or make a more refined thread?

Evening,

Yes, I would close this long thread, rate what you found useful and move to another thread.

Regards, LG
*** Please Rate All Helpful Responses ***
