Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2490
Views
0
Helpful
2
Replies

NAT issue on Catalyst 9500 - IOS XE 16.9.1 (Fuji)

ALAN MURRAY
Level 1
Level 1

‎09-25-2018 08:53 PM - edited ‎03-03-2019 08:54 AM

Hi Folks,

A customer and I are trying to shoehorn a multi-tennanted network into devices which are obviously not intended for the purpose. They purchased a Catalyst 9500 switch for their layer 3 device because it does NAT. Unfortunately it doesn't do NAT + VRF. Next suggestion was to use policy-based routing but that doesn't work either as it appears the 9500 does not support PSB and NAT on the same interface <sigh>. 

OK so option three was to turn the configuration around and use NAT on the interfaces required and then use policy-based routing to provide a default route. All was going along nicely until this last little hurdle which has me stumped. From one of the subnets that requires NAT I can ping a webserver, see the hits on the NAT access list, see the translation and get a reply so:-

ping XXX.XXX.X27.X30 - translates to XXX.XXX.X26.1 and the reply comes in.

However when I try web traffic to the same address - no reply. Also there are no hits on the NAT access list and no translation.

If I web to another server (which BTW does not listen on port 80) I can:-

see the hits on the NAT access list and see the translation. Of course I do not get a reply.

So web to XXX.XXX.X26.X14 - translates to XXX.XXX.X26.1

We know the routing is correct because a tracert to both addresses follows the path that we want it to take. I should also point out the webserver is active as we have connected to it from another subnet.

Does anyone have any ideas as to what is happening here?

Thanks

Al

 

 

Labels:
0 Helpful
2 Replies 2

fbabashahi
Spotlight
Spotlight

‎11-14-2018 09:34 AM

Hi , please post your configuration
0 Helpful

ALAN MURRAY
Level 1
Level 1
In response to fbabashahi

‎11-14-2018 11:18 AM

Thanks for the reply. I've been through all this with TAC and it transpires that what we are trying to do is not supported on the Catalyst 9500. This means we had to re-design what the customer had come up with which is fine from my point of view as I believe the new solution is simpler. This will make it a lot easier for anyone coming into the organisation to understand the solution.

 

Alan

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card