William Benson

881W - NAT Without Using WAN port

Hey Gang,

I'm trying to set up my 881W with multiple VLANs to support guest access as well as access for wireless devices like smart phones etc.  I'm trying to make this uniform across all of our offices.  I have the VLANs, routing and NAT working fine at corporate but the equipment in the field is a little different.  At our corporate office we're using a 2811 and bonded Ts.  At this office we're using an 881W connected to a router which connects to a bonded pair.  We're not utilizing the WAN port on the 881W at all.  We're connecting over to the FastEthernet port on the ISP's router, via FastEthernet0 on the 881W.

Unless I miss my guess here, the 881W is not actually routing anything, it's basically just an expensive "switch" at this point.

I have set up my NAT pool, my overloaded NAT statement, and my access list to identify the traffic I want to NAT.  The problem I'm seeing is the ACLs for the NAT statements aren't getting any hits.  My guess is that even though my guest network sits on a 192.168 network and my internal network is a 10 net, since the router sees them as both directly connected on the FastEthernet side, it's just switching the traffic instead of routing.  Since the traffic is not going from an inside to outside interface I don't think I can get it to NAT.

I'm just drawing a blank on this one.  I just don't see how I can NAT traffic coming from the GuestVlan to a routable IP address.  I have to be able to translate the address to something my ISP will accept.

I'll beat my head on the wall a little more while I try and think of how this can be done, but I just can't see any way to get this traffic to basically NAT at the switch level of this device.

The VLANs are working fine, everything pings fine across the local network as it should.  If I can just get the 192.168 traffic to NAT to an overload 10.x.x.x address I'd be in business.

paolo bevilacqua
Hall of Fame Master

Do you have experience/certification with configuring VLANs and IOS in general?

If not, the best choice would be engaging a reputable consultant, or certified Cisco partner.

Yes I've been doing this for a while, but I've never tried to use one of these 881 appliances with the built-in switch.  It's kind of like a high-end Linksys router like what you would use for home networking.  The switch itself doesn't appear to support NAT on the switch, so you'll have to use the WAN interface to get any kind of NAT to work.  I asked a colleague who has a little more experience dealing with these appliances if he had ever encountered a situation like this.  He told me he did at one customer site.  He was actually working on their WAN services but noticed that the 881W they had on the wall actually had a short patch cable running out of the FastEthernet4 (WAN) port and back into the FastEthernet3 (switch) port.

He thought it looked kind of odd but it wasn't what he was there to work on so he didn't investigate it any further than to scratch his head, look at it, and say "Why?"

We figure they were probably trying to accomplish something similar to what I was running into and since the local switch on the 881W doesn't support NATing at the switch level, they were routing the packets out the WAN interface and right back into the switch again in order to get an ACL, NAT or some other layer 3 protocol to trigger.  It seems like a bit of a "rigged" method for getting that to work, but hey if it works, I'm not going to knock it.

I actually did a bit of digging around in the pile of dust encrusted equipment they had on the floor in the closet and I found an almost pristine conditioned 1800 series router.  I have been able to get it up and running and configured and I'm pretty sure I'm going to be able to accomplish what I need with this.  I have my VLANs configured and I can ping across all the VLANs successfully, and the NAT translations are grabbing when I ping out from the non-native VLANs.  So I feel pretty confident this will do the trick.  I like this plan a lot better than looping a 6-inch patch out the WAN interface of the 881 and back into the switch on the same 881.