887va VDSL2 with public static /29 net and 2 vlans

ilRobby
Level 1

Hi!

 

I've a working config that allows internet traffic through a firewall that is directly connected to the 887's fa3 (vlan2 - public ip).

 

Now I would like to connect a "guest" wireless network that has to bypass the firewall; I've connected the eth of the access point to fa0 (vlan 3), but I can't reach the internet from wireless clients...

 

My goal is NATting vlan3 clients with the IP of the router (vlan2), but, at the same time, the router must not apply NAT on the connections that start from the firewall.

 

Can anyone help me to achieve this configuration?

I've attached the running conf.


Many thanks,

Roberto

 

10 Replies

ilRobby
Level 1

Nobody? Because the question is stupid, or technically impossible on an ISR router?

Hello,

 

basically, NAT only applies to what you specify. So the below should work (changes marked in bold). However, since you have two public IP addresses on the outside, I am not sure that traffic from VLAN 3 gets routed properly, since you only have a default route out Dialer 1. 

 

Either way, if the below doesn't work for you, we need to implement two VRFs.

 

version 15.1
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname vRouter
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 10
clock timezone GMT 1 0
clock summer-time summertime recurring last Sun Mar 3:00 last Sun Oct 3:00
crypto pki token default removal timeout 0
!
ip source-route
!
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 600
!
ip cef
ip domain name acme.priv
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip multicast-routing
no ipv6 cef
no vlan accounting
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9
!
controller VDSL 0
operating mode vdsl2
!
ip tftp source-interface Vlan2
ip ssh time-out 30

ip ssh rsa keypair-name MY_KEYS
ip ssh logging events
ip ssh version 2
ip ssh stricthostkeycheck
!
interface Ethernet0
no ip address
!
interface Ethernet0.2
encapsulation dot1Q 2
pppoe-client dial-pool-number 1
!
interface ATM0
mtu 1492
no ip address
shutdown
no atm ilmi-keepalive
hold-queue 224 in
!
interface FastEthernet0
switchport access vlan 3
no ip address
!
interface FastEthernet1
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface Vlan1
no ip address
!
interface Vlan2
description vlan2 Lax_EXT (public)
ip address 83.xxx.xxx.249 255.255.255.248
ip nat outside
ip virtual-reassembly in
!
interface Vlan3
description LAN MNG
ip address 172.16.2.1 255.255.255.192
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
mtu 1492
ip address negotiated
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp chap hostname xxx
ppp chap password 7 xxxx
ppp pap sent-username xxxx
no cdp enable
!
no ip classless
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Vlan2 overload
!
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip route 83.xxx.xxx.250 255.255.255.255 83.xxx.xxx.254 permanent
ip route 83.xxx.xxx.251 255.255.255.255 83.xxx.xxx.254 permanent
!
access-list 1 permit 172.16.2.0 0.0.0.63
access-list 101 permit ip 83.211.183.248 0.0.0.7 any
access-list 102 permit ip 172.16.2.0 0.0.0.63 any
dialer-list 1 protocol ip permit
!
control-plane
!
banner login ^CC
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
login local
transport input ssh
!
end

Hi Georg,

thanks for your reply!

I've tried your suggestion but it is still not working!

From a Win10 wireless client I can't ping the vlan2 IP nor 8.8.8.8, but I can successfully ping vlan3.

If I start "debug icmp" I can see only the packets to vlan3


With no active (visible) connections from the wireless client (ssh session active, tcp 22), if I start "debug ip nat 1 detailed" the router shows a lot of these messages:

000494: May 12 19:32:14.514 summert: NAT - SYSTEM PORT for 83.211.183.249: allocated port 0, refcount 5971, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 5971, proto 6


If I start "debug ip tcp packet address 172.16.2.9" (wireless client) the router shows only the ssh connection to the vlan3 IP.

From the router I can successfully ping internet names/addresses.

I'm quite a noobie in routing/switching, I don't know VRF!

Can you help me please?

Bye,
Roberto

Hello,

 

post the configuration you currently have, I just want to check if you haven't missed something...;)

Hello,

 

looking at your original post again, I just want to make sure that I understand your physical setup:

 

Your router has a connection to the firewall on FastEthernet3 (VLAN2).

Your wireless clients are connected to FastEthernet0 (VLAN 3).

You have a separate direct link to the Internet through Ethernet0.2 (Dialer 0).

 

Maybe you can post a brief schematic drawing of your physical setup...

Hello Georg,

 

this is the running conf with your suggestions:

 

version 15.1
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname vRouter
!
boot-start-marker
boot-end-marker
!
!
enable password 7 012714144C0F565E73
!
no aaa new-model
!
memory-size iomem 10
clock timezone GMT 1 0
clock summer-time summertime recurring last Sun Mar 3:00 last Sun Oct 3:00
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 600
!
!
ip cef
ip domain name Mindless.priv
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip multicast-routing
no ipv6 cef
no vlan accounting
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn FCZ163292GS
!
!
username ************ secret ***********************
!
!
!
!
controller VDSL 0
 operating mode vdsl2
!
ip tftp source-interface Vlan2
ip ssh time-out 30
ip ssh rsa keypair-name SSH_MYKEYS
ip ssh logging events
ip ssh version 2
ip ssh stricthostkeycheck
!
!
!
!
!
!
!
interface Ethernet0
 no ip address
!
interface Ethernet0.2
 encapsulation dot1Q 2
 pppoe-client dial-pool-number 1
!
interface ATM0
 mtu 1492
 no ip address
 shutdown
 no atm ilmi-keepalive
 hold-queue 224 in
!
interface FastEthernet0
 switchport access vlan 3
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 switchport access vlan 2
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan2
 description vlan2 Lax_EXT (public)
 ip address 83.xxx.xxx.249 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
!
interface Vlan3
 description LAN MNG
 ip address 172.16.2.1 255.255.255.192
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 mtu 1492
 ip address negotiated
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp chap hostname ****************
 ppp chap password 7 *************
 ppp pap sent-username *******************
 no cdp enable
!
no ip classless
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Vlan2 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip route 83.xxx.xxx.250 255.255.255.255 83.xxx.xxx.254 permanent
ip route 83.xxx.xxx.251 255.255.255.255 83.xxx.xxx.254 permanent
!
!
access-list 1 permit 172.16.2.0 0.0.0.63
access-list 101 permit ip 83.211.183.248 0.0.0.7 any
access-list 102 permit ip 172.16.2.0 0.0.0.63 any
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
banner login ^CC

^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class vtyacl_SSH_Access in
 exec-timeout 0 0
 login local
 rotary 1
 transport input ssh
!

 

And in the attachment a small schema.

 

Tell me if something is unclear!

 

Thanks again,

Roberto

Hello,

 

this is from your original post:

 

My goal is NATting vlan3 clients with the IP of the router (vlan2), but, at the same time, the router must not apply NAT on the connections that start from the firewall...

 

Sorry for the confusion, I don't understand what you are asking. If you want wireless clients from VLAN 3 to get to the Internet, you need to change the NAT statement to:

 

ip nat inside source list 1 interface Dialer0 overload

 

VLAN 2 has a public IP address, what addresses do the clients in VLAN 2 have ?

I will try and reply to you in about 30'!

There's no client on vlan2; the firewall NATs everything with the 2 public IPs for which I did the static route to the logical IP of the cluster FW!

 

If I NAT on the dialer, will I also NAT the vlan2 connections with the router IP? I would not want this...

Sorry for the misunderstanding. I am lost. Which inside IP addresses is VLAN 2 supposed to NAT ? Put the IP source and destinations in your drawing as well, that might clear things up...

 

It works Georg!

I'm writing you from the wireless client!


I also had to add "ip nat outside" on di0.

Now the client has the public address of the di0.


All original LAN sources behind the firewalls are on class B 172.16, except "all" of 172.16.2.0/24; for each LAN, the firewall (the active node) is the default GW and, if the destination is the internet, the FW NATs the sources with one of the 2 static public addresses of the vlan2 subnet for which I did the static routes.
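As an added illustration (not code from the thread, from Cisco, or from the router itself), the following Python model walks through the NAT decision the replies converge on: inside-source NAT on IOS only fires when a packet enters an `ip nat inside` interface, leaves an `ip nat outside` interface and matches the ACL, so the original statement pointing at Vlan2 never translated traffic leaving Dialer0, and firewall traffic entering on Vlan2 stays untranslated even after the fix. The masked 83.xxx.xxx.248/29 prefix is replaced by the constructed documentation prefix 203.0.113.248/29; the client address 172.16.2.9 is the one from Roberto's debug output.

```python
import ipaddress

# Connected subnets from the posted config; the masked 83.xxx.xxx.248/29 is
# replaced by the documentation prefix 203.0.113.248/29 (constructed values).
SUBNETS = {
    "Vlan2": ipaddress.ip_network("203.0.113.248/29"),
    "Vlan3": ipaddress.ip_network("172.16.2.0/26"),
}
# Static routes from the config: default via Dialer0; the two firewall public
# IPs via the cluster address .254, which sits on the Vlan2 subnet.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "Dialer0"),
    (ipaddress.ip_network("203.0.113.250/32"), "Vlan2"),
    (ipaddress.ip_network("203.0.113.251/32"), "Vlan2"),
]
ACL1 = ipaddress.ip_network("172.16.2.0/26")  # access-list 1 permit 172.16.2.0 0.0.0.63
# NAT roles as first posted (Dialer0 unmarked) and after Roberto's fix.
ROLES_BEFORE = {"Vlan2": "outside", "Vlan3": "inside", "Dialer0": None}
ROLES_AFTER = {"Vlan2": "outside", "Vlan3": "inside", "Dialer0": "outside"}


def ingress(src):
    """Interface a packet with this source enters on (None: from the Internet)."""
    return next((name for name, net in SUBNETS.items() if src in net), None)


def egress(dst):
    """Longest-prefix match over ROUTES; returns the exit interface."""
    return max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)[1]


def nat_decision(src, dst, nat_if, roles):
    """Model 'ip nat inside source list 1 interface <nat_if> overload'.
    Inside-source NAT fires only when the packet enters an 'ip nat inside'
    interface, leaves an 'ip nat outside' interface and matches access-list 1.
    Returns the interface whose address becomes the new source, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_if, out_if = ingress(src), egress(dst)
    if in_if and roles[in_if] == "inside" and roles[out_if] == "outside" and src in ACL1:
        return nat_if
    return None


if __name__ == "__main__":
    # Wireless client (172.16.2.9 from the debug output) to the Internet
    print(nat_decision("172.16.2.9", "8.8.8.8", "Vlan2", ROLES_BEFORE))    # None
    print(nat_decision("172.16.2.9", "8.8.8.8", "Dialer0", ROLES_AFTER))   # Dialer0
    # Firewall traffic enters on Vlan2 (outside), so it is never translated
    print(nat_decision("203.0.113.250", "8.8.8.8", "Dialer0", ROLES_AFTER))  # None
```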
