Cisco 2960 switch NAT

Kane Smith
Level 1
Level 1

Hi all, I have a Cisco 2960 switch running IOS 15.2(7) E7. I configured NAT overload.

Straight forward config:

interface Vlan150
description INSIDE-LAN
ip address 10.150.0.254 255.255.255.0
ip nat inside
!
interface Vlan192
description OUTSIDE-LAN
ip address 192.168.0.254 255.255.255.0
ip nat outside
!
ip access-list standard NAT-LIST
permit 10.150.0.0 0.0.255.255
!
ip nat inside source list NAT-LIST interface Vlan192 overload

NAT doesn't work when a device on the 10.150.x.x network (default gateway is 10.150.0.254) tries to reach the Internet.

However, if I source a PING from 10.150.0.254, it works fine:

SW1#ping 8.8.8.8 source 10.150.0.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.150.0.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/25 ms
SW1#

SW1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 192.168.0.254:1024 10.150.0.254:3 8.8.8.8:3 8.8.8.8:1024
SW1#

I have verified using traceroute that the PC on the 10.150.x.x network is indeed going to SW1 in order to get to 8.8.8.8.

Any ideas please?

 

2 Accepted Solutions

Hello @Kane Smith,

you need a router to be able to NAT user traffic.

NAT support on switches starts with the Cat9300 (it was also supported on the high-end Cat6500 and Cat6800, which were the first ones to support it).

I'm surprised the device accepted the NAT commands; however, it is not going to work with user traffic.

Hope to help

Giuseppe

 


Hello
That makes sense. It's a lab simulation, as on real hardware 2960s do NOT support NAT.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


19 Replies

paul.driver
Level 1
Level 1

Hello
Just to confirm that I am understanding: you have a 2960 switch performing NAT, correct?



Kind Regards
Paul

Friend 

Just to make you aware, your reply is doubled, and one of the replies is without a profile photo; contact the manager if you want.

MHM

Hello @MHM Cisco World
FYI, it's due to having dual CCO accounts and flipping between them; as such my browser(s) cannot keep up.

cheers..

 



Kind Regards
Paul

Yes, that is correct. It's in a lab environment. It does everything we need but NAT. I didn't really want to add a router to perform just one function.

ip access-list standard NAT-LIST
permit 10.150.0.0 0.0.255.255

Correct this to be 

ip access-list standard NAT-LIST
permit 10.150.0.0 0.0.0.255


 

"I'm surprised the device accepted the NAT commands"

Me too. How does the device accept the command?

MHM

Yep, it accepts the commands and also performs NAT when the traffic is sourced from the switch's own interface:

Here is a NAT debug:

SW1#ping 8.8.8.8 source 10.150.0.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.150.0.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/18/25 ms
SW1#
Sep 27 09:41:08.133: NAT: ICMP id=3->1027
Sep 27 09:41:08.133: NAT: s=10.150.0.254->192.168.0.254, d=8.8.8.8 [15]
Sep 27 09:41:08.150: NAT: ICMP id=1027->3
Sep 27 09:41:08.150: NAT: s=8.8.8.8, d=192.168.0.254->10.150.0.254 [0]
Sep 27 09:41:08.159: NAT: ICMP id=3->1027
Sep 27 09:41:08.159: NAT: s=10.150.0.254->192.168.0.254, d=8.8.8.8 [16]
Sep 27 09:41:08.175: NAT: ICMP id=1027->3
Sep 27 09:41:08.175: NAT: s=8.8.8.8, d=192.168.0.254->10.150.0.254 [0]
Sep 27 09:41:08.175: NAT: ICMP id=3->1027
Sep 27 09:41:08.175: NAT: s=10.150.0.254->192.168.0.254, d=8.8.8.8 [17]
Sep 27 09:41:08.192: NAT: ICMP id=1027->3
Sep 27 09:41:08.192: NAT: s=8.8.8.8, d=192.168.0.254->10.150.0.254 [0]
SW1#
Sep 27 09:41:08.192: NAT: ICMP id=3->1027
Sep 27 09:41:08.192: NAT: s=10.150.0.254->192.168.0.254, d=8.8.8.8 [18]
Sep 27 09:41:08.217: NAT: ICMP id=1027->3
Sep 27 09:41:08.217: NAT: s=8.8.8.8, d=192.168.0.254->10.150.0.254 [0]
Sep 27 09:41:08.217: NAT: ICMP id=3->1027
Sep 27 09:41:08.217: NAT: s=10.150.0.254->192.168.0.254, d=8.8.8.8 [19]
Sep 27 09:41:08.234: NAT: ICMP id=1027->3
Sep 27 09:41:08.234: NAT: s=8.8.8.8, d=192.168.0.254->10.150.0.254 [0]
SW1#

Then, friend,

did you check routing?

Do you have a default route toward Vlan192?

Are you running

ip routing

in the SW?

MHM

Yes I have a default route towards VLAN 192. That's how the ping to 8.8.8.8 works.

And do you run

ip routing?

If yes,

try using debug NAT and ping; let's see if the SW shows any NAT log.

MHM

With a SW or router, you need to correct your ACL.

MHM

Good spot. I updated the ACL as you stated to a /24 wildcard mask but there is still no change.
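As an added illustration that is not part of the original thread: the script below evaluates the two NAT-LIST lines posted above (the original 0.0.255.255 wildcard and the suggested 0.0.0.255) against constructed sample source addresses, the way a standard ACL is consulted for ip nat inside source list. It shows that both masks select the PC's 10.150.0.x address, so the over-broad wildcard widens the translated range to 10.150.0.0/16 but does not explain why LAN traffic was not translated, which is consistent with the accepted answer that the 2960 does not NAT user traffic. The host addresses are assumptions chosen for the example.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert an IOS wildcard mask (inverted netmask) into a CIDR prefix length.
    Raises for non-contiguous wildcards, which have no single CIDR equivalent."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & MASK32
    bits = f"{netmask:032b}"
    if "01" in bits:  # a 0 followed by a 1 means the netmask is not contiguous
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return bits.count("1")


def acl_matches(acl_entry: str, host: str) -> bool:
    """Evaluate one standard-ACL line of the form 'permit A.B.C.D W.W.W.W'
    against a source address. Wildcard bits set to 1 are 'don't care';
    every other bit of the host must equal the network's bit."""
    action, network, wildcard = acl_entry.split()
    if action != "permit":
        return False
    care = (~int(ipaddress.IPv4Address(wildcard))) & MASK32
    n = int(ipaddress.IPv4Address(network)) & care
    h = int(ipaddress.IPv4Address(host)) & care
    return n == h


def nat_eligibility(acl_entry: str, hosts: list[str]) -> dict[str, bool]:
    """Return which of the given source addresses the ACL would select for translation."""
    return {h: acl_matches(acl_entry, h) for h in hosts}


# Constructed sample sources (assumptions): the switch's own SVI, which the
# thread shows being translated; a PC on the 10.150.0.0/24 LAN; and a host in
# another 10.150.x.0/24 subnet that only the over-broad /16 wildcard covers.
SAMPLE_HOSTS = ["10.150.0.254", "10.150.0.10", "10.150.200.1"]
ORIGINAL_ACL = "permit 10.150.0.0 0.0.255.255"  # as first posted
CORRECTED_ACL = "permit 10.150.0.0 0.0.0.255"   # as suggested in the thread

if __name__ == "__main__":
    for label, entry in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(f"{label}: {entry} -> /{wildcard_to_prefixlen(entry.split()[2])}")
        for host, ok in nat_eligibility(entry, SAMPLE_HOSTS).items():
            print(f"  {host:<14} {'translated' if ok else 'not matched'}")
```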
