03-09-2018 11:47 PM - edited 03-05-2019 10:04 AM
Hi Guys,
I have an ISR 4221 with 2 GE ports (Layer 3 ports) and 4 ES2 ports (Layer 2 ports), and I have 1 WAN link, 1 Internet link and 1 inside (LAN) link. I want to enable both the WAN and Internet connections for all LAN users. How can I make this work?
Please, I really need your help!
03-10-2018 12:04 AM
Hello,
in your NAT access list, specify that any traffic from your LAN to the Internet gets translated, and exclude the traffic that goes to the other side of the WAN. So let's say your LAN is 192.168.1.0/24, and the other side of your WAN is 172.16.0.0/16, your NAT access list should be:
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
Best if you post the configuration of your 4221 you have so far, so we can fill in the necessary bits and pieces...
03-10-2018 11:06 PM
Hi,
I am not sure about the meaning of WAN link. Is it an MPLS link, or is it a leased line?
Let's configure this router with MPLS and Internet link:
interface XX xx/01
description Connected to LAN
! example host address in the LAN subnet (192.168.1.0 is the network address)
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface XX xx/x2
description Connected to Internet
ip address dhcp
ip nat outside
!
interface XX xx/x3
description Connected to WAN
ip address 172.16.0.1 255.255.255.0
!
!
ip access-list extended NAT
10 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
30 permit ip 192.168.1.0 0.0.0.255 any
!
! overload on the Internet-facing (nat outside) interface
ip nat inside source list NAT interface XX xx/x2 overload
!
!
! default route out of the Internet interface
ip route 0.0.0.0 0.0.0.0 XX xx/x2
ip route 172.17.0.0 255.255.255.0 172.16.0.2
!
Regards,
Deepak Kumar
03-11-2018 10:32 PM
Hi Deepak,
Thanks for your help!
You know, the problem is my router has only two interfaces. So literally I have three connections and two interfaces.
03-11-2018 10:36 PM
Hi,
Then add a switch to the router. You can terminate both ISP connections on the switch and make the switch-to-router link a trunk port.
ISP 1--------->
Switch1 ------> Router WAN port
ISP2---------->
Regards,
Deepak Kumar
03-11-2018 10:49 PM
Hi Deepak,
Thanks again for your help!!
Can you please help me on that?
03-11-2018 11:10 PM
Hi,
Your switch configuration must be like:
!
VLAN 20
name Internet
!
interface VLAN 20
no shut
no cdp enable
!
VLAN 30
name WAN
!
interface VLAN 30
no shut
no cdp enable
!
Interface FastEthernet 0/1
description "Connected to Internet ISP"
Switchport mode access
switchport access vlan 20
no shut
!
Interface FastEthernet 0/2
description "Connected to WAN ISP"
Switchport mode access
switchport access vlan 30
no shut
!
! trunk to the router, on a separate port from the two ISP access ports
Interface FastEthernet 0/3
description "Connected to Router WAN interface"
switchport mode trunk
switchport trunk allowed vlan 20,30
no shut
!
! only if the switch is L3
no ip routing
!
!
----------------------
Router configuration as below:
interface GigabitEthernet0/2
description Connected to Internet switch
no ip address
duplex full
speed auto
no shut
!
interface GigabitEthernet0/2.20
description "Connected to Internet ISP VLAN"
encapsulation dot1Q 20
ip address dhcp
IP nat outside
no shut
!
!
interface GigabitEthernet0/2.30
description "Connected to WAN ISP VLAN"
encapsulation dot1Q 30
IP address 172.16.0.1 255.255.255.0
no shut
!
----------
If you have a dial-up connection, then the Internet connection configuration must be different, with dial-up configuration.
Regards,
Deepak Kumar
03-11-2018 11:48 PM
Thanks Deepak,
I am confused by the NAT configuration. Can you please help me with that?
Thanks.
03-11-2018 11:56 PM
Hi,
You have to NAT the packets from the LAN to the Internet. So I have configured the NAT from LAN (IP NAT Inside) to outside (IP nat Outside).
As I mentioned, I am not aware of the WAN connection type. Is it an MPLS connection? If so, then mostly we don't require NAT over the MPLS connection (if the subnet is not the same at both locations). That's why I have not configured any NAT on the MPLS connection.
For a better understanding, please explain your complete network details.
Regards,
Deepak Kumar
03-12-2018 12:12 AM
Hi Deepak,
Thanks Again,
The WAN is like an MPLS network, but in my case it will not work unless I use the NAT command. Is there any way that I can use two NAT commands at the same time for the Internet and MPLS?
Thanks.
03-12-2018 12:25 AM
Hi,
Yes, you can use the two NATs at a time, but you can share the remote end subnet details so I can make a good configuration for you. But you can suppose that the remote end subnet is 192.168.100.0/24; then your configuration must be like:
ip access-list extended NAT-Internet
10 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
20 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
30 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended NAT-WAN
10 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
30 deny ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT-Internet interface GigabitEthernet0/2.20 overload
ip nat inside source list NAT-WAN interface GigabitEthernet0/2.30 overload
!
!
!
interface GigabitEthernet0/2
description Connected to Internet switch
no ip address
duplex full
speed auto
no shut
!
interface GigabitEthernet0/2.20
description "Connected to Internet ISP VLAN"
encapsulation dot1Q 20
ip address dhcp
IP nat outside
no shut
!
!
interface GigabitEthernet0/2.30
description "Connected to WAN ISP VLAN"
encapsulation dot1Q 30
IP address 172.16.0.1 255.255.255.0
IP nat outside
no shut
!
!
! default route out of the Internet subinterface
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2.20
IP route 192.168.100.0 255.255.255.0 172.16.0.2
!
!
Regards,
Deepak Kumar
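Added example (not part of the original posts, and not Cisco tooling): a small Python check for the two NAT ACLs above. It rejects malformed address/wildcard fields such as 0.0.255 or 192.168.1.0.0 and reports which NAT ACL a given flow would match first. It is a simplified model that assumes named extended ACLs with plain "ip" entries and evaluates ACL matching only, not routing; the function names and the sample flows used to exercise it are constructed.

```python
import ipaddress

# Constructed sample: the thread's two NAT ACLs with well-formed addresses.
CONFIG = """\
ip access-list extended NAT-Internet
 10 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
 20 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 30 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended NAT-WAN
 10 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
 20 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 30 deny ip 192.168.1.0 0.0.0.255 any
"""

def _spec(tok):
    # Consume 'any' or 'ADDR WILDCARD'; IPv4Address rejects non-four-octet values.
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tok[:2])
    return (addr, wild), tok[2:]

def parse_acls(text):
    """Parse '[SEQ] ACTION ip SRC DST' entries into {acl_name: [(action, src, dst)]}."""
    acls, current = {}, None
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(tok[3], [])
        elif tok and tok[0] != "!":
            tok = tok[1:] if tok[0].isdigit() else tok   # optional sequence number
            try:
                src, rest = _spec(tok[2:])
                dst, _ = _spec(rest)
            except (ValueError, IndexError) as exc:
                raise ValueError(f"malformed entry {line.strip()!r}: {exc}") from None
            current.append((tok[0], src, dst))
    return acls

def _hit(spec, ip):
    addr, wild = spec                        # wildcard bits set to 1 are ignored
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)

def nat_rule_for(acls, order, src, dst):
    """Name of the first NAT ACL in `order` whose first matching entry permits src->dst."""
    for name in order:
        first = next((a for a, s, d in acls[name] if _hit(s, src) and _hit(d, dst)), "deny")
        if first == "permit":
            return name
    return None                              # no NAT rule applies: not translated
```
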
03-18-2018 10:37 PM
Thanks Deepak for your help! Appreciated.
03-18-2018 10:55 PM
Hi,
I am happy that it resolved the issue. Don't forget to vote for a helpful post.
Regards,
Deepak Kumar