Hello

---

@dim_ing wrote:
It is connected to another switch that provides internet connectivtiy. To that switch I have already plugged other cisco switches and routers with the same kind of configuration without any issue

You topology does not make sense, It suggests you are performing NAT in the wrong place.?
why do you have a switch with dhcp allocation performing PAT when its connected to other switches connecting to a router, W here is the routing for all these subnets and access to the internet being performed?

If you are not willing to share an additional information then it will be hard to find a solution for you,

The DHCP on vlan103 is used cause the Ethernet connected to G1/0/2 belongs to a private IP range of 192.168.100.0/24. The NAT and routing of that IP range is done behind the switch that I am working on. This IP range is just a guest net, whatever you plug to that you have internet. I am interested only to allow the internal Vlan199 to have internet as well

Hello

---

@paul driver wrote:

The DHCP on vlan103 is used cause the Ethernet connected to G1/0/2 belongs to a private IP range of 192.168.100.0/24. The NAT and routing of that IP range is done behind the switch that I am working on. This IP range is just a guest net, whatever you plug to that you have internet. I am interested only to allow the internal Vlan199 to have internet as well

---

So what you are trying to do is double nat your vlan 199 by routing everything upstream to 192.168.100.0/24 nat subnet
From that device running the 192.168.1000/24 but at the same time trying to negate nat between certain subnets but nat everything else.

The problem you have is the default route on that switch is pointing everything towards that nat subnet, and your then leaving that nat subnet device to route between all you other subnets

What you can do is create an additional svi on that switch and connect it via another port/trunk towards the L3 device of your network, have a summarised static route pointing to the nexthop of that new svi

This way, any default traffic "internet" will go via the vlan 103 and get network translated and the more specific traffic for you internal subnets will route via the new SVI you have created and not get natted.

 

yes but that does not explain why on the extended access list when I deny a specific route, I lose the remaining routes on the permit that follows. Without the deny on the ACL it works properly

Hello
You mean the NAT works for vlan 199 for the internet access, based on what you have describe it possible due the default route, the only entry in the route table of that switch is a default "catch all" its not aware of any 10..x.x.x subnets and possible so is the 192.168.100.0/24 nat device

10.252.92.0 0.0.0.255 10.20.80.0 0.0.0.255 < lookup for 10.20.80.x = nothing so use default and arp for it

Hello
can you confirm (excluding nat and internet reachability for vlan199 hosts)
can those same hosts reach all the other subnets via vlan103 and do all those other hosts in those subnets have internet reachabilty?