Is it possible to use a VLAN, as opposed to an interface, as the outside NAT on a 6500?

psaunders
Level 1

Below is a copy of what I am trying to accomplish but it does not seem to be working. It works fine if I only use one interface as the outside NAT, but I need to use a VLAN so I can have an outside VLAN and add ports to the VLAN as we add a few other network devices.

I am obviously missing something or doing something wrong.

vlan 200
name Outside_Access_Vlan
int vlan 200
ip address 216.10.10.251 255.255.255.240
ip nat outside
no shut

interface vlan 10
ip nat inside
interface vlan 90
ip nat inside
interface vlan 92
ip nat inside
Interface vlan 96
ip nat inside
interface vlan 112
ip nat inside

ip routing 
ip route 0.0.0.0 0.0.0.0 216.10.10.241

Interface GigabitEthernet1/1
description Outside_Access_Vlan_Sw1
switchport 
switchport access vlan 200
ip nat outside

Interface GigabitEthernet1/2
description Outside_Access_Vlan_Sw2
switchport 
switchport access vlan 200
ip nat outside

Interface GigabitEthernet1/3
description Outside_Access_Vlan_Sw3
switchport 
switchport access vlan 200
ip nat outside

Interface GigabitEthernet1/4
description Outside_Access_Vlan_ISP
switchport 
switchport access vlan 200
ip nat outside

access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.96.0 0.0.0.255 any
access-list 102 permit ip 10.10.112.0 0.0.0.255 any
access-list 103 permit ip 192.168.90.0 0.0.0.255 any
access-list 104 permit ip 192.168.92.0 0.0.0.255 any

ip nat pool IP101 216.10.10.246 216.10.10.246 netmask 255.255.255.240
ip nat pool IP102 216.10.10.247 216.10.10.247 netmask 255.255.255.240
ip nat pool IP103 216.10.10.248 216.10.10.248 netmask 255.255.255.240
ip nat pool IP104 216.10.10.249 216.10.10.249 netmask 255.255.255.240

ip nat inside source list 100 interface vlan 200 overload 
ip nat inside source list 101 pool IP101 overload
ip nat inside source list 102 pool IP102 overload
ip nat inside source list 103 pool IP103 overload
ip nat inside source list 104 pool IP104 overload

Accepted Solution

Something isn't right here.

You can see the interfaces have different mac addresses.

But from your arp outputs when it worked with the physical interface it is saying the mac address of 216.10.10.51 is for the SVI for vlan 200 which doesn't make sense.

I also noticed from your earlier output when you used the SVI you used a completely different address ie. 216.24.172.251 which could be a typo.

So to retest can you -

1) set it up for the SVI using 216.10.10.51

2) clear arp entries on next hop if there are any for that IP

3) check the arp table on the 6500 and clear any entries for the next hop IP

then try pinging and see what your arp table shows on the 6500.

Like I say none of your arp outputs show the physical interface mac address which I would expect to see when you are using a L3 port.

It may be that "ip nat outside" is not supported on an SVI in which case there may be a workaround but I can't see why it wouldn't be supported.

If the ping fails then can you remove the "ip nat outside" from the SVI for vlan 200 and try pinging again.

To me it looks like more of an arp/mac address issue than a NAT issue.

Jon


19 Replies

trfinkenstadt
Level 1

Hello,

Do any of your nats work?  Like the one for 10.10.10.0/24?  If so, you may have an arp'ish issue for people on vlan200 in that they don't know where to send 216.10.10.246-249 because their default route may very well be 216.10.10.241.

HTH,

tim

None of the NATs work if I use a VLAN; they all work if I define an interface. But I need more than one interface, which is why I am trying to make it work on a VLAN.


Jon Marshall
Hall of Fame

Not sure what you are trying to do here.

You have applied NAT outside to vlan 200 but why do you need to apply it to the physical ports in vlan 200 ?

Jon

Jon,

That is part of my question. If NAT is applied to the vlan will it route traffic coming from gi1/1-3 to gi1/4 which is the actual ISP connection.

I have 3 firewall connections that are all terminating on Vlan 200 which all have public addresses

216.10.10.242  (private subnet on the inside is 10.10.42.0/24)

216.10.10.243  (private subnet on the inside is 10.10.43.0/24)

216.10.10.244  (private subnet on the inside is 10.10.44.0/24)

The firewalls are NATing the private addresses behind those firewalls to the appropriate addresses.


I have a few network subnets that are not firewalled that need NAT:

10.10.10.0 /24   (NAT to Public address 216.10.10.246 overload)
10.10.96.0 /24   (NAT to Public address 216.10.10.247 overload)
10.10.112.0 /24 (NAT to Public address 216.10.10.248 overload)
192.168.90.0 /24 (NAT to Public address 216.10.10.249 overload)

I would like to overload a single IP for each subnet.

I then have a couple of addresses, all on the same subnet, that I would like to static NAT one to one:

10.10.200.45 NAT to 216.10.10.45

10.10.200.50 NAT to 216.10.10.50

I never included these in the first config since I wanted to get the NAT overload working before I tackled the static NAT.


Does this make more sense?


If NAT is applied to the vlan will it route traffic coming from gi1/1-3 to gi1/4 which is the actual ISP connection.

Yes it should route it fine.

As far as I can tell from your description you only need "ip nat outside" on the SVI for vlan 200 ie. no need to apply it to the physical ports in that vlan.

Basically any traffic included in your NAT acls will be translated as they are routed via vlan 200.

For the subnets that are translated on the firewalls the traffic should still be able to route via vlan 200 and the "ip nat outside" statement should have no effect because there won't be a corresponding "ip nat inside" on their SVIs and your acls don't include those IP subnets anyway.

Have I understood what you are asking ?

Jon

Yes you have understood. So I assume if I remove the IP NAT OUTSIDE from the interfaces it should work?

vlan 200
name Outside_Access_Vlan
int vlan 200
ip address 216.10.10.251 255.255.255.240
ip nat outside

Interface GigabitEthernet1/1
description Outside_Access_Vlan_Sw1
switchport 
switchport access vlan 200
Interface GigabitEthernet1/2
description Outside_Access_Vlan_Sw2
switchport 
switchport access vlan 200

Interface GigabitEthernet1/3
description Outside_Access_Vlan_Sw3
switchport 
switchport access vlan 200

Interface GigabitEthernet1/4
description Outside_Access_Vlan_ISP
switchport 
switchport access vlan 200

Yes you have understood. So i assume if i remove the IP NAT OUTSIDE from interfaces it should work?

Can't see why it wouldn't  :-)

Jon

OK thanks Jon will give it a shot

Jon,

I have tried what you described and I still cannot get this working. Here are the pertinent parts of the configs.

Working (using interface Gi1/1 as the outside NAT)

ip routing 
ip route 0.0.0.0 0.0.0.0 216.24.172.241
ip routing protocol purge interface
Exit

config t
vlan 10
int vlan 10
ip address 10.10.10.1 255.255.255.0
no shut


vlan 90
int vlan 90
ip address 192.168.90.1 255.255.255.0
no shut

vlan 92
int vlan 92
ip address 192.168.92.1 255.255.255.0
no shut

vlan 96
int vlan 96
ip address 10.10.96.1 255.255.240.0
no shut

vlan 112
int vlan 112
ip address 10.10.112.1 255.255.240.0
no shut


interface GigabitEthernet1/1
description Internet Access
ip address 216.10.10.251 255.255.255.240
ip nat outside

interface vlan 10
ip nat inside
interface vlan 90
ip nat inside
interface vlan 92
ip nat inside
Interface vlan 96
ip nat inside
interface vlan 112
ip nat inside

access-list 100 remark == [Control NAT Service]==
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.96.0 0.0.0.255 any
access-list 102 permit ip 10.10.112.0 0.0.0.255 any
access-list 103 permit ip 192.168.90.0 0.0.0.255 any
access-list 104 permit ip 192.168.92.0 0.0.0.255 any

ip nat pool IP101 216.10.10.246 216.10.10.246 netmask 255.255.255.240
ip nat pool IP102 216.10.10.247 216.10.10.247 netmask 255.255.255.240
ip nat pool IP103 216.10.10.248 216.10.10.248 netmask 255.255.255.240
ip nat pool IP104 216.10.10.249 216.10.10.249 netmask 255.255.255.240

ip nat inside source list 100 interface gi1/1 overload 
ip nat inside source list 101 pool IP101 overload
ip nat inside source list 102 pool IP102 overload
ip nat inside source list 103 pool IP103 overload
ip nat inside source list 104 pool IP104 overload


NOT Working (using vlan 200 as the outside NAT)

ip routing 
ip route 0.0.0.0 0.0.0.0 216.24.172.241
ip routing protocol purge interface


vlan 10
int vlan 10
ip address 10.10.10.1 255.255.255.0
no shut

vlan 90
int vlan 90
ip address 192.168.90.1 255.255.255.0
no shut

vlan 92
int vlan 92
ip address 192.168.92.1 255.255.255.0
no shut

vlan 96
int vlan 96
ip address 10.10.96.1 255.255.240.0
no shut

vlan 112
int vlan 112
ip address 10.10.112.1 255.255.240.0
no shut

vlan 200
name Outside_Access_Vlan
int vlan 200
ip address 216.24.172.251 255.255.255.240
ip nat outside
no shut

interface GigabitEthernet1/1
description Outside_Access_vlan
switchport 
switchport access vlan 200
no shut

interface vlan 10
ip nat inside
interface vlan 90
ip nat inside
interface vlan 92
ip nat inside
Interface vlan 96
ip nat inside
interface vlan 112
ip nat inside


access-list 100 remark == [Control NAT Service]==
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.96.0 0.0.0.255 any
access-list 102 permit ip 10.10.112.0 0.0.0.255 any
access-list 103 permit ip 192.168.90.0 0.0.0.255 any
access-list 104 permit ip 192.168.92.0 0.0.0.255 any

ip nat pool IP101 216.10.10.246 216.10.10.246 netmask 255.255.255.240
ip nat pool IP102 216.10.10.247 216.10.10.247 netmask 255.255.255.240
ip nat pool IP103 216.10.10.248 216.10.10.248 netmask 255.255.255.240
ip nat pool IP104 216.10.10.249 216.10.10.249 netmask 255.255.255.240

ip nat inside source list 100 interface vlan 200 overload 
ip nat inside source list 101 pool IP101 overload
ip nat inside source list 102 pool IP102 overload
ip nat inside source list 103 pool IP103 overload
ip nat inside source list 104 pool IP104 overload

Any other suggestions?


Paul

Paul

Slightly surprised by this as an SVI is simply another L3 interface as far as the 6500 is concerned.

When you use the SVI and try connecting do you see anything in the translation table at all -

"sh ip nat translations"

Jon

No, it's empty, no entries.

One other note: I can ping 216.10.10.251 (the VLAN IP address) but I can't ping anything else on that subnet. The DG is 216.10.10.241; it fails when using the VLAN but works if I use the interface.


Where are you pinging the SVI IP from ie. what IP ?

I don't have a 6500 to hand :-) but when you switched over between the L3 interface and the SVI did you check the mac address on the default gateway ie. it could be that the default gateway has an incorrect arp entry.

Jon

Jon,

I went so far as to reboot the router to ensure there were no stale arp entries.

I will try applying it again and check the MAC address.

I was pinging from 10.10.10.10 on VLAN 10. I tried from 10.10.10.1, which is the router itself, and that did not work either.

I'll get back to you on the MAC address.

Jon,


Here are copies of the ARP table. Everything looks good as far as I can tell, but it is still not working.

working

RTR#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.10            78   28c7.ce7a.6241  ARPA   Vlan10
Internet  10.10.10.1              -   0023.33c6.0e40  ARPA   Vlan10
Internet  192.168.84.20           0   0022.6471.6a4b  ARPA   Vlan84
Internet  192.168.90.1            -   0023.33c6.0e40  ARPA   Vlan90
Internet  192.168.92.1            -   0023.33c6.0e40  ARPA   Vlan92
Internet  192.168.90.10          78   28c7.ce7a.6243  ARPA   Vlan90
Internet  192.168.84.1            -   0023.33c6.0e40  ARPA   Vlan84
Internet  10.10.112.52           90   0021.6b17.6550  ARPA   Vlan112
Internet  10.10.96.1              -   0023.33c6.0e40  ARPA   Vlan96
Internet  10.10.96.10            78   28c7.ce7a.6244  ARPA   Vlan96
Internet  10.10.112.1             -   0023.33c6.0e40  ARPA   Vlan112
Internet  10.10.112.10           78   28c7.ce7a.6245  ARPA   Vlan112
Internet  10.10.112.15           78   e4c7.22aa.d0af  ARPA   Vlan112
Internet  216.10.10.251          -   0023.33c6.0e40  ARPA   GigabitEthernet1/1
Internet  216.10.10.241          2   001d.708c.f711  ARPA   GigabitEthernet1/1
RTR#
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.10.10.251, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
RTR#ping 216.10.10.241

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.10.10.241, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
RTR#

NOT WORKING
RTR#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.10             3   28c7.ce7a.6241  ARPA   Vlan10
Internet  10.10.10.1              -   0023.33c6.0e40  ARPA   Vlan10
Internet  192.168.84.20           0   0022.6471.6a4b  ARPA   Vlan84
Internet  192.168.90.1            -   0023.33c6.0e40  ARPA   Vlan90
Internet  192.168.92.1            -   0023.33c6.0e40  ARPA   Vlan92
Internet  192.168.90.10           3   28c7.ce7a.6243  ARPA   Vlan90
Internet  192.168.84.1            -   0023.33c6.0e40  ARPA   Vlan84
Internet  10.10.112.52           98   0021.6b17.6550  ARPA   Vlan112
Internet  10.10.96.1              -   0023.33c6.0e40  ARPA   Vlan96
Internet  10.10.96.10             3   28c7.ce7a.6244  ARPA   Vlan96
Internet  10.10.112.1             -   0023.33c6.0e40  ARPA   Vlan112
Internet  10.10.112.10            3   28c7.ce7a.6245  ARPA   Vlan112
Internet  10.10.112.15            3   e4c7.22aa.d0af  ARPA   Vlan112
Internet  216.10.10.251          -   0023.33c6.0e40  ARPA   Vlan200
Internet  216.10.10.241          0   Incomplete      ARPA
RTR#
RTR#ping 216.10.10.251

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.10.10.251, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
RTR#ping 216.10.10.241

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.10.10.241, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
RTR#
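As an added example (not from this thread or from Cisco), the check Jon describes, parsing the two "sh ip arp" outputs above and reporting whether the outside address sits on an SVI and whether the next hop has actually resolved, so the failure is pinned on the ARP/L2 path rather than on NAT. The sample rows are constructed from the outputs posted here; the outside IP and next hop are passed in as parameters.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One data row of "show ip arp"; the Interface column is absent on Incomplete rows.
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+(?:\.\d+){3})\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|Incomplete)\s+ARPA(?:\s+(?P<iface>\S+))?\s*$"
)

@dataclass
class ArpEntry:
    ip: str
    mac: Optional[str]    # None when the router shows the entry as Incomplete
    iface: Optional[str]  # None when no interface column is printed

def parse_arp(output: str) -> Dict[str, ArpEntry]:  # keyed by IP address
    table = {}
    for line in output.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            mac = None if m["mac"] == "Incomplete" else m["mac"]
            table[m["ip"]] = ArpEntry(m["ip"], mac, m["iface"])
    return table

def check_outside_path(table: Dict[str, ArpEntry], outside_ip: str, next_hop: str) -> List[str]:
    # Findings about the NAT-outside hop: local address placement and next-hop resolution.
    findings = []
    local = table.get(outside_ip)
    nh = table.get(next_hop)
    if local is None:
        findings.append(f"{outside_ip}: no local entry, outside interface may be down")
    elif local.iface and local.iface.lower().startswith("vlan"):
        findings.append(f"{outside_ip}: outside address lives on SVI {local.iface}")
    if nh is None:
        findings.append(f"{next_hop}: next hop absent from ARP table")
    elif nh.mac is None:
        findings.append(f"{next_hop}: ARP Incomplete, gateway not answering; L2/ARP problem, not NAT")
    elif local is not None and nh.iface != local.iface:
        findings.append(f"{next_hop}: learned on {nh.iface}, not on {local.iface}")
    return findings

# Constructed samples, trimmed to the outside rows of the two outputs in the thread.
WORKING = """\
Internet  216.10.10.251          -   0023.33c6.0e40  ARPA   GigabitEthernet1/1
Internet  216.10.10.241          2   001d.708c.f711  ARPA   GigabitEthernet1/1
"""
BROKEN = """\
Internet  216.10.10.251          -   0023.33c6.0e40  ARPA   Vlan200
Internet  216.10.10.241          0   Incomplete      ARPA
"""
```

Run check_outside_path(parse_arp(text), "216.10.10.251", "216.10.10.241") over a fresh capture after the retest steps in the accepted solution; an empty list means the next hop resolved on the same interface as the outside address.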