L2NAT NOT WORKING

Himanshu_Dwivedi · ‎05-30-2024

Hello,

PLease consider above topology, it has a Router, IE-4010 switch and it is performing L2NAT. All the PC connected to it are a part of Same VLAN-20 and PC - A-B-C are translated to some IP in the screenshot. PC D has the IP in the same subnet as the Router. Just want to confirm that will PC - D able to Ping the gateway IP, because we have configured the L2NAT with VLAN-20 Tagged on the Uplink as it will match the L2NAT entries and discard if it is not found in the translation table. I aggressively putting my effort to make it work, but not succeeded. Can anyone help me in this.

paul driver · ‎05-30-2024

Hello
Each inside host should l2nat via 172.16.10.10 <>192.168.1.10
so host 192.168.1.10 will reach inside hosts via 172.16.10.10

Try the following:
l2nat instance DWIVEDI
instance-id 1
fixup arp
fixup icmp
inside from host 172.16.10.1 to 192.168.1.1
inside from host 172.16.10.2 to 192.168.1.2
inside from host 172.16.10.3 to 192.168.1.3
outside from host 192.168.1.10 to 172.16.10.10

int x/x
description uplink to 192.168.1.10
l2nat DWIVEDI

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Himanshu_Dwivedi · ‎05-30-2024

Thanks a lot for the support here, I would like to know on which interface this instance to be applied, the port connecting to router or to the device which has IP 192.168.1.10. Because for 192.168.1.10 I want to put a gateway as 192.168.1.254 to reach outside world.

So, I would like to NAT only A,B,C but not D towards router

paul driver · ‎05-30-2024

hello
On the interface that connects to the "outside" of those l2NAT hosts so on the port that supports 192.168,1.10

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Himanshu_Dwivedi · ‎05-30-2024

Yes this thing is working, but what if I want PC D to connect to the internet by use the Gateway of Router(192.168.1.254), because after translation it will use 172.16.10.10, which is not known to the router

paul driver · ‎05-30-2024

Hello
PC D is used to communicate with those inside hosts via l2NAT via (outside from host 192.168.1.10 to 172.16.10.10)
Its basically the logical controller for the l2 NAT, if it needs to reach the internet (upstream) then it should work with its own applied DG when physically patched into the IE400 upstream from the hub, this way those L2nat hosts can still use it to gain external access and that host can still access the internet, if you had a switch instead of an hub then the l2nat instance could be applied to the uplink towards that host and then that host should still be able to reach its own DG device attached which will be attached a different port on the the switch in the same vlan.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

balaji.bandi · ‎05-30-2024

Looking at your diagram - what VLAN ABC belong to and what VLAN D belong to ? Post the configuration here.

Technically if you NAT using 192.168.1.1, then if 192.168.1.10 need to communicated with 172.16,10.X then you need to connected 192.168.1.X to reach them.

Look at the example :

https://www.cisco.com/c/en/us/td/docs/switches/lan/cisco_ie3X00/software/17_3/b_security_17-3_iot_switch_cg/m_16_12x_l2nat.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Himanshu_Dwivedi · ‎05-31-2024

All are on same VLAN 10, all the PC's are connected to Unmanageable hub, then the hub is cascade to the L2NAT capable switch with VLAN 10 tagged on the port. Customer want to translate all the PC A,B,C IP only, but no translation should happen for PC D it should directly interact to the router IP. But if we apply L2NAT on the port connecting to router , switch will also try translate but will not work as no NAT entries has been configured for that PC.

Like PC D should know PC A,B,C from their respective translated IP(192.168.1.1-3)

balaji.bandi · ‎05-31-2024

Post the configuration here. if possible to understand the config.

i would suggest to have different VLAN did the PC-D can reach your .254 directly ?

Also in the diagram i do not see where the dummy hub connected, can you redraw your diagram also send the config to look.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Himanshu_Dwivedi · ‎05-31-2024

Please find the below topology and config as well.

i would suggest to have different VLAN did the PC-D can reach your .254 directly ? It can ping before applying the NAT on Interface but not pinging after applying the NAT Rule. Customer dont want to introduce a new VLAN as the Particular VLAN is dedicated to the particular production area.

PC A, B, C can Ping the translated IP 172.16.0.254 because these are the translated one, but PC D is not able to ping 192.168.1.254 this do not have NAT entry.