Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1296
Views
2
Helpful
18
Replies

NAT a VM - where should I configure it ?

robad
Level 1
Level 1

‎05-15-2024 02:09 AM - edited ‎05-15-2024 11:22 PM

Hi,

I'm having a VM that I want to put behind a NAT.

The internal IP will be 192.168.100.30 , and the external will be 40.40.40.10

The DG is 40.40.40.1

 

Where should I configure the NAT ? as it's a VM on the VCenter. should I configure also something on the VMware's PortGroup ?

robad_0-1715840546492.png

 

 

Thanks in advance

Labels:
0 Helpful
18 Replies 18

paul driver
VIP
VIP

‎05-15-2024 02:22 AM

Hello
The Cat9k I believe does support NAT if so apply it on that box.

Example
int x/x
description WAN interface - 40.40.40.1
ip nat outside

int x/x
description LAN interface  < towards 192.168.100.x
ip nat inside 

ip nat inside source static 192.168.100.30 40.40.40.10


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

robad
Level 1
Level 1

‎05-15-2024 02:48 AM

Hi Paul, and thanks for your reply !

Yes the 9300 do support NAT.

 

For the "WAN" interface - 

the address 40.40.40.1 confiugred on interface vlan 40, so that's will be my interface for the NAT ? or the interface that is connected to the "Lab Router" ?

 

Also, for the "LAN" interface - 

It'll be the interface that goes to the "Nexus" ? [that it is the path that leads to the VM]

 

Thanks in advance

0 Helpful

MHM Cisco World
VIP
VIP
In response to robad

‎05-15-2024 02:58 AM

Why you want NAT between device in same DC?

MHM

0 Helpful

robad
Level 1
Level 1
In response to MHM Cisco World

‎05-15-2024 03:01 AM

I want that my VM, will go out to corporate network with the external IP, but keep being used on the Internal IP for some reasons. 

MHM Cisco World
VIP
VIP
In response to robad

‎05-15-2024 03:09 AM

If that so c9300 do NAT

Vlan 40 SVI is NAT outside 

Abd you need VLAN SVI 192.168.100.30 To be NAT inside

That work if c9300 do intervlan 

MHM 

0 Helpful

robad
Level 1
Level 1

‎05-15-2024 04:42 AM

got it about the "outside", but regarding the "inside", I don't have SVI for that vlan.

so the question is, do I need to create some 'internal' vlan for the VM's portgroup, and then make it as 'inside' NAT ? 

0 Helpful

MHM Cisco World
VIP
VIP
In response to robad

‎05-15-2024 04:49 AM

I can say yes simply but that need from you config c9300 as inter-vlan' i.e. your routing between vm and outside done by c9300 and routing between vm and other subnet need also to be in c9300' which I dont think you do that the router do intervlan' am I correct?

MHM

0 Helpful

robad
Level 1
Level 1
In response to MHM Cisco World

‎05-15-2024 04:54 AM

The routing between other lab's subnets is on the "Lab Router" by route-maps. The SVIs [The DG for lab's subnets], are configured on the C9300.

Also, the routing between vm and 'outside' done by same "Lab Router"

 

 

MHM Cisco World
VIP
VIP
In response to robad

‎05-15-2024 07:27 AM

Sorry I need to check topology before answer' I will draw one with detail  abd share here

MHM

0 Helpful

paul.driver
Level 1
Level 1

‎05-15-2024 06:29 AM

hello
apply the nat domains to the l3 interfaces on the cat 9k along at the cat9k have reachabilty to the vm subnet it should work as per that example i posted previously 

wan interface (svi/routed port) = ip nat outside

lan interface (svi/routed port = ip nat inside

0 Helpful

paul driver
VIP
VIP

‎05-15-2024 07:10 AM

hello
apply the nat domains to the l3 interfaces on the cat 9k along at the cat9k have reachabilty to the vm subnet it should work as per that example i posted previously 

wan interface (svi/routed port) = ip nat outside

lan interface (svi/routed port = ip nat inside


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

robad
Level 1
Level 1

‎05-15-2024 08:43 AM - edited ‎05-15-2024 08:44 AM

Thanks guys for the replies.

I'll tell you what :

on the C9300 I have SVI :

int vl 40
ip add 40.40.40.1

i now added 192.168.100.1

 

and now have ping from the VM into to DG [192.168.100.1]

But, I can't understand if this SVI should be "inside" or outside

(and if it should be "inside", so I can't configure "ip nat" command on the l3 interface to the "Lab Router"... It's a port-channel, and I can't assign this command on Port-Channel as far as I can see)

 

 

Thanks again !!

 

0 Helpful

paul.driver
Level 1
Level 1
In response to robad

‎05-15-2024 09:18 AM

Hello
On the Cat9k switch can you post the exiting cfg please ( exclude any sensitive information)

0 Helpful

robad
Level 1
Level 1

‎05-15-2024 11:19 PM - edited ‎05-15-2024 11:28 PM

Yes Paul, here it is.

And thanks again for your will to help. you and MHM

(BTW - I've edited the draw on the original message)

 


************
catalyst-9300#sh run int vl 40
Current configuration : 428 bytes
!
interface Vlan40
ip address 192.168.100.1 255.255.255.0 secondary
ip address 40.40.40.1 255.255.255.0
no ip proxy-arp
ip nat outside
standby version 2
standby 20 ip
standby 20 priority 120
standby 20 preempt
standby 20 track 1 decrement 15
standby 206 ipv6 autoconfig
standby 206 priority 120
standby 206 preempt
standby 206 track 1 decrement 15
ipv6 enable
end

************

catalyst-9300#sh run int vl 49
Building configuration...

Current configuration : 296 bytes
!
interface Vlan49
ip address 49.49.49.1 255.255.255.0
no ip proxy-arp
standby version 2
standby 49 ip
standby 49 priority 110
standby 49 preempt
standby 496 ipv6 autoconfig
standby 496 priority 110
standby 496 preempt
ipv6 enable
end

************

catalyst-9300#sh run int vl 101
Building configuration...

Current configuration : 463 bytes
!
interface Vlan101
ip address 101.101.101.1 255.255.255.0
no ip redirects
no ip proxy-arp
standby version 2
standby 101 ip
standby 101 priority 120
standby 101 preempt
standby 101 track 1 decrement 15
standby 1016 ipv6 autoconfig
standby 1016 priority 120
standby 1016 preempt
standby 1016 track 1 decrement 15
ipv6 enable
end

************
interface Port-channel105
description ### Uplink from Lab-Roter - po150 ###
switchport trunk allowed vlan 49,101
switchport mode trunk
end
*************

catalyst-9300#sh run int po 40
Building configuration...

Current configuration : 119 bytes
!
interface Port-channel40
description ### Nexus ###
switchport mode trunk
spanning-tree portfast trunk
end
*************

 

And here is related config from the Lab-Router :

*************
Lab-Router#sh run int po 150
Building configuration...

Current configuration : 153 bytes
!
!
interface Port-channel150
description ### UPLINK FOR Catalyst-9300 ###
switchport
switchport mode trunk
switchport trunk allowed vlan 49,101
end
*************
Lab-Router#sh run int vl 49
Building configuration...

Current configuration : 206 bytes
!
interface Vlan49
description ### D.G for A-Team ###
ip address 49.49.49.254 255.255.255.0
ip policy route-map A-Team
ipv6 enable
end
*************
Lab-Router#sh run int vl 101
Building configuration...

Current configuration : 65 bytes
!
interface Vlan101
ip address 101.101.101.254 255.255.255.0
end
*************

0 Helpful
Customers Also Viewed These Support Documents