NAT a VM - where should I configure it ?

robad

Hi,

I have a VM that I want to put behind a NAT.

The internal IP will be 192.168.100.30 , and the external will be 40.40.40.10

The DG is 40.40.40.1

 

Where should I configure the NAT? As it's a VM on the vCenter, should I also configure something on the VMware PortGroup?


 

 

Thanks in advance


EDITED:
Hello
Looking at your cfg I don't see any reference for the 192.168.100.x/24 apart from the secondary addressing you applied on vlan 40, which suggests it shouldn't be there?

I would say, just based on that output:
int vlan 40
no ip address 192.168.100.1 255.255.255.0 secondary
ip nat outside

int vlan 49
ip nat inside

int vlan 101
ip nat inside

ip nat inside source static 192.168.100.30 40.40.40.10

Where does 192.168.100.x/24 reside originally, is it via vlan 49/101 or via another L3 interface you do not show?
There isn't any reference either to how that 192.168.10/x subnet is reachable (dynamic/static routing)?

Additionally, you have HSRP running, so you will need to apply NAT HSRP redundancy if you wish to accommodate any NAT resiliency in case you lose the primary switch.

Lastly - I assume you are using SLAAC for any IPv6 nodes?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


Hi,

I'm using SLAAC for IPv6, yes.

Regarding 192.168.100.x/24, it's only configured on the Catalyst 9300 as a secondary IP on vlan 40, and the VM is in vlan 40 and has an IP in this subnet (192.168.100.30) and it can ping 192.168.100.1

 

Can't understand what you wrote here : 

Where does 192.168.100.x/24 reside originally  is if off via vlan 101 ofranother l3 interface you do not show, 

 

** EDITING -

I saw you edited your message and added config. Will try that and reply here.

robad

Hi,

When you wrote : 

int vlan 49
ip nat inside

int vlan 101
ip nat inside

ip nat inside source static 192.168.100.30 40.40.40.10

 

you meant also on the C9300 - right ?

 

If so, it didn't work.

The VM can't ping IPs of corporate network.

Also, from the C9300 itself I can't ping :

ping 8.8.8.8 source 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
.....
Success rate is 0 percent (0/5)

 

** EDITING -

I now see you wrote :

vlan 40
ino p address 192.168.100.1 255.255.255.0 secondary

 

Is it "no ip " command ? or "ip" command ?

Hello
NAT is basically used to "hide" a network, but if you are using secondary addressing on an interface that you wish to use NAT to hide behind, it makes no sense tbh?

ip nat inside source static 192.168.100.30 40.40.40.10  < so this is saying internal host 192.168.100.30 will be seen externally as 40.40.40.10

But you are saying the 192.168.100.x/24 subnet doesn't exist apart from when you apply it as a secondary subnet on the same "external" / "outside nat domain" interface as the required post-NAT address 40.40.40.x/24

 
Looking again at your topology, vlan 49/101 seem to be upstream towards your lab/corp rtrs so vlan 40 could be your internal nat domain and either vlan 49/101 the external nat domain.

More so, maybe your lab/corp rtr would be a better place to append the NAT?
Can you post the cfg for those two rtrs?


Kind Regards
Paul
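
The mismatch discussed in the reply above, where the inside-local subnet exists only as a secondary address on the interface that is also the outside NAT domain, can be caught by a small config check. This is an added example, not part of any post in the thread; the sample configuration is constructed (40.40.40.2 as the SVI primary address is an assumption), and `parse` and `audit` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample mirroring the thread: 192.168.100.1 is a secondary address
# on the SVI that also carries 40.40.40.0/24 and is marked "ip nat outside".
SAMPLE_CONFIG = """\
interface Vlan40
 ip address 40.40.40.2 255.255.255.0
 ip address 192.168.100.1 255.255.255.0 secondary
 ip nat outside
!
ip nat inside source static 192.168.100.30 40.40.40.10
"""

ADDR = re.compile(r"^ ip address (\S+) (\S+)( secondary)?$")
ROLE = re.compile(r"^ ip nat (inside|outside)$")
STATIC = re.compile(r"^ip nat inside source static (\S+) (\S+)")


def parse(config):
    """Return ({interface: {"nets": [...], "role": str|None}}, [(local, global)])."""
    interfaces, rules, current = {}, [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], {"nets": [], "role": None})
        elif not line.startswith(" "):
            current = None  # left interface sub-mode; look for global NAT rules
            if (m := STATIC.match(line)):
                rules.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
        elif current is not None:
            if (m := ADDR.match(line)):
                current["nets"].append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
            elif (m := ROLE.match(line)):
                current["role"] = m[1]
    return interfaces, rules


def audit(config):
    """Flag static rules whose inside-local host is not behind an 'ip nat inside' interface."""
    interfaces, rules = parse(config)
    findings = []
    for local, global_ in rules:
        homes = [(n, i["role"]) for n, i in interfaces.items() if any(local in net for net in i["nets"])]
        if not homes:
            findings.append(f"{local}: no connected subnet; check routing to the inside host")
        for name, role in homes:
            if role != "inside":
                findings.append(f"{local} -> {global_}: {name} is nat {role or 'unset'}, expected inside")
    return findings
```
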