10-24-2019 01:15 AM
Hello,
I try to configure a simple 1to1 NAT on a Cisco IE2000, following the guide.
But it fails with an error, I don't know why it happens.
en
conf t
l2nat instance instance10
inside from host 192.168.178.13 to 30.225.6.9
inside from host 192.168.178.11 to 10.0.0.10
inside from host 192.168.178.32 to 10.0.0.11
inside from host 192.168.178.33 to 10.0.0.12
inside from host 192.168.178.34 to 10.0.0.13
inside from host 192.168.178.12 to 10.0.0.14
inside from host 192.168.178.101 to 10.0.0.15
inside from host 192.168.178.100 to 10.0.0.16
inside from host 192.168.178.40 to 10.0.0.17
inside from host 192.168.178.41 to 10.0.0.18
outside from host 10.0.0.9 to 192.168.178.13
outside from host 10.0.0.10 to 192.168.178.11
outside from host 10.0.0.11 to 192.168.178.32
outside from host 10.0.0.12 to 192.168.178.33
outside from host 10.0.0.13 to 192.168.178.34
outside from host 10.0.0.14 to 192.168.178.12
outside from host 10.0.0.15 to 192.168.178.101
outside from host 10.0.0.16 to 192.168.178.100
outside from host 10.0.0.17 to 192.168.178.40
outside from host 10.0.0.18 to 192.168.178.41
exit
Until here, everything is fine.
Now, the manual says:
Switch(config)#interface Gi1/1
Switch(config-if)#l2nat instance10
                        ^
% Invalid input detected at '^' marker.
Switch(config-if)#
You see, the
Step 7 Switch(config-if)# l2nat A-LC Applies this Layer 2 NAT instance to the native VLAN on this interface.
doesn't work.
Any idea what's wrong here?
Thanks,
Moritz
10-24-2019 02:01 AM
Hello,
post your full configuration. You need to apply the l2instance to a Vlan. I have put together the below sample configuration based on your input, see if you get it to work:
interface GigabitEthernet1/1
switchport trunk allowed vlan 1,10,20,30
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
macro description cisco-switch
auto qos trust
l2nat Instance10 30
spanning-tree link-type point-to-point
ip dhcp snooping trust
!
interface FastEthernet1/1
description YourPC IP 192.168.178.13 to NAT 30.225.6.9
switchport access vlan 30
switchport mode access
srr-queue bandwidth share 1 19 40 40
priority-queue out
macro description cisco-ethernetip
storm-control broadcast level 3.00 1.00
spanning-tree portfast edge
!
l2nat instance Instance10
instance-id 10
permit all
fixup all
outside from host 10.0.0.9 to 192.168.178.13
inside from host 192.168.178.13 to 30.225.6.9
l2nat Instance10 30
10-24-2019 02:10 AM
Hello Georg,
my Configuration is very simple:
Internal network (VLAN1 ?) with 10 devices (192.168.178.xxx) and an external Network (10.0.0.x):
inside from host 192.168.178.13 to 10.0.0.9
inside from host 192.168.178.11 to 10.0.0.10
inside from host 192.168.178.32 to 10.0.0.11
inside from host 192.168.178.33 to 10.0.0.12
inside from host 192.168.178.34 to 10.0.0.13
inside from host 192.168.178.12 to 10.0.0.14
inside from host 192.168.178.101 to 10.0.0.15
inside from host 192.168.178.100 to 10.0.0.16
inside from host 192.168.178.40 to 10.0.0.17
inside from host 192.168.178.41 to 10.0.0.18
outside from host 10.0.0.9 to 192.168.178.13
outside from host 10.0.0.10 to 192.168.178.11
outside from host 10.0.0.11 to 192.168.178.32
outside from host 10.0.0.12 to 192.168.178.33
outside from host 10.0.0.13 to 192.168.178.34
outside from host 10.0.0.14 to 192.168.178.12
outside from host 10.0.0.15 to 192.168.178.101
outside from host 10.0.0.16 to 192.168.178.100
outside from host 10.0.0.17 to 192.168.178.40
outside from host 10.0.0.18 to 192.168.178.41
Each internal IP shall be translated to the external IP.
That's all.
My IE2000 has
INTERFACE Gi1/1
INTERFACE Gi1/2
and
Po1 to Po6
So, as I understand I have only one VLAN (=internal network, connected to FastEthernet) and the external network (connected to GigabitEthernet1/1), correct?
Thanks,
Moritz
10-24-2019 02:20 AM
Hello Moritz,
so you cannot specify 'l2nat Instance10 1' ? It could be that it doesn't work with the native (untagged) Vlan...
You could try and change the native Vlan to something else, e.g.:
switchport trunk native vlan 2
10-24-2019 02:28 AM
Hello,
actually, looking at the guide, the native Vlan shouldn't be a problem. Can you post the full configuration ? Maybe I can spot something...
10-24-2019 02:31 AM
Hello Georg,
how can I export the full config?
Moritz
10-24-2019 02:50 AM
What I figured out: the IE2000 doesn't accept the IPs I assigned. It shows:
interface Vlan1
no ip address
shutdown
!
interface Vlan1000
ip address 169.254.0.1 255.255.255.248
!
ip http server
ip http authentication local
ip http secure-server
But I assigned IPs with
en
conf t
interface vlan 1
ip address 192.168.178.203 255.255.255.0
interface gigabitethernet1/1
no switchport
ip address 10.0.0.19 255.255.255.192
10-24-2019 03:07 AM
Hello,
from the CLI issue the command 'show running-config' and cut and paste the output to a text file.
10-24-2019 03:22 AM
10-24-2019 05:02 AM
Hello,
assuming that your upstream layer 3 device is connected to port GigabitEthernet1/1, here is what I have come up with (important parts marked in bold).
This should be working for instance40.
bpl40#show config
Using 4183 out of 65536 bytes
!
! Last configuration change at 04:29:57 UTC Wed Mar 30 2011
! NVRAM config last updated at 04:29:57 UTC Wed Mar 30 2011
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname bpl40
!
boot-start-marker
boot-end-marker
!
logging console emergencies
enable secret 5 $1$rC2b$XaJYFtfNyBrkRf8g89yq0/
enable password cisco
!
username admin privilege 15 secret 5 $1$z1EI$cAcDnIW6OGN4pgWBYGVJB.
no aaa new-model
system mtu routing 1500
ip arp inspection vlan 1000
ip arp inspection vlan 1000 logging dhcp-bindings none
!
ip dhcp pool mgmt_pool
network 169.254.0.0 255.255.255.248
default-router 169.254.0.1
dns-server 169.254.0.1
lease 0 0 1
cip instance 1
!
ptp mode e2etransparent
!
crypto pki trustpoint TP-self-signed-3862975488
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3862975488
revocation-check none
rsakeypair TP-self-signed-3862975488
!
!
crypto pki certificate chain TP-self-signed-3862975488
certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
spanning-tree mode pvst
spanning-tree extend system-id
!
alarm profile defaultPort
alarm not-operating
syslog not-operating
notifies not-operating
!
vlan internal allocation policy ascending
!
lldp run
!
l2nat instance instance40
instance-id 1
permit all
fixup arp
fixup icmp
outside from host 10.0.0.18 to 192.168.178.41
outside from host 10.0.0.17 to 192.168.178.40
outside from host 10.0.0.16 to 192.168.178.100
outside from host 10.0.0.15 to 192.168.178.101
outside from host 10.0.0.14 to 192.168.178.12
outside from host 10.0.0.13 to 192.168.178.34
outside from host 10.0.0.12 to 192.168.178.33
outside from host 10.0.0.11 to 192.168.178.32
outside from host 10.0.0.10 to 192.168.178.11
outside from host 10.0.0.9 to 192.168.178.13
inside from host 192.168.178.41 to 10.0.0.18
inside from host 192.168.178.40 to 10.0.0.17
inside from host 192.168.178.100 to 10.0.0.16
inside from host 192.168.178.101 to 10.0.0.15
inside from host 192.168.178.12 to 10.0.0.14
inside from host 192.168.178.34 to 10.0.0.13
inside from host 192.168.178.33 to 10.0.0.12
inside from host 192.168.178.32 to 10.0.0.11
inside from host 192.168.178.11 to 10.0.0.10
inside from host 192.168.178.13 to 10.0.0.9
l2nat instance40 1000
!
l2nat instance A-LC
instance-id 2
fixup all
outside from host 10.0.0.18 to 192.168.178.41
outside from host 10.0.0.17 to 192.168.178.40
outside from host 10.0.0.16 to 192.168.178.100
outside from host 10.0.0.15 to 192.168.178.101
outside from host 10.0.0.14 to 192.168.178.12
outside from host 10.0.0.13 to 192.168.178.34
outside from host 10.0.0.12 to 192.168.178.33
outside from host 10.0.0.11 to 192.168.178.32
outside from host 10.0.0.10 to 192.168.178.11
outside from host 10.0.0.9 to 192.168.178.13
inside from host 192.168.178.41 to 10.0.0.18
inside from host 192.168.178.40 to 10.0.0.17
inside from host 192.168.178.100 to 10.0.0.16
inside from host 192.168.178.101 to 10.0.0.15
inside from host 192.168.178.12 to 10.0.0.14
inside from host 192.168.178.34 to 10.0.0.13
inside from host 192.168.178.33 to 10.0.0.12
inside from host 192.168.178.32 to 10.0.0.11
inside from host 192.168.178.11 to 10.0.0.10
inside from host 192.168.178.13 to 10.0.0.9
!
interface Port-channel1
switchport access vlan 10
switchport mode access
!
interface FastEthernet1/1
switchport access vlan 1000
switchport mode access
ip arp inspection trust
no cdp enable
spanning-tree portfast
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface GigabitEthernet1/1
switchport trunk allowed vlan 1,1000
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
macro description cisco-switch
auto qos trust
l2nat instance40 1000
spanning-tree link-type point-to-point
!
interface GigabitEthernet1/2
!
interface Vlan1
no ip address
!
interface Vlan1000
no ip address
!
ip http server
ip http authentication local
ip http secure-server
!
line con 0
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
end
10-24-2019 05:10 AM
Thanks for your help, but I don't know how to continue.
When I follow the guide, the basic commands don't work:
I try Step 9: Apply the specified Layer 2 NAT instance to a VLAN or VLAN range. If this parameter is missing, the Layer 2 NAT
instance applies to the native VLAN.
l2nat instance_name [vlan | vlan_range ]
bpl40(config-if)#l2nat instance10 1000
^
% Invalid input detected at '^' marker.
bpl40(config-if)#
How does this CLI work? Why doesn't it return clear error codes?
I'm a bit frustrated, with Siemens Scalance Router such a simple 1:1 NAT is configured within 5 minutes. With the IE2000, it needs hours and days to figure out, how it works.
OK, any idea what's wrong with the IE2000?
Thanks,
Moritz
10-24-2019 08:19 AM
Hello,
it might not like the Vlan number (1000), as it supports only up to 128 Vlans...try and make the changes below (basically, change 1000 to 10)...
l2nat instance instance40
instance-id 1
permit all
fixup arp
fixup icmp
outside from host 10.0.0.18 to 192.168.178.41
outside from host 10.0.0.17 to 192.168.178.40
outside from host 10.0.0.16 to 192.168.178.100
outside from host 10.0.0.15 to 192.168.178.101
outside from host 10.0.0.14 to 192.168.178.12
outside from host 10.0.0.13 to 192.168.178.34
outside from host 10.0.0.12 to 192.168.178.33
outside from host 10.0.0.11 to 192.168.178.32
outside from host 10.0.0.10 to 192.168.178.11
outside from host 10.0.0.9 to 192.168.178.13
inside from host 192.168.178.41 to 10.0.0.18
inside from host 192.168.178.40 to 10.0.0.17
inside from host 192.168.178.100 to 10.0.0.16
inside from host 192.168.178.101 to 10.0.0.15
inside from host 192.168.178.12 to 10.0.0.14
inside from host 192.168.178.34 to 10.0.0.13
inside from host 192.168.178.33 to 10.0.0.12
inside from host 192.168.178.32 to 10.0.0.11
inside from host 192.168.178.11 to 10.0.0.10
inside from host 192.168.178.13 to 10.0.0.9
l2nat instance40 10
!
l2nat instance A-LC
instance-id 2
fixup all
outside from host 10.0.0.18 to 192.168.178.41
outside from host 10.0.0.17 to 192.168.178.40
outside from host 10.0.0.16 to 192.168.178.100
outside from host 10.0.0.15 to 192.168.178.101
outside from host 10.0.0.14 to 192.168.178.12
outside from host 10.0.0.13 to 192.168.178.34
outside from host 10.0.0.12 to 192.168.178.33
outside from host 10.0.0.11 to 192.168.178.32
outside from host 10.0.0.10 to 192.168.178.11
outside from host 10.0.0.9 to 192.168.178.13
inside from host 192.168.178.41 to 10.0.0.18
inside from host 192.168.178.40 to 10.0.0.17
inside from host 192.168.178.100 to 10.0.0.16
inside from host 192.168.178.101 to 10.0.0.15
inside from host 192.168.178.12 to 10.0.0.14
inside from host 192.168.178.34 to 10.0.0.13
inside from host 192.168.178.33 to 10.0.0.12
inside from host 192.168.178.32 to 10.0.0.11
inside from host 192.168.178.11 to 10.0.0.10
inside from host 192.168.178.13 to 10.0.0.9
!
interface Port-channel1
switchport access vlan 10
switchport mode access
!
interface FastEthernet1/1
switchport access vlan 10
switchport mode access
ip arp inspection trust
no cdp enable
spanning-tree portfast
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface GigabitEthernet1/1
switchport trunk allowed vlan 1,10
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
macro description cisco-switch
auto qos trust
l2nat instance40 10
spanning-tree link-type point-to-point
!
interface GigabitEthernet1/2
!
interface Vlan1
no ip address
!
interface Vlan10
no ip address
!
ip http server
ip http authentication local
ip http secure-server
!
line con 0
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
end
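A quick consistency check for an l2nat instance before it is applied to an interface. This is an added example in Python, not code from the thread or from Cisco. It parses the `l2nat instance` block and the per-interface `l2nat <name> [vlan]` line, verifies that every inside mapping has its mirror outside mapping (in the first post, `inside from host 192.168.178.13 to 30.225.6.9` has none, because the corresponding outside line translates 10.0.0.9, not 30.225.6.9), flags a translated address used by two inside hosts, and flags an applied instance name that does not match a defined instance. The sample configuration is constructed from the first post and from the `Instance10` spelling in the sample reply; that instance names are case-sensitive and that VLAN IDs must lie in 1..4094 are assumptions of this script, not something the thread confirms.

```python
"""Lint an IOS-style l2nat excerpt (added example; not Cisco's or the thread's code)."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class L2NatInstance:
    name: str
    inside: dict = field(default_factory=dict)   # private host -> translated host
    outside: dict = field(default_factory=dict)  # translated host -> private host


INSTANCE_RE = re.compile(r"^l2nat instance (\S+)$")
INTERFACE_RE = re.compile(r"^interface (\S+)$")
MAPPING_RE = re.compile(r"^(inside|outside) from host (\S+) to (\S+)$")
APPLY_RE = re.compile(r"^l2nat (\S+)(?: (\d+))?$")   # per-interface: l2nat <name> [vlan]


def parse_config(text):
    """Return (instances by name, list of (interface, instance name, vlan or None))."""
    instances, applications = {}, []
    current_instance = current_iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := INSTANCE_RE.match(line):
            current_instance = L2NatInstance(m.group(1))
            instances[current_instance.name] = current_instance
            current_iface = None
        elif m := INTERFACE_RE.match(line):
            current_iface, current_instance = m.group(1), None
        elif (m := MAPPING_RE.match(line)) and current_instance is not None:
            direction, src, dst = m.groups()
            ipaddress.ip_address(src)  # raise early on a malformed address
            ipaddress.ip_address(dst)
            getattr(current_instance, direction)[src] = dst
        elif (m := APPLY_RE.match(line)) and current_iface is not None:
            vlan = int(m.group(2)) if m.group(2) else None
            applications.append((current_iface, m.group(1), vlan))
    return instances, applications


def lint(instances, applications, max_vlan=4094):
    """Return a list of human-readable findings; an empty list means the excerpt is consistent."""
    findings = []
    for inst in instances.values():
        # Every inside translation needs the reverse outside translation, and vice versa.
        for priv, pub in inst.inside.items():
            if inst.outside.get(pub) != priv:
                findings.append(f"{inst.name}: inside {priv}->{pub} has no mirror "
                                f"'outside from host {pub} to {priv}'")
        for pub, priv in inst.outside.items():
            if inst.inside.get(priv) != pub:
                findings.append(f"{inst.name}: outside {pub}->{priv} has no mirror "
                                f"'inside from host {priv} to {pub}'")
        # Two private hosts sharing one translated address cannot be reversed unambiguously.
        seen = {}
        for priv, pub in inst.inside.items():
            if pub in seen:
                findings.append(f"{inst.name}: translated address {pub} reused by {seen[pub]} and {priv}")
            seen[pub] = priv
    for iface, name, vlan in applications:
        if name not in instances:
            # Assumption: instance names are case-sensitive, so 'Instance10' != 'instance10'.
            hint = next((f" (found '{n}'; names are assumed case-sensitive)"
                         for n in instances if n.lower() == name.lower()), "")
            findings.append(f"{iface}: applies unknown instance '{name}'{hint}")
        if vlan is not None and not 1 <= vlan <= max_vlan:   # assumed valid VLAN ID range
            findings.append(f"{iface}: VLAN {vlan} is outside 1..{max_vlan}")
    return findings


def lint_text(text):
    return lint(*parse_config(text))


# Constructed sample: the first post's mismatched .13 mapping, applied with a differently
# capitalised instance name (as in the sample reply) on the uplink port.
SAMPLE_CONFIG = """
l2nat instance instance10
 inside from host 192.168.178.13 to 30.225.6.9
 inside from host 192.168.178.11 to 10.0.0.10
 outside from host 10.0.0.9 to 192.168.178.13
 outside from host 10.0.0.10 to 192.168.178.11
!
interface GigabitEthernet1/1
 switchport mode trunk
 l2nat Instance10 1000
!
"""

if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONFIG):
        print(finding)
```

Run it against a pasted `show running-config`; the findings are plain strings, so the check drops into a pre-change review script without further plumbing.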
01-30-2020 01:57 PM
Did you ever get this working?
Please let me know because I'm also trying to get this working and the documentation is less than helpful.
Thanks, Tom