NAT Configuration Error with IE2000

MK1603
Level 1

Hello,

I am trying to configure a simple 1:1 NAT on a Cisco IE2000, following the guide.

 

But it fails with an error, I don't know why it happens.

 

en
conf t
l2nat instance instance10

inside from host 192.168.178.13 to 30.225.6.9
inside from host 192.168.178.11 to 10.0.0.10
inside from host 192.168.178.32 to 10.0.0.11
inside from host 192.168.178.33 to 10.0.0.12
inside from host 192.168.178.34 to 10.0.0.13
inside from host 192.168.178.12 to 10.0.0.14
inside from host 192.168.178.101 to 10.0.0.15
inside from host 192.168.178.100 to 10.0.0.16
inside from host 192.168.178.40 to 10.0.0.17
inside from host 192.168.178.41 to 10.0.0.18

outside from host 10.0.0.9 to 192.168.178.13 
outside from host 10.0.0.10 to 192.168.178.11 
outside from host 10.0.0.11 to 192.168.178.32 
outside from host 10.0.0.12 to 192.168.178.33 
outside from host 10.0.0.13 to 192.168.178.34 
outside from host 10.0.0.14 to 192.168.178.12 
outside from host 10.0.0.15 to 192.168.178.101 
outside from host 10.0.0.16 to 192.168.178.100 
outside from host 10.0.0.17 to 192.168.178.40 
outside from host 10.0.0.18 to 192.168.178.41
exit

Up to here, everything is fine.

Now, the manual says:

 

Switch(config)#interface Gi1/1
Switch(config-if)#l2nat instance10
^
% Invalid input detected at '^' marker.
Switch(config-if)#

You see, the 

Step 7: Switch(config-if)# l2nat A-LC    Applies this Layer 2 NAT instance to the native VLAN on this interface.

doesn't work.

 

Any idea what's wrong here?

 

Thanks,

Moritz

 


Hello,

 

post your full configuration. You need to apply the l2instance to a Vlan. I have put together the below sample configuration based on your input, see if you get it to work:

 

interface GigabitEthernet1/1
switchport trunk allowed vlan 1,10,20,30
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
macro description cisco-switch
auto qos trust
l2nat Instance10 30
spanning-tree link-type point-to-point
ip dhcp snooping trust
!
interface FastEthernet1/1
description YourPC IP 192.168.178.13 to NAT 30.225.6.9
switchport access vlan 30
switchport mode access
srr-queue bandwidth share 1 19 40 40
priority-queue out
macro description cisco-ethernetip
storm-control broadcast level 3.00 1.00
spanning-tree portfast edge
!
l2nat instance Instance10
instance-id 10
permit all
fixup all
outside from host 10.0.0.9 to 192.168.178.13
inside from host 192.168.178.13 to 30.225.6.9
l2nat Instance10 30

Hello Georg,

my configuration is very simple:

Internal network (VLAN1 ?) with 10 devices (192.168.178.xxx) and an external Network (10.0.0.x):

 

inside from host 192.168.178.13 to 10.0.0.9
inside from host 192.168.178.11 to 10.0.0.10
inside from host 192.168.178.32 to 10.0.0.11
inside from host 192.168.178.33 to 10.0.0.12
inside from host 192.168.178.34 to 10.0.0.13
inside from host 192.168.178.12 to 10.0.0.14
inside from host 192.168.178.101 to 10.0.0.15
inside from host 192.168.178.100 to 10.0.0.16
inside from host 192.168.178.40 to 10.0.0.17
inside from host 192.168.178.41 to 10.0.0.18

 

outside from host 10.0.0.9 to 192.168.178.13
outside from host 10.0.0.10 to 192.168.178.11
outside from host 10.0.0.11 to 192.168.178.32
outside from host 10.0.0.12 to 192.168.178.33
outside from host 10.0.0.13 to 192.168.178.34
outside from host 10.0.0.14 to 192.168.178.12
outside from host 10.0.0.15 to 192.168.178.101
outside from host 10.0.0.16 to 192.168.178.100
outside from host 10.0.0.17 to 192.168.178.40
outside from host 10.0.0.18 to 192.168.178.41

 

Each internal IP shall be translated to the external IP.

 

That's all.

 

My IE2000 has 

INTERFACE Gi1/1

INTERFACE Gi1/2

and

Po1 to Po6

 

So, as I understand I have only one VLAN (=internal network, connected to FastEthernet) and the external network (connected to GigabitEthernet1/1), correct?

 

Thanks,

Moritz

Hello Moritz,

 

so you cannot specify 'l2nat Instance10 1' ? It could be that it doesn't work with the native (untagged) Vlan...

 

You could try and change the native Vlan to something else, e.g.:

 

switchport trunk native vlan 2

Hello,

 

actually, looking at the guide, the native Vlan shouldn't be a problem. Can you post the full configuration ? Maybe I can spot something...

Hello Georg,

how can I export the full config?

 

Moritz

What I figured out: the IE2000 doesn't accept my IPs. I assigned:

 

interface Vlan1
no ip address
shutdown
!
interface Vlan1000
ip address 169.254.0.1 255.255.255.248
!
ip http server
ip http authentication local
ip http secure-server

But I assigned IPs with

 

en
conf t
interface vlan 1
ip address 192.168.178.203 255.255.255.0

interface gigabitethernet1/1
no switchport
ip address 10.0.0.19 255.255.255.192

Hello,

 

from the CLI issue the command 'show running-config' and cut and paste the output to a text file.

Here it is,

Thanks

Hello,

 

assuming that your upstream layer 3 device is connected to port GigabitEthernet1/1, here is what I have come up with (important parts marked in bold).

 

This should be working for instance40.

 

bpl40#show config
Using 4183 out of 65536 bytes
!
! Last configuration change at 04:29:57 UTC Wed Mar 30 2011
! NVRAM config last updated at 04:29:57 UTC Wed Mar 30 2011
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname bpl40
!
boot-start-marker
boot-end-marker
!
logging console emergencies
enable secret 5 $1$rC2b$XaJYFtfNyBrkRf8g89yq0/
enable password cisco
!
username admin privilege 15 secret 5 $1$z1EI$cAcDnIW6OGN4pgWBYGVJB.
no aaa new-model
system mtu routing 1500
ip arp inspection vlan 1000
ip arp inspection vlan 1000 logging dhcp-bindings none
!
ip dhcp pool mgmt_pool
network 169.254.0.0 255.255.255.248
default-router 169.254.0.1
dns-server 169.254.0.1
lease 0 0 1
cip instance 1
!
ptp mode e2etransparent
!
crypto pki trustpoint TP-self-signed-3862975488
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3862975488
revocation-check none
rsakeypair TP-self-signed-3862975488
!
!
crypto pki certificate chain TP-self-signed-3862975488
certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
spanning-tree mode pvst
spanning-tree extend system-id
!
alarm profile defaultPort
alarm not-operating
syslog not-operating
notifies not-operating
!
vlan internal allocation policy ascending
!
lldp run
!
l2nat instance instance40
instance-id 1
permit all
fixup arp
fixup icmp
outside from host 10.0.0.18 to 192.168.178.41
outside from host 10.0.0.17 to 192.168.178.40
outside from host 10.0.0.16 to 192.168.178.100
outside from host 10.0.0.15 to 192.168.178.101
outside from host 10.0.0.14 to 192.168.178.12
outside from host 10.0.0.13 to 192.168.178.34
outside from host 10.0.0.12 to 192.168.178.33
outside from host 10.0.0.11 to 192.168.178.32
outside from host 10.0.0.10 to 192.168.178.11
outside from host 10.0.0.9 to 192.168.178.13
inside from host 192.168.178.41 to 10.0.0.18
inside from host 192.168.178.40 to 10.0.0.17
inside from host 192.168.178.100 to 10.0.0.16
inside from host 192.168.178.101 to 10.0.0.15
inside from host 192.168.178.12 to 10.0.0.14
inside from host 192.168.178.34 to 10.0.0.13
inside from host 192.168.178.33 to 10.0.0.12
inside from host 192.168.178.32 to 10.0.0.11
inside from host 192.168.178.11 to 10.0.0.10
inside from host 192.168.178.13 to 10.0.0.9
l2nat instance40 1000
!
l2nat instance A-LC
instance-id 2
fixup all
outside from host 10.0.0.18 to 192.168.178.41
outside from host 10.0.0.17 to 192.168.178.40
outside from host 10.0.0.16 to 192.168.178.100
outside from host 10.0.0.15 to 192.168.178.101
outside from host 10.0.0.14 to 192.168.178.12
outside from host 10.0.0.13 to 192.168.178.34
outside from host 10.0.0.12 to 192.168.178.33
outside from host 10.0.0.11 to 192.168.178.32
outside from host 10.0.0.10 to 192.168.178.11
outside from host 10.0.0.9 to 192.168.178.13
inside from host 192.168.178.41 to 10.0.0.18
inside from host 192.168.178.40 to 10.0.0.17
inside from host 192.168.178.100 to 10.0.0.16
inside from host 192.168.178.101 to 10.0.0.15
inside from host 192.168.178.12 to 10.0.0.14
inside from host 192.168.178.34 to 10.0.0.13
inside from host 192.168.178.33 to 10.0.0.12
inside from host 192.168.178.32 to 10.0.0.11
inside from host 192.168.178.11 to 10.0.0.10
inside from host 192.168.178.13 to 10.0.0.9
!
interface Port-channel1
switchport access vlan 10
switchport mode access
!
interface FastEthernet1/1
switchport access vlan 1000
switchport mode access
ip arp inspection trust
no cdp enable
spanning-tree portfast
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface GigabitEthernet1/1
switchport trunk allowed vlan 1,1000
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
macro description cisco-switch
auto qos trust
l2nat instance40 1000
spanning-tree link-type point-to-point
!
interface GigabitEthernet1/2
!
interface Vlan1
no ip address
!
interface Vlan1000
no ip address
!
ip http server
ip http authentication local
ip http secure-server
!
line con 0
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
end

Thanks for your help, but I don't know how to continue.

When I follow the guideline, the basic commands don't work:

I try Step 9: Apply the specified Layer 2 NAT instance to a VLAN or VLAN range. If this parameter is missing, the Layer 2 NAT instance applies to the native VLAN.
l2nat instance_name [vlan | vlan_range]

 

bpl40(config-if)#l2nat instance10 1000
^
% Invalid input detected at '^' marker.

bpl40(config-if)#

 

How does this CLI work? Why doesn't it return clear error codes?

 

I'm a bit frustrated; with a Siemens Scalance router such a simple 1:1 NAT is configured within 5 minutes. With the IE2000, it takes hours and days to figure out how it works.

 

OK, any idea what's wrong with the IE2000?

 

Thanks,

Moritz
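
As an added check (not from this thread, Cisco, or either poster), here is a small Python script that parses the l2nat instance blocks of an IOS running-config and flags the two defects visible in this thread: an interface applying an instance name that is not defined anywhere (the running-config above defines instance40 and A-LC, while the interface command tried is l2nat instance10 1000), and inside/outside host mappings that are not exact mirrors of each other (the first post's inside line for 192.168.178.13 points to 30.225.6.9, but the outside line maps 10.0.0.9 back to it). The sample config is constructed from the thread's addresses and is not the poster's full configuration.

```python
import re

# Constructed sample (not the poster's full config): instance40 is defined, the interface
# applies "instance10", and one inside mapping (to 30.225.6.9) has no reverse outside line.
SAMPLE_CONFIG = """\
l2nat instance instance40
 instance-id 1
 inside from host 192.168.178.13 to 30.225.6.9
 inside from host 192.168.178.11 to 10.0.0.10
 outside from host 10.0.0.9 to 192.168.178.13
 outside from host 10.0.0.10 to 192.168.178.11
!
interface GigabitEthernet1/1
 switchport mode trunk
 l2nat instance10 1000
!
"""

INSTANCE_RE = re.compile(r"^l2nat instance (\S+)$")          # instance definition block
IFACE_RE = re.compile(r"^interface (\S+)$")
MAP_RE = re.compile(r"^\s*(inside|outside) from host (\S+) to (\S+)$")
APPLY_RE = re.compile(r"^\s*l2nat (\S+)(?: (\d+))?$")        # "l2nat <instance> [vlan]" under an interface

def parse(config):
    """Return ({instance: {"inside": {a: b}, "outside": {a: b}}}, [(iface, instance, vlan)])."""
    instances, applied, current, iface = {}, [], None, None
    for line in config.splitlines():
        if m := INSTANCE_RE.match(line):
            current, iface = m.group(1), None
            instances[current] = {"inside": {}, "outside": {}}
        elif m := IFACE_RE.match(line):
            iface, current = m.group(1), None
        elif (m := MAP_RE.match(line)) and current:
            instances[current][m.group(1)][m.group(2)] = m.group(3)
        elif (m := APPLY_RE.match(line)) and iface:
            applied.append((iface, m.group(1), m.group(2)))
    return instances, applied

def check(config):
    """Findings: interfaces applying an undefined instance, and mappings without a mirror."""
    instances, applied = parse(config)
    findings = [f"{iface}: applies undefined instance '{name}' (defined: {sorted(instances)})"
                for iface, name, _vlan in applied if name not in instances]
    for name, maps in instances.items():
        for fwd, rev in (("inside", "outside"), ("outside", "inside")):
            for src, dst in maps[fwd].items():
                if maps[rev].get(dst) != src:
                    findings.append(f"{name}: {fwd} {src}->{dst} has no mirror {rev} {dst}->{src}")
    return findings
```

Run check(SAMPLE_CONFIG) (or check(open("running-config.txt").read()) on a pasted show running-config) and each returned string names one defect; an empty list means every applied instance exists and every mapping is mirrored.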

Hello,

 

it might not like the Vlan number (1000), as it supports only up to 128 Vlans...try and make the changes below (basically, change 1000 to 10)...

 

 

l2nat instance instance40
instance-id 1
permit all
fixup arp
fixup icmp
outside from host 10.0.0.18 to 192.168.178.41
outside from host 10.0.0.17 to 192.168.178.40
outside from host 10.0.0.16 to 192.168.178.100
outside from host 10.0.0.15 to 192.168.178.101
outside from host 10.0.0.14 to 192.168.178.12
outside from host 10.0.0.13 to 192.168.178.34
outside from host 10.0.0.12 to 192.168.178.33
outside from host 10.0.0.11 to 192.168.178.32
outside from host 10.0.0.10 to 192.168.178.11
outside from host 10.0.0.9 to 192.168.178.13
inside from host 192.168.178.41 to 10.0.0.18
inside from host 192.168.178.40 to 10.0.0.17
inside from host 192.168.178.100 to 10.0.0.16
inside from host 192.168.178.101 to 10.0.0.15
inside from host 192.168.178.12 to 10.0.0.14
inside from host 192.168.178.34 to 10.0.0.13
inside from host 192.168.178.33 to 10.0.0.12
inside from host 192.168.178.32 to 10.0.0.11
inside from host 192.168.178.11 to 10.0.0.10
inside from host 192.168.178.13 to 10.0.0.9
l2nat instance40 10
!
l2nat instance A-LC
instance-id 2
fixup all
outside from host 10.0.0.18 to 192.168.178.41
outside from host 10.0.0.17 to 192.168.178.40
outside from host 10.0.0.16 to 192.168.178.100
outside from host 10.0.0.15 to 192.168.178.101
outside from host 10.0.0.14 to 192.168.178.12
outside from host 10.0.0.13 to 192.168.178.34
outside from host 10.0.0.12 to 192.168.178.33
outside from host 10.0.0.11 to 192.168.178.32
outside from host 10.0.0.10 to 192.168.178.11
outside from host 10.0.0.9 to 192.168.178.13
inside from host 192.168.178.41 to 10.0.0.18
inside from host 192.168.178.40 to 10.0.0.17
inside from host 192.168.178.100 to 10.0.0.16
inside from host 192.168.178.101 to 10.0.0.15
inside from host 192.168.178.12 to 10.0.0.14
inside from host 192.168.178.34 to 10.0.0.13
inside from host 192.168.178.33 to 10.0.0.12
inside from host 192.168.178.32 to 10.0.0.11
inside from host 192.168.178.11 to 10.0.0.10
inside from host 192.168.178.13 to 10.0.0.9
!
interface Port-channel1
switchport access vlan 10
switchport mode access
!
interface FastEthernet1/1
switchport access vlan 10
switchport mode access
ip arp inspection trust
no cdp enable
spanning-tree portfast
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface GigabitEthernet1/1
switchport trunk allowed vlan 1,10
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
macro description cisco-switch
auto qos trust
l2nat instance40 10
spanning-tree link-type point-to-point
!
interface GigabitEthernet1/2
!
interface Vlan1
no ip address
!
interface Vlan10
no ip address
!
ip http server
ip http authentication local
ip http secure-server
!
line con 0
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
end

 

Did you ever get this working?

 

Please let me know because I'm also trying to get this working and the documentation is less than helpful. 

 

Thanks, Tom
