NAT configuration help

bstockslager
Level 1

I'm having trouble getting NAT to work correctly on a router with 4 VLANs configured on it.  This is at an office that is currently dead in the water, so I'm kind of scrambling to get things back up.  I'm pretty sure I'm about 95% complete with the router's config; if anyone can take a look and see what I'm missing I'd greatly appreciate it.  ##########OMITTED OUTPUT########## is just passwords or other security things.

Building configuration...

Current configuration : 2808 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ##########OMITTED OUTPUT##########
!
boot-start-marker
boot-end-marker
!
enable password ##########OMITTED OUTPUT##########
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.40.128
ip dhcp excluded-address 10.10.30.128
!
ip dhcp pool 40
   network 10.10.40.0 255.255.255.0
   default-router 10.10.40.128
   dns-server 8.8.8.8
   lease 4
!
ip dhcp pool 30
   network 10.10.30.0 255.255.255.0
   default-router 10.10.30.128
   dns-server 8.8.8.8
   lease 4
!
ip domain name ##########OMITTED OUTPUT##########
ip name-server 8.8.8.8
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username ##########OMITTED OUTPUT##########
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.62 255.255.255.192
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip address 10.128.1.129 255.255.255.192
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.10.30.128 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.40
 encapsulation dot1Q 40
 ip address 10.10.40.128 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip http server
no ip http secure-server
ip nat pool ovrld 1.1.1.1 1.1.1.1 netmask 255.255.255.240
ip nat pool ovrld2 1.1.1.1 1.1.1.1 netmask 255.255.255.240
ip nat pool ovrld3 1.1.1.1 1.1.1.1 netmask 255.255.255.240
ip nat pool ovrld4 1.1.1.1 1.1.1.1 netmask 255.255.255.240
ip nat inside source list 10 pool ovrld overload
ip nat inside source list 20 pool ovrld2 overload
ip nat inside source list 30 pool ovrld3 overload
ip nat inside source list 40 pool ovrld4 overload
!
access-list 10 permit 10.0.0.0 0.0.0.63
access-list 20 permit 10.128.1.128 0.0.0.63
access-list 30 permit 10.10.30.0 0.0.0.255
access-list 40 permit 10.10.40.0 0.0.0.255
!
control-plane
!
##########OMITTED OUTPUT##########
!
end

3 Replies

bstockslager
Level 1

Also, I forgot to add that traffic on VLAN 1 works; no other VLANs are able to get to the internet, though.

Hi Blake,

I don't see any flaws right now but I will keep on looking. However, this configuration is strange:

ip nat pool ovrld 1.1.1.1 1.1.1.1 netmask 255.255.255.240

Why wouldn't you just do it without the nat pool? :

ip nat inside source list 10 interface FastEthernet0/0 overload

I have never configured it that way when I used only one IP address, but maybe it is completely all right; I haven't tested it, so I can't really say.

BUT

I strongly discourage you from defining the default route in this manner:

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

With this type of configuration, a router performs ARP on the FastEthernet0/0 for every destination the router finds through the default route because the router considers all of these destinations as directly connected to FastEthernet0/0.

This kind of default route, especially if it is used by a lot of packets to many different destination subnets, can cause high processor utilization and a very large ARP cache (along with attendant memory allocation failures).

Instead, please specify the IP address of the next hop:

ip route 0.0.0.0 0.0.0.0 1.1.1.2

(just a guess that 1.1.1.2 is IP of your next-hop router on that interface)

Moreover, with Proxy-ARP disabled on the next-hop router, without specifying the default route with an IP address on your router, you may not even get outside your network at all!

This may be the root of some ( if not all ) of your problems.

If you want more information regarding this topic, please see

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800ef7b2.shtml

One more thing: clarify that the problem lies in NAT by issuing:

show ip nat translations

If you do have correct translations there, the problem is not in NAT configuration, but maybe in the definition of default route.

Please, provide us with the show ip nat translations output. Thanks!

Best regards,

Jan

Umesh Shetty
Level 1

Hi Blake,

If you are using the same IP address, i.e. 1.1.1.1, for NATting all 4 VLANs, can you try using a single source list with all 4 subnets included in it and the same overload pool, rather than using 4 NAT pools and 4 source lists? If you are observing that only VLAN 1 gets NATted, it may be the case that only the first NAT pool "ovrld" is functioning and the others aren't. Using only a single NAT pool and a single source list will even simplify the config. Please use the config as mentioned below.

ip nat pool ovrld 1.1.1.1 1.1.1.1 netmask 255.255.255.240

access-list 10 permit 10.0.0.0 0.0.0.63

access-list 10 permit 10.128.1.128 0.0.0.63

access-list 10 permit 10.10.30.0 0.0.0.255

access-list 10 permit 10.10.40.0 0.0.0.255

ip nat inside source list 10 pool ovrld overload

The rest of the config looks fine. If you still see the issue, try correcting the default route as Jan suggested and try avoiding the NAT pool by using the statement below.

ip nat inside source list 10 interface FastEthernet0/0 overload

HTH !!!

Regards

Umesh Shetty
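The two checks raised in the replies (is every 'ip nat inside' subnet actually permitted by an ACL that a NAT rule references, and does the default route name a next-hop IP rather than just an exit interface) can be run against a saved copy of the running config before touching the router. The following Python script is an added example, not code from the thread or from Cisco: it parses the relevant lines of a config, reports those two problems, and prints the single-ACL, interface-overload replacement both replies propose. The sample config embedded in it is constructed from the NAT-relevant lines of the configuration posted above; the function names and the choice of ACL number 10 for the consolidated list are the example's own.

```python
"""Audit a Cisco IOS NAT-overload config (added example, not from the thread).

Reports 'ip nat inside' subnets that no NAT-referenced ACL permits and a
default route that names only an exit interface, then emits the single-ACL
replacement the replies suggest.
"""
import ipaddress

# Constructed sample: the NAT-relevant lines of the posted configuration,
# with the one-space indentation IOS prints under 'interface' stanzas.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.240
 ip nat outside
interface FastEthernet0/1.1
 ip address 10.0.0.62 255.255.255.192
 ip nat inside
interface FastEthernet0/1.2
 ip address 10.128.1.129 255.255.255.192
 ip nat inside
interface FastEthernet0/1.30
 ip address 10.10.30.128 255.255.255.0
 ip nat inside
interface FastEthernet0/1.40
 ip address 10.10.40.128 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip nat inside source list 10 pool ovrld overload
ip nat inside source list 20 pool ovrld2 overload
ip nat inside source list 30 pool ovrld3 overload
ip nat inside source list 40 pool ovrld4 overload
access-list 10 permit 10.0.0.0 0.0.0.63
access-list 20 permit 10.128.1.128 0.0.0.63
access-list 30 permit 10.10.30.0 0.0.0.255
access-list 40 permit 10.10.40.0 0.0.0.255
"""


def acl_source(tokens):
    """Standard-ACL source ('any' | 'host A' | 'A WILDCARD' | 'A') -> IPv4Network.
    IOS wildcards are inverted masks (0.0.0.0 = one host), so invert explicitly
    rather than letting ipaddress guess whether a mask is a netmask or hostmask."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tokens[0] == "host" or len(tokens) == 1:
        return ipaddress.IPv4Network(f"{tokens[-1]}/32")
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1])))
    return ipaddress.IPv4Network(f"{tokens[0]}/{netmask}", strict=False)


def parse_config(text):
    """Return (interfaces, acls, nat_acl_numbers, default_route_targets)."""
    ifaces, acls, nat_lists, default_routes, cur = [], {}, set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():      # an unindented line ends the current stanza
            cur = None
        if line.startswith("interface "):
            cur = {"name": line.split()[1], "net": None, "inside": False, "outside": False}
            ifaces.append(cur)
        elif cur and line.startswith("ip address "):
            addr, mask = line.split()[2:4]
            cur["net"] = ipaddress.IPv4Interface(f"{addr}/{mask}").network
        elif cur and line in ("ip nat inside", "ip nat outside"):
            cur[line.split()[-1]] = True
        elif line.startswith("access-list "):
            tokens = line.split()
            # standard numbered ACLs only (1-99, 1300-1999); deny entries select nothing for NAT
            if tokens[1].isdigit() and tokens[2] == "permit" and (int(tokens[1]) < 100 or 1300 <= int(tokens[1]) < 2000):
                acls.setdefault(tokens[1], []).append(acl_source(tokens[3:]))
        elif line.startswith("ip nat inside source list "):
            nat_lists.add(line.split()[5])
        elif line.startswith("ip route 0.0.0.0 0.0.0.0 "):
            default_routes.append(line.split()[4])
    return ifaces, acls, nat_lists, default_routes


def audit(text):
    """Return a list of findings; empty when the NAT/routing config passes both checks."""
    ifaces, acls, nat_lists, default_routes = parse_config(text)
    findings = []
    permitted = [net for acl in nat_lists for net in acls.get(acl, [])]
    for i in ifaces:
        if i["inside"] and i["net"] is not None and not any(i["net"].subnet_of(p) for p in permitted):
            findings.append(f"{i['name']}: {i['net']} is 'ip nat inside' but no NAT-referenced ACL permits it")
    for acl in sorted(nat_lists - set(acls)):
        findings.append(f"NAT rule references access-list {acl}, which has no permit entries (implicit deny)")
    for hop in default_routes:
        try:
            ipaddress.IPv4Address(hop)
        except ValueError:  # not an address, so the route names an exit interface only
            findings.append(f"default route points at interface {hop} with no next-hop IP; "
                            "the router will ARP for every Internet destination")
    return findings


def consolidated_nat(text, acl_number=10):
    """Emit one ACL covering every inside subnet plus a single interface-overload rule."""
    ifaces, _, _, _ = parse_config(text)
    outside = next(i["name"] for i in ifaces if i["outside"])
    lines = [f"access-list {acl_number} permit {i['net'].network_address} {i['net'].hostmask}"
             for i in ifaces if i["inside"] and i["net"] is not None]
    lines.append(f"ip nat inside source list {acl_number} interface {outside} overload")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("\nSuggested replacement:")
    print(consolidated_nat(SAMPLE_CONFIG))
```

On the posted config the script finds nothing wrong with ACL coverage (each 'ip nat inside' subnet is permitted by the list its NAT rule references) and flags only the interface-only default route, which matches Jan's reading of the thread. It inspects the static configuration only; it does not replace `show ip nat translations` on the live router, which is still the way to confirm whether translations are actually being built for the other VLANs.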
