NAT Outside on 2 Subinterfaces

Profitcisco1
Level 1

Hi,

I have configured a 2651xm router on a Cat3550 (router on a stick).

See config of router below.

I'm unable to see the net on one of the subinterfaces, fe 0/0.2. It does work on fe 0/0.4.


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-672148328
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-672148328
revocation-check none
rsakeypair TP-self-signed-672148328
!
!
crypto pki certificate chain TP-self-signed-672148328
certificate self-signed 01
        quit
!
!
archive
log config
  hidekeys
!
!
!
!
!
interface FastEthernet0/0
description Trunk to 3550 FE 0/1
no ip address
speed 100
full-duplex
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
!
interface FastEthernet0/0.2
description Link to ISP1
encapsulation dot1Q 2
ip address 192.168.0.253 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/0.4
description Link To ISP2
encapsulation dot1Q 4
ip address 192.168.4.253 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/1
description Internal LAN
ip address 192.168.223.253 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.4.1
ip route 0.0.0.0 0.0.0.0 192.168.0.1 10
ip route 192.168.0.0 255.255.255.0 FastEthernet0/0.2
ip route 192.168.4.0 255.255.255.0 FastEthernet0/0.4
!
ip http server
ip http secure-server
ip nat source route-map ISP2 interface FastEthernet0/0.4 overload
ip nat source route-map ISP1 interface FastEthernet0/0.2 overload
!
access-list 100 permit ip 192.168.223.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
route-map ISP1 permit 10
match ip address 100
match interface FastEthernet0/0.2
!
route-map ISP2 permit 10
match ip address 100
match interface FastEthernet0/0.4
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

Router#

I can ping both gateways:

Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms


Router#ping 192.168.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Below are some traceroutes.

Router#traceroute www.google.com.au source fastEthernet 0/0.4

Type escape sequence to abort.
Tracing the route to www.l.google.com (66.102.11.104)

  1 192.168.4.1 4 msec 4 msec 4 msec
  2 loopback1.ken10.sydney.telstra.net (165.228.2.1) 28 msec 24 msec 28 msec
  3 TenGigE0-1-0-2.ken-core4.Sydney.telstra.net (203.50.20.1) 28 msec 24 msec 24 msec
  4 Bundle-Ether1.ken39.Sydney.telstra.net (203.50.6.146) 24 msec 24 msec 24 msec
  5 72.14.222.5 24 msec 24 msec 28 msec
  6 66.249.95.232 24 msec 24 msec 28 msec
  7 64.233.174.242 28 msec 36 msec 36 msec
  8 www.l.google.com (66.102.11.104) 24 msec 24 msec 28 msec

Router#traceroute www.google.com.au source fastEthernet 0/0.2

Type escape sequence to abort.
Tracing the route to www.l.google.com (66.102.11.104)

  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
30  *  *  *

Why can't I see the net on Fe 0/0.2?
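One thing to check against the config above (this is an added example, not code from the thread): the two default routes carry different administrative distances, so IOS installs only the lowest one and the other floats, and a NAT route-map whose "match interface" names the idle outside interface cannot be hit while the primary route is up. The script below parses a constructed excerpt of the posted config and reports which NAT route-map is actually usable.

```python
# Added example (not from the thread): model which static default route IOS
# installs and which NAT route-map can therefore match. CONFIG is an excerpt
# of the config posted above, reduced to the lines that matter.
import ipaddress

CONFIG = """
interface FastEthernet0/0.2
 ip address 192.168.0.253 255.255.255.0
interface FastEthernet0/0.4
 ip address 192.168.4.253 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.4.1
ip route 0.0.0.0 0.0.0.0 192.168.0.1 10
ip nat source route-map ISP2 interface FastEthernet0/0.4 overload
ip nat source route-map ISP1 interface FastEthernet0/0.2 overload
route-map ISP1 permit 10
 match interface FastEthernet0/0.2
route-map ISP2 permit 10
 match interface FastEthernet0/0.4
"""

def parse(cfg):
    """Collect connected subnets, default routes (AD, next hop), NAT route-map names and each route-map's matched interface."""
    nets, defaults, natmaps, matches, cur = {}, [], [], {}, None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] in ("interface", "route-map"):
            cur = t[1]
        elif t[:2] == ["ip", "address"]:
            nets[cur] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
        elif t[:3] == ["ip", "route", "0.0.0.0"]:
            defaults.append((int(t[5]) if len(t) > 5 else 1, t[4]))  # static AD defaults to 1
        elif t[:4] == ["ip", "nat", "source", "route-map"]:
            natmaps.append(t[4])
        elif t[:2] == ["match", "interface"]:
            matches[cur] = t[2]
    return nets, defaults, natmaps, matches

def active_egress(nets, defaults):
    """Only the lowest-AD default route is installed; return the interface owning its next hop's subnet."""
    _, nh = min(defaults)
    return next(name for name, net in nets.items() if ipaddress.ip_address(nh) in net)

def nat_map_status(cfg=CONFIG):
    """True if the route-map's matched interface is the active egress, i.e. the
    translation can actually be used while the primary default route is up."""
    nets, defaults, natmaps, matches = parse(cfg)
    egress = active_egress(nets, defaults)
    return {m: matches[m] == egress for m in natmaps}

if __name__ == "__main__":
    print(nat_map_status())  # {'ISP2': True, 'ISP1': False}
```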

20 Replies

I have made the following changes

no ip sla monitor 1
no ip sla monitor 2
!
ip sla monitor 1
 type echo protocol ipIcmpEcho 192.168.0.1 source-interface FastEthernet0/0.2
ip sla monitor schedule 1 life forever start-time now
!
ip sla monitor 2
 type echo protocol ipIcmpEcho 192.168.4.1 source-interface FastEthernet0/0.4
ip sla monitor schedule 2 life forever start-time now

and it appears to be working.

But as mentioned before, I want it to ping an external host to ensure the route is active up to the ISP's gateway.

Hi,

You need to make sure your router can ping those two Internet addresses for IP SLA tracking to work.

You said 192.168.4.1 and 192.168.0.1 are the internal ISP routers.

Do you mean you can telnet to these boxes, or are they managed by your ISP?

You should make sure these two devices are doing NAT for your private address.

KK.

Thanks for your assistance. The IP SLA is not working. However, the IP CLASSLESS command is no longer showing in the config.
I have added it multiple times but it doesn't show when I do a show run.
I can ping remote hosts from the router using both fe 0/0.2 and 0/0.4. However, nothing works from 0/1 - internal LAN.
This is due to ip classless, correct?

Provided solution by Security SS.

Yes you can NAT on subinterfaces

int e0
 ip nat outside
int e1/0.1
 ip nat inside
int e2/0.2
 ip nat inside
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 172.20.0.0 0.0.255.255 any
!
ip nat inside source list 101 interface e0 overload


A subinterface is a logical interface, i.e. for Ethernet you need an encapsulation dot1Q (802.1q) or ISL (Cisco proprietary).

The requirement is that the IOS and the hardware support it. As a rule of thumb, a FastEthernet interface will usually support VLANs and subinterfaces. If you have support, the configuration would look like this:

interface FastEthernet0/0.100
 description to ISP
 encapsulation dot1Q 100
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/0.200
 description inside LAN
 encapsulation dot1Q 200
 ip address 10.10.1.1 255.255.255.0
 ip nat inside

The maximum "speed of a subinterface" will be given by the physical interface, i.e. both subinterfaces in the example above share the 100Mbps of the physical interface.

Configuration examples and explanations can be found, for example, in "Routing Between VLANs Overview" and subsequent sections at

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00800ca801.html
