NAT overload issue with InterVLAN/Router on a stick

Eric Webber
Level 1

I have a stacked pair of 3750s connected to a 2811, which is connected to a cable modem. I also have a C6100 with each node's NICs teamed to a cross-stack EtherChannel trunk allowing all VLANs. Each node is a Hyper-V host, with host management separated out by vNICs into VLAN IDs < 100 and guest OSEs tagged with IDs 100-200. Everything with an ID < 100 (except 10) is set to stay within the stack, with 100-200 trunked to the 2811 for potential NAT overloading to the outside world.

From the router, I can ping the switch and its VLAN IPs, the ISP-assigned GW and 8.8.8.8. I can even ping the guest on VLAN 200. The guest can ping the router's IP but no further. It looks as though NAT is set correctly, so I'm really at a loss. Any assistance would be much appreciated!

!
interface FastEthernet0/0
 description INTERNET
 ip address 74.A.B.C 255.255.255.248
 ip access-group INTERNET_DMZ in
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 zone-member security Internet
 duplex full
 speed auto
 no cdp enable
!
!
interface FastEthernet0/1.200
 description DMZ
 encapsulation dot1Q 200
 ip address 192.168.200.1 255.255.255.0
 ip access-group DMZ_INTERNET in
 ip nat inside
 ip virtual-reassembly in
 zone-member security DMZ
!
!
ip default-gateway 74.A.B.E
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list NAT_SOURCE interface FastEthernet0/0 overload
!
ip access-list standard NAT_SOURCE
 permit 192.168.200.0 0.0.0.255
 permit 172.16.100.0 0.0.0.255
 permit 172.16.110.0 0.0.0.255
 deny   any
!
ip access-list extended DMZ_INTERNET
 permit ip 192.168.200.0 0.0.0.255 any log
 deny   ip any any

 

2811A#sho ip nat stat
Total active translations: 4 (0 static, 4 dynamic; 4 extended)
Peak translations: 92, occurred 4d04h ago
Outside interfaces:
  FastEthernet0/0
Inside interfaces:
  FastEthernet0/1.200
Hits: 68730  Misses: 0
CEF Translated packets: 3429, CEF Punted packets: 62754
Expired translations: 19383
Dynamic mappings:
-- Inside Source
[Id: 12] access-list NAT_SOURCE interface FastEthernet0/0 refcount 4

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
2811A#

2811A#sho ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
udp 74.A.B.C:58842     192.168.200.101:58842 8.8.4.4:53     8.8.4.4:53
udp 74.A.B.C.62:58842  192.168.200.101:58842 8.8.8.8:53     8.8.8.8:53
udp 74.A.B.C:61722     192.168.200.101:61722 8.8.4.4:53     8.8.4.4:53
udp 74.A.B.C:61722     192.168.200.101:61722 8.8.8.8:53     8.8.8.8:53
2811A#

2811A#sho ip access-lis
Standard IP access list NAT_SOURCE
    10 permit 192.168.200.0, wildcard bits 0.0.0.255 (7686 matches)
    20 permit 172.16.100.0, wildcard bits 0.0.0.255
    30 permit 172.16.110.0, wildcard bits 0.0.0.255
    40 deny   any (93 matches)
Extended IP access list DMZ_INTERNET
    10 permit ip 192.168.200.0 0.0.0.255 any log (2242 matches)
    100 deny ip any any (1153 matches)
Extended IP access list INTERNET_DMZ
    10 permit udp any eq domain any (28 matches)
    11 permit icmp any any (95 matches)
    20 permit tcp any any established (59 matches)
    100 deny ip any any log (1488 matches)
2811A#

Accepted Solution

cadet alain
VIP Alumni

Hi,

First, do this:

int f0/0
 no ip access-group INTERNET_DMZ in

Then, if it still doesn't work, post the full config, because I don't see the zone-based firewall policy.

 

Regards

 

Alain

Don't forget to rate helpful posts.
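Why the zones matter: once an interface carries `zone-member security`, traffic between two different zones is dropped unless a zone-pair with an inspect policy exists for that direction. Traffic sourced by the router itself (the self zone) is not subject to that default drop, which is exactly the symptom in the thread: the 2811 can ping out, but a host behind FastEthernet0/1.200 cannot. The following is an added example, not part of the original post or the accepted answer. It reuses only the zone names `DMZ` and `Internet` from the interface config above; the class-map, policy-map and zone-pair names are assumed. It permits DMZ hosts to initiate TCP, UDP and ICMP sessions to the Internet and lets the inspect engine return the replies, so the stateless `INTERNET_DMZ` ACL on FastEthernet0/0 is no longer needed for return traffic.

```ios
! Added example (not the original poster's config). Zone names come from
! the interface config in the thread; all other names are assumptions.
!
! Match any TCP, UDP or ICMP session; NAT overload needs all three.
class-map type inspect match-any DMZ-TO-INTERNET-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Statefully inspect matched sessions (return traffic is allowed
! automatically), log and drop everything else.
policy-map type inspect DMZ-TO-INTERNET-POLICY
 class type inspect DMZ-TO-INTERNET-CLASS
  inspect
 class class-default
  drop log
!
! Bind the policy to the DMZ -> Internet direction. Without this pair
! inter-zone traffic is dropped by default, even though NAT is correct.
zone-pair security DMZ-TO-INTERNET source DMZ destination Internet
 service-policy type inspect DMZ-TO-INTERNET-POLICY
!
! The inbound ACL on the outside interface is stateless and would block
! UDP replies other than DNS; the inspect policy replaces it.
interface FastEthernet0/0
 no ip access-group INTERNET_DMZ in
```

To confirm the policy is attached and actually seeing flows, use `show zone-pair security` and, after a guest on VLAN 200 generates traffic, `show policy-map type inspect zone-pair sessions`; an entry for the guest's inside address should appear there alongside its translation in `show ip nat translations`. Keep the matching deliberately broad only while troubleshooting, then narrow it to the protocols the DMZ actually needs.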


The zones!  I had set them in CCP and forgotten all about them.  Much appreciated.
