05-07-2014 08:55 AM - edited 03-04-2019 10:56 PM
I have a stacked pair of 3750s connected to a 2811 which is connected to a cable modem. I also have a C6100 with each node NIC teamed to a cross-stack EtherChannel trunk allowing all VLANs. Each node is a Hyper-V host with the host management separated out by vNICs into VLAN IDs < 100 and guest OSEs tagged with IDs 100-200. Everything with ID < 100 (except 10) is set to stay within the stack, with 100-200 trunked to the 2811 for potential NAT overloading to the outside world.
From the router, I can ping the switch and its VLAN IPs, the ISP-assigned GW and 8.8.8.8. I can even ping the guest on VLAN 200. The guest can ping the router's IP but no further. It looks as though NAT is set correctly, so I'm really at a loss. Any assistance would be much appreciated!
!
interface FastEthernet0/0
description INTERNET
ip address 74.A.B.C 255.255.255.248
ip access-group INTERNET_DMZ in
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security Internet
duplex full
speed auto
no cdp enable
!
!
interface FastEthernet0/1.200
description DMZ
encapsulation dot1Q 200
ip address 192.168.200.1 255.255.255.0
ip access-group DMZ_INTERNET in
ip nat inside
ip virtual-reassembly in
zone-member security DMZ
!
!
ip default-gateway 74.A.B.E
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list NAT_SOURCE interface FastEthernet0/0 overload
ip access-list standard NAT_SOURCE
permit 192.168.200.0 0.0.0.255
permit 172.16.100.0 0.0.0.255
permit 172.16.110.0 0.0.0.255
deny any
!
ip access-list extended DMZ_INTERNET
permit ip 192.168.200.0 0.0.0.255 any log
deny ip any any
2811A#sho ip nat stat
Total active translations: 4 (0 static, 4 dynamic; 4 extended)
Peak translations: 92, occurred 4d04h ago
Outside interfaces:
FastEthernet0/0
Inside interfaces:
FastEthernet0/1.200
Hits: 68730 Misses: 0
CEF Translated packets: 3429, CEF Punted packets: 62754
Expired translations: 19383
Dynamic mappings:
-- Inside Source
[Id: 12] access-list NAT_SOURCE interface FastEthernet0/0 refcount 4
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
2811A#
2811A#sho ip nat trans
Pro Inside global Inside local Outside local Outside global
udp 74.A.B.C:58842 192.168.200.101:58842 8.8.4.4:53 8.8.4.4:53
udp 74.A.B.C:58842 192.168.200.101:58842 8.8.8.8:53 8.8.8.8:53
udp 74.A.B.C:61722 192.168.200.101:61722 8.8.4.4:53 8.8.4.4:53
udp 74.A.B.C:61722 192.168.200.101:61722 8.8.8.8:53 8.8.8.8:53
2811A#
2811A#sho ip access-lis
Standard IP access list NAT_SOURCE
10 permit 192.168.200.0, wildcard bits 0.0.0.255 (7686 matches)
20 permit 172.16.100.0, wildcard bits 0.0.0.255
30 permit 172.16.110.0, wildcard bits 0.0.0.255
40 deny any (93 matches)
Extended IP access list DMZ_INTERNET
10 permit ip 192.168.200.0 0.0.0.255 any log (2242 matches)
100 deny ip any any (1153 matches)
Extended IP access list INTERNET_DMZ
10 permit udp any eq domain any (28 matches)
11 permit icmp any any (95 matches)
20 permit tcp any any established (59 matches)
100 deny ip any any log (1488 matches)
2811A#
05-07-2014 11:26 AM
Hi,
first do this:
int f0/0
no ip access-group INTERNET_DMZ in
Then if it still doesn't work post the full config because I don't see the Zone-based firewall policy.
Regards
Alain
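The zone-based firewall policy Alain is asking about, as an added example that is not from the thread: with `zone-member security Internet` on f0/0 and `zone-member security DMZ` on f0/1.200 but no zone-pair between them, IOS drops everything crossing from DMZ to Internet, while the router's own traffic (the self zone) is permitted by default. That fits the symptoms above exactly: the 2811 can ping 8.8.8.8, the guest can reach the router and nothing beyond it. The zone names come from the posted config; the class-map, policy-map and zone-pair names are assumed.

```ios
! Added example, not from the original post. Zone names Internet and DMZ are
! the ones in the posted config; DMZ_TO_INTERNET_CLASS, DMZ_TO_INTERNET_POLICY
! and DMZ-INTERNET are assumed names.
class-map type inspect match-any DMZ_TO_INTERNET_CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect DMZ_TO_INTERNET_POLICY
 class type inspect DMZ_TO_INTERNET_CLASS
  inspect
 class class-default
  drop log
!
zone security Internet
zone security DMZ
!
! Only the DMZ -> Internet direction gets a policy. Stateful inspection admits
! the return packets, and with no Internet -> DMZ zone-pair every unsolicited
! inbound connection stays blocked.
zone-pair security DMZ-INTERNET source DMZ destination Internet
 service-policy type inspect DMZ_TO_INTERNET_POLICY
!
interface FastEthernet0/0
 zone-member security Internet
!
interface FastEthernet0/1.200
 zone-member security DMZ
!
```

Two things worth checking once this is in. First, the inbound ACL INTERNET_DMZ on f0/0 is evaluated before the zone policy, so if it stays it must still admit the replies the firewall expects; with inspection in place its `permit udp any eq domain any` and `established` lines are no longer needed, and the former is a real hole, since any outside host can reach a translated inside port simply by sourcing from UDP 53. Second, `ip default-gateway` only takes effect when IP routing is disabled; a router that forwards (and NATs) between interfaces needs a default route such as `ip route 0.0.0.0 0.0.0.0 74.A.B.E` or a learned one, so that is the line to look for in the full config if the guest still gets no further than the router.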
05-07-2014 11:53 AM
The zones! I had set them in CCP and forgotten all about them. Much appreciated.
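An offline check for the mistake that bit the original poster, as an added example that is not code from the thread: it reads an IOS config, collects the zone each interface belongs to and every `zone-pair security ... service-policy type inspect ...` stanza, and reports, for each direction between zones in use, whether the zone-based firewall will forward or drop. The first sample is the interface and NAT section pasted above (constructed, trimmed to what the check needs); the second is the same config with a DMZ to Internet zone-pair added under assumed names. Treating `!` lines and a short list of top-level keywords as block boundaries is an assumption made so that configs pasted without indentation, like the one above, parse as well as indented ones.

```python
"""Added example (not code from the thread): detect zone-member interfaces
whose traffic has no zone-pair/inspect policy in a given direction.  Under the
IOS zone-based firewall such traffic is dropped; only the router's own
(self-zone) traffic passes by default.  Block detection on '!' and a few
top-level keywords is an assumption so unindented pastes parse too."""

import re
from itertools import permutations

# Top-level commands that end an interface or zone-pair block when the config
# has lost its indentation (assumed list, extend as needed).
BLOCK_STARTS = ("zone security ", "class-map ", "policy-map ", "ip access-list ",
                "ip nat inside source ", "ip default-gateway ", "ip route ")

# Constructed sample: the interface and NAT lines from the original post,
# trimmed to what the check needs (no zone-pair anywhere).
POSTED_CONFIG = """\
interface FastEthernet0/0
description INTERNET
ip address 74.A.B.C 255.255.255.248
ip nat outside
zone-member security Internet
!
interface FastEthernet0/1.200
description DMZ
encapsulation dot1Q 200
ip address 192.168.200.1 255.255.255.0
ip nat inside
zone-member security DMZ
!
ip nat inside source list NAT_SOURCE interface FastEthernet0/0 overload
"""

# Constructed sample: the same config with a DMZ->Internet zone-pair added
# (zone-pair and policy names are assumed, not from the thread).
FIXED_CONFIG = POSTED_CONFIG + """\
zone-pair security DMZ-INTERNET source DMZ destination Internet
 service-policy type inspect DMZ_TO_INTERNET_POLICY
!
"""


def parse_zones(config):
    """Return (interface -> zone, zone-pair name -> [src, dst, policy or None])."""
    members, pairs, block = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text:
            continue
        if text.startswith("!"):
            block = None            # '!' separates blocks in IOS configs
            continue
        m = re.match(r"interface\s+(\S+)$", text)
        if m:
            block = ("if", m.group(1))
            continue
        m = re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", text)
        if m:
            block = ("pair", m.group(1))
            pairs[m.group(1)] = [m.group(2), m.group(3), None]
            continue
        if text.startswith(BLOCK_STARTS):
            block = None            # some other top-level stanza began
            continue
        if block and block[0] == "if":
            m = re.match(r"zone-member security (\S+)$", text)
            if m:
                members[block[1]] = m.group(1)
        elif block and block[0] == "pair":
            m = re.match(r"service-policy type inspect (\S+)$", text)
            if m:
                pairs[block[1]][2] = m.group(1)
    return members, pairs


def zone_pair_status(config):
    """For every ordered pair of zones that have member interfaces, say whether
    the firewall forwards traffic in that direction and why."""
    members, pairs = parse_zones(config)
    by_direction = {(src, dst): policy for src, dst, policy in pairs.values()}
    status = {}
    for src, dst in permutations(sorted(set(members.values())), 2):
        if (src, dst) not in by_direction:
            status[(src, dst)] = "no zone-pair: dropped"
        elif by_direction[(src, dst)] is None:
            status[(src, dst)] = "zone-pair without inspect policy: dropped"
        else:
            status[(src, dst)] = "inspect " + by_direction[(src, dst)]
    return status


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name)
        for (src, dst), verdict in zone_pair_status(cfg).items():
            print(f"  {src} -> {dst}: {verdict}")
```

Run against the posted config it reports both directions as dropped; against the fixed one it reports DMZ to Internet as inspected and Internet to DMZ still dropped, which is the intended state, since inspection admits the replies and nothing unsolicited from outside should reach VLAN 200.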