
NAT(PAT) two VLANs on ir829 with wireless bridge

VisAviS
Level 1

Hello. I'm new to working with Cisco. Please help me with the configuration of the ir829 router with the built-in wireless module ap803. I need to get internet access on ir829 from another router (non-Cisco) through the dot11radio0 interface. I used the "station role work-group bridge universal [Mac]" configuration, and it worked for me. Now I need to configure NAT (PAT) to connect vlan1 (internal network) with vlan2 (external network). I have an ir829 with DHCP and vlan1 configured as 192.168.0.1/24. The router with the internet connection has the IP 192.168.1.1/24. I tried the following configuration:

ir829:
!
interface Wlan-GigabitEthernet0
switchport mode trunk
no ip address
!
interface Vlan1
ip address 192.168.0.220 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Vlan2
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip nat inside source list LANINSIDE interface Vlan1 overload
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip access-list extended LANINSIDE
permit ip 192.168.1.0 0.0.0.255 any

ap803:
!
dot11 ssid test
authentication open
!
interface Dot11Radio0
no ip address
!
ssid test
!
antenna gain 0
station-role workgroup-bridge universal ecce.13f9.db80
bridge-group 1
bridge-group 1 spanning-disabled

However, in this case, users had internet access through ir829, but DHCP was provided by the parent router (192.168.1.1/24). I need ir829 to have its own DHCP. I tried modifying the configuration as follows:

ir829:
!
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp pool LAN
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 8.8.8.8
!
interface Wlan-GigabitEthernet0
switchport mode trunk
no ip address
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 192.168.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
ip nat inside source route-map MYNAT interface Vlan2 overload
!
ip access-list extended MYNAT
permit ip 192.168.0.0 0.0.0.255 any
!

The dot11radio0 interface is located on the ap803 side, so I'm configuring it through vlan2 (192.168.1.1/24).
Now, the parent router indicates that packets are being sent and received, but the users on ir829 don't have internet access.


ip nat inside source list 1 interface Vlan2 overload
!
ip access-list standard 1
Permit 192.168.0.0 0.0.0.255

That's all you need.

I tried to change the configuration as you instructed. Now it appears as follows:

ir829:
!
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp pool LAN
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 8.8.8.8
!
interface Wlan-GigabitEthernet0
switchport mode trunk
no ip address
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 192.168.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
ip nat inside source list 1 interface Vlan2 overload
!
ip access-list standard 1
Permit 192.168.0.0 0.0.0.255
Permit 192.168.1.0 0.0.0.255

However, the problem persists. The users of the IR829 router do not have an internet connection. The packets are still being sent and received on the parent router. I can successfully ping the IP address of the parent router (192.168.1.1) from my laptop (192.168.0.100) which is connected to the IR829. However, there is no internet connectivity.

 

Sorry, the ACL of NATing must include only Vlan1 (192.168.0.0 255.255.255.0)

I already tried only VLAN1.

!
ip nat inside source list 1 interface Vlan2 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255


There is no internet connection again.
I noticed that when I ping 192.168.1.1 from my laptop (192.168.0.100), it goes through.
When I ping 192.168.1.1 from ir829 (192.168.0.1), it also goes through.
However, when I try to ping from ap803, it doesn't work.

ap#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.0.1 14 ecce.13f9.db80 ARPA BVI1
Internet 192.168.0.2 - 687d.b435.41ce ARPA BVI1
Internet 192.168.1.1 14 90f6.5276.acca ARPA BVI1
ap#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


And I am accessing the internet through the ap803 interface dot11Radio0.
Maybe I should add 'ip route' or 'ip default-gateway' on the ap803 side?

Can you share the last config?

Please find attached my last config files.

Hello
I see your NAT domains have been swapped around, which is incorrect: vlan 1 should be set as outside and vlan 2 inside.

Also, if you already have a DHCP server on the network providing IP allocation for that subnet, you need to be careful not to duplicate it, as you could incur duplicate addressing.

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

As I understood from the NAT (PAT) manuals, "Here, any match interface with access-list 1 will be translated with overload to the outgoing interface IP address of Router 1."
In my case, the outgoing interface IP address of IR829 is 192.168.1.1, which is the IP address of the parent router.
My internal VLAN on IR829 with a DHCP server is 192.168.0.1/24, and I have specified it in access-list 1.
That's why I swapped the positions of "ip nat inside" and "ip nat outside".
If I have misunderstood the manual, please let me know.
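
A static sanity check for the PAT configuration discussed in this thread, as an added example that is not part of any poster's message and not a Cisco tool: it parses the second ir829 configuration from the original post (condensed and embedded as a sample) and reports inconsistencies that can be read off the text alone. The function name `lint_pat`, the finding labels and the `UPSTREAM_GW` constant are assumptions made for this example.

```python
import re
from ipaddress import ip_address, ip_interface
# Constructed sample: the second ir829 configuration from the post, condensed.
CONFIG = """\
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
ip nat inside source route-map MYNAT interface Vlan2 overload
!
ip access-list extended MYNAT
 permit ip 192.168.0.0 0.0.0.255 any
"""
UPSTREAM_GW = "192.168.1.1"  # parent router address as stated in the post

def lint_pat(config, upstream_gw):
    findings, ifaces, cur = [], {}, None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"interface (\S+)", s):
            cur = ifaces.setdefault(m.group(1), {"addr": None, "nat": None})
        elif s == "!":
            cur = None
        elif cur is not None and (m := re.match(r"ip address (\S+) (\S+)$", s)):
            cur["addr"] = ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif cur is not None and (m := re.match(r"ip nat (inside|outside)$", s)):
            cur["nat"] = m.group(1)
    rule = re.search(r"^\s*ip nat inside source (list|route-map) (\S+) "
                     r"interface (\S+) overload", config, re.M)
    if rule:
        kind, name, out_if = rule.groups()
        # "source route-map X" needs a route-map named X; an ACL named X is not one.
        if kind == "route-map" and not re.search(
                rf"^\s*route-map {re.escape(name)}\b", config, re.M):
            findings.append("route-map-undefined")
        out = ifaces.get(out_if)
        if out is None or out["nat"] != "outside":
            findings.append("overload-interface-not-outside")
        # The translated source address must not be the next hop's own address.
        if out and out["addr"] is not None and out["addr"].ip == ip_address(upstream_gw):
            findings.append("outside-ip-equals-upstream-gateway")
    if not re.search(r"^\s*ip route 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M):
        findings.append("no-static-default-route")
    return findings

print(lint_pat(CONFIG, UPSTREAM_GW))
```

The check only reads the static configuration; it says nothing about how the ap803 bridges Vlan2 to the radio, which still has to be confirmed on the device.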
