
NAT problem on VLAN's subnets or Routing

maciej.lisinski
Level 1

Hello Folks,

I have an ISR 4431 router with built-in interfaces and a NIM-ES2-8-P Cisco 8-Port Gigabit Ethernet Switch.

The problem is with NAT translation for VLAN 55 and VLAN 66. I can ping from computers in 192.168.66.0/24 or 192.168.55.0/24 to 192.168.1.0/24 and vice versa.

I can ping from 192.168.66.0/24 or 192.168.55.0/24 to the outside interface address 99.99.99.210 without any problem.

The problem is that I can't access the Internet from 192.168.66.0/24 or 192.168.55.0/24.

The strange thing is that I can see translations in the NAT table, but no packets go out to the Internet:

sh ip nat trans | inc 192.168.66.10
tcp 99.99.99.210:12690 192.168.66.10:49571 40.126.31.139:443 40.126.31.139:443
tcp 99.99.99.210:12105 192.168.66.10:49579 178.255.155.167:443 178.255.155.167:443
tcp 99.99.99.210:11436 192.168.66.10:3389 194.61.24.62:53437 194.61.24.62:53437
tcp 99.99.99.210:12114 192.168.66.10:49580 217.146.21.137:443 217.146.21.137:443
tcp 99.99.99.210:11033 192.168.66.10:49588 213.227.185.137:80 213.227.185.137:80
tcp 99.99.99.210:13609 192.168.66.10:49585 192.168.0.12:502 192.168.0.12:502
icmp 99.99.99.210:5 192.168.66.10:3 8.8.8.8:3 8.8.8.8:5
tcp 99.99.99.210:12151 192.168.66.10:49590 188.172.219.147:80 188.172.219.147:80

What is wrong with my config?


Interfaces configuration:

WAN side

interface GigabitEthernet0/0/0
description WAN 
ip address 99.99.99.210 255.255.255.252
ip nat outside
ip nbar protocol-discovery
ip access-group 130 in
zone-member security out-zone
negotiation auto
crypto map VPN-SAP-TO-GERMANY
spanning-tree portfast disable


LAN side

interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip nbar protocol-discovery
ip access-group 171 in
zone-member security in-zone
ip policy route-map Gig0/0-IN
negotiation auto
spanning-tree portfast disable


interface GigabitEthernet0/1/0
switchport mode trunk


interface Vlan55
ip address 192.168.55.1 255.255.255.0
ip nat inside
zone-member security in-zone
!
interface Vlan66
ip address 192.168.66.1 255.255.255.0
ip nat inside
ip access-group 171 in
zone-member security in-zone
ip virtual-reassembly


NAT

ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/0/0 overload


route-map NAT_ISP1 permit 10
match ip address 151
match interface GigabitEthernet0/0/0


access-list 151 deny ip host 192.168.1.27 10.10.80.0 0.0.0.255
access-list 151 deny ip 192.168.1.0 0.0.0.255 10.10.80.0 0.0.0.255
access-list 151 permit ip 192.168.1.0 0.0.0.255 any
access-list 151 permit ip 192.168.2.0 0.0.0.255 any
access-list 151 permit ip 192.168.66.0 0.0.0.255 any
access-list 151 deny ip any any
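As an added example (not code from the thread), a small Python checker that evaluates the posted ACL 151 the way the router does, first match wins with an implicit deny at the end, for a host in each inside subnet; a packet has to be permitted by this ACL for route-map NAT_ISP1 to translate it. Run on the ACL above it reports 192.168.1.0/24 and 192.168.66.0/24 as matched, 192.168.55.0/24 as falling through to the deny, and the 10.10.80.0/24 exclusions as not translated. The probe host (the .10 address of each subnet) and 8.8.8.8 as the Internet destination are assumptions.

```python
import ipaddress
# NAT ACL 151 exactly as posted in the thread above.
ACL_151 = """\
access-list 151 deny ip host 192.168.1.27 10.10.80.0 0.0.0.255
access-list 151 deny ip 192.168.1.0 0.0.0.255 10.10.80.0 0.0.0.255
access-list 151 permit ip 192.168.1.0 0.0.0.255 any
access-list 151 permit ip 192.168.2.0 0.0.0.255 any
access-list 151 permit ip 192.168.66.0 0.0.0.255 any
access-list 151 deny ip any any
"""
def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask.
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    """Return the ACL as an ordered list of (action, src_net, dst_net) entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # only extended 'ip' entries are modelled here
        action = tokens[2]
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries

def acl_permits(entries, src_ip, dst_ip):
    """First matching entry wins; every ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False

def nat_coverage(acl_text, subnets, internet_dst="8.8.8.8"):
    """For each inside subnet, report whether a host in it would be matched for translation."""
    entries = parse_acl(acl_text)
    result = {}
    for cidr in subnets:
        probe = str(ipaddress.ip_network(cidr)[10])  # assumed probe host, e.g. 192.168.66.10
        result[cidr] = acl_permits(entries, probe, internet_dst)
    return result
```

Call `nat_coverage(ACL_151, ["192.168.1.0/24", "192.168.55.0/24", "192.168.66.0/24"])` to get a per-subnet True/False map; the same check is worth repeating on any ACL a `match ip address` line in a NAT route-map points at whenever a new VLAN is added.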


Accepted Solution

Hi Seb,

I'm going blind: my ZBF rules blocked traffic from the VLANs' subnets.

I was sure the problem was with NAT and I focused on it. Thanks for kicking my mind in the other direction.

Best regards,

Mac.


3 Replies

Seb Rupik
VIP Alumni

Hi there,

Can you share the configuration for ACL 130 and also your ZBF?


cheers,

Seb.


Hello,

A zone-based firewall and access lists applied to interfaces that are members of a security zone do not work well together. I would suggest removing all access lists from all interfaces. And, as Seb said, post the full running config of your router...
