03-15-2013 08:16 AM - edited 03-04-2019 07:18 PM
Hey Everyone,
I'm trying to configure my Cisco 3725 to NAT overload between four subnets in RFC 1918 space. It's a slash 26 internal NAT network. I'm trying to figure out why I'm not getting out. Maybe I have a VLAN or access-list problem? Here's my configuration:
Thanks!
-------------------------------------------------------
Current configuration : 2940 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname JohnStark
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.65
ip dhcp excluded-address 192.168.1.129
ip dhcp excluded-address 192.168.1.193
!
ip dhcp pool DanLAN
network 192.168.1.0 255.255.255.192
domain-name DanLAN
default-router 192.168.1.1
dns-server 8.8.8.8 192.168.1.1
!
ip dhcp pool JoeLAN
network 192.168.1.64 255.255.255.192
domain-name JoeLAN
default-router 129.168.1.65
dns-server 8.8.8.8
!
ip dhcp pool ExperimentLAN
network 192.168.1.128 255.255.255.192
default-router 192.168.1.129
dns-server 8.8.8.8
!
ip dhcp pool ManagementLAN
network 192.168.1.192 255.255.255.192
default-router 192.168.1.193
!
ip name-server 8.8.8.8
ip audit po max-events 100
!
!
!
!
!
interface FastEthernet0/0
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
switchport access vlan 100
no ip address
!
interface FastEthernet1/1
switchport access vlan 100
no ip address
!
interface FastEthernet1/2
no ip address
shutdown
!
interface FastEthernet1/3
no ip address
shutdown
!
interface FastEthernet1/4
no ip address
shutdown
!
interface FastEthernet1/5
no ip address
shutdown
!
interface FastEthernet1/6
no ip address
shutdown
!
interface FastEthernet1/7
no ip address
shutdown
!
interface FastEthernet1/8
no ip address
shutdown
!
interface FastEthernet1/9
no ip address
shutdown
!
interface FastEthernet1/10
no ip address
shutdown
!
interface FastEthernet1/11
no ip address
shutdown
!
interface FastEthernet1/12
no ip address
shutdown
!
interface FastEthernet1/13
no ip address
shutdown
!
interface FastEthernet1/14
no ip address
shutdown
!
interface FastEthernet1/15
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 10.0.0.2 255.255.255.0
ip access-group 10 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
!
interface Vlan100
ip address 192.168.1.1 255.255.255.192
ip access-group 10 in
!
interface Vlan200
ip address 192.168.1.65 255.255.255.192
!
interface Vlan300
ip address 192.168.1.129 255.255.255.192
!
interface Vlan400
ip address 192.168.1.193 255.255.255.192
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
no ip http server
no ip http secure-server
!
access-list 10 remark Permitted Subnets allowed to internet
access-list 10 permit 0.0.0.0 255.255.255.0
access-list 10 permit any
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
---------------------------------------------------------------------------
03-15-2013 08:30 AM
Hi Joe,
If I understand correctly, you want your privately addressed subnets to be able to access the internet behind Fa0/0, is that correct?
In that case, your Vlan10, Vlan100, Vlan200, Vlan300 and Vlan400 shall be configured with ip nat inside (note that your Vlan10 is currently configured with ip nat outside and other SVIs are not configured for NAT at all).
Next, your ACL 10 is not correct. Usage of permit any is not supported for NAT deployments - you have always to be more specific about your networks. My suggestion is to remove ACL 10 altogether and rework it like:
access-list 10 remark Permitted subnets allowed to access internet
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
Lastly, is your default route correct? It uses a next hop of 1.1.1.1 - is this next-hop IP correct?
Do you believe you could try this out?
Best regards,
Peter
03-15-2013 08:58 AM
Peter I'll give it a try tonight. Thanks!
03-15-2013 03:36 PM
Hi Peter,
Your suggestions worked great. I was able to get it working on one VLAN. As I started adding others, DHCP stopped working by not handing out addresses. That's one of the last requirements I need. Any ideas? Here's the updated config:
-------------------------------------------------------
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname JohnStark
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.65
ip dhcp excluded-address 192.168.1.129
ip dhcp excluded-address 192.168.1.193
!
ip dhcp pool DanLAN
network 192.168.1.0 255.255.255.192
domain-name DanLAN
default-router 192.168.1.1
dns-server 192.168.1.1 8.8.8.8
!
ip dhcp pool JoeLAN
network 192.168.1.64 255.255.255.192
domain-name JoeLAN
default-router 129.168.1.65
dns-server 192.168.1.1 8.8.8.8
!
ip dhcp pool ExperimentLAN
network 192.168.1.128 255.255.255.192
default-router 192.168.1.129
dns-server 192.168.1.1 8.8.8.8
!
ip dhcp pool ManagementLAN
network 192.168.1.192 255.255.255.192
default-router 192.168.1.193
dns-server 192.168.1.1 8.8.8.8
!
ip name-server 8.8.8.8
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
switchport access vlan 100
no ip address
!
interface FastEthernet1/1
switchport access vlan 100
no ip address
!
interface FastEthernet1/2
switchport access vlan 100
no ip address
!
interface FastEthernet1/3
switchport access vlan 100
no ip address
!
interface FastEthernet1/4
switchport access vlan 100
no ip address
!
interface FastEthernet1/5
switchport access vlan 100
no ip address
!
interface FastEthernet1/6
switchport access vlan 100
no ip address
!
interface FastEthernet1/7
switchport access vlan 100
no ip address
!
interface FastEthernet1/8
switchport access vlan 200
no ip address
!
interface FastEthernet1/9
switchport access vlan 200
no ip address
!
interface FastEthernet1/10
switchport access vlan 200
no ip address
!
interface FastEthernet1/11
switchport access vlan 200
no ip address
!
interface FastEthernet1/12
switchport access vlan 300
no ip address
!
interface FastEthernet1/13
switchport access vlan 300
no ip address
!
interface FastEthernet1/14
switchport access vlan 400
no ip address
!
interface FastEthernet1/15
switchport access vlan 400
no ip address
!
interface Vlan1
no ip address
!
interface Vlan100
ip address 192.168.1.1 255.255.255.192
ip access-group 10 in
ip nat inside
!
interface Vlan200
ip address 192.168.1.65 255.255.255.192
ip access-group 10 in
ip nat inside
!
interface Vlan300
ip address 192.168.1.129 255.255.255.192
ip access-group 10 in
ip nat inside
!
interface Vlan400
ip address 192.168.1.193 255.255.255.192
ip access-group 10 in
ip nat inside
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip classless
!
ip dns server
no ip http server
no ip http secure-server
!
access-list 10 remark Permitted subnets allowed to access the internet
access-list 10 permit 192.168.1.0 0.0.0.255
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
---------------------------------------------------------------------
03-16-2013 01:37 AM
Hi,
Can you get rid of the ip access-group 10 on the SVIs? I even wonder how DHCP is working on one VLAN, because the DISCOVER message has a source IP of 0.0.0.0 and it should get matched by the implicit deny statement in the ACL and so should get dropped.
Regards
Alain
Don't forget to rate helpful posts.
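The two ACL points raised in this thread (Peter's objection to permit any in the NAT list, and Alain's observation that a DHCP DISCOVER with source 0.0.0.0 falls through to the implicit deny) can be checked offline by modelling how a numbered standard IOS ACL evaluates a source address: top-down, first match wins, unmatched traffic is denied. The Python below is an added example written for this page; it is not code from Cisco or from any poster. The three access-list texts are copied from the configurations posted above, except FINAL_ACL, which is an assumption: my reading of J's closing note as two host entries for 0.0.0.0 and 255.255.255.255. The sample source addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Model of a numbered standard IOS access list (1-99): entries are evaluated
# top-down, the first matching entry decides, and a packet that matches
# nothing hits the implicit "deny any" at the end of every ACL. A standard
# ACL inspects only the source address, which is why a DHCP DISCOVER is
# judged purely on its 0.0.0.0 source.


@dataclass(frozen=True)
class Entry:
    action: str     # "permit" or "deny"
    address: str    # dotted-quad address
    wildcard: str   # dotted-quad wildcard mask; a 1 bit means "don't care"

    def matches(self, src: str) -> bool:
        # Bits that are 0 in the wildcard must be equal between entry and packet.
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(self.wildcard))
        return (int(ipaddress.IPv4Address(self.address)) & care) == (
            int(ipaddress.IPv4Address(src)) & care
        )


def parse_acl(lines: Iterable[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny ...' lines; remark lines are skipped."""
    entries = []
    for line in lines:
        t = line.split()
        if t[2] == "remark":
            continue
        action = t[2]
        if t[3] == "any":
            entries.append(Entry(action, "0.0.0.0", "255.255.255.255"))
        elif t[3] == "host":
            entries.append(Entry(action, t[4], "0.0.0.0"))
        else:
            # A bare address with no wildcard is a host entry (wildcard 0.0.0.0).
            entries.append(Entry(action, t[3], t[4] if len(t) > 4 else "0.0.0.0"))
    return entries


def evaluate(entries: List[Entry], src: str) -> str:
    for e in entries:
        if e.matches(src):
            return e.action
    return "deny"  # implicit deny at the end of every IOS ACL


def permitted_sources(entries: List[Entry], candidates: Iterable[str]) -> List[str]:
    return [s for s in candidates if evaluate(entries, s) == "permit"]


# ACL 10 exactly as posted in the first configuration.
ORIGINAL_ACL = parse_acl([
    "access-list 10 remark Permitted Subnets allowed to internet",
    "access-list 10 permit 0.0.0.0 255.255.255.0",
    "access-list 10 permit any",
])

# ACL 10 as posted in the second configuration, after Peter's rework.
REWORKED_ACL = parse_acl([
    "access-list 10 remark Permitted subnets allowed to access the internet",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
])

# ASSUMPTION: J's closing note says permit rules for 0.0.0.0 and
# 255.255.255.255 were added; they are modelled here as host entries.
FINAL_ACL = REWORKED_ACL + parse_acl([
    "access-list 10 permit 0.0.0.0",
    "access-list 10 permit 255.255.255.255",
])

DHCP_DISCOVER_SRC = "0.0.0.0"  # the client has no address yet

# Constructed sample sources: the DISCOVER, two LAN clients from the posted
# /26 subnets, and two sources outside every internal subnet (stray or spoofed).
SAMPLE_SOURCES = [DHCP_DISCOVER_SRC, "192.168.1.70", "192.168.1.130",
                  "10.0.0.5", "8.8.8.8"]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL),
                      ("reworked", REWORKED_ACL),
                      ("final", FINAL_ACL)):
        print(f"{name:9s} permits: {permitted_sources(acl, SAMPLE_SOURCES)}")
```

Two things the model makes visible that the thread only states. First, the original ACL permits every source, including 8.8.8.8 arriving inbound on an SVI, so as a NAT list it would try to translate anything and as an interface filter it filters nothing; its first entry, with wildcard 255.255.255.0, keys on the last octet alone and matches 10.5.5.0 but not 10.5.5.7. Second, the reworked ACL is a sound NAT list but, applied inbound on the SVIs, drops the DISCOVER from 0.0.0.0 exactly as Alain describes. Note also that in the posted configuration ACL 10 is both the inbound filter on each SVI and the list named in ip nat inside source list 10, so the host entries added to fix DHCP also widen what NAT will translate; a separate ACL for each purpose keeps the packet filter and the translation policy independent.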
03-16-2013 07:06 AM
Cadet Alain,
That was it! The DHCP offers weren't getting back with the current access-list. I added a permit rule for both 255.255.255.255 and 0.0.0.0. It seemed to solve my issues. Cheers!
J