
No internet access from VLANs

stephenpark
Level 1

Hi, I'm very new to CISCO switches.

Recently my company installed a 3650 gigabit switch, and I connected it to our Internet line, which has a static address. I added 2 VLANs: one for Servers, two for Office PCs.

Now, inter-VLAN routing is no problem, but all connected PCs on the VLANs have no internet access.

I also made an additional VLAN, which is assigned only one dedicated port that is connected to our internet.

 

Briefly show the VLANS:

VLAN 1 : default

VLAN 100 : Servers - G1/0/1-12

ip address 100.100.100.1 255.255.255.0

ip nat inside

VLAN 200 : Offices - G1/0/13-22

ip address 100.100.200.1 255.255.255.0

ip nat inside

VLAN 300 : WAN - G1/0/24

ip address 121.133.31.150 255.255.255.192

ip nat outside

 

And I set ACL for:

access-list 1 permit 100.100.100.0 0.0.0.255

access-list 2 permit 100.100.200.0 0.0.0.255

ip nat inside source list 1 interface vlan 300 overload

ip nat inside source list 2 interface vlan 300 overload

ip route 0.0.0.0 0.0.0.0 121.133.31.194

 

Also there is DHCP server running:

ip dhcp excluded-address 100.100.100.1

ip dhcp excluded-address 100.100.200.1

ip dhcp pool VLAN_Server

network 100.100.100.0 255.255.255.0

default-router 100.100.100.1

dns-server 8.8.8.8

lease infinite

ip dhcp pool VLAN_Office

network 100.100.200.0 255.255.255.0

default-router 100.100.200.1

dns-server 8.8.8.8

lease infinite

 

Inter-VLAN communication is all right.

Only, none of the VLANs can get out to the internet, which is connected to VLAN 300.

I need all the experts' advice...

Thanks in advance!

1 Accepted Solution


Hi, 

I think the best router is Cisco 4451 ISR.  The Cisco 4451 ISR has 1Gb throughput upgradable to 2Gb.

 

https://www.cisco.com/c/en/us/products/routers/4000-series-integrated-services-routers-isr/models-comparison.html

 

Regards,

Deepak Kumar

Don't forget to vote and accept the solution if this comment will help you!


19 Replies

amikat
Level 7

Hi,

Your interface Vlan 300 ip address is not within the same subnet as the default route; will you please adjust.

Best regards,

Antonin 
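
The subnet mismatch raised in the reply above can be checked mechanically. The following Python code is an added example, not part of the original thread: the `interface VlanNNN` stanzas are a constructed sample built from the addresses quoted in the question, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: interface stanzas built from the addresses in the question.
SAMPLE_CONFIG = """\
interface Vlan100
 ip address 100.100.100.1 255.255.255.0
interface Vlan200
 ip address 100.100.200.1 255.255.255.0
interface Vlan300
 ip address 121.133.31.150 255.255.255.192
ip route 0.0.0.0 0.0.0.0 121.133.31.194
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
ADDR_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)")
ROUTE_RE = re.compile(r"^ip route\s+(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)")


def connected_networks(config):
    """Map interface name -> directly connected IPv4 network."""
    nets, current = {}, None
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group(1)
        elif (m := ADDR_RE.match(line)) and current:
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            nets[current] = iface.network
    return nets


def check_static_routes(config):
    """Return (prefix, next_hop, egress_interface_or_None) per static route."""
    nets = connected_networks(config)
    results = []
    for line in config.splitlines():
        if m := ROUTE_RE.match(line):
            prefix = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            hop = ipaddress.ip_address(m.group(3))
            # A next hop is usable only if it sits inside a connected subnet.
            egress = next((n for n, net in nets.items() if hop in net), None)
            results.append((prefix, hop, egress))
    return results


if __name__ == "__main__":
    for name, net in connected_networks(SAMPLE_CONFIG).items():
        print(f"{name}: {net} (hosts {net[1]}-{net[-2]})")
    for prefix, hop, egress in check_static_routes(SAMPLE_CONFIG):
        print(f"{prefix} via {hop}: {egress or 'next hop not on any connected subnet'}")
```

With the mask 255.255.255.192, the Vlan300 address falls in 121.133.31.128/26 while the gateway falls in 121.133.31.192/26, so the default route's next hop is reported as not directly connected.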

Hello amikat,

Thanks for your suggestion.

However, the VLAN 300 IP address is not something I can change.

This address is given by the internet provider (static IPv4 address), and comes directly from the fiber cable to the cable modem. What the provider sent us is all I have:

 

"You can set your IP address like shown below:

address : 121.133.31.150

subnet : 255.255.255.192

gateway : 121.133.31.194" -> this is probably fiber modem's address

 

This cable is connected to gi1/0/24.

When I connect my PC directly to this modem with the given address set, it works fine.

So, I'm trying to figure out how to route 100.100.100.xxx (vlan 100) and 100.100.200.xxx (vlan 200) to vlan 300.

With just this vlan 300 connected to the modem, I can "ping 8.8.8.8 repeat 500" without problem.

I can also ping the PCs connected at 100.100.100.xxx and 100.100.200.xxx.

Again, I can ping from a PC with address 100.100.100.xxx to 100.100.200.xxx and to the IP address of vlan 300 with no problem, but I can't ping from the PC to the gateway (121.133.31.194).

Sorry that I'm very new to VLANs and routing functions, and to CISCO as well....

Let me know how I can make it work in this environment.

Perhaps posting the entire config, sanitized if necessary, and the output of "show version" would be helpful in determining a solution.

Thanks

This text file has all the configuration and version info.

Hope it will be helpful for your advice!

 

Hi,

Without knowing the details of your configuration will you please just TRY to change your interface vlan 300 ip address to 121.133.31.193 with the same mask (255.255.255.192) and see if there is any progress.

Thanks & Regards,

Antonin

I've tried to set the vlan 300 IP address as you said, but this address is fixed by the provider, so it doesn't work. I even changed the subnet mask from 255.255.255.192 to 255.255.255.0, the same as the other vlans, and that doesn't work either.

Hi

As I remember this switch model does not support NAT, it is supported on Routers, Firewalls and robust switches like: 65xx, 68xx and 9K switches only.

 

Some NAT commands can be executed on the switches but they will not work. The following link is an example of the devices supporting NAT (not updated). Other models like the Cisco 3850 don't support NAT either.

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/29283-166.html

 

Hope it is useful

:-)

 




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other members of the community. <<

Ah, yes, thanks for your link to the list of NAT-capable switches.

According to this information, indeed there is no 3650-24PS model included.

That means I can't use "ip nat inside" or "ip nat outside"...

 

If so, is there any way to route internet access from internal vlan devices?

I'm almost desperate to figure out how to do it.

Sure, there is an easy way: add a small router on top of this 3650 switch and connect to it.

Or even a small SOHO-type 4-port internet router to connect.

 

But what I find is that there is no working "PORT FORWARDING" command either!

"ip nat inside source static tcp 100.100.100.100 80 121.141.31.150 extendable"

If it does not work, it is really hard to connect our web server to this switch vlan group.

Sure, I could set up port forwarding from the "Router" to this "Switch".

But again, I can't assign a port forward from the router-connected uplink port to a vlan.

Need good advice!

 

Hi,

 

As you mentioned, the solution will be adding a router into the mix, which will be assigned the VLAN 300 range. This router will then perform the NAT/port forwarding functions you want.

In terms of the LAN, it would be best to create a new VLAN and SVI (interface vlan) for this on the switch. This new range will then be what you use for the LAN interface on the router. You will then configure a new default route on the switch, pointing it to the router's LAN interface. One last thing to keep in mind is that your router will need a route to reach the LAN networks via the switch as well.

Hope that helps
Nathan
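
The routing described in the reply above (switch default route to the router's LAN interface, plus router routes back to the LAN networks) can be modelled to show what breaks when the return routes are missing. This Python code is an added example, not part of the original thread: the transit addresses in 100.100.250.0/30, the `provider-gateway` placeholder, and all function names are assumptions, and the reply lookup models the packet after the router's NAT has restored the client address.

```python
import ipaddress

# Assumed addressing for the new transit VLAN (hypothetical, not from the thread).
SWITCH_SVI = "100.100.250.1"   # new SVI on the 3650
ROUTER_LAN = "100.100.250.2"   # router's LAN interface
ISP = "provider-gateway"       # placeholder for the provider-assigned next hop


def table(entries):
    return [(ipaddress.ip_network(prefix), hop) for prefix, hop in entries]


def lookup(routes, dst):
    """Longest-prefix match: next hop, 'connected', or None if no route."""
    dst = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, hop) for net, hop in routes if dst in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None


# Switch: the two LAN SVIs from the thread, the transit SVI, default to the router.
SWITCH = table([
    ("100.100.100.0/24", "connected"),
    ("100.100.200.0/24", "connected"),
    ("100.100.250.0/30", "connected"),
    ("0.0.0.0/0", ROUTER_LAN),
])


def router_table(with_lan_routes):
    entries = [("100.100.250.0/30", "connected"), ("0.0.0.0/0", ISP)]
    if with_lan_routes:  # the routes back to the LAN networks via the switch
        entries += [("100.100.100.0/24", SWITCH_SVI),
                    ("100.100.200.0/24", SWITCH_SVI)]
    return table(entries)


def round_trip(client, remote, router):
    """Next hops used outbound (client to remote) and for the reply."""
    outbound = [lookup(SWITCH, remote), lookup(router, remote)]
    reply = [lookup(router, client)]
    if reply[0] == SWITCH_SVI:
        reply.append(lookup(SWITCH, client))
    ok = outbound == [ROUTER_LAN, ISP] and reply == [SWITCH_SVI, "connected"]
    return ok, outbound, reply


if __name__ == "__main__":
    for label, rt in (("with LAN routes", True), ("without LAN routes", False)):
        print(label, round_trip("100.100.200.50", "8.8.8.8", router_table(rt)))
```

Without the LAN routes the router matches only its default route for the client address, so the reply is sent back toward the provider instead of the switch.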

Hi

You could consider the Cisco 800 Router model to take the NAT role and create a router-on-a-stick scheme for your VLANs. When selecting the router you must take into consideration the amount of traffic to pass through; the 800 model is for small businesses or branches.

 

https://www.cisco.com/c/dam/assets/prod/routers/cisco-router-selector/index.html

 

Hope it is useful

:-)





Deepak Kumar
VIP Alumni

Hi, 

The switch will not support NAT. Please go with any router. 

 

Regards,

Deepak Kumar


Hi,
Could you please tell me which model of router could fit my needs? We need web/app/database access from clients. The app will do simple messaging and push services. We are expecting 100,000 individuals to access it, but not simultaneously. Perhaps 1,000 to 2,000 simple data exchanges and push messages through our server at the same time, at maximum. Any suggestion would be a big help for me. Thanks!

Hi, 

How much WAN bandwidth?

 

Regards,

Deepak Kumar


We have a contract with the provider for one 1G fiber line with a static IP address.

I think for our application, 1G bandwidth is enough.
