
Pat configuration on Router

Hello

 

I need a PAT configuration for 2 inside networks to 2 different global addresses. So how can I do this?

One internal network should PAT to one global address and the other network to the second global address.

I can only configure PAT to the interface or to a global pool. When I take the pool, the router would take some kind of global addresses.

Please help me

 

Thanks

 


Yes, because I made a new config with the Cisco Configuration Professional. I did a reset and configured the router anew. Then I used other IPs and I had the same problem.

So is it possible that it can PAT to a pool only on the layer 3 ports?

With the switchport I can only PAT to the interface.

Raimund

 

As far as I know you should be able to NAT on any L3 interface.

The switchport is L2 but you have a L3 interface for that vlan on your router so it should work as far as I can see.

I have certainly used NAT on SVIs (vlan interfaces) before so I can't see why it wouldn't work.

From your output though the destination is 192.168.50.x not an internet IP so I'm still not sure how you have set it up.

Perhaps you can post the configuration you were using and explain where 192.168.50.x was, i.e. is it on the same device, is it on another device, etc.

Jon

Here is the complete config

 

Building configuration...

Current configuration : 3478 bytes
!
! Last configuration change at 11:54:19 UTC Tue Feb 3 2015 by XXX
!
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
service compress-config
service sequence-numbers
!
hostname Testrouter
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_list local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network local_list local
!
!
!
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
!
!
ip dhcp pool *** DHCP Server1 ***
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 195.3.96.67 195.3.96.68
   lease 0 1
!
ip dhcp pool *** DHCP Server2 ***
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 195.3.96.67 195.3.96.68
   lease 0 1
!
ip dhcp pool *** DHCP Server3 ***
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 195.3.96.67 195.3.96.68
   lease 0 1
!
!
!
ip cef
ip domain name test.com
ip name-server 195.3.96.67
ip name-server 195.3.96.68
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO1841 sn FCZ110474DC
username XXXXX privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
!
!
interface FastEthernet0/0
 description *** Outside ***
 ip address 188.20.243.229 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 ip nat inside
 ip virtual-reassembly in
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
 switchport access vlan 20
!
interface FastEthernet0/1/2
 switchport access vlan 30
!
interface FastEthernet0/1/3
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan20
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan30
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat pool Wlan 188.20.243.228 188.20.243.228 netmask 255.255.255.0
ip nat pool Internal 188.20.243.226 188.20.243.226 netmask 255.255.255.0
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source list 101 pool Internal overload
ip nat inside source list 102 pool Wlan overload
ip route 0.0.0.0 0.0.0.0 188.20.243.225 permanent
!
logging esm config

access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
end

 

 

Where are you trying to ping from and to when it doesn't work ie. source and destination IPs.

Jon

I connected a PC to the interfaces FastEthernet0/1/0 to FastEthernet0/1/2 and pinged www.google.com. It doesn't work on any interface.

 

Raimund

 

Can the PCs ping each other ?

Can you post a "sh ip int brief" from your router ?

Jon

Yes, they can ping and I can also ping the gw on every vlan.

 

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            188.20.243.229  YES manual up                    up
FastEthernet0/1            unassigned      YES manual administratively down down
FastEthernet0/1/0          unassigned      YES manual up                    up
FastEthernet0/1/1          unassigned      YES unset  down                  down
FastEthernet0/1/2          unassigned      YES unset  down                  down
FastEthernet0/1/3          unassigned      YES unset  up                    down
NVI0                       unassigned      NO  unset  up                    up
Vlan1                      192.168.0.1     YES manual up                    down
Vlan20                     192.168.1.1     YES manual up                    down
Vlan30                     192.168.3.1     YES manual up                    down

 

I'm not sure how you can ping them because all your interfaces are down except for fa0/0 and fa0/1/0.

Did you create the vlans in the vlan database in the router ?

If not you need to.

Jon

Sorry, one notebook was going to sleep when I copied it.

Yes the vlans are created in the vlan.dat

 

Testrouter#show vlan-switch

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1/0, Fa0/1/3
20   VLAN0020                         active    Fa0/1/1
30   VLAN0030                         active    Fa0/1/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

 

Is this a typo in your config -

ip nat inside source list 100 interface FastEthernet0/1 overload

ie. the interface is wrong should be fa0/0

But that still doesn't explain why you cannot access from the other vlans.

So if you do a "clear ip nat translations *" and then try to connect from either a vlan 20 or vlan 30 client what does the translation table show ie.

"sh ip nat translations"

Jon
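The interface check raised in the reply above can be automated. The following is an added example, not code from the thread or from Cisco: a small Python lint that reads `show running-config` text and reports source-NAT rules whose overload interface is not an active `ip nat outside` interface, and configurations with no usable `ip nat inside` interface. The function names are hypothetical, the sample is abridged from the first posted configuration, and only numbered `access-list` entries are recognised.

```python
import re

# Constructed sample, abridged from the first configuration posted in the thread.
FIRST = """\
interface FastEthernet0/0
 ip address 188.20.243.229 255.255.255.240
 ip nat outside
interface FastEthernet0/1
 no ip address
 ip nat inside
 shutdown
interface Vlan20
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source list 100 interface FastEthernet0/1 overload
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
"""

def parse_ios(config):  # -> (interface states, NAT rules, defined ACL ids)
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"nat": None, "up": True, "ip": False})
        elif raw.startswith(" ") and cur is not None:  # interface sub-command
            if line in ("ip nat inside", "ip nat outside"):
                cur["nat"] = line.split()[-1]
            cur["up"] = cur["up"] and line != "shutdown"
            cur["ip"] = cur["ip"] or line.startswith("ip address ")
        else:
            cur = None
    rules = re.findall(r"^ip nat inside source list (\S+) (interface|pool) (\S+)", config, re.M)
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    return ifaces, rules, acls

def lint_nat(config):
    """List mismatches between source-NAT rules and the interfaces they rely on."""
    ifaces, rules, acls = parse_ios(config)
    out = [f"list {a}: access-list is not defined" for a, _, _ in rules if a not in acls]
    if rules and not any(i["nat"] == "inside" and i["up"] and i["ip"] for i in ifaces.values()):
        out.append("no active, addressed interface has 'ip nat inside'")
    for acl, kind, target in rules:
        if kind == "interface":
            i = ifaces.get(target, {"nat": None, "up": False, "ip": False})
            if i["nat"] != "outside":
                out.append(f"list {acl}: {target} is not an 'ip nat outside' interface")
            if not (i["up"] and i["ip"]):
                out.append(f"list {acl}: {target} is shut down or has no address")
    return out
```

Calling `lint_nat(FIRST)` returns two findings for list 100; an empty list means none of these checks fired, not that translation is guaranteed to work.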

Sorry, I have now changed the interface to fa0/0. This was only a typo.

Now it is OK.

Now I only had vlan20 and the interface up but it doesn't work. I get an IP from the DHCP and can ping the gw.

I cannot ping anything outside.

 

000826: *Feb  3 15:32:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1/1, changed state to up
000827: *Feb  3 15:32:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up

 

Testrouter#show ip nat translations

Testrouter#

 

Testrouter#debug ip nat
IP NAT debugging is on
Testrouter#
000828: *Feb  3 15:39:31.649: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.68
000829: *Feb  3 15:39:32.661: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.67
000830: *Feb  3 15:39:33.673: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.68
000831: *Feb  3 15:39:33.933: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.68
000832: *Feb  3 15:39:33.937: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.68
000833: *Feb  3 15:39:34.937: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.67
000834: *Feb  3 15:39:34.941: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.67
000835: *Feb  3 15:39:35.689: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.67
000836: *Feb  3 15:39:35.689: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.68
000837: *Feb  3 15:39:35.953: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.68
000838: *Feb  3 15:39:35.953: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.68
000839: *Feb  3 15:39:37.965: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.67
000840: *Feb  3 15:39:37.965: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.68
000841: *Feb  3 15:39:37.969: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.67
000842: *Feb  3 15:39:37.969: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.68
000843: *Feb  3 15:39:39.697: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.67
000844: *Feb  3 15:39:39.697: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.68
000845: *Feb  3 15:39:41.977: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.67
000846: *Feb  3 15:39:41.977: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.67
000847: *Feb  3 15:39:41.977: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.68
000848: *Feb  3 15:39:41.977: NAT: translation failed (A), dropping packet s=192.168.1.3 d=195.3.96.68no deb
Testrouter#no debug ip nat
IP NAT debugging is off
Testrouter#

 

Okay, leave it with me for a while and I'll run a few tests.

I honestly can't see an issue with your config at the moment but it's clearly not working.

I'll see if I can emulate the problem although I don't have an 1841 to test with but the principle should be the same.

Jon

Thanks a lot.

 

I will test it with the cable from the internal to the switchport interface.

 

 

I have tested this configuration.

Still the same. No NAT between subinterface and outside. I get an IP address and can ping the gw but no NAT.

I changed the NAT to the pool and it is the same. No NAT. Strange.

 

interface FastEthernet0/0
 description *** Outside ***
 ip address 188.20.243.229 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 10
 ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/1/0
 switchport mode trunk
!
interface FastEthernet0/1/1
 switchport access vlan 10
!
interface FastEthernet0/1/2
 switchport access vlan 10
!
interface FastEthernet0/1/3
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat pool Wlan 188.20.243.228 188.20.243.228 netmask 255.255.255.252
ip nat inside source list 100 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 188.20.243.225 permanent
!
logging esm config
access-list 100 permit ip 192.168.0.0 0.0.0.255 any