
PAT to the internet does not work

Dimitri_Toronto
Level 1

Good day,

I seem to have an issue with the routing/NAT. In my virtual test lab I have traffic that is not able to go out to the internet.

From sw06 it goes through a Palo Alto in vWire mode to the edge router R10. This node has a DHCP interface towards the internet, and I did add a default route to dhcp.

I configured a subinterface on VLAN 192 allowing all tagging to be allowed. I added static routes pointing towards SW06 for the internal subnets.

From sw06 I can source-ping the router gateway IP (192.168.10.1) and the DHCP address (192.168.140.144), but not 192.168.140.1 on the other side, which is a Meraki switch. The output of debugging NAT and IP packets on R10 shows up as "route failed".

Switch#sh ip access-lists 7
Standard IP access list 7
10 permit 192.168.10.0, wildcard bits 0.0.0.255 log (29 matches)
20 permit 172.16.0.0, wildcard bits 0.0.0.255 log
30 permit 172.16.10.0, wildcard bits 0.0.0.255 log (25 matches)
40 permit 172.16.32.0, wildcard bits 0.0.0.255 log

 

hostname R10

!
interface Ethernet0/0
no switchport
ip address dhcp
ip nat outside
!
interface Ethernet0/1.192
encapsulation dot1Q 192
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
ip nat inside source list 7 interface Ethernet0/0 overload
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip route 172.16.0.0 255.255.255.0 192.168.10.252
ip route 172.16.10.0 255.255.255.0 192.168.10.252
ip route 172.16.32.0 255.255.255.0 192.168.10.252
!
access-list 7 permit 192.168.10.0 0.0.0.255 log
access-list 7 permit 172.16.0.0 0.0.0.255 log
access-list 7 permit 172.16.10.0 0.0.0.255 log
access-list 7 permit 172.16.32.0 0.0.0.255 log
!

! second router (R6, judging by the replies below): default route towards R10
ip forward-protocol nd
!
ip http server
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1

What is wrong?

19 Replies

Hello @Dimitri_Toronto 
First of all, thanks for the updated topology, as now we have a better understanding of your network.
It looks like between RTR6 & RTR10 the routing is correct (static routes), so the next step would be to either advertise both of these routers' subnets towards the Meraki or, in your case, double NAT on RTR10, and I believe the double NAT on RTR10 is what you are trying to accomplish?

As suggested by @Richard Burts, on RTR10 you seem to be missing a NAT access-list for the RTR6-10 networks, so as a test please add the following and let us know the results:

RTR10
ip access-list extended NAT-ACL
permit ip host 172.16.0.1 any
permit ip 172.16.10.0 0.0.0.255 any
permit ip 172.16.32.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any

no ip nat inside source list 7 interface Ethernet0/0 overload
ip nat inside source list NAT-ACL interface Ethernet0/0 overload

RTR6
no ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip route 0.0.0.0 0.0.0.0 vlan192 192.168.10.1


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

It was very helpful, but I still cannot get to the internet via any of the hosts on R6. I didn't want to use a double NAT, as it has been known to cause issues. When I traceroute from my wifi connection I see 3 RFC1918 addresses before a routable address appears. If you care to do a TeamViewer session, you could check for yourself.


Hello


@Dimitri_Toronto wrote:

It was very helpful, but I still cannot get to the internet via any of the hosts on R6. I didn't want to use a double NAT, as it has been known to cause issues. When I traceroute from my wifi connection I see 3 RFC1918 addresses before a routable address appears. If you care to do a TeamViewer session, you could check for yourself.

Hmm, a wifi host behind R6? Isn't the wifi subnet 192.168.120.0/24, which resides on the Meraki MX? If so, how can it reside on R6 also?
Can you show that host's traceroute and also its IP addressing (including DNS)?


Kind Regards
Paul

Hi,

 

I want to offer my gratitude to everyone that offered their feedback. The solution was in 3 parts:

1) the default route had to be interface and next hop on both R6 and R10,

2) the DHCP interface on R10 was redone as a static IP,

3) on the Cisco 3750G, I made the mistake of making it L3 instead of keeping it as L2, as it was intended to be. I deleted the 2 VLAN interfaces and kept the device as an access switch.

 

To add context, the reason I have 2 L2 switches daisy-chained is that I ran out of ports on the Meraki L2 switch. In hindsight, I should have segmented the network from the start with a dedicated port on the Meraki firewall with its own VLAN and IP addressing.
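As an added example (not code from this thread or from Cisco), here is a small Python script that models the two things the question and the final solution turned on: whether a packet has a route out of R10 at all (the "route failed" debug output), and whether its source is matched by the NAT ACL so that PAT to the outside interface applies. It parses the R10 config pasted in the question, does a longest-prefix route lookup (resolving next hops to an egress interface), applies the standard ACL with its implicit deny, and then lints two config-level conditions: a default route given as next hop only (part 1 of the poster's fix), and a routed inside subnet missing from the NAT ACL, which would send RFC1918-sourced packets out untranslated. Assumptions: the `ip route 0.0.0.0 0.0.0.0 dhcp` line is taken from the poster's description rather than the paste, R6's Vlan192 address and the sample source addresses are constructed, and only numbered standard ACLs are parsed (not the extended NAT-ACL suggested in the replies).

```python
import ipaddress
import re

# Copied from the question's R10 config (hostname/encapsulation lines dropped). The
# "ip route ... dhcp" line is assumed from the poster's words, not from the paste.
R10_CONFIG = """
interface Ethernet0/0
 ip address dhcp
 ip nat outside
interface Ethernet0/1.192
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
ip nat inside source list 7 interface Ethernet0/0 overload
ip route 172.16.0.0 255.255.255.0 192.168.10.252
ip route 172.16.10.0 255.255.255.0 192.168.10.252
ip route 172.16.32.0 255.255.255.0 192.168.10.252
ip route 0.0.0.0 0.0.0.0 dhcp
access-list 7 permit 192.168.10.0 0.0.0.255 log
access-list 7 permit 172.16.0.0 0.0.0.255 log
access-list 7 permit 172.16.10.0 0.0.0.255 log
access-list 7 permit 172.16.32.0 0.0.0.255 log
"""
# Constructed stand-in for R6: default route as posted, Vlan192 address assumed.
R6_CONFIG = "interface Vlan192\n ip address 192.168.10.252 255.255.255.0\nip route 0.0.0.0 0.0.0.0 192.168.10.1\n"
IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")

def wildcard_to_network(addr, wildcard):  # IOS wildcard 0.0.0.255 == /24
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Extract interfaces, routes, the NAT statement and standard ACLs from IOS text."""
    cfg = {"routes": [], "acls": {}, "nat": None, "inside": set(), "outside": set(), "dhcp_if": None}
    cur = None
    for raw in text.splitlines():
        line, parts = raw.strip(), raw.split()
        if not parts:
            continue
        if parts[0] == "interface":
            cur = parts[1]
        elif line == "ip address dhcp":
            cfg["dhcp_if"] = cur
        elif parts[:2] == ["ip", "address"]:  # connected route
            net = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
            cfg["routes"].append({"net": net, "iface": cur, "nexthop": None, "dhcp": False, "connected": True})
        elif line in ("ip nat inside", "ip nat outside"):
            cfg[parts[2]].add(cur)
        elif parts[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat"] = {"acl": parts[5], "iface": parts[7]}
        elif parts[:2] == ["ip", "route"]:  # forms: next-hop | interface | interface next-hop | dhcp
            net, rest = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False), parts[4:]
            cfg["routes"].append({"net": net, "connected": False, "dhcp": "dhcp" in rest,
                                  "nexthop": next((p for p in rest if IPV4.fullmatch(p)), None),
                                  "iface": next((p for p in rest if not IPV4.fullmatch(p) and p != "dhcp"), None)})
        elif parts[0] == "access-list":  # standard numbered ACL: source only, implicit deny
            net = (ipaddress.IPv4Network("0.0.0.0/0") if parts[3] == "any" else
                   ipaddress.IPv4Network(parts[4] + "/32") if parts[3] == "host" else
                   wildcard_to_network(parts[3], parts[4]))
            cfg["acls"].setdefault(parts[1], []).append((parts[2], net))
    return cfg

def lookup_route(cfg, dst):
    """Longest-prefix match; None when not even a default route exists."""
    hits = [r for r in cfg["routes"] if ipaddress.IPv4Address(dst) in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen) if hits else None

def egress_interface(cfg, route, depth=0):
    """Outgoing interface for a route, recursing through next hops (bounded)."""
    if route["iface"] or route["dhcp"]:
        return route["iface"] or cfg["dhcp_if"]
    via = lookup_route(cfg, route["nexthop"]) if route["nexthop"] and depth < 4 else None
    return egress_interface(cfg, via, depth + 1) if via and via is not route else None

def acl_permits(cfg, name, src):
    for action, net in cfg["acls"].get(name, []):
        if ipaddress.IPv4Address(src) in net:
            return action == "permit"
    return False  # implicit deny

def classify(cfg, src, dst, ingress_if):
    """Route first, then PAT only for inside->outside traffic the NAT ACL permits."""
    route = lookup_route(cfg, dst)
    if route is None:
        return f"route failed: no route to {dst}"
    egress = egress_interface(cfg, route)
    if egress is None:
        return f"route failed: cannot resolve egress for {route['net']}"
    nat = cfg["nat"]
    if nat and ingress_if in cfg["inside"] and egress in cfg["outside"] and acl_permits(cfg, nat["acl"], src):
        return f"PAT {src} -> {nat['iface']} address, out {egress}"
    return f"forwarded untranslated out {egress}"

def lint(cfg):
    """Config-level checks for the two things the thread turned on."""
    issues = [f"default route via {r['nexthop']} names no egress interface" for r in cfg["routes"]
              if r["net"].prefixlen == 0 and r["nexthop"] and not r["iface"]]
    if cfg["nat"]:
        permits = [n for a, n in cfg["acls"].get(cfg["nat"]["acl"], []) if a == "permit"]
        issues += [f"routed inside subnet {r['net']} is not permitted by NAT ACL {cfg['nat']['acl']}"
                   for r in cfg["routes"] if not r["connected"] and r["net"].prefixlen
                   and not any(r["net"].subnet_of(p) for p in permits)]
    return issues

if __name__ == "__main__":
    r10 = parse_config(R10_CONFIG)
    for src in ("172.16.10.5", "192.168.10.20", "10.9.9.9"):
        print(src, "->", classify(r10, src, "192.168.140.1", "Ethernet0/1.192"))
    print("lint R10:", lint(r10), "| lint R6:", lint(parse_config(R6_CONFIG)))
```

Run as-is it prints the NAT decision for three constructed sources heading to 192.168.140.1 (the 10.9.9.9 one leaves untranslated, which is the case the coverage lint exists to catch) and the lint results for both routers; R6's next-hop-only default route is the one flagged. Paste a different config into the strings to check your own lab.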

I am glad that you got it working and that our suggestions were helpful. Thank you for sharing information about the problems and how you solved them. A well-deserved +5 for sharing the solution.

HTH

Rick