05-18-2022 07:32 AM - edited 10-19-2023 11:37 AM
Ok, so after issues with VRF and NAT I have decided to make a configuration to our ISP. The goal is to provide wireless users on their own VLAN a way out to the internet. We have a simple network layout: Clients > APs > Distribution (L2 VLAN) > WLC > CORE 2 > Boundary NAT Router/SW > ISP.
From a wireless client I can ping other clients, the WLC, CORE 2, and the Boundary NAT Router GW. I cannot, however, ping out to the ISP NAT IP. So evidently there is a route all the way up to the boundary L3 device, but I cannot get out?
I can ping 8.8.8.8 using a source interface from the VLAN on the boundary device, and from the main CLI itself. So I believe it's a routing issue.
ip nat outside statement with overload on VLAN as well. But I would just like to get clients to be able to get a path out to ping the ISP.
Help is appreciated.
05-18-2022 07:44 AM - edited 05-18-2022 07:46 AM
On the router, what ACL do you have for NAT? Any IP or VLAN 126 as the access list?
What kind of config do you have on all the routers? P2P link, layer 2 extension?
What is Core 2? What config does it have?
05-18-2022 07:50 AM - edited 10-19-2023 11:40 AM
The router is a 9300 L3 switch doing IP routing. Not ideal, but it is the edge device; I attached the current config. Just a simple access list permitting IPs from my internal network to overload. (Config is attached.)
Clients connecting to the WLC get DHCP and have their GW on CORE 2, and then DNS of 8.8.8.8. (Config is attached.)
On Core 2, we host the internal VLAN in a layer 3 environment for the internal network. We have just a route map on there right now (since it already has an ip default gateway not pointing to the ISP or NAT edge router), pointing to the GW of the edge.
05-18-2022 08:07 AM - edited 10-19-2023 11:41 AM
From the Core 2 L3 switch I can ping around fine. A cell phone client can as well, up to the NAT router. It cannot reach the ISP connection on the VLAN or the GW.
05-18-2022 09:51 AM
The problem may be that PBR is having to send the traffic back out of the same interface it was received on, because you have used VLAN 126 to connect the core switch to the NAT router, and PBR sometimes does not work with that (no idea if that applies to the switch you are using).
Can you not connect the core switch to the router on a different subnet, using another VLAN or even an L3 routed connection?
Jon
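As an added illustration of what the thread describes, not the poster's attached config or Jon's: a minimal CORE 2 plus NAT-edge configuration where the core-to-edge hop is a dedicated routed link instead of VLAN 126, so the PBR on the core no longer has to send traffic back out the interface it arrived on. Every address, interface name and ACL name below is assumed; the two checks a practitioner wants are the return route for the client subnet on the edge and the client subnet being matched by the NAT ACL.

```cisco
! Added example, not the original poster's config. Assumed addressing:
!   wireless VLAN 126        10.126.0.0/24, GW 10.126.0.1 on CORE 2
!   core <-> edge routed link 10.255.0.0/30 (replaces transit over VLAN 126)
!   ISP handoff on the edge  203.0.113.2/30, ISP gateway 203.0.113.1
!
! ===== CORE 2 (L3 switch hosting the wireless SVI) =====
! Existing default route stays as it is for the rest of the network;
! only the wireless VLAN is policy-routed toward the NAT edge.
interface GigabitEthernet1/0/47
 description Routed uplink to NAT edge
 no switchport
 ip address 10.255.0.2 255.255.255.252
!
! Extended ACL: internal destinations are excluded from PBR so wireless
! clients can still reach the WLC and other internal subnets normally.
ip access-list extended WIFI-TO-EDGE
 deny   ip 10.126.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.126.0.0 0.0.0.255 any
!
route-map WIFI-OUT permit 10
 match ip address WIFI-TO-EDGE
 set ip next-hop 10.255.0.1
!
interface Vlan126
 description Wireless clients
 ip address 10.126.0.1 255.255.255.0
 ip policy route-map WIFI-OUT
!
! ===== NAT edge (Catalyst 9300 doing IP routing) =====
interface GigabitEthernet1/0/47
 description Routed link from CORE 2
 no switchport
 ip address 10.255.0.1 255.255.255.252
 ip nat inside
!
interface GigabitEthernet1/0/48
 description ISP handoff
 no switchport
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Check 1: return route for the client subnet. Without it the edge can
! receive client packets but has no path for the replies.
ip route 10.126.0.0 255.255.255.0 10.255.0.2
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Check 2: only sources matched here are translated. A client subnet
! missing from this list reaches the edge and then leaves toward the
! ISP with a private source address, which the ISP drops: that looks
! exactly like "can ping the edge GW, cannot ping the ISP".
ip access-list standard NAT-INSIDE
 permit 10.126.0.0 0.0.0.255
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet1/0/48 overload
```

To confirm which half is failing, ping the ISP gateway from a wireless client and then on the edge run `show ip nat translations` (an entry for the client's address means the ACL matched and translation happened), `show ip nat statistics` (hit/miss counts) and `show ip route 10.126.0.0` (the return route). On CORE 2, `show route-map WIFI-OUT` shows whether the policy is matching packets at all.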
05-18-2022 01:48 PM - edited 10-19-2023 11:42 AM
Right now the NAT router is a switchport trunk via port.
05-18-2022 11:41 PM
That doesn't really address the point I was making.
Jon