Solved: Re: Vlans can't talk to the gateway with static nat rule

willmaci · ‎10-30-2022

Sorry if this is a long post but i'm racking my brain against the wall here.

I have a strange setup where the building owns the router and they have cables throughout the house and provide us with a switch only. I decided to put a cisco C841M-4X-JSEC/K9 and I'm using a microtik switch so I could add vlans and start setting my network. I'm currently using these VLANs and this gateway IP.

VLAN2: 10.8.8.0/24

VLAN3: 10.8.3.0/24

Gateway IP: 10.150.208.1

The current issue I have is my VLANs can communicate with each other but they cannot ping the gateway. I tried adding a static nat rule coming from one of the VLANs and then i can communicate to the gateway IP without any issue. If anyone could help me I would be extremely grateful

Current config:

version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname home
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
ip dhcp pool 2
network 10.8.8.0 255.255.255.0
default-router 10.8.8.1
dns-server 8.8.8.8
!
ip dhcp pool 3
network 10.8.3.0 255.255.255.0
dns-server 8.8.8.8
default-router 10.8.3.1
!
ip dhcp pool 4
network 10.8.4.0 255.255.255.0
default-router 10.8.4.1
dns-server 8.8.8.8

no ip domain lookup
ip domain name home.local
ip cef
no ipv6 cef
!
redundancy

!

lldp timer 10
lldp run
no cdp run
!
interface GigabitEthernet0/0
no ip address
!
interface GigabitEthernet0/1
no ip address
!
interface GigabitEthernet0/2
no ip address
!
interface GigabitEthernet0/3
no ip address
!
interface GigabitEthernet0/4
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/4.2
encapsulation dot1Q 2
ip address 10.8.8.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/4.3
encapsulation dot1Q 3
ip address 10.8.3.1 255.255.255.0
!
interface GigabitEthernet0/4.4
encapsulation dot1Q 4
ip address 10.8.4.1 255.255.255.0
!
interface GigabitEthernet0/5
ip address dhcp
ip access-group 112 in
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan2
no ip address
!
interface Vlan3
no ip address
!
interface Vlan4
no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source static 10.8.8.10 10.150.209.111
!
access-list 2 permit 10.8.0.0 0.0.255.255
!
line con 0
no modem enable
line vty 0 4
access-class 50 in
exec-timeout 5 0
login
transport input telnet ssh
line vty 5
login
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

MHM Cisco World · ‎10-31-2022

NOTE:- no static NAT config in router
NOTE:- SW must be L2SW with command "no ip routing"

View solution in original post

willmaci · ‎10-30-2022

And also here is my nat translation table

home#show ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
tcp 10.150.209.111:16817  10.8.8.10:16817       20.198.119.84:443     20.198.119.84:443
tcp 10.150.209.111:16819  10.8.8.10:16819       20.198.118.190:443    20.198.118.190:443
tcp 10.150.209.111:16894  10.8.8.10:16894       172.217.174.106:443   172.217.174.106:443
tcp 10.150.209.111:16945  10.8.8.10:16945       52.36.24.174:443      52.36.24.174:443
tcp 10.150.209.111:16954  10.8.8.10:16954       74.125.247.128:3478   74.125.247.128:3478
tcp 10.150.209.111:17056  10.8.8.10:17056       34.149.211.227:443    34.149.211.227:443
tcp 10.150.209.111:17393  10.8.8.10:17393       172.217.31.131:443    172.217.31.131:443
tcp 10.150.209.111:17423  10.8.8.10:17423       34.120.85.253:443     34.120.85.253:443

MHM Cisco World · ‎10-30-2022

Static route need to config to make your topolgy work.

willmaci · ‎10-31-2022

Apologies just for clarification do you mean I would need to do

ip route 0.0.0.0 0.0.0.0 10.150.208.1

Here is a copy of my current route table.

home# show ip route

Gateway of last resort is 10.150.208.1 to network 0.0.0.0

S* 0.0.0.0/0 [254/0] via 10.150.208.1
10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
C 10.8.3.0/24 is directly connected, GigabitEthernet0/4.3
L 10.8.3.1/32 is directly connected, GigabitEthernet0/4.3
C 10.8.4.0/24 is directly connected, GigabitEthernet0/4.4
L 10.8.4.1/32 is directly connected, GigabitEthernet0/4.4
C 10.8.8.0/24 is directly connected, GigabitEthernet0/4.2
L 10.8.8.1/32 is directly connected, GigabitEthernet0/4.2
C 10.150.208.0/22 is directly connected, GigabitEthernet0/5
L 10.150.209.111/32 is directly connected, GigabitEthernet0/5
home#

paul driver · ‎10-31-2022

Hello
Try the following:

conf t
interface GigabitEthernet0/5
no ip access-group 112 in
exit
interface GigabitEthernet0/4.3
ip nat inside
exit
interface GigabitEthernet0/4.4
ip nat inside
exit

no ip nat inside source static 10.8.8.10 10.150.209.111
ip nat inside source list 2 interface GigabitEthernet0/5
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/5 dhcp

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

willmaci · ‎10-31-2022

I tried your config but when I did, all VLANs could not communicate with the default gateway ip of 10.150.208.1

I tested 3 scenarios

VLAN2 > VLAN4 (successful - I could ping the devices and the ip gateway)

tracert -d 10.8.4.2
Tracing route to 10.8.4.2 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  10.8.8.1
  2     1 ms     1 ms     1 ms  10.8.4.2
Trace complete.

VLAN4 > VLAN2 (unsuccessful - I could ping the gateway of the VLANs but not any devices or the default gateway IP of 10.150.208.1)

ping 10.8.8.1

Pinging 10.8.8.1 with 32 bytes of data:
Reply from 10.8.8.1: bytes=32 time<1ms TTL=255

ping 10.8.8.10

Pinging 10.8.8.10 with 32 bytes of data:
Request timed out.

VLAN ANY > Defaul Gateway (unsuccessful - before your config suggestion I could get to the internet from VLAN2 but after the change I can't ping the default gateway IP)

tracert -d 10.150.208.1
Tracing route to 10.150.208.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.8.8.1
  2     *        *        *     Request timed out.


tracert -d 8.8.8.8
Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.8.8.1
  2     *        *        *     Request timed out.

MHM Cisco World · ‎10-31-2022

that great detail,
issue is because both VLAN have same GW !!
you need to config each VLAN with different GW.

willmaci · ‎10-31-2022

I was looking through documentation but my apologies, I couldn't find anything on configuring a different GW per VLAN

So I believe there are 2 issues.

1. Vlan communication is only one way for some reason.

10.8.8.10 (PC1) >> 10.8.8.1 (Router gi0/4.4) >> 10.8.4.2 (PC2)

tracert -d 10.8.4.2

Tracing route to 10.8.4.2 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  10.8.8.1
  2     1 ms     1 ms     1 ms  10.8.4.2

10.8.4.2 (PC2) >> 10.8.4.1 (Router gi0/4.2) XX 10.8.8.10 (PC1)

# traceroute 10.8.8.10
traceroute to 10.8.8.10 (10.8.8.10), 30 hops max, 60 byte packets
1  _gateway (10.8.4.1)  1.757 ms  1.602 ms  1.693 ms
2  * * *
3  * * *

2. However if I make a static nat statement per IP then each vlan can communicate to the internet and also to the other VLANs Like so

The network that connects me to the internet is 10.150.208.0/22

ip nat inside source static 10.8.4.2 10.150.209.44
ip nat inside source static 10.8.8.2 10.150.209.49
ip nat inside source static 10.8.3.2 10.150.209.58
ip nat inside source static 10.8.8.10 10.150.209.111

Then I can get to the internet via the gateway ip 10.150.208.1 and the other VLANs

# traceroute 10.8.8.1
traceroute to 10.8.8.1 (10.8.8.1), 30 hops max, 60 byte packets
1  _gateway (10.8.3.1)  12.084 ms * *

traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1  _gateway (10.8.3.1)  2.497 ms  2.452 ms  2.518 ms
2  10.150.208.1 (10.150.208.1)  2.580 ms  2.609 ms  2.640 ms
3  192.168.200.5 (192.168.200.5)  8.997 ms  9.340 ms  9.776 ms

However after a little bit of time, I do lose connectivity to the internet.

MHM Cisco World · ‎10-31-2022

share last config I will correct it with some note

willmaci · ‎10-31-2022

! Last configuration change at 12:24:01 UTC Mon Oct 31 2022
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname home
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$VSe6$w5JRTNqyERV1qCqkXU80Q/
!
no aaa new-model
ethernet lmi ce
!
!
!
!
!
ip dhcp excluded-address 10.8.8.1
ip dhcp excluded-address 10.8.2.1
ip dhcp excluded-address 10.8.3.1
ip dhcp excluded-address 10.8.4.1
!
ip dhcp pool 2
 network 10.8.8.0 255.255.255.0
 default-router 10.8.8.1
 dns-server 8.8.8.8
!
ip dhcp pool 4
 network 10.8.4.0 255.255.255.0
 default-router 10.8.4.1
 dns-server 8.8.8.8
!
ip dhcp pool 3
 network 10.8.3.0 255.255.255.0
 default-router 10.8.3.1
 domain-name 8.8.8.8
!
no ip domain lookup
ip domain name home.local
ip cef
no ipv6 cef
!
license udi pid C841M-4X-JSEC/K9 sn FGL2109212W
!
redundancy
!
lldp timer 10
lldp run
no cdp run
!
!
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/2
 no ip address
!
interface GigabitEthernet0/3
 no ip address
!
interface GigabitEthernet0/4
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/4.2
 encapsulation dot1Q 2
 ip address 10.8.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/4.3
 encapsulation dot1Q 3
 ip address 10.8.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/4.4
 encapsulation dot1Q 4
 ip address 10.8.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/5
 ip address dhcp
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan2
 no ip address
!
interface Vlan3
 no ip address
!
interface Vlan4
 no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 2 interface GigabitEthernet0/5 overload
ip nat inside source static 10.8.3.2 10.150.208.125
ip nat inside source static 10.8.4.2 10.150.209.44
ip nat inside source static 10.8.8.2 10.150.209.49
ip nat inside source static 10.8.8.10 10.150.209.111
ip route 10.8.4.0 255.255.255.0 GigabitEthernet0/5
!
line con 0
 no modem enable
line vty 0 5
 exec-timeout 5 0
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

I also tried doing these commands from above but I wasn't able to connect to the internet from any vlan after I tried them

no ip nat inside source static 10.8.8.10 10.150.209.111
ip nat inside source list 2 interface GigabitEthernet0/5
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/5 dhcp

MHM Cisco World · ‎10-31-2022

NOTE:- no static NAT config in router
NOTE:- SW must be L2SW with command "no ip routing"

willmaci · ‎10-31-2022

I forgot to put in the wildcard bits. Once I did, your config worked perfectly. Thank you so much for this! I marked it as the correct answer. For the sake of anyone having trouble with this same thing, I am leaving the config in here.

Here was my final config

@paul driver @MHM Cisco World Thank you both so much for your help. Couldn't have done it without either of you! Good luck to both of you

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname home
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$VSe6$w5JRTNqyERV1qCqkXU80Q/
!
no aaa new-model
ethernet lmi ce
!
!
ip dhcp excluded-address 10.8.8.1
ip dhcp excluded-address 10.8.2.1
ip dhcp excluded-address 10.8.3.1
ip dhcp excluded-address 10.8.4.1
!
ip dhcp pool 2
 network 10.8.8.0 255.255.255.0
 default-router 10.8.8.1
 dns-server 8.8.8.8
!
ip dhcp pool 4
 network 10.8.4.0 255.255.255.0
 default-router 10.8.4.1
 dns-server 8.8.8.8
!
ip dhcp pool 3
 network 10.8.3.0 255.255.255.0
 default-router 10.8.3.1
 domain-name 8.8.8.8
!
!
no ip domain lookup
ip domain name home.local
ip cef
no ipv6 cef
!
!
license udi pid C841M-4X-JSEC/K9 sn FGL2109212W
!
!
redundancy
!
!
lldp timer 10
lldp run
no cdp run
!
!
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/2
 no ip address
!
interface GigabitEthernet0/3
 no ip address
!
interface GigabitEthernet0/4
 no ip address
 duplex auto
 speed auto
 no routing dynamic
!
interface GigabitEthernet0/4.2
 encapsulation dot1Q 2
 ip address 10.8.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/4.3
 encapsulation dot1Q 3
 ip address 10.8.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/4.4
 encapsulation dot1Q 4
 ip address 10.8.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/5
 ip address dhcp
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan2
 no ip address
!
interface Vlan3
 no ip address
!
interface Vlan4
 no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 10 interface GigabitEthernet0/5 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/5 10.150.208.1
!
!
access-list 10 permit 10.8.4.0 0.0.0.255
access-list 10 permit 10.8.8.0 0.0.0.255
!
!
line con 0
 no modem enable
line vty 0 5
 exec-timeout 5 0
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

MHM Cisco World · ‎10-31-2022

You are so so welcome