Re: 1-to-1 NAT on IE-2000

nickjones3 · ‎09-21-2016

I'm having trouble getting setting up L2 NAT instances on a Cisco IE-2000 industrial switch and I'm not sure what I'm doing wrong. The configuration guide isn't clear how it's all supposed to work with our VLAN configuration and I think that's what's tripping me up. Here's what I have:

VLAN 6: management VLAN with an L3 interface in the switch
VLAN 128: our corporate network segment in this area (10.8.28.0/24)
VLAN 999: devices that are local only to this switch (PLCs, HMIs, etc. - 192.168.1.0/24)

What I have is a PLC connected to Fa1/1 with the IP 192.168.1.10. I want to be able to access this from the corporate network with the address 10.8.28.240. Here's how my L2 NAT instance is configured in the switch:

l2nat instance PLC1
 instance-id 1
 fixup all
 inside from host 192.168.1.10 to 10.8.28.240

and here is the configuration of the uplink port (Gi1/1):

interface GigabitEthernet1/1
 switchport trunk allowed vlan 6,128
 switchport mode trunk
 l2nat PLC1
end

I think the issue may be the access VLAN of Fa1/1, but I've tried it with both 128 and 999 and either way I can't ping the device on that port from outside the network. If I send a ping to 18.8.28.240 I get nothing back. If I give my laptop 192.168.1.11/24 and put it on another 999 port in the switch it can ping the PLC using the inside address just fine.

Gildur · ‎03-16-2018

I think you must also configure NET entry for corporate network address

outside from network 10.8.28.0 to 192.168.1.250 mask 255.255.255.0

all traffic with address source 10.8.28.0 will be nat with ip 192.168.1.250

matthew.goli1 · ‎04-20-2018

Hi everyone, I had a similar issue with this. I just posted my working configuration here: https://supportforums.cisco.com/t5/lan-switching-and-routing/can-t-get-l2nat-to-work-cisco-ie-2000-switch/m-p/3370145/highlight/true#M412094