1841 Router and 3550 Switch NAT Help

spikingrim (Level 1)

Hi experts, I need some help with configuring a network. The network diagram is attached.

I created 3 VLANs on the 3550 switch and enabled inter-VLAN routing. I am able to ping from one VLAN to another. I added static routes for the VLAN networks on the router. The only part I am not certain of is where and how I configure NAT. For example, if this were just a standalone Cisco 1841 router I would just create an access list and NAT with FA 0/0 outside and FA 0/1 inside. It would be great if someone could provide an example or point me in the right direction.

ISP Router --> Cisco 1841 --> Cisco 3550 Switch

Cisco 1841 Router:

FA 0/0  --> WAN Interface

IP Address: 30.20.10.2

FA0/1 --> LAN Interface connected to 3550 Switch

IP Address: 10.0.0.1/24

Cisco 3550 Switch:

FA 0/24 --> Connect to Cisco 1841 Router

IP Address --> 10.0.0.2/24

FA 0/1 - 0/10 --> VLAN 1

FA 0/11 - 0/20 --> VLAN 2

FA 0/21 - 0/23 --> VLAN 3

Thank you

Accepted Solution

Bilal Nawaz (VIP Alumni)

Hello, it's the same thing, but in your access list you need to permit all of your internal address ranges. On your router and 3550 make sure all routing is correct, which you say it is, since you have connectivity.

This means your 10 network should be able to get to your 192 networks and vice versa.

On your 3550 you can have a default route to the router. And your router should have routes back to the 192 networks via the 10 address of the 3550.

Then the NAT configuration

interface FastEthernet0/1
 ip nat inside

interface FastEthernet0/0
 ip nat outside

ip access-list standard MYNAT
 permit 10.0.0.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255

And then your NAT statement

ip nat inside source list MYNAT interface FastEthernet0/0 overload

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

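The accepted answer's point is that the standard ACL named in `ip nat inside source list MYNAT ... overload` is a match list, not a filter: a packet whose source it does not cover is still routed out fa0/0, just with its private address untouched. The model below is an added example, not code from the thread; it uses the thread's addresses (inside 10.0.0.0/24 and 192.168.1-3.0/24, outside 30.20.10.2) and constructed flows, and its port-preservation allocation and the 172.16.0.5 host are assumptions made for illustration.

```python
"""Model of the accepted answer's PAT setup:
   ip nat inside source list MYNAT interface fa0/0 overload
Added example, not from the thread. Addresses come from the question; the
flows in demo() and the allocation rule are constructed assumptions."""
import ipaddress

OUTSIDE_GLOBAL = ipaddress.ip_address("30.20.10.2")   # fa0/0 address from the question

# ip access-list standard MYNAT: wildcard 0.0.0.255 is a /24, and a standard
# ACL matches on the source address only.
MYNAT = [ipaddress.ip_network(n) for n in
         ("10.0.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")]


class PatTable:
    """Overload (PAT) translations keyed on (inside local ip, port, protocol)."""

    def __init__(self, acl, inside_global):
        self.acl = acl
        self.inside_global = inside_global
        self.table = {}        # (local_ip, local_port, proto) -> global port
        self.in_use = set()    # (proto, global port) pairs already handed out

    def matches(self, src):
        return any(src in net for net in self.acl)

    def translate(self, src_ip, src_port, proto):
        """Return (inside global ip, port), or None if the packet is not translated."""
        src = ipaddress.ip_address(src_ip)
        if not self.matches(src):
            # Not in MYNAT: the router forwards the packet as-is, so a private
            # source address leaks to the ISP and the reply can never come back.
            return None
        key = (src, src_port, proto)
        if key not in self.table:
            # Assumed allocation rule: keep the original source port when it is
            # free, otherwise take the next free one (no wrap-around handling).
            port = src_port
            while (proto, port) in self.in_use:
                port += 1
            self.in_use.add((proto, port))
            self.table[key] = port
        return (str(self.inside_global), self.table[key])


def demo():
    """Constructed flows: two VLAN hosts sharing source port 40000, plus one
    host on a range that MYNAT does not list."""
    pat = PatTable(MYNAT, OUTSIDE_GLOBAL)
    a = pat.translate("192.168.2.10", 40000, "tcp")
    b = pat.translate("192.168.3.10", 40000, "tcp")
    leak = pat.translate("172.16.0.5", 40000, "tcp")   # not covered by MYNAT
    return a, b, leak
```

Running `demo()` gives the two VLAN hosts distinct global ports behind 30.20.10.2 and `None` for the unlisted host; on the real router the equivalent check is `show ip nat translations` after generating traffic from each VLAN.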
4 Replies

Thanks for the help, Bilal. I was able to get to the internet from all of the VLANs.

This may be a stupid question. I wanted to restrict VLAN 2 from accessing VLAN 3, so I created an access list to accomplish this. The first access list I created killed all host connectivity behind VLAN 2 and I couldn't even ping the gateway (VLAN 2 IP). I then removed the first access list and added the second one and everything works. Can someone explain to me why access-list 110 killed all connectivity?

VLAN 2 inbound (first attempt):

access-list 110 deny tcp any 197.168.1.0 0.0.0.255 log
access-list 110 permit tcp any any

VLAN 2 inbound (second attempt):

access-list 120 deny ip any 197.168.1.0 0.0.0.255 log
access-list 120 permit ip any any

It killed the connection because you are only permitting TCP traffic and not UDP, which may be required (HTTP, HTTPS and SSL all require TCP, which was blocked), so you wouldn't have been able to browse the internet.

With your second ACL you have permitted IP, which includes both TCP and UDP; it's IP in general.

Also, I'm a bit puzzled about your ACL: you wanted to block VLAN 2 from VLAN 3. You could have done this:

ip access-list extended BLKVLAN2_3
 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip any any

interface Vlan2
 ip access-group BLKVLAN2_3 in
! "in" on the VLAN 2 SVI filters packets arriving from VLAN 2 hosts, whose
! source is 192.168.2.0/24; applied "out" the deny entry would never match.

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
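Why ACL 110 cut VLAN 2 off while ACL 120 did not is a matter of first-match evaluation plus the implicit deny at the end of every IOS ACL: both entries in 110 are `tcp`, so ICMP (the ping to the gateway) and UDP (DNS) match nothing and are dropped. The evaluator below is an added example, not code from the thread; it parses the thread's own ACL lines (the 197.168.1.0 network exactly as posted) and runs them, plus the reply's BLKVLAN2_3 list applied inbound on the VLAN 2 SVI, against constructed flows. The VLAN 2 host 192.168.2.10, its gateway 192.168.2.1 and the RFC 5737 internet addresses are assumptions; port qualifiers and non-contiguous wildcards are not modelled.

```python
"""IOS ACL evaluation model. Added example, not from the thread: runs the two
numbered ACLs from the question and the extended ACL from the reply against
constructed flows to show the effect of tcp-only entries and the implicit deny."""
import ipaddress


def _parse_addr(tokens, i):
    """Parse one IOS address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard is an inverted netmask: 0.0.0.255 -> 255.255.255.0.
    # Only contiguous wildcards are handled in this model.
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list N <action> <proto> <src> <dst> ...' or the named-ACL form."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]                     # drop "access-list <number>"
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    # Trailing tokens such as "log" are ignored; port qualifiers are not modelled.
    return action, proto, src, dst


def evaluate(acl_lines, proto, src_ip, dst_ip):
    """First matching entry wins; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, s, d in map(parse_ace, acl_lines):
        if p in ("ip", proto) and src in s and dst in d:
            return action
    return "deny"


# The three lists exactly as they appear in the thread.
ACL_110 = ["access-list 110 deny tcp any 197.168.1.0 0.0.0.255 log",
           "access-list 110 permit tcp any any"]
ACL_120 = ["access-list 120 deny ip any 197.168.1.0 0.0.0.255 log",
           "access-list 120 permit ip any any"]
BLKVLAN2_3 = ["deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255",
              "permit ip any any"]

# Constructed flows as seen inbound on the VLAN 2 SVI: the VLAN 2 host is the
# source. Host, gateway and the RFC 5737 internet addresses are assumptions.
FLOWS = {
    "ping gateway": ("icmp", "192.168.2.10", "192.168.2.1"),
    "dns lookup":   ("udp",  "192.168.2.10", "203.0.113.53"),
    "https":        ("tcp",  "192.168.2.10", "198.51.100.80"),
    "to vlan 3":    ("tcp",  "192.168.2.10", "192.168.3.10"),
}


def verdicts(acl):
    """Map each constructed flow name to 'permit' or 'deny' under the given ACL."""
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}
```

`verdicts(ACL_110)` denies the ping and the DNS lookup (implicit deny) yet permits the TCP flow into VLAN 3, so the first list both broke the VLAN and failed its purpose; `verdicts(BLKVLAN2_3)` denies only the VLAN 2 to VLAN 3 flow, which is the behaviour wanted. On the switch, `show access-lists` shows per-entry hit counts, and the `log` keyword on a deny entry tells you which entry is dropping the traffic.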

Another question. If I want to add QoS to limit one VLAN's traffic, should I put the policy map on the router's WAN interface or LAN interface? Also, should I limit the WAN interface's total usable traffic so it doesn't get congested? For example, let's say I have a 20Mb line; should I cap all traffic at 18Mb?

I managed to configure QoS for one VLAN on the internal FA0/1 interface to limit VLAN 1's bandwidth to 1Mb up and down, but I just want to check that I'm doing this correctly.

Example configuration:

access-list 101 permit ip any a.a.a.a b.b.b.b    ! internet to VLAN
access-list 102 permit ip a.a.a.a b.b.b.b any    ! VLAN to internet

class-map VLANUPLOAD
 match access-group 102

class-map VLANDOWNLOAD
 match access-group 101

policy-map VLANUPLOAD
 class VLANUPLOAD
  police 1000000 conform-action transmit exceed-action drop

policy-map VLANDOWNLOAD
 class VLANDOWNLOAD
  police 1000000 conform-action transmit exceed-action drop

policy-map TotalDownload
 class class-default
  police 18000000 conform-action transmit exceed-action drop
  service-policy VLANDOWNLOAD

policy-map TotalUpload
 class class-default
  police 18000000 conform-action transmit exceed-action drop
  service-policy VLANUPLOAD

interface FastEthernet0/0
 service-policy output TotalDownload
 service-policy input TotalUpload
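The `police <bps> conform-action transmit exceed-action drop` lines above are single-rate token-bucket policers, and nesting `service-policy VLANDOWNLOAD` under `class class-default` makes a two-level hierarchy: the VLAN's own 1 Mb/s limit and the 18 Mb/s aggregate cap. One caveat on direction: `service-policy output` polices what leaves the interface, so on the WAN side output is upload and input is download; the names only line up with the directions when the pair is applied on the LAN-facing interface. The simulation below is an added example, not configuration or code from the thread. The burst sizes (250 ms of each rate) and the child-then-parent evaluation order are assumptions, as IOS selects a platform default burst when none is given, and the offered traffic is constructed.

```python
"""Token-bucket model of IOS
   police <bps> conform-action transmit exceed-action drop
Added example, not from the thread. Burst sizes and the child-before-parent
order are assumptions; the packet streams are constructed."""


class Policer:
    """Single-rate policer: a bucket of `burst` bytes refilled at `rate_bps`."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes = rate_bps / 8
        self.burst = burst_bytes
        self.tokens = burst_bytes      # bucket starts full
        self.last = 0.0

    def offer(self, t, size):
        """Return 'transmit' if `size` bytes conform at time `t`, else 'drop'."""
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate_bytes)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"
        return "drop"                  # exceed-action drop: no tokens are consumed


def hierarchical(child, parent, t, size):
    """Child class policer first, then the parent class-default policer (assumed order)."""
    if child.offer(t, size) == "drop":
        return "drop"
    return parent.offer(t, size)


def run(offer, interval, size, duration):
    """Offer one `size`-byte packet every `interval` seconds; return (sent, dropped) bytes."""
    sent = dropped = 0
    for i in range(int(duration / interval)):
        if offer(i * interval, size) == "transmit":
            sent += size
        else:
            dropped += size
    return sent, dropped


def demo_vlan1_cap():
    """VLAN 1 offers 10 Mb/s (1500-byte packets every 1.2 ms) for one second
    through the 1 Mb/s child policer and the 18 Mb/s parent policer."""
    child = Policer(1_000_000, 31_250)       # 1 Mb/s, 250 ms burst (assumption)
    parent = Policer(18_000_000, 562_500)    # 18 Mb/s, 250 ms burst (assumption)
    return run(lambda t, s: hierarchical(child, parent, t, s), 0.0012, 1500, 1.0)


def demo_under_rate():
    """A 500 kb/s stream (1500 bytes every 24 ms) never exhausts the 1 Mb/s bucket."""
    child = Policer(1_000_000, 31_250)
    return run(child.offer, 0.024, 1500, 1.0)
```

`demo_vlan1_cap()` delivers roughly 125 kB plus the initial burst in the simulated second and drops the rest, which is what a policer does to a flow offered at ten times its rate (a shaper would queue instead); `demo_under_rate()` drops nothing. On the router, `show policy-map interface FastEthernet0/0` reports the conformed and exceeded byte counts per class.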
