06-01-2013 11:26 PM - edited 03-07-2019 01:40 PM
Hi experts, I need some help with configuring a network. Network diagram is attached.
I created 3 VLANs on the 3550 switch and enabled inter-VLAN routing. I am able to ping from one VLAN to another. I added static routes for the VLAN networks on the router. The only part I am not certain of is where and how I configure NAT. For example, if this was just a standalone Cisco 1841 router, I would just create an access list and NAT with FA 0/0 outside and FA 0/1 inside. It would be great if someone could provide me an example or point me in the right direction.
ISP Router --> Cisco 1841 --> Cisco 3550 Switch
Cisco 1841 Router:
FA 0/0 --> WAN Interface
IP Address: 30.20.10.2
FA0/1 --> LAN Interface connected to 3550 Switch
IP Address: 10.0.0.1/24
Cisco 3550 Switch:
FA 0/24 --> Connect to Cisco 1841 Router
IP Address --> 10.0.0.2/24
FA 0/1 - 0/10 --> VLAN 1
FA 0/11 - 0/20 --> VLAN 2
FA 0/21 - 0/23 --> VLAN 3
Thank you
06-02-2013 12:13 AM
Hello, it's the same thing, but in your access list you need to permit all of your internal address ranges. On your router and 3550 make sure all routing is correct, which you say you have since you already have connectivity.
This means your 10 network should be able to get to your 192 networks and vice versa.
On your 3550 you can have a default route to the router. And your router should have routes back to the 192 networks via the 10 address of the 3550.
Then the NAT configuration
interface fa0/1
 ! LAN side facing the 3550
 ip nat inside
interface fa0/0
 ! WAN side facing the ISP
 ip nat outside
!
! Standard ACL selecting the inside sources to translate: the 10.0.0.0/24
! transit network plus every VLAN subnet behind the 3550
ip access-list standard MYNAT
 permit 10.0.0.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255
And then your NAT statement
! PAT (overload) everything matched by MYNAT behind the fa0/0 address
ip nat inside source list MYNAT interface fa0/0 overload
Hope this helps
Sent from Cisco Technical Support iPhone App
06-02-2013 10:55 PM
Thanks for the help Bilal. I was able to get to the internet from all of the VLANs.
This may be a stupid question. I wanted to restrict VLAN 2 from accessing VLAN 3, so I created an access list to accomplish this. The first access list I created killed all host connectivity behind VLAN 2, and I couldn't even ping the gateway (VLAN 2 IP). I then removed the first access list and added the second one, and everything works. Can someone explain to me why access-list 110 killed all connectivity?
VLAN 2 inbound
access-list 110 deny tcp any 197.168.1.0 0.0.0.255 log
access-list 110 permit tcp any any
VLAN 2 inbound
access-list 120 deny ip any 197.168.1.0 0.0.0.255 log
access-list 120 permit ip any any
06-02-2013 11:06 PM
It killed the connection because you are only permitting TCP traffic and not UDP, which may be required (HTTP, HTTPS, SSL all require TCP, which was blocked), so you wouldn't have been able to browse to the internet.
With your second ACL you have permitted IP, which includes both TCP and UDP; it's IP in general.
Also a bit puzzled about your ACL, you wanted to block vlan 2 from vlan 3. You could have done this:
ip access-list extended BLKVLAN2_3
 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip any any
!
! Apply it inbound on the VLAN 2 SVI: packets from VLAN 2 hosts enter the
! switch there. An outbound ACL on vlan 2 only sees traffic routed toward
! VLAN 2 and would never match a 192.168.2.0 source.
interface vlan 2
 ip access-group BLKVLAN2_3 in
Hope this helps
Sent from Cisco Technical Support iPhone App
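The two behaviours discussed in this exchange, first-match evaluation with the implicit deny at the end of every IOS access list, and the direction an ACL is applied on an SVI, can be checked offline with a small simulator. This is an added example, not code from the thread: the ACL text is the poster's (the 197.168.1.0 destination is kept exactly as posted) plus the BLKVLAN2_3 list from the reply; the sample packets, the host addresses, the 192.168.2.1 gateway and the VLAN 2 = 192.168.2.0/24, VLAN 3 = 192.168.3.0/24 ranges are constructed for illustration. Port qualifiers (eq 443 and the like) are not modelled.

```python
"""Simulate IOS access-list evaluation: the first matching line wins, and a
packet that matches no line hits the implicit deny at the end of the ACL.

Added example, not part of the original thread. Packets, hosts and the VLAN
ranges below are constructed/assumed; the ACL text is taken from the thread.
"""
import ipaddress

ANY = (0, 0xFFFFFFFF)          # base address 0, wildcard = every bit is "don't care"


def _ip(a):
    return int(ipaddress.IPv4Address(a))


def _field(tokens):
    """Consume one source/destination spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_acl(text):
    """Accept numbered ('access-list 110 deny ...') and named extended ACL lines."""
    rules = []
    for raw in text.splitlines():
        tok = raw.strip().split()
        if not tok or tok[0] in ("ip", "!"):        # 'ip access-list ...' header or comment
            continue
        if tok[0] == "access-list":
            tok = tok[2:]                            # drop 'access-list <number>'
        action, proto = tok[0], tok[1]
        rest = [t for t in tok[2:] if t != "log"]    # 'log' does not affect matching
        src, rest = _field(rest)
        dst, rest = _field(rest)
        rules.append((action, proto, src, dst))
    return rules


def _matches(field, addr):
    base, wildcard = field
    care = 0xFFFFFFFF ^ wildcard                     # bits set to 1 must match exactly
    return (base & care) == (_ip(addr) & care)


def evaluate(rules, proto, src, dst):
    """Return the action of the first matching line; 'ip' lines match any protocol."""
    for action, rproto, rsrc, rdst in rules:
        if rproto in ("ip", proto) and _matches(rsrc, src) and _matches(rdst, dst):
            return action
    return "deny (implicit)"


ACL_110 = """
access-list 110 deny tcp any 197.168.1.0 0.0.0.255 log
access-list 110 permit tcp any any
"""
ACL_120 = """
access-list 120 deny ip any 197.168.1.0 0.0.0.255 log
access-list 120 permit ip any any
"""
BLKVLAN2_3 = """
ip access-list extended BLKVLAN2_3
 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip any any
"""

# Constructed traffic from a VLAN 2 host; 192.168.2.1 is the assumed VLAN 2 gateway.
VLAN2_TRAFFIC = [
    ("icmp", "192.168.2.10", "192.168.2.1"),      # ping the gateway
    ("udp",  "192.168.2.10", "8.8.8.8"),          # DNS query
    ("tcp",  "192.168.2.10", "93.184.216.34"),    # HTTPS to the internet
    ("tcp",  "192.168.2.10", "192.168.3.20"),     # VLAN 2 -> VLAN 3
]


def apply_acl(acl_text, packets=VLAN2_TRAFFIC):
    """Verdict for every packet under the given ACL (the ACL sees all of them)."""
    rules = parse_acl(acl_text)
    return {pkt: evaluate(rules, *pkt) for pkt in packets}


def filter_on_svi(acl_text, direction, vlan_net="192.168.2.0/24"):
    """An ACL on 'interface vlan 2' only sees packets crossing that SVI in the given
    direction: 'in' = sourced from the VLAN, 'out' = routed into the VLAN.
    Uses the VLAN 2 -> VLAN 3 TCP request and its reply."""
    net = ipaddress.ip_network(vlan_net)
    rules = parse_acl(acl_text)
    flow = [("tcp", "192.168.2.10", "192.168.3.20"),    # request
            ("tcp", "192.168.3.20", "192.168.2.10")]    # reply
    verdicts = {}
    for proto, src, dst in flow:
        crosses = ipaddress.ip_address(src if direction == "in" else dst) in net
        verdicts[(proto, src, dst)] = evaluate(rules, proto, src, dst) if crosses else "not inspected"
    return verdicts


if __name__ == "__main__":
    for name, acl in (("110", ACL_110), ("120", ACL_120)):
        print(f"access-list {name}:")
        for pkt, verdict in apply_acl(acl).items():
            print(f"  {pkt[0]:4} {pkt[1]} -> {pkt[2]}: {verdict}")
    for direction in ("out", "in"):
        print(f"BLKVLAN2_3 {direction} on interface vlan 2: {filter_on_svi(BLKVLAN2_3, direction)}")
```

Running it shows that access-list 110 permits the TCP flows but drops the ICMP ping and the UDP DNS query through the implicit deny, which is why the gateway stopped answering, while 120 permits everything not destined to 197.168.1.0. It also shows that BLKVLAN2_3 applied `out` on vlan 2 never inspects the VLAN 2 to VLAN 3 request and permits the reply, so the block only takes effect when applied `in`.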
06-06-2013 10:40 AM
Another question. If I want to add QoS to limit one VLAN's traffic, should I put the policy map on the router's WAN interface or LAN interface? Also, should I limit the WAN interface's total usable traffic so it doesn't get congested? For example, let's say I have a 20Mb line; should I cap all traffic at 18Mb?
I managed to configure QoS for one VLAN on the internal FA0/1 interface to limit VLAN 1's bandwidth to 1Mb up and down, but I just want to check if I'm doing this correctly.
Example configuration:
! 101: internet to VLAN (download); 102: VLAN to internet (upload)
access-list 101 permit ip any a.a.a.a b.b.b.b
access-list 102 permit ip a.a.a.a b.b.b.b any
class-map VLANUPLOAD
 match access-group 102
class-map VLANDOWNLOAD
 match access-group 101
! Per-VLAN 1 Mbps policers
policy-map VLANUPLOAD
 class VLANUPLOAD
  police 1000000 conform-action transmit exceed-action drop
policy-map VLANDOWNLOAD
 class VLANDOWNLOAD
  police 1000000 conform-action transmit exceed-action drop
! Parent policers capping the whole direction at 18 Mbps, with the per-VLAN
! policy nested as a child
policy-map TotalDownload
 class class-default
  police 18000000 conform-action transmit exceed-action drop
  service-policy VLANDOWNLOAD
policy-map TotalUpload
 class class-default
  police 18000000 conform-action transmit exceed-action drop
  service-policy VLANUPLOAD
! On the LAN interface fa0/1, output is traffic toward the VLAN hosts (download)
! and input is traffic from the VLAN hosts (upload), matching ACLs 101 and 102
interface fa0/1
 service-policy output TotalDownload
 service-policy input TotalUpload
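The `police <bps> conform-action transmit exceed-action drop` lines above are single-rate, two-colour token-bucket policers, and the practical consequence is that a policer never queues: a burst larger than its burst size is dropped even when the average offered rate is at or below the configured rate. The model below is an added example, not code from the thread or from Cisco. The 1 Mbps rate is the poster's; the burst size (Bc), packet size and arrival pattern are constructed for illustration, and the default Bc that IOS chooses when none is given, as well as the nested parent/child policy, are not modelled.

```python
"""Token-bucket model of a single-rate, two-colour policer such as IOS
'police <bps> conform-action transmit exceed-action drop'.

Added example, not from the original thread. Bc, packet sizes and arrival
spacing below are constructed; only the 1 Mbps rate comes from the post.
"""


def police(packet_sizes, cir_bps, bc_bytes, interval_ms):
    """Packets of the given sizes (bytes) arrive every interval_ms milliseconds.

    The bucket starts full, refills at CIR bytes per second and is capped at Bc.
    A packet conforms (is transmitted) if the bucket can pay for it in full,
    otherwise it exceeds and is dropped; nothing is ever queued or delayed.
    Returns (conformed_bytes, dropped_bytes, conformed_packets).
    """
    tokens = float(bc_bytes)
    refill = cir_bps * interval_ms / 8000       # bytes credited per arrival interval
    conformed = dropped = packets_ok = 0
    for size in packet_sizes:
        tokens = min(bc_bytes, tokens + refill)
        if size <= tokens:                       # conform-action transmit
            tokens -= size
            conformed += size
            packets_ok += 1
        else:                                    # exceed-action drop
            dropped += size
    return conformed, dropped, packets_ok


def bursty_second():
    """12 Mbps offered load (1500 B every 1 ms for one second) into a 1 Mbps
    policer with Bc = 15000 B: the first Bc worth passes, then roughly one
    packet in twelve conforms."""
    return police([1500] * 1000, 1_000_000, 15_000, 1)


def smooth_second():
    """Same 1 Mbps average but paced (1500 B every 12 ms): every packet conforms,
    because each refill exactly covers the next packet."""
    return police([1500] * 83, 1_000_000, 15_000, 12)


def ceiling_bytes(cir_bps, bc_bytes, seconds):
    """Upper bound on what a policer can pass in a window: CIR * t plus one Bc."""
    return cir_bps * seconds / 8 + bc_bytes


if __name__ == "__main__":
    print("bursty  (conformed, dropped, packets):", bursty_second())
    print("smooth  (conformed, dropped, packets):", smooth_second())
    print("ceiling over 1 s:", ceiling_bytes(1_000_000, 15_000, 1))
```

The bursty run passes 93 of 1000 packets and drops the rest, while the paced run with the same average rate loses nothing, which is why a policer on an interface that also carries bursty TCP traffic shows up as loss rather than as smoothing. Capping the total at 18 Mbps of a 20 Mbps line with a policer behaves the same way; shaping (which queues and delays) is what produces a smooth ceiling, but that is a different command from the `police` lines used here.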