12-19-2014 12:48 PM - edited 03-07-2019 09:57 PM
Hello,
I have a brand new switch that I can't seem to get up and running for days now.
I have configured 2 ports of a 3650. One port is on the outside, 1/0/4, and one port is on the inside of my network, 1/0/5.
Port 1/0/5 is a trunk port with only VLAN 60 for the moment. I have a DHCP pool for VLAN 60 (10.60.1.0/25). The VLAN on the switch has IP 10.60.1.1, and this address is used as the gateway in the VLAN. Addresses 1 to 10 are excluded from the range.
Port 1/0/4 is a port connected to the internet through DHCP from the provider.
Port 1/0/4 gets an internet IP address. Clients connected through port 1/0/5 get IP addresses in the range 10.60.1.0/24.
From the client I can ping 10.60.1.1, and I can ping the internet address on 1/0/4.
I have NAT enabled. From the router I can ping everywhere. I can't ping from the clients to the outside of the network.
This is my configuration. At the end I've pasted my show ip route.
Current configuration : 4849 bytes
!
! Last configuration change at 20:30:49 UTC Fri Dec 19 2014
!
version 15.0
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname router01
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
address-family ipv6
exit-address-family
!
enable secret 5 xxxxxxxxxxx
!
username administrator privilege 15 password 0 xxxxxxxxxxx
no aaa new-model
switch 1 provision ws-c3650-24ts
ip routing
!
no ip domain-lookup
ip device tracking
ip dhcp excluded-address 10.50.1.1 10.50.1.10
ip dhcp excluded-address 10.60.1.1 10.60.1.10
!
ip dhcp pool urbancity_dynamic01
network 10.60.1.0 255.255.255.0
domain-name bpost.urbancity.be
dns-server 8.8.8.8
default-router 10.60.1.1
!
!
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
mode sso
!
!
!
class-map match-any non-client-nrt-class
match non-client-nrt
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
description Upload
no switchport
ip address 10.2.1.43 255.255.0.0
shutdown
!
interface GigabitEthernet1/0/2
shutdown
!
interface GigabitEthernet1/0/3
shutdown
!
interface GigabitEthernet1/0/4
no switchport
ip address dhcp
no ip redirects
ip nat outside
!
interface GigabitEthernet1/0/5
switchport trunk native vlan 60
switchport trunk allowed vlan 60
switchport mode trunk
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip address dhcp
shutdown
!
interface Vlan60
ip address 10.60.1.1 255.255.255.0
no ip redirects
ip nat inside
!
ip nat inside source list 10 interface GigabitEthernet1/0/4 overload
ip http server
ip http authentication local
ip http secure-server
!
!
access-list 10 permit any
!
!
!
line con 0
stopbits 1
line aux 0
line vty 5 15
!
wsma agent exec
profile httplistener
profile httpslistener
wsma agent config
profile httplistener
profile httpslistener
wsma agent filesys
profile httplistener
profile httpslistener
wsma agent notify
profile httplistener
profile httpslistener
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
ap group default-group
end
router01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 84.196.224.1 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 84.196.224.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.60.1.0/24 is directly connected, Vlan60
L 10.60.1.1/32 is directly connected, Vlan60
84.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 84.196.224.0/20 is directly connected, GigabitEthernet1/0/4
L 84.196.227.XXX/32 is directly connected, GigabitEthernet1/0/4
12-19-2014 04:31 PM
Are you sure these switches support NAT ?
I did see the post in WAN that you added to, and I posted a comment in there about them not supporting NAT, then noticed that the OP actually had a debug showing NAT occurring when he pinged directly from the switch itself.
So I edited the post but still have doubts as to whether this switch supports it for clients.
I have checked the configuration guides and can't find any mention of NAT anywhere.
Do you have any documentation that says it is supported ?
Jon
12-19-2014 11:40 PM
I assumed it did? Otherwise I have a big problem :/
It certainly does NAT on the local interfaces.
router01#ping
Protocol [ip]:
Target IP address: 8.8.8.8
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.60.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.60.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/20 ms
router01#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 84.196.227.XXX:1025 10.60.1.1:12 8.8.8.8:12 8.8.8.8:1025
12-20-2014 12:12 AM
That is the weird thing because the other poster could also do that.
The only catalyst switch that I know of that supports NAT is the 6500 (don't know about the 6800 as I have never used it).
So I assumed it wouldn't support it. That is why I asked if you had any supporting documentation.
The results you posted above are surprising but I would still tend to think it is not supported.
Unfortunately I can't say for sure because I haven't used that switch so I guess we'll have to hope either the OP in the other thread comes back with an answer or someone else on the forum knows.
Jon
12-20-2014 01:03 AM
I do think we are getting close.. http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/29283-166.html
Doesn't state the 3650 but does state the 3750 and 3560.
Hm, this is a problem for me. I need a device where I can connect two WANs so I can route and NAT the traffic according to the VLAN.
Some end device just for the NATting and firewalling maybe?
Thanks!
12-20-2014 08:41 AM
Jon is correct. Only the 6500 series can do NAT. All the other series (3560, 3750, 3850, 3650, 4500) do not support NAT.
You need a router or firewall to do this function for you.
HTH
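As an added example (not part of the original thread and not Cisco code): a Python check that parses a running-config like the one posted above and flags NAT statements when the provisioned model belongs to a family the final answer lists as not supporting NAT. The family list is taken from that answer; the function name `audit_nat` and the sample input are constructed for this illustration.

```python
import re

# Model families the thread's final answer lists as not supporting NAT
# (taken from that answer, not from a Cisco feature matrix).
NO_NAT_FAMILIES = ("3560", "3750", "3850", "3650", "4500")

# Constructed sample: the NAT-relevant lines of the configuration posted above.
SAMPLE_CONFIG = """\
switch 1 provision ws-c3650-24ts
!
interface GigabitEthernet1/0/4
 no switchport
 ip address dhcp
 ip nat outside
!
interface Vlan60
 ip address 10.60.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 10 interface GigabitEthernet1/0/4 overload
access-list 10 permit any
"""

def audit_nat(config: str) -> dict:
    """Return the provisioned model, NAT role per interface, global NAT
    rules, and whether the config relies on NAT on a listed platform."""
    model, current = None, None
    roles, rules = {}, []
    for raw in config.splitlines():
        line = raw.strip()  # tolerate configs pasted without indentation
        m = re.match(r"switch \d+ provision (\S+)", line)
        if m:
            model = m.group(1)
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "!":
            current = None  # end of the interface stanza
        elif current and re.fullmatch(r"ip nat (inside|outside)", line):
            roles[current] = line.split()[-1]
        elif line.startswith("ip nat inside source"):
            rules.append(line)
    family = next((f for f in NO_NAT_FAMILIES if model and f in model), None)
    return {"model": model, "roles": roles, "rules": rules,
            "unsupported_nat": bool(family and (roles or rules))}

if __name__ == "__main__":
    print(audit_nat(SAMPLE_CONFIG))
```

Run against a saved `show running-config` before deployment, a true `unsupported_nat` means the translation has to move to a router or firewall, as the answer above says.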