02-09-2014 04:07 PM - edited 03-07-2019 06:06 PM
Hi,
Does the 3850 support NAT? If so, does it look exactly like NAT on a router?
Thanks.
06-28-2015 08:01 AM
I also saw that there is too much discussion about this. So I have to clarify this, in order to avoid any possible problem.
I'm from CISCO TAC.
You can take a look at the Feature Navigator tool; the NAT feature is not in there for any release of the 3850 switch.
http://tools.cisco.com/ITDIT/CFN/jsp/SearchBySoftware.jsp
And although the latest release 3.7.1 is not listed, it does not support NAT.
06-28-2015 06:06 PM
I need to clarify this further. I'm here because I was searching for the NAT commands supported by the Catalyst 3850. I spent some hours trying to configure a very simple connection from the internet to an internal network using NAT. It's just a 3850 switch with the IP Services IOS license, with a direct connection to the internet and some devices attached to the GE ports.
The switch CLI supports only the "ip nat inside source list interface <overload>" command, that is, no support for NAT pool or other options. I configured the correct interfaces and the access list, and apparently NAT was working, as shown by the "show ip nat translations" and "show ip nat statistics" commands. However, I could not reach, ping, trace, etc., from the connected laptops any valid internet address except the one configured on the switch interface - interface vlan or routed port. After trying all possibilities, testing three different laptops correctly configured and connected to the GE ports, I couldn't understand why it didn't work. However, I can ping any internet address from the switch using as source IP the internal network default-gateway configured in an interface vlan.
As per this discussion, maybe the problem is that the switch does not actually support NAT, but being so, how does it show the translations and statistics? And why can I ping the internet from the switch (any source IP) but not from the laptop?
06-30-2015 07:15 AM
Unfortunately, the platform does not support NAT. IOS-XE is a modular IOS. This means that inside IOS-XE we have a regular IOS. This regular IOS has the commands, and that is the problem. There is already an internal bug to remove these CLI commands from the IOS release.
But again, NAT is not supported on the 3850.
.:|:.:|:.
CISCO
Eliel Garcia Leyva
ENGINEER.CUSTOMER SUPPORT
01-21-2016 08:57 AM
Hi Eliel, I am having the same experience as luizlalmeida. I am trying to set up NAT services on a Cisco ME-3600X-24FS-M running Cisco IOS Software, ME360x Software (ME360x-UNIVERSALK9-M), Version 12.2(52)EY4, RELEASE SOFTWARE (fc1) - Metro IP access.
As long as a request comes from the inside interface - which is an SVI on the switch - translation works. But when the same request comes from a laptop directly connected on the same VLAN and subnet as the inside interface, translation fails.
I found out that the NAT features have been removed completely from higher software versions for this platform. What do you suggest as a possible solution?
01-22-2016 06:04 AM
Hi mtnghanait,
The ME3600 platform does not support the NAT feature either. I just checked on this tool:
http://tools.cisco.com/ITDIT/CFN/jsp/SearchBySoftware.jsp
Also, in the release notes NAT does not come up as a supported feature.
04-16-2018 12:22 PM
So I read about the 3850XE's ability to NAT and I decided to give it a shot and see if it does, in fact, support NAT. I have well over 200 of them in production, all acting as access switches with very little layer 3/4 functionality. To my surprise, the simple answer is YES! The 3850XE running 03.06.06 can NAT. Very impressive, Cisco. If continued, this could potentially be a strong case against the Junos EX line of products. Good job, Cisco.
Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 32    WS-C3850-24P       03.06.06E         cat3k_caa-universalk9 INSTALL
interface GigabitEthernet1/1/1
 no switchport
 ip address dhcp
 ip nat outside
!
interface GigabitEthernet1/1/2
 no switchport
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Loopback192
 ip address 192.168.0.1 255.255.255.255
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1/1/1 dhcp
access-list 1 permit 10.0.0.0 0.0.255
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
Switch#ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.217.10.110, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/22/40 ms
Switch#
Switch#ping google.com source lo192
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.217.12.206, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Switch#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp x.x.x.x:1024 192.168.0.1:6 172.217.12.206:6 172.217.12.206:1024
Switch#
Switch#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
GigabitEthernet1/0/24, GigabitEthernet1/1/1
Inside interfaces:
GigabitEthernet1/0/23, GigabitEthernet1/1/2, Loopback1, Loopback192
Hits: 10 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 1
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface GigabitEthernet1/1/1 refcount 0
Switch#
30 permit 192.168.0.0, wildcard bits 0.0.255.255 (1 match)
interface Loopback192
ip address 192.168.0.1 255.255.255.255
ip nat inside
!
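Several posts in this thread describe translation entries appearing when the ping is sourced from the switch itself while attached hosts get no connectivity. The following is an added example, not code from any poster or from Cisco: a Python check over "show ip nat translations" text that tells whether any entry belongs to an attached host rather than to one of the switch's own interface addresses. The sample config and output are constructed to resemble the thread's, and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample config, modelled on the interfaces quoted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1/2
 no switchport
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Loopback192
 ip address 192.168.0.1 255.255.255.255
 ip nat inside
"""

# Constructed sample output; 203.0.113.5 is a documentation address.
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 203.0.113.5:1024  192.168.0.1:6      172.217.12.206:6   172.217.12.206:1024
"""


def local_addresses(config):
    """IPv4 addresses statically configured on the device's own interfaces."""
    found = re.findall(r"^\s*ip address (\d+\.\d+\.\d+\.\d+) ", config, re.M)
    return {ipaddress.ip_address(a) for a in found}


def inside_locals(translations):
    """Inside-local addresses from dynamic icmp/tcp/udp translation rows."""
    addrs = set()
    for line in translations.splitlines():
        fields = line.split()
        # Data rows: proto, inside global, inside local, outside local, outside global
        if len(fields) == 5 and fields[0] in {"icmp", "tcp", "udp"}:
            addrs.add(ipaddress.ip_address(fields[2].split(":")[0]))
    return addrs


def host_translated(config, translations):
    """True only if some entry's inside-local address is not the switch's own."""
    return bool(inside_locals(translations) - local_addresses(config))


if __name__ == "__main__":
    ok = host_translated(SAMPLE_CONFIG, SAMPLE_TRANSLATIONS)
    print("host traffic translated" if ok else "only switch-sourced traffic translated")
```

A result of False means the translation table proves nothing about traffic from attached devices, so the test has to be repeated from a host behind the inside interface.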
09-28-2017 01:36 PM