Basic static NAT doesn't work

Hi,

I have a problem with basic 1:1 NAT configuration on my IE-2000-8TC-G-N. My network:

[network diagram: schemat.jpg]

I connected Host1 to port FastEthernet1/2 and Host2 to port FastEthernet1/3. Then I configured the switch with commands according to this guide:
l2nat instance basic_translation
inside from host 192.168.1.4 to 10.10.1.4
outside from host 10.10.1.3 to 192.168.1.3

The only thing I skipped was the application of the l2nat instance to a VLAN, but in that case the instance should be applied to the native VLAN. All of the ports on my switch are in VLAN 1, so if I understand correctly, translation should work on all ports.

However, the hosts cannot ping each other. Does anyone know what the problem may be? Is my understanding of how NAT works incorrect, or is something missing from the configuration?


My running config:

!
vlan internal allocation policy ascending
!
lldp run
!
l2nat instance basic_translation
 instance-id 1
 fixup all
 outside from host 10.10.1.3 to 192.168.1.3
 inside from host 192.168.1.4 to 10.10.1.4
!
!
!
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 ip address 10.10.0.50 255.0.0.0
 cip enable
!
ip default-gateway 10.0.0.1
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server


5 Replies

Deepak Kumar
VIP Alumni

Hi,

Have you applied this Layer 2 NAT instance to the port / VLAN on the interface?

Check this guide:

https://www.cisco.com/c/en/us/td/docs/switches/lan/cisco_ie2000/software/release/15_0_2_ea/configuration/guide/scg-ie2000/nat.pdf

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!

No, I said in my post I skipped this step. The guide you linked (I linked the same one) contains this information:


l2nat instance_name [vlan | vlan_range] Applies the specified Layer 2 NAT instance to a VLAN or VLAN range. If this parameter is missing, the Layer 2 NAT instance applies to the native VLAN.

From my understanding, if the NAT instance is not applied to any interface, it is applied by default to VLAN 1. So if all ports on my switch belong to this VLAN, shouldn't it work on all of them?

Also, I don't really understand why you can apply a NAT instance to Gigabit Ethernet ports only. Can you explain?

You still need to apply it to a port.

If you omit the VLAN number it affects the native VLAN of this port, which by default is VLAN 1!


And I do not think you need to read it as saying that L2NAT can only be applied to gigabit ports,

but this device (IE2000) has two gigabit UPLINK ports; these ports have different electronics (ASIC) than the other ports.

If it only works on those two ports, it probably has to do with the internal architecture of this switch, not the 10/100/1000 property.

Hi, thanks for the explanation.

So I created another VLAN I would like NAT to happen in and added some ports to it. Then I applied my l2nat instance to one of them (uplink port). My current config:

!
vlan internal allocation policy ascending
!
lldp run
!
l2nat instance basic_translation
 instance-id 1
 fixup all
 outside from host 10.10.1.3 to 192.168.1.3
 inside from host 192.168.1.4 to 10.10.1.4
!
!
!
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet1/6
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface GigabitEthernet1/1
 switchport access vlan 100
 l2nat basic_translation 100
!
interface GigabitEthernet1/2
!
interface Vlan1
 ip address 10.10.0.50 255.0.0.0
 cip enable
!
ip default-gateway 10.0.0.1
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server

I connected Host1 to GigabitEthernet1/1 and Host2 to FastEthernet1/5. They still cannot ping each other. Any idea what I am doing wrong?

Your information is incomplete! I can make a guess, but it is better if you confirm this first:

Is Host1 on GigabitEthernet1/1 IP 10.10.1.3?

And is Host2 on FastEthernet1/5 IP 192.168.1.4?

From host1 (10.10.1.3) do you ping 10.10.1.4? (l2nat translates it to 192.168.1.4 and forwards the packet)

From host2 (192.168.1.4) do you ping 192.168.1.3? (…. translates to 10.10.1.3 ….)


The document you reference mentions that l2nat needs the "enhanced LAN base feature set".

Did you check what version is running on your switch?

And please check that a local firewall on those hosts is not blocking these packets.
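As an added example (not from this thread and not Cisco's code), here is a small Python model of the two rules in the posted instance, showing which addresses each host must use for the ping exchange the reply above describes: the outside host 10.10.1.3 must send to Host2's translated address 10.10.1.4, the switch rewrites that packet to 192.168.1.3 -> 192.168.1.4 on the inside, and the echo reply is rewritten back the other way. The names Packet, L2NatInstance and ping_round_trip are assumptions for illustration; the model rewrites IP header addresses only and does not cover the VLAN/port binding discussed above or the payload rewrites (ARP and others) that the `fixup all` line in the posted config requests.

```python
"""Added example, not from the thread or from Cisco: a minimal model of the
bidirectional 1:1 translation that the posted l2nat instance describes.

Only the IP source/destination of a packet crossing the instance is rewritten.
The switch itself, VLAN/port binding and the payload rewrites (ARP and others)
behind the 'fixup all' line in the posted config are not modelled.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    """An IP packet reduced to the fields the translation touches (assumed name)."""
    src: str
    dst: str
    proto: str = "icmp"


class L2NatInstance:
    """Mirror of the CLI lines 'inside from host A to B' / 'outside from host C to D'."""

    def __init__(self, name: str) -> None:
        self.name = name
        # real address of an inside host -> address it is seen under on the outside
        self.inside: Dict[str, str] = {}
        # real address of an outside host -> address it is seen under on the inside
        self.outside: Dict[str, str] = {}

    def inside_from_host(self, real: str, translated: str) -> None:
        self.inside[real] = translated

    def outside_from_host(self, real: str, translated: str) -> None:
        self.outside[real] = translated

    @staticmethod
    def _reverse(table: Dict[str, str]) -> Dict[str, str]:
        return {alias: real for real, alias in table.items()}

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from the outside network, headed for an inside host.

        The source must be a configured outside host and the destination must be
        the outside-visible alias of an inside host. Anything else returns None
        (dropped in this model; the thread does not say what the real switch
        does with unmatched traffic).
        """
        new_src = self.outside.get(pkt.src)
        real_dst = self._reverse(self.inside).get(pkt.dst)
        if new_src is None or real_dst is None:
            return None
        return Packet(new_src, real_dst, pkt.proto)

    def inside_to_outside(self, pkt: Packet) -> Optional[Packet]:
        """Packet leaving an inside host for the outside network (mirror image)."""
        new_src = self.inside.get(pkt.src)
        real_dst = self._reverse(self.outside).get(pkt.dst)
        if new_src is None or real_dst is None:
            return None
        return Packet(new_src, real_dst, pkt.proto)


def build_thread_instance() -> L2NatInstance:
    """The instance from the posted running config."""
    nat = L2NatInstance("basic_translation")
    nat.inside_from_host("192.168.1.4", "10.10.1.4")
    nat.outside_from_host("10.10.1.3", "192.168.1.3")
    return nat


def ping_round_trip(nat: L2NatInstance, request: Packet) -> Optional[Packet]:
    """Echo request from the outside host, echo reply from the inside host.

    Returns the reply as the outside host sees it, or None if either leg fails
    to translate. The reply is built by swapping the addresses of the request
    as the inside host received it, which is what a real host would do.
    """
    inside_view = nat.outside_to_inside(request)
    if inside_view is None:
        return None
    reply = Packet(inside_view.dst, inside_view.src, request.proto)
    return nat.inside_to_outside(reply)


if __name__ == "__main__":
    nat = build_thread_instance()
    # Host1 (10.10.1.3) must target Host2's translated address, 10.10.1.4
    print(ping_round_trip(nat, Packet("10.10.1.3", "10.10.1.4")))
    # Targeting Host2's real address from the outside matches no rule
    print(ping_round_trip(nat, Packet("10.10.1.3", "192.168.1.4")))
```

The second call in the usage section is the case worth checking first when a 1:1 L2NAT "does not work": if Host1 pings Host2's real address (192.168.1.4) instead of its translated one (10.10.1.4), no rule matches and the exchange fails regardless of whether the instance is bound to the right port.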

