03-02-2014 04:40 PM - edited 03-07-2019 06:29 PM
Hello all,
Desperate need of help. I'm having trouble NATing from private LAN IPs to WAN. My 2921 router is connected to a cable modem on Gi0/0. The 3750 Network Module is connected through backplane on Router-Gi1/0 to Switch-Gi1/0/2. I plan on adding multiple different subnets and corresponding VLANs to the switch but right now I just started with one to see if I could get it to NAT properly; 10.10.30.0/24 subnet.
DHCP server is running on the router and importing DNS servers and Hostname from the cable modem. DHCP is working fine, I just can't get out to the Internet from the hosts off the switch. I can ping all interfaces on the router and switch from the end host.
When I check 'show ip nat translations' I don't see anything. Please help me figure out why I can't NAT out and access the Internet. I've included configs and routing table info below. Thanks a million in advance to anyone that can help!
ROUTER CONFIG:
version 12.4
no parser cache
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log datetime msec show-timezone year
service password-encryption
!
hostname CPH-RTR-001
!
boot-start-marker
boot-end-marker
!
logging buffered 64000 informational
logging monitor informational
enable secret 5 XXXXXXXXXXXXXX
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
ip dhcp use vrf connected
ip dhcp excluded-address 10.10.30.1 10.10.30.5
!
ip dhcp pool TEST
import all
network 10.10.30.0 255.255.255.0
default-router 10.10.30.1
!
!
ip domain name XXXXXXXXX
ip name-server 4.2.2.2
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
username XXXXXXXXX
!
!
!
interface Loopback0
description CPH-RTR-001 Main Loopback Interface
ip address 14.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet1/0
ip address 10.10.10.1 255.255.255.0
ip nat inside
no cdp enable
!
ip classless
ip route 10.10.0.0 255.255.0.0 GigabitEthernet1/0
ip route 0.0.0.0 0.0.0.0 dhcp
!
no ip http server
no ip http secure-server
ip nat inside source list 102 interface GigabitEthernet0/0 overload
!
access-list 102 permit ip 10.10.0.0 0.0.255.255 any log-input
access-list 102 deny ip any any log-input
!
control-plane
!
privilege exec level 15 ssh
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 1 show ip
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show
!
line con 0
logging synchronous
login local
line aux 0
exec-timeout 0 1
login local
no exec
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output all
line vty 0 4
exec-timeout 5 0
login local
transport input ssh
transport output none
!
scheduler allocate 20000 1000
!
end
SWITCH CONFIG:
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname CPH-SWT-001
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet1/0/2
switchport access vlan 30
switchport mode access
!
interface FastEthernet1/0/3
description Desktop PC
switchport access vlan 30
switchport mode access
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
no switchport
ip address 10.10.10.2 255.255.255.0
!
interface Vlan1
no ip address
!
interface Vlan30
ip address 10.10.30.1 255.255.255.0
ip helper-address 10.10.10.1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
no ip http server
!
!
control-plane
!
!
line con 0
logging synchronous
line vty 0 4
logging synchronous
login
line vty 5 15
logging synchronous
login
!
end
ROUTER - Routing Table (ISP IPs replaced with example IPs):
CPH-RTR-001#show ip route
Gateway of last resort is 95.5.5.1 to network 0.0.0.0
95.0.0.0/21 is subnetted, 1 subnets
C 95.5.5.0 is directly connected, GigabitEthernet0/0
135.254.0.0/32 is subnetted, 1 subnets
S 135.254.100.33 [254/0] via 95.5.5.1, GigabitEthernet0/0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S 10.10.0.0/16 is directly connected, GigabitEthernet1/0
C 10.10.10.0/24 is directly connected, GigabitEthernet1/0
14.0.0.0/32 is subnetted, 1 subnets
C 14.1.1.1 is directly connected, Loopback0
S* 0.0.0.0/0 [1/0] via 95.5.5.1
SWITCH - Routing Table:
CPH-SWT-001#show ip route
Gateway of last resort is 10.10.10.1 to network 0.0.0.0
10.0.0.0/24 is subnetted, 2 subnets
C 10.10.10.0 is directly connected, GigabitEthernet1/0/2
C 10.10.30.0 is directly connected, Vlan30
S* 0.0.0.0/0 [1/0] via 10.10.10.1
ROUTER - IP Interface Brief:
CPH-RTR-001#show ip int bri
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 95.5.7.244 YES DHCP up up
GigabitEthernet0/1 unassigned YES NVRAM administratively down down
GigabitEthernet1/0 10.10.10.1 YES NVRAM up up
NVI0 unassigned YES unset up up
Loopback0 14.1.1.1 YES NVRAM up up
SWITCH - IP Interface Brief:
CPH-SWT-001#show ip int bri
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM up down
Vlan30 10.10.30.1 YES NVRAM up up
FastEthernet1/0/2 unassigned YES unset up up
FastEthernet1/0/3 unassigned YES unset down down
FastEthernet1/0/4 unassigned YES unset down down
FastEthernet1/0/5 unassigned YES unset down down
FastEthernet1/0/6 unassigned YES unset down down
FastEthernet1/0/7 unassigned YES unset down down
FastEthernet1/0/8 unassigned YES unset down down
FastEthernet1/0/9 unassigned YES unset down down
FastEthernet1/0/10 unassigned YES unset down down
FastEthernet1/0/11 unassigned YES unset down down
FastEthernet1/0/12 unassigned YES unset down down
FastEthernet1/0/13 unassigned YES unset down down
FastEthernet1/0/14 unassigned YES unset down down
FastEthernet1/0/15 unassigned YES unset down down
FastEthernet1/0/16 unassigned YES unset down down
FastEthernet1/0/17 unassigned YES unset down down
FastEthernet1/0/18 unassigned YES unset down down
FastEthernet1/0/19 unassigned YES unset down down
FastEthernet1/0/20 unassigned YES unset down down
FastEthernet1/0/21 unassigned YES unset down down
FastEthernet1/0/22 unassigned YES unset down down
FastEthernet1/0/23 unassigned YES unset down down
FastEthernet1/0/24 unassigned YES unset down down
GigabitEthernet1/0/1 unassigned YES unset down down
GigabitEthernet1/0/2 10.10.10.2 YES NVRAM up up
03-03-2014 12:45 AM
Hi,
log keyword is not supported in NAT ACLs so just edit your ACL 102 by removing the log-input keyword and it should be working.
One little remark, you don't need a static route for the 10.10.0.0/16 network and you should avoid static routes pointing to an ethernet exit interface.
Regards
Alain
Don't forget to rate helpful posts.
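An offline check for the two points in the reply above, added here as an example and not part of the original thread: it scans a saved IOS config for numbered ACLs that a NAT rule references and that carry log or log-input, and for static routes that name only an Ethernet exit interface. The function name lint_nat_config and the sample text are assumptions built from the config posted in the question; named ACLs (ip access-list extended ...) are not handled.

```python
import re

# Constructed excerpt modelled on the router config posted in this thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
interface GigabitEthernet1/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
ip route 10.10.0.0 255.255.0.0 GigabitEthernet1/0
ip route 0.0.0.0 0.0.0.0 dhcp
ip nat inside source list 102 interface GigabitEthernet0/0 overload
access-list 102 permit ip 10.10.0.0 0.0.255.255 any log-input
access-list 102 deny ip any any log-input
access-list 110 permit tcp any any eq 22 log
"""

# NAT rule that selects traffic with a numbered ACL.
NAT_RULE = re.compile(r"^ip nat (?:inside|outside) source list (\S+)\s")
# Numbered ACL entry that ends up with a log or log-input keyword.
ACL_LOG = re.compile(r"^access-list (\S+) (?:permit|deny) .*\blog(?:-input)?\b")
# Static route whose only forwarding target is an Ethernet interface name.
IFACE_ROUTE = re.compile(
    r"^ip route \S+ \S+ (?:Fast|Gigabit|TenGigabit)?Ethernet\S+\s*$"
)


def lint_nat_config(config):
    """Return one finding per offending line (hypothetical helper)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # ACL numbers that NAT actually uses; logging in other ACLs is fine.
    nat_acls = {m.group(1) for ln in lines if (m := NAT_RULE.match(ln))}
    findings = []
    for ln in lines:
        acl = ACL_LOG.match(ln)
        if acl and acl.group(1) in nat_acls:
            findings.append(f"NAT ACL {acl.group(1)} uses log keyword: {ln}")
        if IFACE_ROUTE.match(ln):
            findings.append(f"static route via Ethernet interface only: {ln}")
    return findings


if __name__ == "__main__":
    for finding in lint_nat_config(SAMPLE_CONFIG):
        print(finding)
```

ACL 110 in the sample is left alone because no NAT rule references it; the log keyword is only a problem in the ACL that NAT matches against.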
03-03-2014 05:08 AM
I can't believe it was that simple! Thanks so much for your help.