12-22-2014 09:50 PM - edited 03-07-2019 09:59 PM
Actually it is the Rockwell 1783-BMS10CGN running ver 15.0(2)EA1 S5700-UNIVERSAL-M.
I have followed the configuration as documented but it does not want to work.
Here is the relevant configuration:
l2nat instance crust
instance-id 1
permit unmatched in
permit unmatched out
fixup arp
fixup icmp
inside from host 192.168.1.200 to 10.71.205.30
inside from host 192.168.1.190 to 10.71.205.31
outside from host 10.71.205.254 to 192.168.1.15
!
int gi1/1
l2nat crust 107
!
All the relevant hosts are reachable; 10.71.205.254 is an outside router used for testing.
I followed the example in the documentation for the basic "inside to outside" configuration, but I want to go from "outside to inside". Would the configuration be any different?
Something to think about over Christmas!
04-20-2018 02:39 PM
Hi folks, I pulled my hair out over this configuration this week and finally got it working with this simple configuration. This is running on an IE-2000-8TC-G-N with the enhancedlanbase license level
Real "Inside" IP Addresses: 192.168.10.20/16
Default Gateway of 192.168.10.4 specified on the PLC device. NAT traffic back and forth between 10.247.28.65 (Outside/public) to 192.168.10.20 (inside/private).
interface GigabitEthernet1/1
switchport trunk allowed vlan 1,149,151
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
macro description cisco-switch
auto qos trust
l2nat Instance1 151
spanning-tree link-type point-to-point
ip dhcp snooping trust
interface FastEthernet1/1
description Andon PLC - 192.168.10.20 (NAT'd to 10.247.28.65)
switchport access vlan 151
switchport mode access
srr-queue bandwidth share 1 19 40 40
priority-queue out
macro description cisco-ethernetip
storm-control broadcast level 3.00 1.00
spanning-tree portfast edge
l2nat instance Instance1
instance-id 1
permit all
fixup all
outside from host 10.247.28.94 to 192.168.10.4 gateway
outside from host 10.247.28.65 to 192.168.10.20
inside from host 192.168.10.20 to 10.247.28.65
l2nat Instance1 151
Hope this helps fellow people who have struggled to make this work.
10-19-2018 02:10 PM
Hello,
I am curious, is the Internal/Private VLAN that the PLC is on the same as the Outside/Public Vlan that you are translating the traffic for?
Does it also work if you do NOT "Permit All"?
With "Permit all" turned on, it allows all multicast/broadcast traffic to pass to the outside network, and that is what we do not want; but then I have to have a translation for every IP address going out and every device coming in. So when we want to collect data with OPC servers, I have to add them to the "outside to inside" translations and give them an Internal/Private IP address, or I cannot communicate with the machine devices.
@matthew.goli1 wrote: (quoting the 04-20-2018 post above in full)
10-24-2018 12:05 PM
Is "permit all in" acceptable to you? Then that would only permit broadcasts from the outside in without an explicit NAT.
01-13-2020 06:04 AM
I tried this with "permit all in" and it did not allow my SCADA server to communicate with the PLC through L2NAT. I also tried an outside-in translation for the SCADA server IP address to a local address and that did not allow communication either. "Permit All" works, but then because the VLAN is shared with other automation equipment there are IP address conflicts, as the poster above has said. Does anyone have a configuration you can share for L2NAT without "Permit All"?
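To make the inside/outside/permit semantics argued over in this thread concrete, here is a small Python model of an l2nat instance (an added example, not code from any poster or from Cisco). It assumes the simplified rule meanings stated in its comments; the sample rules are taken from the 04-20-2018 post with "permit all" deliberately left out, and the 10.247.28.77 host is constructed. It shows why, without "permit all", every outside device needs its own "outside from host" line before its frames reach the private VLAN.

```python
# Simplified model of the L2NAT rules discussed in this thread (added example).
# Assumed semantics, simplified from the platform documentation:
#   inside  from host A to B : inside host A appears as B on the outside
#   outside from host C to D : outside host C appears as D on the inside
#   permit all / permit [all|unmatched] in|out : forward untranslated frames
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class L2NatInstance:
    inside: Dict[str, str] = field(default_factory=dict)   # private -> public
    outside: Dict[str, str] = field(default_factory=dict)  # public -> private
    permit_in: bool = False    # forward unmatched outside -> inside frames
    permit_out: bool = False   # forward unmatched inside -> outside frames

def parse_instance(config: str) -> L2NatInstance:
    """Parse the inside/outside/permit lines of an 'l2nat instance' block."""
    inst = L2NatInstance()
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["permit"]:
            d = t[-1] if t[-1] in ("in", "out") else "both"
            inst.permit_in = inst.permit_in or d != "out"
            inst.permit_out = inst.permit_out or d != "in"
        elif t[:3] == ["inside", "from", "host"]:
            inst.inside[t[3]] = t[5]
        elif t[:3] == ["outside", "from", "host"]:
            inst.outside[t[3]] = t[5]   # trailing 'gateway' keyword is ignored here
    return inst

def translate(inst: L2NatInstance, src: str, dst: str,
              direction: str) -> Optional[Tuple[str, str]]:
    """Addresses seen on the far side of the NAT, or None if the frame is dropped."""
    if direction == "out":             # inside -> outside
        fwd, rev, permitted = inst.inside, inst.outside, inst.permit_out
    else:                              # outside -> inside
        fwd, rev, permitted = inst.outside, inst.inside, inst.permit_in
    new_src = fwd.get(src)
    new_dst = {v: k for k, v in rev.items()}.get(dst)
    if new_src is None and new_dst is None and not permitted:
        return None                    # no rule matched and unmatched traffic not permitted
    return (new_src or src, new_dst or dst)

# Rules taken from the 04-20-2018 post, with 'permit all' deliberately left out.
SAMPLE = """\
outside from host 10.247.28.94 to 192.168.10.4 gateway
outside from host 10.247.28.65 to 192.168.10.20
inside from host 192.168.10.20 to 10.247.28.65
"""
```

Appending "permit all in" to SAMPLE makes the unmatched outside frame pass through untranslated, which is the broadcast leakage the 10-19-2018 post wants to avoid.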