11-24-2010 03:25 AM - edited 03-06-2019 02:11 PM
Hi,
I am having trouble implementing NAT on a Catalyst 6500. This is my default configuration:
interface Vlan1
no ip address
shutdown
!
interface Vlan48
description 100
bandwidth 10000000
ip address 193.xx.xx.1 255.255.255.0
!
This is my public network 193.xx.xx.0 255.255.255.0
!
interface Vlan50
ip address 130.xx.xx.13 255.255.255.252
!
interface Vlan65
ip address 10.10.0.1 255.255.0.0
ip nat inside
!
interface Vlan620
ip address 130.xx.xx.34 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 130.xx.xx.13
!
no ip http server
!
I have a private network 10.10.0.0 255.255.0.0 and I want to use Cisco NAT to connect this private net to the WLAN using only one IP of my public 193.xx.xx.0 255.255.255.0 (193.xx.xx.254 in this case).
I have made the following changes:
interface Vlan1
no ip address
shutdown
!
interface Vlan48
description 100
bandwidth 10000000
ip address 193.xx.xx.1 255.255.255.0
ip nat outside
!
interface Vlan50
ip address 130.xx.xx.14 255.255.255.252
!
interface Vlan65
ip address 10.10.0.1 255.255.0.0
ip nat inside
!
! Define a new VLAN for my private net: vlan65
interface Vlan620
ip address 130.xx.xx.34 255.255.255.252
!
no ip nat service skinny tcp port 2000
no ip nat service H225
ip nat pool WLANPOOL 193.xx.xx.254 193.xx.xx.254 netmask 255.255.255.0
ip nat inside source list 10 pool WLANPOOL overload
ip classless
ip route 0.0.0.0 0.0.0.0 130.xx.xx.13
!
no ip http server
!
access-list 10 permit 10.10.0.0 0.0.255.255
11-24-2010 06:23 AM
Iban
Can you clarify something?
What are you trying to ping, i.e. what destination address, and what does the routing table show for this destination address? You have a default-route -
ip route 0.0.0.0 0.0.0.0 130.xx.xx.13
the destination IP you are trying to ping, can you post "sh ip route
Jon
11-25-2010 12:55 AM
Hi Jon,
In the Catalyst most of the ports belong to vlan48; only one port belongs to vlan65 (10.10.0.1). On this port I have connected the 10.10.90.60/255.255.0.0 machine.
Router#show ip route 193.xx.xx.0
Routing entry for 193.xx.xx.0/24
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via Vlan48
Route metric is 0, traffic share count is 1
Router#
I am trying to ping my public network from my private net:
From 10.10.90.60/255.255.0.0 to 193.xx.xx.1 OK
From 10.10.90.60/255.255.0.0 to 193.xx.xx.3 FAIL:
1w0d: NAT: ICMP id=16476->0
1w0d: NAT: s=10.10.90.60->193.xx.xx.254, d=193.xx.xx.3 [0]
1w0d: NAT*: ICMP id=16476->0
1w0d: NAT*: s=10.10.90.60->193.xx.xx.254, d=193.xx.xx.3 [0]
11-25-2010 03:07 AM
Iban
Can you try a few things for me -
1) do a ping as is and run "sh ip nat translations"
if you cannot see a NAT translation for your host then
2) change the nat to be -
ip nat inside source list 10 interface vlan 48 overload
ping and run "sh ip nat translations"
if you still cannot see a NAT translation then -
3) change acl 10 to
access-list 101 permit ip 10.10.0.0 0.0.255.255 any
ip nat inside source list 101 interface vlan 48 overload
and again ping and look at "sh ip nat translations"
Jon
11-25-2010 03:34 AM
Hi Jon,
I just made an ip nat inside source list 10 interface vlan 48 overload:
1w0d: NAT: s=10.10.90.60->193.xx.xx.1, d=193.xx.xx.3 [0]
1w0d: NAT*: ICMP id=0->20573
1w0d: NAT*: s=193.xx.xx.3, d=193.xx.xx.1->10.10.90.60 [48566]
1w0d: NAT*: ICMP id=20573->0
1w0d: NAT*: s=10.10.90.60->193.xx.xx.1, d=193.xx.xx.3 [0]
1w0d: NAT*: ICMP id=0->20573
1w0d: NAT*: s=193.xx.xx.3, d=xx.xx.75.1->10.10.90.60 [48567]
1w0d: NAT*: ICMP id=20573->0
1w0d: NAT*: s=10.10.90.60->193.xx.xx.1, d=193.xx.xx.3 [0]
1w0d: NAT*: ICMP id=0->20573
1w0d: NAT*: s=193.xx.xx.3, d=193.xx.xx.1->10.10.90.60 [48568]
1w0d: NAT*: ICMP id=20573->0
1w0d: NAT*: s=10.10.90.60->193.xx.xx.1, d=193.xx.xx.3 [0]
1w0d: NAT*: ICMP id=0->20573
1w0d: NAT*: s=193.xx.xx.3, d=193.xx.xx.1->10.10.90.60 [48569]
1w0d: NAT: ICMP id=20829->1
1w0d: NAT: s=10.10.90.60->193.xx.xx.1, d=193.xx.xx.67 [0]
1w0d: NAT*: ICMP id=3->21597
1w0d: NAT*: s=193.xx.xx.67, d=193.xx.xx.1->10.10.90.60 [51826]
Then I can ping to my public network 193.xx.xx.3, 193.xx.xx.36, 193.xx.xx.44 etc
access-list 101 permit ip 10.10.0.0 0.0.255.255 any
ip nat inside source list 101 interface vlan 48 overload
11-25-2010 04:11 AM
Iban
Then I can ping to my public network 193.xx.xx.3, 193.xx.xx.36, 193.xx.xx.44 etc
access-list 101 permit ip 10.10.0.0 0.0.255.255 any
ip nat inside source list 101 interface vlan 48 overload
11-25-2010 07:38 AM
Hi Jon,
There is only one port on the switch configured in Vlan65 (machine 10.10.90.60 connected); most of the remaining ports belong to vlan 48:
sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi3/10
48   local                            active    Te1/1, Te1/2, Te1/3, Te1/4
                                                Te2/1, Te2/2, Te2/3, Te2/4
                                                Gi3/3, Gi3/5, Gi3/7, Gi3/11
                                                Gi3/12, Gi3/14, Gi3/15, Gi3/16
                                                Gi3/17, Gi3/18, Gi3/19, Gi3/20
                                                Gi3/21, Gi3/22, Gi3/24
50   Red                              active
55   private                          active
56   Red_10G                          active
65   VLAN0065                         active    Gi3/13
620  RAES                             active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
11-25-2010 10:25 PM
Iban
interface Vlan48
description 100
bandwidth 10000000
ip address 193.xx.xx.1 255.255.255.0
ip nat outside
!
interface Vlan65
ip address 10.10.0.1 255.255.0.0
ip nat inside
the above is from your 6500 switch. Then in this post you say -
at the ports that belongs to vlan 48 are connected machines that belong to prv (10.10.x.x) and public (193.xx.xx.0) (this is not my own configuration, it have been working long time ago)
but this doesn't make any sense because 10.10.x.x is your vlan 65 and if 10.10.x.x ports were configured into vlan 48 you wouldn't be able to get to them because the L3 vlan 48 interface from above doesn't have an IP address for 10.10.x.x. So if 10.10.0.2 is assigned to vlan 48 then when you try to ping it from 10.10.90.60 it will think it is in the same vlan. So that will never work.
As for the internet, it looks to me like it is reachable via the 130.yy.yy.13 route, so I'm not sure how you think you can access the internet via your 193.x.x.x network. I thought that you had internet connectivity via the 193.x.x.x but it seems like that is not the case.
Your NAT is working fine. However, much of what you have said, i.e. about the 10.10.x.x network and the internet, doesn't make a lot of sense, so you need to understand exactly how the 6500 is set up before doing anything else, otherwise you could affect the other users.
Jon
01-31-2011 07:51 AM
Hi Jon,
Reading a little more about L3 switches (in my case the 6500), I think that I know what the problem is from reading this document:
http://www.dslreports.com/faq/13563
In my case the NAT is working fine but the packets of my internal network are not being routed to the default gw "ip route 0.0.0.0 0.0.0.0 130.206.199.13"
In my case the ports that route the traffic out are a trunk of two gigabit ports, 3/1 & 3/2, port-channel1:
!
interface Port-channel1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 50,620
switchport mode trunk
no ip address
!
interface GigabitEthernet3/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 50,620
switchport mode trunk
no ip address
channel-group 1 mode active
!
interface GigabitEthernet3/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 50,620
switchport mode trunk
no ip address
channel-group 1 mode active
I think I should do a "no switchport" on the interface, and then set an "ip" in the same network as the gateway
ip address 130.206.199.14 255.255.255.252 (which is now assigned to vlan50)
I only have one doubt: should these changes be applied on the physical interfaces (g 3/1, g 3/2) or on the port-channel1 interface?
Regards, Iban
01-31-2011 08:01 AM
Hi Iban,
IP address needs to be configured under the port channel interface. Please visit the following link for details:
Router# configure terminal
Router(config)# interface port-channel 1
Router(config-if)# ip address x.x.x.x 255.255.255.0 (for /24 mask)
Router(config-if)# end
Hope this helps,
Shashank
Please rate if this answered your question
03-29-2011 07:51 AM
Solved by adding:
ip nat outside to vlan50 too (ip nat outside on vlan48 and on vlan 50)
Regards,
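
Added example, not part of the thread and not Cisco code: a small Python check for the condition that resolved this thread, namely that the interface whose connected subnet holds the default-route next hop must be marked "ip nat outside". The sample config is constructed from the thread's layout with documentation-range addresses as placeholders; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's layout; addresses are
# documentation-range placeholders, not the poster's real ones.
SAMPLE_BEFORE = """\
interface Vlan48
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
!
interface Vlan50
 ip address 198.51.100.14 255.255.255.252
!
interface Vlan65
 ip address 10.10.0.1 255.255.0.0
 ip nat inside
!
ip nat inside source list 10 interface Vlan48 overload
ip route 0.0.0.0 0.0.0.0 198.51.100.13
"""

def parse_interfaces(config):
    """Map interface name -> connected network and NAT role (None if unset)."""
    interfaces, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            current = interfaces.setdefault(m[1], {"net": None, "nat": None})
        elif line == "!":
            current = None          # "!" closes the interface block
        elif current is not None:
            if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
                current["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            elif m := re.fullmatch(r"ip nat (inside|outside)", line):
                current["nat"] = m[1]
    return interfaces

def audit_nat(config):
    """Return findings; empty list means the default-route egress is a NAT outside."""
    interfaces = parse_interfaces(config)
    m = re.search(r"^\s*ip route 0\.0\.0\.0 0\.0\.0\.0 (\d+\.\d+\.\d+\.\d+)", config, re.M)
    if not m:
        return ["no default route with an IP next hop"]
    hop = ipaddress.ip_address(m[1])
    egress = next((n for n, i in interfaces.items() if i["net"] and hop in i["net"]), None)
    if egress is None:
        return [f"next hop {hop} is not on any connected subnet"]
    if interfaces[egress]["nat"] != "outside":
        return [f"{egress} carries the default route but lacks 'ip nat outside'"]
    return []
```

Run against the sample, audit_nat reports Vlan50; once "ip nat outside" is added under Vlan50 it returns an empty list.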