Catalyst Vlan nat trouble

cabrilloji
Level 1

Hi,

  I am having trouble implementing a nat on Catalyst 6500: this is my default configuration:

interface Vlan1
 no ip address
 shutdown
!
interface Vlan48
 description 100
 bandwidth 10000000
 ip address 193.xx.xx.1 255.255.255.0
!

This is my public network 193.xx.xx.0 255.255.255.0

!
interface Vlan50
 ip address 130.xx.xx.13 255.255.255.252
!
interface Vlan65
 ip address 10.10.0.1 255.255.0.0
 ip nat inside
!
interface Vlan620
 ip address 130.xx.xx.34 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 130.xx.xx.13
!
no ip http server
!

I have a prv network 10.10.0.0 255.255.0.0 and I want to use Cisco NAT to connect this prv net to the WLAN using only one IP of my public 193.xx.xx.0 255.255.255.0 (193.xx.xx.254 in this case).

I have made the following changes:

interface Vlan1
 no ip address
 shutdown
!
interface Vlan48
 description 100
 bandwidth 10000000
 ip address 193.xx.xx.1 255.255.255.0
 ip nat outside
!
interface Vlan50
 ip address 130.xx.xx.14 255.255.255.252
!
interface Vlan65
 ip address 10.10.0.1 255.255.0.0
 ip nat inside
!
! Define a new vlan for my prv net: vlan65
interface Vlan620
 ip address 130.xx.xx.34 255.255.255.252
!
no ip nat service skinny tcp port 2000
no ip nat service H225
ip nat pool WLANPOOL 193.xx.xx.254 193.xx.xx.254 netmask 255.255.255.0
ip nat inside source list 10 pool WLANPOOL overload
ip classless
ip route 0.0.0.0 0.0.0.0 130.xx.xx.13
!
no ip http server
!
access-list 10 permit 10.10.0.0 0.0.255.255

I have assigned a port to vlan65, and with a machine on the prv net with 10.10.0.1 as gw I can ping 10.10.0.1 and 193.xx.xx.1 but nothing more:
Router#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  Vlan48
Inside interfaces:
  Vlan65
Hits: 39  Misses: 3
Expired translations: 2
Dynamic mappings:
-- Inside Source
[Id: 3] access-list 10 pool WLANOVERLOAD refcount 0
pool WLANOVERLOAD: netmask 255.255.255.0
         start 193.xx.xx.254 end 193.xx.xx.254
        type generic, total addresses 1, allocated 0 (0%), misses 0

4d23h: NAT: s=10.10.37.37->193.xx.xx.254, d=193.xx.xx.3 [0]
4d23h: NAT*: ICMP id=31280->0
4d23h: NAT*: s=10.10.37.37->193.xx.xx.254, d=193.xx.xx.3 [0]
4d23h: NAT*: ICMP id=31280->0
4d23h: NAT*: s=10.10.37.37->193.xx.xx.254, d=193.xx.xx.3 [0]
4d23h: NAT*: ICMP id=31280->0
4d23h: NAT*: s=10.10.37.37->193.xx.xx.254, d=193.xx.xx.3 [0]
Any idea about the error?
Regards.

Jon Marshall
Hall of Fame

Iban

Can you clarify something?

What are you trying to ping, i.e. what destination address, and what does the routing table show for this destination address? You have a default route -

ip route 0.0.0.0 0.0.0.0 130.xx.xx.13

For the destination IP you are trying to ping, can you post "sh ip route"?

Jon

Hi Jon,

In the Catalyst most of the ports belong to vlan48; only one port belongs to vlan65 (10.10.0.1), and to this port I have connected the 10.10.90.60/255.255.0.0 machine.

Router#show ip route 193.xx.xx.0
Routing entry for 193.xx.xx.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Vlan48
      Route metric is 0, traffic share count is 1
Router#

   I am trying to ping my public network from my prv net:

      From 10.10.90.60/255.255.0.0 to 193.xx.xx.1 OK

      From 10.10.90.60/255.255.0.0 to 193.xx.xx.3 FAIL:

1w0d: NAT: ICMP id=16476->0
1w0d: NAT: s=10.10.90.60->193.xx.xx.254, d=193.xx.xx.3 [0]
1w0d: NAT*: ICMP id=16476->0
1w0d: NAT*: s=10.10.90.60->193.xx.xx.254, d=193.xx.xx.3 [0]
.....
Of course, no ping to any other public/WLAN address ;(
I have no control over ip route 0.0.0.0 0.0.0.0 130.xx.xx.13; this is the academic network. I can only get out with my prv net (10.10.0.0/255) using the single pool address 193.xx.xx.254.
If you need more info please let me know.
Regards

Iban

Can you try a few things for me -

1) do a ping as is and run "sh ip nat translations"

if you cannot see a NAT translation for your host then

2) change the nat to be -

ip nat inside source list 10 interface vlan 48 overload

ping and run  "sh ip nat translations"

if you still cannot see a NAT translation then -

3) change acl 10 to

access-list 101 permit ip 10.10.0.0 0.0.255.255 any

ip nat inside source list 101 interface vlan 48 overload

and again ping and look at "sh ip nat translations"

Jon

Hi jon,

I just made an ip nat inside source list 10 interface vlan 48 overload

1w0d: NAT: s=10.10.90.60->193.xx.xx.1, d=193.xx.xx.3 [0]
1w0d: NAT*: ICMP id=0->20573
1w0d: NAT*: s=193.xx.xx.3, d=193.xx.xx.1->10.10.90.60 [48566]
1w0d: NAT*: ICMP id=20573->0
1w0d: NAT*: s=10.10.90.60->193.xx.xx.1, d=193.xx.xx.3 [0]
1w0d: NAT*: ICMP id=0->20573
1w0d: NAT*: s=193.xx.xx.3, d=xx.xx.75.1->10.10.90.60 [48567]
1w0d: NAT*: ICMP id=20573->0
1w0d: NAT*: s=10.10.90.60->193.xx.xx.1, d=193.xx.xx.3 [0]
1w0d: NAT*: ICMP id=0->20573
1w0d: NAT*: s=193.xx.xx.3, d=193.xx.xx.1->10.10.90.60 [48568]
1w0d: NAT*: ICMP id=20573->0
1w0d: NAT*: s=10.10.90.60->193.xx.xx.1, d=193.xx.xx.3 [0]
1w0d: NAT*: ICMP id=0->20573
1w0d: NAT*: s=193.xx.xx.3, d=193.xx.xx.1->10.10.90.60 [48569]
1w0d: NAT: ICMP id=20829->1
1w0d: NAT: s=10.10.90.60->193.xx.xx.1, d=193.xx.xx.67 [0]
1w0d: NAT*: ICMP id=3->21597
1w0d: NAT*: s=193.xx.xx.67, d=193.xx.xx.1->10.10.90.60 [51826]

Then I can ping my public network: 193.xx.xx.3, 193.xx.xx.36, 193.xx.xx.44, etc.

But I cannot ping my own prv net (10.10.0.2 for example) or the rest of the WLAN (google.com for example); I can resolve the name because 193.xx.xx.3 is my DNS server.
Should I run:

access-list 101 permit ip 10.10.0.0 0.0.255.255 any

ip nat inside source list 101 interface vlan 48 overload

Regards

Iban

Then I can ping my public network: 193.xx.xx.3, 193.xx.xx.36, 193.xx.xx.44, etc.

But I cannot ping my own prv net (10.10.0.2 for example) or the rest of the WLAN (google.com for example); I can resolve the name because 193.xx.xx.3 is my DNS server.
Should I run:

access-list 101 permit ip 10.10.0.0 0.0.255.255 any

ip nat inside source list 101 interface vlan 48 overload

Regards

This is getting confusing. What is 10.10.0.2? You said there was nothing else on this vlan. The NAT will have no effect if you are pinging within your own vlan, i.e. from 10.10.x.x to 10.10.x.x. Check for firewalls on the devices if ping isn't working.

As for the internet, i.e. google.com, then again I don't think the NAT is the issue. Is the route to the internet via the 193.x.x.x network? Please clarify with a diagram or a more detailed explanation.

And when you do the ping please post "sh ip nat translations" rather than the debug.

Jon

Hi Jon,

   There is only one port on the switch configured for Vlan65 (machine 10.10.90.60 connected); most of the remaining ports belong to vlan 48:

sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi3/10
48   local                            active    Te1/1, Te1/2, Te1/3, Te1/4
                                                Te2/1, Te2/2, Te2/3, Te2/4
                                                Gi3/3, Gi3/5, Gi3/7, Gi3/11
                                                Gi3/12, Gi3/14, Gi3/15, Gi3/16
                                                Gi3/17, Gi3/18, Gi3/19, Gi3/20
                                                Gi3/21, Gi3/22, Gi3/24
50   Red                              active
55   private                          active
56   Red_10G                          active
65   VLAN0065                         active    Gi3/13
620  RAES                             active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

To the ports that belong to vlan 48 are connected machines that belong to the prv net (10.10.x.x) and the public net (193.xx.xx.0) (this is not my own configuration; it has been working since long ago).
pinging from 10.10.90.60 to 193.xx.xx.3:
Router#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 193.xx.x.1:4501  10.10.90.60:45935  193.xx.xx.3:53    193.xx.xx.3:53
udp 193.xx.xx.1:4502  10.10.90.60:39918  193.xx.xx.3:53    193.xx.xx.3:53
Router#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 193.xx.xx.1:0    10.10.90.60:59247  193.xx.xx.36:59247 193.xx.xx.36:0
udp 193.xx.xx.1:4501  10.10.90.60:45935  193.xx.xx.3:53    193.xx.xx.3:53
udp 193.xx.xx.1:4502  10.10.90.60:39918  193.xx.xx.3:53    193.xx.xx.3:53
So it seems the nat is working.
There is no firewall on the prv lan.
Is the route to the internet via the 193.x.x.x network? Really I do not know, but from the router config it seems that the route is:
show ip route static
S*   0.0.0.0/0 [1/0] via 130.yy.yy.13
  I have no control over this network.
Regards
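Jon's advice to look at "sh ip nat translations" rather than the debug output is the right check: a row whose Inside local column carries the private host's address proves a translation was built, and the Inside global column shows which public address it was given (here Vlan48's own .1, not the .254 pool the first configuration intended). The parser below is an added example, not code from the thread or from Cisco; it reads that table layout into records so the check can be scripted. The sample output is constructed in the same shape as the post's, using RFC 5737 documentation addresses instead of the poster's masked ones, and its last row is a static entry (printed with "---" columns) that the thread's configuration does not have, included so the parser handles that row type too.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample in the shape of the "sh ip nat translations" output quoted in
# the thread. Addresses are RFC 5737 documentation ranges, not the poster's real ones;
# the "---" row is a static entry added here to show how such rows are printed.
SAMPLE_OUTPUT = """\
Router#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.0.2.1:0       10.10.90.60:59247  192.0.2.36:59247   192.0.2.36:0
udp 192.0.2.1:4501     10.10.90.60:45935  192.0.2.3:53       192.0.2.3:53
udp 192.0.2.1:4502     10.10.90.60:39918  192.0.2.3:53       192.0.2.3:53
--- 192.0.2.254        10.10.0.2          ---                ---
Router#
"""

_ENDPOINT = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?$")


@dataclass(frozen=True)
class NatEntry:
    proto: Optional[str]          # "icmp", "udp", "tcp"; None for a static ("---") row
    inside_global: str            # "ip[:port]" exactly as printed
    inside_local: str
    outside_local: Optional[str]  # None when the column is printed as "---"
    outside_global: Optional[str]

    @property
    def inside_local_ip(self) -> str:
        return self.inside_local.split(":")[0]

    @property
    def inside_global_ip(self) -> str:
        return self.inside_global.split(":")[0]


def _endpoint(token: str) -> Optional[str]:
    """Validate one column: '---' means absent, anything else must be ip[:port]."""
    if token == "---":
        return None
    if not _ENDPOINT.match(token):
        raise ValueError(f"unexpected endpoint token: {token!r}")
    return token


def parse_nat_translations(text: str) -> List[NatEntry]:
    """Turn the command output into NatEntry rows, skipping prompt and header lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly five columns; the header has nine, the prompt fewer.
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        proto = None if fields[0] == "---" else fields[0].lower()
        inside_global = _endpoint(fields[1])
        inside_local = _endpoint(fields[2])
        if inside_global is None or inside_local is None:
            raise ValueError(f"inside addresses cannot be '---': {line!r}")
        entries.append(NatEntry(proto, inside_global, inside_local,
                                _endpoint(fields[3]), _endpoint(fields[4])))
    return entries


def translations_for_host(entries: List[NatEntry], inside_local_ip: str) -> List[NatEntry]:
    """The check asked for in the thread: does this inside host have any translation?"""
    return [e for e in entries if e.inside_local_ip == inside_local_ip]


def inside_global_addresses(entries: List[NatEntry]) -> Set[str]:
    """Which public addresses the inside hosts actually appear as (pool vs. interface)."""
    return {e.inside_global_ip for e in entries}


if __name__ == "__main__":
    rows = parse_nat_translations(SAMPLE_OUTPUT)
    print(f"{len(rows)} translations; 10.10.90.60 has "
          f"{len(translations_for_host(rows, '10.10.90.60'))}")
    print("inside global addresses in use:", sorted(inside_global_addresses(rows)))
```

Run against the real command output captured from the switch, an empty result from translations_for_host for the pinging host means the packet never matched the inside-source rule (wrong interface roles or ACL), while a non-empty result with no reply, as in this thread, points at routing rather than at NAT.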

Iban

interface Vlan48
 description 100
 bandwidth 10000000
 ip address 193.xx.xx.1 255.255.255.0
 ip nat outside
!
interface Vlan65
 ip address 10.10.0.1 255.255.0.0
 ip nat inside

The above is from your 6500 switch. Then in this post you say -

To the ports that belong to vlan 48 are connected machines that belong to the prv net (10.10.x.x) and the public net (193.xx.xx.0) (this is not my own configuration; it has been working since long ago)

but this doesn't make any sense, because 10.10.x.x is your vlan 65, and if 10.10.x.x ports were configured into vlan 48 you wouldn't be able to get to them, because the L3 vlan 48 interface from above doesn't have an IP address for 10.10.x.x. So if 10.10.0.2 is assigned to vlan 48, then when you try to ping it from 10.10.90.60 it will think it is in the same vlan. So that will never work.

As for the internet, it looks to me like it is reachable via the 130.yy.yy.13 route, so I'm not sure how you think you can access the internet via your 193.x.x.x network. I thought that you had internet connectivity via the 193.x.x.x but it seems like that is not the case.

Your NAT is working fine. However, much of what you have said, i.e. about the 10.10.x.x network and the internet, doesn't make a lot of sense, so you need to understand exactly how the 6500 is set up before doing anything else, otherwise you could affect the other users.

Jon

Hi Jon,

  Reading a little more about L3 switches (in my case the 6500), I think I know what the problem is after reading this document:

  http://www.dslreports.com/faq/13563

In my case the nat is working fine, but the packets of my internal network are not being routed to the default gw "ip route 0.0.0.0 0.0.0.0 130.206.199.13"

In my case the ports that route the traffic out are a trunk of two gigabit ports, 3/1 & 3/2, port-channel1:

!
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 50,620
 switchport mode trunk
 no ip address
!
interface GigabitEthernet3/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 50,620
 switchport mode trunk
 no ip address
 channel-group 1 mode active
!
interface GigabitEthernet3/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 50,620
 switchport mode trunk
 no ip address
 channel-group 1 mode active

I think I should do a "no switchport" on the interface, and then set an IP in the same network as the gateway:

ip address 130.206.199.14 255.255.255.252 (which is now assigned to vlan50)

I only have one doubt: should these changes be applied on the physical interfaces (g 3/1, g 3/2) or on the
port-channel1 interface?

Regards, Iban

Hi Iban,

IP address needs to be configured under the port channel interface. Please visit the following link for details:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/channel.html#wp1020478

Router# configure terminal
Router(config)# interface port-channel 1
Router(config-if)# ip address x.x.x.x 255.255.255.0 (for /24 mask)
Router(config-if)# end

Hope this helps,

Shashank

Please rate if this answered your question

Solved by adding:

ip nat outside to vlan50 as well (ip nat outside on vlan48 and on vlan 50)

Regards,
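The fix above follows from how IOS decides whether to translate at all: an inside-source rule rewrites the source only for a packet that arrives on an "ip nat inside" interface and leaves through an "ip nat outside" interface. Pings to the 193.x network left via Vlan48 (outside) and were translated, which is why "sh ip nat translations" showed rows; internet-bound packets followed the default route out of Vlan50, which had no NAT role, so they left with their 10.10.x.x source and no reply could return. The model below is an added example, not code from the thread or from Cisco, and it is deliberately simplified (no ACL beyond the inside list, no port allocation, no hairpin cases). It rebuilds the thread's topology with RFC 5737 documentation addresses in place of the poster's masked ones: Vlan48 as 192.0.2.0/24, Vlan50 as 198.51.100.12/30 with the upstream gateway at .13, Vlan65 as 10.10.0.0/16, Vlan620 as 198.51.100.32/30, and 203.0.113.200 standing in for a host on the internet; all of those values are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    network: str               # connected subnet of the SVI, e.g. "10.10.0.0/16"
    nat: Optional[str] = None  # "inside", "outside", or None when no "ip nat" command is set


@dataclass
class Router:
    interfaces: List[Interface]
    default_next_hop: str      # from "ip route 0.0.0.0 0.0.0.0 <next-hop>"
    inside_acl: str            # what "access-list 10 permit 10.10.0.0 0.0.255.255" matches
    inside_global: str         # address used by "ip nat inside source list ... interface ... overload"

    def interface_for(self, addr: str) -> Optional[Interface]:
        """Longest-prefix match of addr against the connected subnets (the SVIs)."""
        a = ip_address(addr)
        matches = [i for i in self.interfaces if a in ip_network(i.network)]
        return max(matches, key=lambda i: ip_network(i.network).prefixlen, default=None)

    def egress_for(self, dst: str) -> Optional[Interface]:
        """Connected route if one exists, otherwise resolve the default route's next hop."""
        return self.interface_for(dst) or self.interface_for(self.default_next_hop)

    def forward(self, src: str, dst: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (egress interface name, source address as the packet leaves the switch).

        Inside-source NAT rewrites the source only when the packet arrived on an
        'ip nat inside' interface, leaves through an 'ip nat outside' interface and
        the source matches the inside ACL. Any other combination is plain routing.
        """
        ingress = self.interface_for(src)
        egress = self.egress_for(dst)
        if egress is None:
            return None, None  # no route at all: the packet is dropped
        translate = (
            ingress is not None
            and ingress.nat == "inside"
            and egress.nat == "outside"
            and ip_address(src) in ip_network(self.inside_acl)
        )
        return egress.name, (self.inside_global if translate else src)


def build_router(vlan50_outside: bool) -> Router:
    """The thread's topology with documentation addresses (constructed values).

    vlan50_outside=False is the configuration that only reached the public /24;
    True is the final fix from the thread ("ip nat outside" on Vlan50 as well).
    """
    return Router(
        interfaces=[
            Interface("Vlan48", "192.0.2.0/24", nat="outside"),   # public /24, "ip nat outside"
            Interface("Vlan50", "198.51.100.12/30", nat="outside" if vlan50_outside else None),
            Interface("Vlan65", "10.10.0.0/16", nat="inside"),    # private net, "ip nat inside"
            Interface("Vlan620", "198.51.100.32/30"),
        ],
        default_next_hop="198.51.100.13",  # the academic network's gateway, not under the poster's control
        inside_acl="10.10.0.0/16",
        inside_global="192.0.2.1",         # Vlan48's own address, per "interface vlan 48 overload"
    )


if __name__ == "__main__":
    for fixed in (False, True):
        r = build_router(vlan50_outside=fixed)
        print(f"ip nat outside on Vlan50: {fixed}")
        for dst in ("192.0.2.3", "203.0.113.200", "10.10.0.2"):
            print("  10.10.90.60 ->", dst, "=>", r.forward("10.10.90.60", dst))
```

The model also reproduces Jon's point about 10.10.0.2: a destination inside Vlan65's own subnet never crosses an inside/outside boundary, so NAT is not involved and the reachability problem must be on the Layer 2 side. Marking an interface "ip nat outside" only fixes the translation direction; it does not filter anything, so the private network is exposed to whatever the upstream path allows once this works.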
