Cisco Community
English
Register
Community will be in Read-only Mode (you will not be able to login) from April 11 at 11:00 PM PT to Monday April 12 at 9:00 PM PT - READ DETAILS HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
414
Views
0
Helpful
12
Replies
MarkhamBledsoe
Beginner
Beginner
‎08-13-2014 12:22 PM
‎08-13-2014 12:22 PM

I am trying to get NAT working on a Cisco 2801 with HWIC-4ESW.

I have a 2801 that had a failed Fe0/1 port.  The Fe0/1 port was used to give sub-interface Fe0/0.200 access to internet.  We installed a HWIC-4ESW into the 2801.  I have successfully moved the sub-interfaces ( 0/0.1 , 0/0.100 , and 0/0.200 ) from the Fe0/0 to the HWIC-4ESW.  I have reconfigured the Fe0/0 to connect to my ISP.  However, I cannot get traffic from vlan200 to pass to the internet over Fe0/0.   I have a guest wireless network set for vlan 200.  Clients get an IP address in the appropriate range (192.168.200.0), but they cannot get to the internet.  Below I have included the results of "sh ip int brief" and some of the "sh run".  I think that it is something simple, but I canot get it working.  

 

Help would be appreciated.

 

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            ***.**.244.194  YES manual up                    up      
FastEthernet0/0.200        unassigned      YES unset  deleted               down    
Service-Engine0/0          192.168.100.254 YES TFTP   up                    up      
FastEthernet0/1            unassigned      YES NVRAM  administratively down down    
FastEthernet0/1/0          unassigned      YES unset  up                    up      
FastEthernet0/1/1          unassigned      YES unset  up                    up      
FastEthernet0/1/2          unassigned      YES unset  administratively down down    
FastEthernet0/1/3          unassigned      YES unset  administratively down down    
Serial0/3/0:0              unassigned      YES unset  down                  down    
Serial0/3/0:1              unassigned      YES unset  down                  down    
Serial0/3/0:2              unassigned      YES unset  down                  down    
Serial0/3/0:3              unassigned      YES unset  down                  down    
Serial0/3/0:4              unassigned      YES unset  down                  down    
Serial0/3/0:5              unassigned      YES unset  down                  down    
Serial0/3/0:6              unassigned      YES unset  down                  down    
Serial0/3/0:7              unassigned      YES unset  down                  down    
Serial0/3/0:8              unassigned      YES unset  down                  down    
Serial0/3/0:9              unassigned      YES unset  down                  down    
Serial0/3/0:10             unassigned      YES unset  down                  down    
Serial0/3/0:11             unassigned      YES unset  down                  down    
Serial0/3/0:12             unassigned      YES unset  down                  down    
Serial0/3/0:13             unassigned      YES unset  down                  down    
Serial0/3/0:14             unassigned      YES unset  down                  down    
Serial0/3/0:15             unassigned      YES unset  down                  down    
Serial0/3/0:23             unassigned      YES NVRAM  up                    up      
Vlan1                      192.168.1.254   YES NVRAM  up                    up      
Vlan100                    192.168.100.254 YES NVRAM  up                    up      
Vlan200                    192.168.200.254 YES NVRAM  up                    up      
NVI0                       ***.12.244.194  YES unset  administratively down down 
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1 192.168.100.99
ip dhcp excluded-address 192.168.100.200 192.168.100.254
ip dhcp excluded-address 192.168.200.1 192.168.200.99
ip dhcp excluded-address 192.168.200.200 192.168.200.254
!
ip dhcp pool Phones
   network 192.168.100.0 255.255.255.0
   option 150 ip 192.168.100.254 
   default-router 192.168.100.254 
   dns-server 192.168.1.8 
!
ip dhcp pool guestwireless
   network 192.168.200.0 255.255.255.0
   default-router 192.168.200.254 
   dns-server 8.8.8.8 8.8.4.4 
!
!
ip cef
no ip domain lookup
ip domain name pwa.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
controller T1 0/3/0
 pri-group timeslots 1-16,24
!
controller T1 0/3/1
 shutdown
!
gw-accounting aaa
!
gw-accounting syslog 
!
!
!
!
!
interface FastEthernet0/0
 description Guestwireless route to internet
 ip address ***.**.244.194 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Service-Engine0/0
 ip unnumbered Vlan100
 service-module ip address 192.168.100.200 255.255.255.0
 service-module ip default-gateway 192.168.100.254
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 description trunk to switch
 switchport mode trunk
 duplex full
 speed 100
!
interface FastEthernet0/1/1
 description voice
 switchport access vlan 100
!
interface FastEthernet0/1/2
 shutdown
!
interface FastEthernet0/1/3
 shutdown
!
interface Serial0/3/0:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 isdn supp-service name calling
 no cdp enable
!
interface Vlan1
 description Data
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan100
 description voice vlan
 ip address 192.168.100.254 255.255.255.0
 h323-gateway voip bind srcaddr 192.168.100.254
!
interface Vlan200
 description Guestwireless Data
 ip address 192.168.200.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:
ip nat inside source list 10 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.100.200 255.255.255.255 Service-Engine0/0
ip route 192.168.200.0 255.255.255.0 FastEthernet0/0
!
ip radius source-interface Vlan100 
access-list 10 permit 192.168.200.0 0.0.0.255
Labels:
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Sam Byers
Beginner
Beginner
In response to MarkhamBledsoe
‎08-13-2014 03:26 PM
‎08-13-2014 03:26 PM

In that case, you'll probably want to segregate the GuestWireless traffic into a vrf. Do GuestWireless or Data ever need to talk to each other? Do they ever use the same interface for internet access?

Something like this, maybe:

ip vrf GuestWireless
!
interface FastEthernet0/0
 description GuestWireless route to internet
 ip vrf forwarding GuestWireless
 ip address 17.12.244.194 255.255.255.240
 ip nat outside
 ip virtual-reassembly
!
interface Vlan200
 description Guest Wireless
 ip vrf forwarding GuestWireless
 ip address 192.168.200.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route vrf GuestWireless 0.0.0.0 0.0.0.0 17.12.244.195
! You have to use an IP here, I just used .195 as an example.
!
ip nat inside source list 10 interface FastEthernet0/0 vrf GuestWireless overload
!
access-list 10 permit 192.168.200.0 0.0.0.255

View solution in original post

0 Helpful
12 REPLIES 12
Sam Byers
Beginner
Beginner
‎08-13-2014 01:07 PM
‎08-13-2014 01:07 PM

>ip route 0.0.0.0 0.0.0.0 192.168.1.1

You are routing default traffic to 192.168.1.1. What is that?

Can you post the routing table?

0 Helpful
MarkhamBledsoe
Beginner
Beginner
In response to Sam Byers
‎08-13-2014 01:25 PM
‎08-13-2014 01:25 PM

The ip route 0.0.0.0 0.0.0.0 192.168.1.1 points to an ASA5505 for traffic on vlan1 (192.168.1.0/24).

 

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.1.1
      ***.**.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        ***.**.244.192/28 is directly connected, FastEthernet0/0
L        ***.**.244.194/32 is directly connected, FastEthernet0/0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Vlan1
L        192.168.1.254/32 is directly connected, Vlan1
      192.168.100.0/24 is variably subnetted, 3 subnets, 2 masks
C        192.168.100.0/24 is directly connected, Vlan100
S        192.168.100.200/32 is directly connected, Service-Engine0/0
L        192.168.100.254/32 is directly connected, Vlan100
      192.168.200.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.200.0/24 is directly connected, Vlan200
L        192.168.200.254/32 is directly connected, Vlan200
0 Helpful
Sam Byers
Beginner
Beginner
In response to MarkhamBledsoe
‎08-13-2014 02:39 PM
‎08-13-2014 02:39 PM

The main issue is that you have two networks that need to send default traffic to two different interfaces. Does that sound right? You want guest internet traffic to go out fa0/0, and all else to go out 192.168.1.1?

 

Just at making sure I understand! :)

 

 

0 Helpful
MarkhamBledsoe
Beginner
Beginner
In response to Sam Byers
‎08-13-2014 02:41 PM
‎08-13-2014 02:41 PM

Yes, that is correct.

0 Helpful
Sam Byers
Beginner
Beginner
In response to MarkhamBledsoe
‎08-13-2014 03:26 PM
‎08-13-2014 03:26 PM

In that case, you'll probably want to segregate the GuestWireless traffic into a vrf. Do GuestWireless or Data ever need to talk to each other? Do they ever use the same interface for internet access?

Something like this, maybe:

ip vrf GuestWireless
!
interface FastEthernet0/0
 description GuestWireless route to internet
 ip vrf forwarding GuestWireless
 ip address 17.12.244.194 255.255.255.240
 ip nat outside
 ip virtual-reassembly
!
interface Vlan200
 description Guest Wireless
 ip vrf forwarding GuestWireless
 ip address 192.168.200.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route vrf GuestWireless 0.0.0.0 0.0.0.0 17.12.244.195
! You have to use an IP here, I just used .195 as an example.
!
ip nat inside source list 10 interface FastEthernet0/0 vrf GuestWireless overload
!
access-list 10 permit 192.168.200.0 0.0.0.255

View solution in original post

0 Helpful
MarkhamBledsoe
Beginner
Beginner
In response to Sam Byers
‎08-13-2014 03:29 PM
‎08-13-2014 03:29 PM

Guestwireless and Data do not talk to each other.  They also do not use the same interface for internet.

 

I will try your suggestion and post back.

 

Thank you,

0 Helpful
MarkhamBledsoe
Beginner
Beginner
In response to MarkhamBledsoe
‎08-13-2014 04:25 PM
‎08-13-2014 04:25 PM

Unfortunately, that did not work. I will be resetting the ISP modem after the end users leave.  I will post back if that works.

0 Helpful
Sam Byers
Beginner
Beginner
In response to MarkhamBledsoe
‎08-13-2014 05:09 PM
‎08-13-2014 05:09 PM

That's odd. Did you have translations in the NAT table for the guest vrf? 

The guest hosts, do they get the right ip? You'll have to change the dhcp config to work in that vrf.

0 Helpful
MarkhamBledsoe
Beginner
Beginner
In response to Sam Byers
‎08-14-2014 07:54 AM
‎08-14-2014 07:54 AM

I am now seeing translations in the vrf NAT table after restarting the ISP modem.  I am waiting to hear from end users now.

 

I appreciate the help.  I will post back with results when I hear from the end users.

0 Helpful
MarkhamBledsoe
Beginner
Beginner
In response to MarkhamBledsoe
‎08-14-2014 08:16 AM
‎08-14-2014 08:16 AM

I just heard from the end users.  The GuestWireless is up.  I am also seeing NAT translations thru the correct route.

 

Thank you again for the help.

0 Helpful
Sam Byers
Beginner
Beginner
In response to MarkhamBledsoe
‎08-14-2014 08:41 AM
‎08-14-2014 08:41 AM

Nice! The ol' reboot fixes all kinds of things. Np!

0 Helpful
Sam Byers
Beginner
Beginner
In response to MarkhamBledsoe
‎08-14-2014 06:50 AM
‎08-14-2014 06:50 AM

So, I just built this in the lab, and it seemed to work ok. I attached a sparse config, but it does let my host on the GuestWireless get the internet via NAT.

 

R2#sh ip nat translations vrf GuestWireless
Pro Inside global      Inside local       Outside local      Outside global
icmp 17.12.244.194:5   192.168.200.1:5    1.1.1.1:5          1.1.1.1:5

 

R2#sh ip route vrf GuestWireless

Routing Table: GuestWireless
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 17.12.244.195 to network 0.0.0.0

     17.0.0.0/28 is subnetted, 1 subnets
C       17.12.244.192 is directly connected, FastEthernet0/0
C    192.168.200.0/24 is directly connected, Vlan200
S*   0.0.0.0/0 [1/0] via 17.12.244.195

 

Preview file
3 KB
0 Helpful
Latest Contents
Living on the Edge with the Secure Cats
Created by almuench on 04-07-2021 01:34 PM
0
0
0
0
The cat's out of the bag! In October 2020, Cisco announced the Next Generation of Enterprising Routing Platforms: the Catalyst 8000 Edge Platforms Family including the Catalyst 8200, Catalyst 8300, Catalyst 8500, and Catalyst 8000V. The new family of Cats... view more
Community Live- Smart Licensing Using Policy (Routing) – A S...
Created by Cisco Moderador on 04-06-2021 06:31 AM
0
0
0
0
Community Live- Smart Licensing Using Policy (Routing) – A Simplified Licensing Approach (Live event -  Tuesday, 18 May, 2021 at 9:00 am Pacific/ 1:00 pm Eastern / 7:00 pm Paris) This event will have place on Tuesday 18th, May 2021 at 9:00 hrs PDT&nb... view more
Networking and Data Center Products Overview (Spring 2021)
Created by Kelli Glass on 03-31-2021 12:46 PM
0
0
0
0
Welcome to the overview guide that covers the latest in Cisco Networking and Data Center innovations and new product introductions. You'll find information on Intent Based Networking updates, special promotions and free trials, as well as exclusive upcom... view more
**New Episode** Cisco Champion Radio: S8|E13 Build Your IT F...
Created by aalesna on 03-30-2021 02:52 PM
0
0
0
0
Listen: https://smarturl.it/CCRS8E13 99% of organizations use certifications to make hiring decisions. The reason is simple: Cisco certifications bring valuable, measurable rewards to certified IT professionals and the organizations that employ them.... view more
Cisco AI Endpoint Analytics - Deployment Guide
Created by kthiruve on 03-29-2021 06:15 PM
0
5
0
5
Cisco AI Endpoint Analytics – Deployment guide This deployment guide is meant for Cisco AI Endpoint Analytics adoption for customers, partners and everyone focusing on Endpoint Visibility and to how achieve it with Endpoint Analytics. It has sections that... view more
Content for Community-Ad