12-08-2014 04:23 PM - edited 03-07-2019 09:49 PM
We have 2000 locations that all have same 5 VLAN subnets. We had to implement unique NAT subnets for each location and we have static Nat and overload applied.
We nat this unique subnet to the Vlans using the following statements. This is so we can monitor all locations uniquely.
Here is how we do it on the 1811 and it works well.
Vlan1 192.168.1.1 YES NVRAM up up
Vlan2 192.168.244.1 YES NVRAM up up
Vlan3 192.168.233.1 YES NVRAM up up
Vlan4 192.168.220.1 YES NVRAM up down
Vlan5 192.168.122.1 YES NVRAM up down
ip route 172.30.1x.x 255.255.2x.x VLAN1
ip route 172.30.1x.x 255.255.2x.x VLAN2
ip route 172.30.1x.x 255.255.2x.x VLAN3
ip route 172.30.1x.x 255.255.2x.x VLAN4
ip route 172.30.1x.x 255.255.2x.x VLAN5
HM-HUB025-WIN64#ping 192.168.169.68 source vlan 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.169.68, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/94/96 ms
Here is what we have attempted to implement on the 3925, but it never NATs:
GigabitEthernet0/2.1 192.168.1.2 YES NVRAM up up
GigabitEthernet0/2.2 192.168.244.1 YES NVRAM up up
GigabitEthernet0/2.3 192.168.233.1 YES NVRAM up up
GigabitEthernet0/2.4 192.168.220.1 YES NVRAM up up
GigabitEthernet0/2.5 192.168.122.1 YES NVRAM up up
ip route 172.30.1x.x 255.255.2x.x GigabitEthernet0/2.1
ip route 172.30.1x.x 255.255.2x.x GigabitEthernet0/2.2
ip route 172.30.1x.x 255.255.2x.x GigabitEthernet0/2.3
ip route 172.30.1x.x 255.255.2x.x GigabitEthernet0/2.4
ip route 172.30.1x.x 255.255.2x.x GigabitEthernet0/2.5
HM-HUB025-WIN64-3925-Primary#$68.169.68 source gigabitEthernet 0/2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.169.68, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.2
.....
Success rate is 0 percent (0/5)
HM-HUB025-WIN64-3925-Primary#
12-08-2014 04:25 PM
The 3925 only has three interfaces and will not allow us to create vlan interfaces. The customer did not want to spend the money and buy the switch module. :(
12-08-2014 04:41 PM
Here are my sub interfaces:
interface GigabitEthernet0/2.1
description POS Zone, Out PCI Scope, Non CDE
encapsulation dot1Q 1 native
ip address 192.168.1.2 255.255.255.224
interface GigabitEthernet0/2.2
description Kiosk and Backroom Zone, Out of PCI Scope, No CDE
encapsulation dot1Q 2
ip address 192.168.244.1 255.255.255.0
interface GigabitEthernet0/2.3
description Wireless Zone, Out of PCI Scope, No CDE
encapsulation dot1Q 3
ip address 192.168.233.1 255.255.255.224
interface GigabitEthernet0/2.4
description Unfiltered Internet, Out of PCI Scope, No CDE, !IR Configuration Only!
encapsulation dot1Q 4
ip address 192.168.220.1 255.255.255.224
interface GigabitEthernet0/2.5
description EFT Communications, In PCI Scope, CDE
encapsulation dot1Q 5
ip address 192.168.122.1 255.255.255.224
12-09-2014 03:32 AM
I don't see nat enabled on your subinterfaces. Can you post the complete config of g0/2.1 for starters and the wan interface (removing the public address), the nat config and any acls used in nat?
Thanks,
John
12-09-2014 10:28 AM
interface GigabitEthernet0/0
description Primary Link to Internet WAN1 - Static
ip ddns update hostname FOC1*******
ip ddns update dyndns host dynamiknow.ipass.com
ip address 64.237.x.x 255.255.255.248
ip access-group Wan_2_Local in
ip access-group Wan_2_Internet out
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nat outside
ip nat enable
ip virtual-reassembly in
standby version 2
standby 1 ip 64.237.x.x
standby 1 timers 5 15
standby 1 priority 101
standby 1 preempt
standby 1 authentication *H4L
standby 1 name *_WAN1
standby 1 track 456 decrement 10
no ip route-cache
duplex auto
speed auto
no cdp enable
crypto map Broadband
interface GigabitEthernet0/2.1
description POS Zone, Out PCI Scope, Non CDE
encapsulation dot1Q 1 native
ip address 192.168.1.2 255.255.255.224
ip access-group POS-IR_VLAN_In in
ip access-group DENY_SUBNETS out
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip mtu 1400
ip nat inside
ip nat enable
ip inspect DEFAULT100 in
ip inspect DEFAULT100 out
ip virtual-reassembly in
ip verify unicast source reachable-via rx
standby version 2
standby 3 ip 192.168.1.1
standby 3 timers 5 15
standby 3 priority 101
standby 3 preempt
standby 3 authentication *L@n
standby 3 name *_LAN
standby 3 track 456 decrement 10
no ip route-cache
ip tcp adjust-mss 1360
ntp disable
ip nat inside source route-map INTERNET interface GigabitEthernet0/0 overload
ip nat inside source route-map INTERNET_DIAL interface GigabitEthernet0/1 overload
ip route 172.30.183.128 255.255.255.192 GigabitEthernet0/2.1
ip route 172.30.183.128 255.255.255.192 GigabitEthernet0/2.2
ip route 172.30.183.128 255.255.255.192 GigabitEthernet0/2.3
ip route 172.30.183.128 255.255.255.192 GigabitEthernet0/2.4
ip route 172.30.183.128 255.255.255.192 GigabitEthernet0/2.5
route-map INTERNET permit 10
match ip address 110
match interface GigabitEthernet0/0
set ip next-hop 64.237.117.145
!
route-map INTERNET_DIAL permit 10
match ip address 110
match interface GigabitEthernet0/1
set ip next-hop 2.2.2.1
Gateway of last resort is 2.2.2.1 to network 0.0.0.0
S* 0.0.0.0/0 [200/0] via 2.2.2.1
2.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 2.2.2.0/29 is directly connected, GigabitEthernet0/1
L 2.2.2.2/32 is directly connected, GigabitEthernet0/1
4.0.0.0/32 is subnetted, 3 subnets
S 4.2.2.1 is directly connected
S 4.2.2.2 [200/0] via 2.2.2.1
S 4.2.2.3 is directly connected
7.0.0.0/28 is subnetted, 1 subnets
S 7.7.7.16 is directly connected, GigabitEthernet0/0
8.0.0.0/32 is subnetted, 1 subnets
S 8.8.8.8 [200/0] via 2.2.2.1
64.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 64.237.x.x/29 is directly connected, GigabitEthernet0/0
L 64.237.x.x/32 is directly connected, GigabitEthernet0/0
156.79.0.0/32 is subnetted, 3 subnets
S 156.79.x.x [200/0] via 2.2.2.1
S 156.79.x.x [1/0] via 64.237.117.145
S 156.79.x.x [1/0] via 64.237.117.145
172.29.0.0/27 is subnetted, 1 subnets
S 172.29.0.0 [200/0] via 2.2.2.1
172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
S 172.30.63.224/27 [200/0] via 2.2.2.1
S 172.30.183.128/26 is directly connected, GigabitEthernet0/2.5
is directly connected, GigabitEthernet0/2.4
is directly connected, GigabitEthernet0/2.3
is directly connected, GigabitEthernet0/2.2
is directly connected, GigabitEthernet0/2.1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/27 is directly connected, GigabitEthernet0/2.1
L 192.168.1.2/32 is directly connected, GigabitEthernet0/2.1
192.168.122.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.122.0/27 is directly connected, GigabitEthernet0/2.5
L 192.168.122.1/32 is directly connected, GigabitEthernet0/2.5
S 192.168.168.0/23 [200/0] via 2.2.2.1
S 192.168.170.0/23 [200/0] via 2.2.2.1
192.168.220.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.220.0/27 is directly connected, GigabitEthernet0/2.4
L 192.168.220.1/32 is directly connected, GigabitEthernet0/2.4
192.168.233.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.233.0/27 is directly connected, GigabitEthernet0/2.3
L 192.168.233.1/32 is directly connected, GigabitEthernet0/2.3
192.168.244.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.244.0/24 is directly connected, GigabitEthernet0/2.2
L 192.168.244.1/32 is directly connected, GigabitEthernet0/2.2
216.231.x.x/32 is subnetted, 1 subnets
S 216.231.x.x [1/0] via 64.237.117.145
216.231.x.x/32 is subnetted, 1 subnets
S 216.231.x.x [200/0] via 2.2.2.1
S 216.231.x.x/24 [200/0] via 2.2.2.1
HM-HUB025-WIN64-3925-Primary#ping 4.2.2.2 source gigabitEthernet 0/2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/90/96 ms
HM-HUB025-WIN64-3925-Primary#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 2.2.2.2:1794 192.168.1.2:1794 4.2.2.2:1794 4.2.2.2:1794
When I ping a host on the other end of the tunnel, it never translates to the unique subnet assigned.
HM-HUB025-WIN64-3925-Primary#ping 192.168.169.68 source gigabitEthernet 0/2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.169.68, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.2
....
Success rate is 0 percent (0/4)
HM-HUB025-WIN64-3925-Primary#sh ip nat tr
HM-HUB025-WIN64-3925-Primary#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 172.30.183.129 192.168.1.1 --- ---
--- 172.30.183.130 192.168.1.4 --- ---
--- 172.30.183.131 192.168.1.5 --- ---
--- 172.30.183.132 192.168.1.6 --- ---
--- 172.30.183.133 192.168.1.7 --- ---
--- 172.30.183.134 192.168.1.8 --- ---
--- 172.30.183.135 192.168.1.9 --- ---
I get matches, so I am just lost now. What did I miss? The 2.2.2.0/29 subnet is just a random subnet we assigned behind our 3G/4G device connected to the backup interface Gig0/1.
12-09-2014 10:56 AM
First, take the "ip nat enable" config off of the interface. You're not using the NVI for nat in your current nat config. IP Nat enable is for when you're using ip nat statements with no direction.
Second, so are you telling us that it nats fine outside of the tunnel, but it doesn't work over the tunnel?
12-09-2014 11:05 AM
Ya, sorry about those "ip nat enable" statements. I added them after I did not see NAT working, to see if it made a difference. Of course it did not.
Yes, so NAT overload works but NAT through the IPsec tunnel does not.
Here is my encryption ACL. On 1811 router, everything works.
ip access-list extended To-*
permit ip 172.30.183.128 0.0.0.63 host 139.131.98.23
permit ip 172.30.183.128 0.0.0.63 192.168.168.0 0.0.1.255
permit ip 172.30.183.128 0.0.0.63 192.168.170.0 0.0.1.255
permit ip 172.30.183.128 0.0.0.63 7.7.7.16 0.0.0.15
permit ip 172.30.183.128 0.0.0.63 192.168.21.192 0.0.0.15
permit ip 172.30.183.128 0.0.0.63 172.30.63.224 0.0.0.31
crypto map Broadband 25 ipsec-isakmp
description *** Broadband IPSEC to Concentrators at * ***
dialer pre-classify
set peer 156.79.106.7
set transform-set *mark
match address To-*
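An added check, not from the thread or from any of the posters: it takes the static NAT table from the "sh ip nat translations" output above and the crypto ACL "To-*" as posted, and for a given inside-to-outside flow reports the translated source and whether the crypto ACL would match it. It assumes the usual IOS order of operations for inside-to-outside traffic (inside NAT before the crypto map is evaluated); the STATIC_NAT and CRYPTO_ACL values are copied from the posts, everything else is constructed.

```python
import ipaddress

# Static NAT table as posted in the thread (inside local -> inside global).
STATIC_NAT = {
    "192.168.1.1": "172.30.183.129", "192.168.1.4": "172.30.183.130",
    "192.168.1.5": "172.30.183.131", "192.168.1.6": "172.30.183.132",
    "192.168.1.7": "172.30.183.133", "192.168.1.8": "172.30.183.134",
    "192.168.1.9": "172.30.183.135",
}

# Crypto ACL "To-*" as posted in the thread (IOS wildcard notation).
CRYPTO_ACL = """
permit ip 172.30.183.128 0.0.0.63 host 139.131.98.23
permit ip 172.30.183.128 0.0.0.63 192.168.168.0 0.0.1.255
permit ip 172.30.183.128 0.0.0.63 192.168.170.0 0.0.1.255
permit ip 172.30.183.128 0.0.0.63 7.7.7.16 0.0.0.15
permit ip 172.30.183.128 0.0.0.63 192.168.21.192 0.0.0.15
permit ip 172.30.183.128 0.0.0.63 172.30.63.224 0.0.0.31
""".strip().splitlines()

def _prefix(tokens, i):
    """Read one ACE address term at tokens[i] ('host A' or 'A WILDCARD')."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)  # wildcard -> netmask
    return ipaddress.ip_network(f"{tokens[i]}/{mask}", strict=False), i + 2

def parse_ace(line):
    """'permit ip SRC SRCWC DST DSTWC' -> (src_net, dst_net)."""
    tokens = line.split()
    src, i = _prefix(tokens, 2)
    dst, _ = _prefix(tokens, i)
    return src, dst

def check_flow(inside_local, destination):
    """Inside-to-outside on IOS: inside NAT runs before the crypto map, so the
    crypto ACL sees the inside-global source. Returns (translated src or None, matched)."""
    inside_global = STATIC_NAT.get(inside_local)
    if inside_global is None:
        return None, False  # no static entry: the crypto ACL sees 192.168.x
    src = ipaddress.IPv4Address(inside_global)
    dst = ipaddress.IPv4Address(destination)
    for line in CRYPTO_ACL:
        src_net, dst_net = parse_ace(line)
        if src in src_net and dst in dst_net:
            return inside_global, True
    return inside_global, False

print(check_flow("192.168.1.2", "192.168.169.68"))  # source used in the 3925 ping
```

Note that the working 1811 ping was sourced from 192.168.1.1, which has a static entry in the table as posted, while the 3925 ping was sourced from 192.168.1.2, which has none.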
12-09-2014 11:25 AM
Unless someone else comes along and can see the problem, I'll have to lab this up tonight to see if I can replicate it. Have you looked at Cisco bugtraq to see if you can find anything related to this?
04-29-2015 07:29 AM
Hi,
I have a similar situation on a 3925 running IOS 15.3.3M5. I noticed that if I add my config and then straight away ping from a remote host through the VPN, the first ping responded, but then never again. If I remove and add my NAT statement, it was reproducible.
If I do this using separate interfaces as opposed to subinterfaces then I have no problem.
Did you manage to get to the bottom of your problem?