06-29-2016 04:20 PM - edited 03-08-2019 06:25 AM
Hi Guys,
I could really use some help with this as I can't figure it out.
What I have is an ISP router that feeds into a Catalyst 3850 switch; that switch has 2 VLANs and I am trying to NAT the traffic out the interface that connects to the router:
Router: 10.1.1.254 255.255.255.0
Switch:
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
interface Vlan20
 ip address 172.16.20.1 255.255.255.0
 ip nat inside
interface Vlan30
 ip address 172.16.30.1 255.255.255.0
 ip nat inside
ip default-gateway 10.1.10.254
ip nat inside source list 1 interface GigabitEthernet1/0/1 overload
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.254
access-list 1 permit 172.16.20.0 0.0.0.255 log
access-list 1 permit 172.16.30.0 0.0.0.255 log
Now the problem is that if I plug a host into VLAN 20 or VLAN 30, traffic is not getting NATed.
If I do a:
ping x.x.x.x source 172.16.30.1 (VLAN 30 interface)
ping x.x.x.x source 172.16.20.1 (VLAN 20 interface)
I can get to anything and this is getting translated, but if I plug in a PC and give it an address (172.16.20.20/24, 172.16.20.1) it can ping everything on the switch, but as soon as it tries to leave out to the internet, it fails. Any suggestions would be highly appreciated.
This is the full config on the switch (on 15.2). Thank you in advance.
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
ip routing
!
qos queue-softmax-multiplier 100
!
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
 mode sso
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet1/0/2
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/4
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/5
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/6
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/7
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/8
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/9
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/10
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/11
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/12
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/13
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/14
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/15
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/16
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/17
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/18
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/19
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/21
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/22
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/23
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan20
 ip address 172.16.20.1 255.255.255.0
 ip nat inside
!
interface Vlan30
 ip address 172.16.30.1 255.255.255.0
 ip nat inside
!
router eigrp 25
 network 10.0.0.0
 network 172.0.0.0
 eigrp stub connected summary
!
ip default-gateway 10.1.10.254
ip nat inside source list 1 interface GigabitEthernet1/0/1 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
access-list 1 permit 172.16.20.0 0.0.0.255 log
access-list 1 permit 172.16.30.0 0.0.0.255 log
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
 password 7 11281502180002180C077F77716B
 login local
 transport preferred ssh
line vty 5 15
 password 7 11281502180002180C077F77716B
 login local
 transport preferred ssh
!
wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
!
ap group default-group
end
06-29-2016 04:52 PM
The switch has "ip default-gateway 10.1.10.254" configured; please remove that command first and see if that makes any difference. Please post "show ip route".
06-30-2016 02:10 PM
Hi Richard,
Thanks for that. I did remove it as you suggested, but it did not work again; I then put the correct one in and it still did not work :/
I tried capturing the traffic on the other side, and it would appear that the only address that is getting translated is the one on the Vlan20 interface (172.16.20.1). If I ping from the host 172.16.20.11, the packets are coming out at the other end with source address 172.16.20.11 as opposed to being NATed :/
sh ip route:
Gateway of last resort is 10.1.1.254 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.1.1.254
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/24 is directly connected, GigabitEthernet1/0/1
L 10.1.1.1/32 is directly connected, GigabitEthernet1/0/1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.20.0/24 is directly connected, Vlan20
L 172.16.20.1/32 is directly connected, Vlan20
06-30-2016 02:19 PM
Hi,
Are you trying to NAT using the 3850 switch? The 3850 does not support NAT.
Can you clarify?
HTH
06-30-2016 02:34 PM
Hi Reza,
I am indeed trying to do that; I was left under the impression it can? It accepts the commands and it is able to translate the VLAN IP address but not the hosts. I take it this is a fluke on the 3850 so.. :(
Switch#sh ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  GigabitEthernet1/0/1
Inside interfaces:
  Vlan20
Hits: 40  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 4
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 1 interface GigabitEthernet1/0/1 refcount 0
06-30-2016 05:43 PM
Hi,
Yes, as you said, that is probably a fluke. I would not trust that.
Since you have a router, can you do the NAT there and let us know if things are working?
HTH
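The two things this thread turns on, the stray "ip default-gateway" Richard flagged and the 3850's lack of NAT support that Reza raised, can be checked mechanically before a config goes live. The block below is an added example, not code from the thread or from Cisco; it parses a trimmed copy of the posted config with Python's standard library, and the list of NAT-incapable platforms is an assumption seeded only from what this thread establishes.

```python
"""Constructed lint for the config posted in this thread (added example, not Cisco code).

Flags NAT commands on a platform the thread establishes as unable to NAT
(the 3850, per the accepted answer) and an 'ip default-gateway' that sits on no
connected subnet and disagrees with the static default route (Richard's point).
"""
import ipaddress
import re

# Assumption for this example: platforms the thread establishes as NAT-incapable.
NO_NAT_PLATFORMS = {"3850"}

# Trimmed copy of the posted config, used as constructed sample input.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
interface Vlan20
 ip address 172.16.20.1 255.255.255.0
 ip nat inside
ip default-gateway 10.1.10.254
ip nat inside source list 1 interface GigabitEthernet1/0/1 overload
ip route 0.0.0.0 0.0.0.0 10.1.1.254
access-list 1 permit 172.16.20.0 0.0.0.255 log
"""

def lint_nat_config(config: str, platform: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    # Connected subnets come from every 'ip address A.B.C.D MASK' line.
    subnets = [ipaddress.ip_interface(f"{addr}/{mask}").network
               for addr, mask in re.findall(r"^\s*ip address (\S+) (\S+)", config, re.M)]
    if platform in NO_NAT_PLATFORMS and re.search(r"^\s*ip nat ", config, re.M):
        findings.append(f"ip nat configured, but a Catalyst {platform} does not support NAT")
    gw = re.search(r"^ip default-gateway (\S+)", config, re.M)
    route = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    if gw:
        hop = ipaddress.ip_address(gw.group(1))
        if not any(hop in net for net in subnets):
            findings.append(f"ip default-gateway {hop} is not on any connected subnet")
        if route and route.group(1) != gw.group(1):
            findings.append(f"ip default-gateway {hop} disagrees with the static default "
                            f"route via {route.group(1)}")
    return findings

if __name__ == "__main__":
    for finding in lint_nat_config(SAMPLE_CONFIG, "3850"):
        print("WARNING:", finding)
```

Run against the posted config it reports all three problems; with the gateway corrected to 10.1.1.254 and a platform outside the list it reports nothing.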
07-01-2016 01:39 AM
Thank you Reza! :) Works great with NATing on the router, now that I know I can't use the switch! Thanks a million.
07-01-2016 06:41 AM
Glad to help
Thanks for the feedback and good luck!
Reza