Cisco 2821, 12.4(9) VLAN based NAT

Status
Not open for further replies.

MKiAM

Technical User
Nov 13, 2012
4
I've run into a problem with a 2821, 12.4(9) IOS that I didn't expect. I'm not sure why this is working.

I have a stack of switches trunked to this router over 12 VLANs. There are no issues there - all L2 is working fine and if I adjust my NAT to one pool all L3 is working.

VLAN1 is NATTing without issue:

interface Vlan1
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
end

Outside interface:

interface GigabitEthernet0/0
description Outside$ETH-WAN$$FW_OUTSIDE$
ip address x.x.x.50 255.255.255.240
no ip redirects
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
crypto map mymap
end

I've posted all pertinent config at the bottom of this post. I'm running it wide open now - no ACLs, no inspects, nothing. Only VLAN1 is showing any NAT translations - everything else continues to miss. I've looked at this blame thing for a couple of hours now. I suspect I'm missing something stupid here... Can anybody help me out? Thanks!

Config:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/3
logging buffered 4096 emergencies
!
aaa new-model

resource policy
!
!
ip dhcp excluded-address 10.1.3.0 10.1.3.150
!
ip dhcp pool vlan3
network 10.1.3.0 255.255.255.0
default-router 10.1.3.1
dns-server 10.1.1.251
!
!
no ip domain lookup
ip ssh source-interface GigabitEthernet0/1

interface Loopback0
ip address 10.1.100.1 255.255.255.0
!
interface Loopback3
no ip address
!
interface GigabitEthernet0/0
ip address x.x.x.50 255.255.255.240
no ip redirects
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
crypto map mymap
!
interface FastEthernet1/0
!
interface FastEthernet1/1
switchport mode trunk
!
interface FastEthernet1/2
shutdown
!
interface FastEthernet1/3
shutdown
!
interface FastEthernet1/4
no switchport
no ip address
!
interface FastEthernet1/5
switchport access vlan 3
shutdown
!
interface FastEthernet1/6
shutdown
!
interface FastEthernet1/7
shutdown
!
interface FastEthernet1/8
shutdown
!
interface FastEthernet1/9
shutdown
!
interface FastEthernet1/10
shutdown
!
interface FastEthernet1/11
shutdown
!
interface FastEthernet1/12
shutdown
!
interface FastEthernet1/13
shutdown
!
interface FastEthernet1/14
shutdown
!
interface FastEthernet1/15
switchport mode trunk
duplex full
speed 100
!
interface GigabitEthernet1/0
speed 100
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template3
no ip address
!
interface Vlan1
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan2
ip address 10.1.2.1 255.255.255.0
!
interface Vlan3
ip address 10.1.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan4
ip address 10.1.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan5
ip address 10.1.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan6
ip address 10.1.6.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan7
ip address 10.1.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan8
ip address 10.1.8.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan9
ip address 10.1.9.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan10
ip address 10.1.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan11
ip address 10.1.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan12
ip address 10.1.12.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
ip nat pool NATVLAN4 68.191.235.53 68.191.235.53 netmask 255.255.255.252
ip nat pool NATVLAN5 68.191.235.54 68.191.235.54 prefix-length 30
ip nat pool NATVLAN6 68.191.235.55 68.191.235.55 prefix-length 30
ip nat pool NATVLAN7 68.191.235.56 68.191.235.56 prefix-length 30
ip nat pool NATVLAN8 68.191.235.57 68.191.235.57 prefix-length 30
ip nat pool NATVLAN9 68.191.235.58 68.191.235.58 prefix-length 30
ip nat pool NATVLAN10 68.191.235.59 68.191.235.59 prefix-length 30
ip nat pool NATVLAN11 68.191.235.60 68.191.235.60 prefix-length 30
ip nat pool NATVLAN12 68.191.235.61 68.191.235.61 prefix-length 30
ip nat pool NATMAIN 68.191.235.50 68.191.235.50 netmask 255.255.255.252
ip nat pool NATVLAN3 68.191.235.52 68.191.235.52 netmask 255.255.255.252
ip nat inside source route-map SDM_RMAP3 pool NATVLAN3 overload
ip nat inside source route-map SDM_RMAP_4 pool NATVLAN4 overload
ip nat inside source route-map SDM_RMAP_5 pool NATVLAN5 overload
ip nat inside source route-map SDM_RMAP_6 pool NATVLAN6 overload
ip nat inside source route-map SDM_RMAP_7 pool NATVLAN7 overload
ip nat inside source route-map SDM_RMAP_8 pool NATVLAN8 overload
ip nat inside source route-map SDM_RMAP_1 pool NATMAIN overload
!
logging trap warnings
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 10.1.2.0 0.0.0.255 any
access-list 113 permit ip 10.1.3.0 0.0.0.255 any
access-list 114 permit ip 10.1.4.0 0.0.0.255 any
access-list 115 permit ip 10.1.5.0 0.0.0.255 any
access-list 116 permit ip 10.1.6.0 0.0.0.255 any
access-list 117 permit ip 10.1.7.0 0.0.0.255 any
access-list 118 permit ip 10.1.8.0 0.0.0.255 any
access-list 119 permit ip 10.1.9.0 0.0.0.255 any
access-list 120 permit ip 10.1.10.0 0.0.0.255 any
access-list 121 permit ip 10.1.11.0 0.0.0.255 any
access-list 122 permit ip 10.1.12.0 0.0.0.255 any
!
route-map SDM_RMAP3 permit 10
match ip address 113
set interface GigabitEthernet0/0
!
route-map SDM_RMAP_11 permit 10
match ip address 121
!
route-map SDM_RMAP_10 permit 10
match ip address 120
!
route-map SDM_RMAP_12 permit 10
match ip address 122
!
route-map SDM_RMAP_4 permit 10
match ip address 114
!
route-map SDM_RMAP_5 permit 10
match ip address 115
!
route-map SDM_RMAP_6 permit 10
match ip address 116
!
route-map SDM_RMAP_7 permit 10
match ip address 117
!
route-map SDM_RMAP_1 permit 1
match ip address 105
!
route-map SDM_RMAP_8 permit 10
match ip address 118
!
route-map SDM_RMAP_9 permit 10
match ip address 119
!
end





 
In reading this, I realize my explanation is horrible but I'm unable to edit the post (as far as I can tell).

Only SDM_RMAP_1 (vlan 1 and 2) are routing publicly - no other VLANs are receiving a public address. I'm NATting that to the IP address of interface G0/0, but it's my understanding that these other pools should work. Am I wrong on that? Thanks again.
 
Disregard - this was a problem with the ISP.
 
Nope - re-regard. That wasn't it. I've noticed that I can only NAT if I use the IP address assigned to the physical interface that connects to the cable modem. I have been able to perform static NATting to another address in this subnet without issue though.

If I change the public address of NATMAIN (the pool used by VLAN1 - the one that works) to another address, DESTINATION HOST UNREACHABLE and the nat pool continually misses.
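
Added example (not part of the original thread, and not the poster's code): a small Python pass that cross-references the NAT pieces of a configuration like the one posted above. It follows each `ip nat inside source` rule through its route-map and access list, then compares the matched subnets with the interfaces marked `ip nat inside`. The `audit` function and the condensed `CONFIG` excerpt (VLANs 1, 2 and 9 from the post) are constructed for illustration.

```python
import ipaddress

# Condensed excerpt of the config posted in the thread (VLANs 1, 2 and 9 only).
CONFIG = """\
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
interface Vlan2
 ip address 10.1.2.1 255.255.255.0
interface Vlan9
 ip address 10.1.9.1 255.255.255.0
 ip nat inside
ip nat inside source route-map SDM_RMAP_1 pool NATMAIN overload
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 10.1.2.0 0.0.0.255 any
access-list 119 permit ip 10.1.9.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 105
route-map SDM_RMAP_9 permit 10
 match ip address 119
"""

def audit(config):
    """Cross-check NAT rules, route-maps and ACLs against inside interfaces."""
    nets, inside, acls, rmaps, rules, cur = {}, set(), {}, {}, [], None
    for line in map(str.strip, config.splitlines()):
        w = line.split()
        if line.startswith(("interface ", "route-map ")):
            cur = w[1]                      # name of the section being read
        elif line.startswith("ip address ") and len(w) == 4:
            nets[cur] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif line == "ip nat inside":
            inside.add(cur)
        elif line.startswith("match ip address "):
            rmaps.setdefault(cur, []).extend(w[3:])
        elif line.startswith("ip nat inside source route-map "):
            rules.append(w[5])
        elif line.startswith("access-list ") and w[2:4] == ["permit", "ip"]:
            acls.setdefault(w[1], []).append(ipaddress.ip_network(f"{w[4]}/{w[5]}"))
    # Source networks that a NAT rule really matches: rule -> route-map -> ACL.
    matched = [n for r in rules for a in rmaps.get(r, []) for n in acls.get(a, [])]
    covered = {i for i, net in nets.items() if any(net.subnet_of(m) for m in matched)}
    return {
        "inside_without_rule": sorted(inside - covered),
        "rule_without_inside": sorted(covered - inside),
        "unused_route_maps": sorted(set(rmaps) - set(rules)),
    }
```

On the excerpt it reports Vlan9 as inside with no NAT rule, Vlan2 as matched by a rule but not marked inside, and SDM_RMAP_9 as defined but unused. It checks references only and says nothing about whether the upstream network delivers traffic for a pool address.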
 