Solved

NAT problems from VLANs on CISCO router

Posted on 2004-03-25
Last Modified: 2012-05-04
I have a CISCO 1710 router and a Netgear FS526T Switch.

After a while I've been able to sort most of the configuration out, but there's something that does not quite work properly.

I use the switch to create port-based VLANs. All the ports but one are untagged. The last port in the switch uses 802.1q VLAN tagging and belongs to all the VLANs.

That port is connected to the fastethernet interface in the cisco.

Up to here, everything is fine. I can connect machines to different ports and they can all access the router, but when I try to access the internet there is a strange behaviour: VLAN 1 works normally and at full speed. The other VLANs experience problems accessing some web sites.

I can trace a route, query a DNS server, even download web pages from some sites (e.g. Microsoft or Coca-Cola), but not others (like Google or AltaVista).

I'll paste a bit of configuration to see if anyone can find my mistake.
(I found a web page with the same problem but no solution:
http://www.groupstudy.com/archives/associate/200104/msg00325.html)

interface Ethernet0
 ip address XX.XX.XX.XX 255.255.255.248
 ip nat outside
 half-duplex
!
interface FastEthernet0
 no ip address
 ip nat inside
 speed 100
 full-duplex
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 ip address 192.168.37.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address 172.16.22.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 ip address 172.16.24.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 110 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
no ip http server
no ip http secure-server
!

access-list 110 permit ip 192.168.37.0 0.0.0.255 any
access-list 110 permit ip 192.168.47.0 0.0.0.255 any
access-list 110 permit ip 172.16.0.0 0.0.255.255 any
access-list 110 permit ip 172.17.0.0 0.0.255.255 any

Thanks
Question by:ralonso

9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10680054
Are you connecting to a DSL modem?

Try adjusting the MTU on the Ethernet interface

Interface ethernet 0
 mtu 1492

LVL 5

Author Comment

by:ralonso
ID: 10685834
Yes, Ethernet 0 is connected via crossover cable to a DSL modem.

I'll probably try it on Monday, but it is extremely weird that machines in VLAN 1 can access everything normally, while people in the other VLANs experience problems.

By the way, a quick one on ACLs.
I want all VLANs to be routed to the internet, but to no other VLAN.
What kind of ACLs should I set? I have 26 different subnets, being:
192.168.37.0/24
192.168.47.0/24
and a bunch of subnetted 172.16.x.0/24 and 172.17.y.0/24

I have the vague feeling I should deny access to each one of those networks in the inside (fast ethernet) interface, but I'm not sure on how to do it.

Thanks.

LVL 79

Accepted Solution

by: lrmoore (earned 250 total points)
ID: 10686931
Correct. You'd have to add an access-list for every sub-interface.

! extended ACLs need the protocol keyword ("ip") before the source/destination pair
access-list 111 deny ip 192.168.37.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 111 deny ip 192.168.37.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 111 permit ip 192.168.37.0 0.0.0.255 any

access-list 112 deny ip 192.168.38.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 112 deny ip 192.168.38.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 112 permit ip 192.168.38.0 0.0.0.255 any

Interface FastEthernet 0/0.37
 ip address 192.168.37.1 255.255.255.0
 ip access-group 111 in
!
Interface FastEthernet 0/0.38
 ip address 192.168.38.1 255.255.255.0
 ip access-group 112 in
!
<etc>
LVL 6

Expert Comment

by:Pascal666
ID: 10697098
Some IOSs have problems when you create a subinterface for the native vlan.  Do this instead:

interface FastEthernet0
 ip address 192.168.37.1 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface FastEthernet0.2
 encapsulation dot1Q 2
etc...

-Pascal
LVL 6

Assisted Solution

by: Pascal666 (earned 250 total points)
ID: 10697106
For your access lists, it would be easier to just have one access-list and use it on all interfaces, such as:

! extended ACLs need the protocol keyword ("ip") before the source/destination pair
access-list 110 deny ip any 192.168.0.0 0.0.255.255
access-list 110 deny ip any 172.16.0.0 0.15.255.255
access-list 110 permit ip any any

Also note that not all 172.x.x.x networks are non-routable.

-Pascal
LVL 5

Author Comment

by:ralonso
ID: 10702556
Pascal666, initially I had tried what you propose:

interface FastEthernet0
 ip address 192.168.37.1 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address 172.16.22.1 255.255.255.0
 ip nat inside
!
etc...

But it didn't work.

Then I tried again with:
interface FastEthernet0
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 ip address 192.168.37.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address 172.16.22.1 255.255.255.0
 ip nat inside
!
etc...
But still the same.

While using the first option, the router was receiving untagged packets for VLAN 1 and tagged packets for all other VLANs.
I changed to an all-tagged scenario because I believed that handling both tagged and untagged packets might confuse it, but it made no difference.

I'll try everything tomorrow (the setup is at a remote site).
Regarding the MTU, I'll also try it, but I don't know if it will have any effect. I've seen a lot of references to it when using PPPoE, but I am using PPPoA. The DSL router does all the authentication and bridging, so there should be no need for it.

Cheers
LVL 5

Author Comment

by:ralonso
ID: 10722596
Well, some updates.

The MTU did not work:
waterfront(config)#int ethernet 0
waterfront(config-if)#mtu 1492
% Interface Ethernet0 does not support user settable mtu.

Same thing for fastethernet0 or fastethernet0.2.

Regarding the other suggestion, I deleted the interface fastethernet0.1 (native) and tried with no IP address on fastethernet0 and only the subinterfaces other than 0.1 having an IP address: no luck.
Finally I reverted to:

interface FastEthernet0
 ip address 192.168.37.1 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface FastEthernet0.2
 encapsulation dot1Q 2
etc...

It definitely seems to have something to do with the native VLAN ID.
My switch has this feature: I tried putting all ports in VLAN 1 untagged, except for the one that links to the router, which was tagged, and then set the router's port on the switch to use 2 as the default port VLAN ID for untagged packets. Machines stopped connecting properly to the internet.
I believe that the router must be sending untagged packets to the switch.

any further ideas?
LVL 6

Expert Comment

by:Pascal666
ID: 10726703
The correct command is "ip mtu 1492"

-Pascal
LVL 5

Author Comment

by:ralonso
ID: 10733380
Well, anyway, I found what it was.

In the end it had nothing to do with the default VLAN ID or MTUs.

I had to disable route-cache in the external interface. As soon as I did it, everything started working properly.

Thanks for the help. By the way, the help with the ACLs came in handy (saved me a lot of time).
I had to create a different access-list per subinterface; otherwise the devices in the subnet were not able to communicate with the router.

Cheers
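As an added example (not code from the thread or from any of its posters), here is a small Python generator for the per-subinterface ACLs lrmoore describes, together with a first-match evaluator so the lines can be checked offline before they go on the router. It permits each subnet's own gateway address ahead of the inter-VLAN denies, which is the detail that otherwise leaves hosts unable to talk to the router; it assumes the aggregates 192.168.0.0/16 and 172.16.0.0/12 cover every VLAN and that ACL numbers from 111 upward are free (110 is the NAT list).

```python
import ipaddress

# Constructed sample: gateway address of each dot1Q subinterface, taken from
# the thread's config. ACL numbers 111+ are an assumption (110 is the NAT list).
VLAN_GATEWAYS = {1: "192.168.37.1/24", 2: "172.16.22.1/24", 3: "172.16.24.1/24"}
# Assumption: every internal VLAN lives inside these two aggregates.
INTERNAL = ["192.168.0.0/16", "172.16.0.0/12"]

def wildcard(net):
    """Render a prefix as the 'address wildcard' pair IOS extended ACLs expect."""
    return f"{net.network_address} {net.hostmask}"

def build_acl(number, gateway_cidr):
    """Inbound ACL for one subinterface: hosts may reach their own gateway and
    the internet, but no other internal subnet. Permitting the gateway first is
    what keeps the subnet able to talk to the router at all."""
    iface = ipaddress.ip_interface(gateway_cidr)
    src = wildcard(iface.network)
    lines = [f"access-list {number} permit ip {src} host {iface.ip}"]
    for agg in INTERNAL:
        lines.append(f"access-list {number} deny ip {src} {wildcard(ipaddress.ip_network(agg))}")
    lines.append(f"access-list {number} permit ip {src} any")
    return lines

def parse_match(tokens):
    """Consume one IOS address term: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a hostmask (wildcard) in place of a prefix length
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def evaluate(acl_lines, src_ip, dst_ip):
    """First-match evaluation of the generated lines with IOS's implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        tokens = line.split()              # access-list N action ip <src> <dst>
        s_net, rest = parse_match(tokens[4:])
        d_net, _ = parse_match(rest)
        if src in s_net and dst in d_net:
            return tokens[2] == "permit"
    return False                           # no match: implicit deny

if __name__ == "__main__":
    for vlan, gw in VLAN_GATEWAYS.items():
        print("\n".join(build_acl(110 + vlan, gw)))
```

Each generated list goes on its own subinterface with "ip access-group <number> in"; because the source is pinned to the subnet, a packet arriving with a source address from another VLAN falls through to the implicit deny.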