
Cisco 3750 routing question

I have a Cisco 3750 with IP routing turned on.
I have three VLANs configured 1,2,3.
VLAN 1 IP Address: 192.168.1.1
VLAN 2 IP Address: 192.168.2.1
VLAN 3 IP Address: 16.102.185.1

VLAN 3 is a network not in my control and will not route traffic from VLANs 1 and 2.  
Clients on VLANs 1 and 2 have each other's respective VLAN IP addresses configured as default gateways.

Is there a way to configure NAT on this Cisco that will allow me to communicate to the internet only through VLAN 3 (which has a proxy server setting)?  Or a better way?
Asked by: romatlo
4 Solutions
 
rsivanandan commented:
Yes you could do that;

int <internet facing interface>
ip nat outside

int <vlan1>
ip nat inside

int <vlan2>
ip nat inside

ip nat inside source list 1 int <internet facing interface> overload

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

That should do it.

Cheers,
Rajesh
0
 
trinak96 commented:
If you only want VLAN3 to communicate to the internet, then replace vlan1 & vlan2 above with vlan3 and only permit that subnet.
ie:
int <vlan3>
ip nat inside

access-list 1 permit 16.102.185.0 0.0.0.255

0
 
lrmoore commented:
I don't think the 3750 switch supports NAT...

0

 
Jim_Coyne commented:
Under "Layer 2 Features" section

http://www.cisco.com/en/US/products/ps7077/products_qanda_item0900aecd805bbea5.shtml

Q. Is Network Address Translation (NAT) supported?
A. No, there are no plans to support NAT.

You'll need a router to do NAT on a stick:

Switch:
int fa0/24
description to router
switchport
switchport trunk encap dot1q
switchport trunk allowed vlan 1,2,3
switchport mode trunk

Router:
int fa0/0
description to switch
!
int fa0/0.1
description VLAN1
encap dot1q 1
ip nat inside
!
int fa0/0.2
description VLAN2
encap dot1q 2
ip nat inside
!
int fa0/0.3
description to Internet VLAN
encap dot1q 3
ip nat outside
!
ip nat inside source list 1 int fa0/0.3 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255



0
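Both NAT configurations in this thread (rsivanandan's on the switch and Jim_Coyne's router-on-a-stick) decide what gets translated with a standard numbered ACL written in Cisco wildcard-mask notation, where a 1 bit means "don't care" and an unmatched source hits the implicit deny. The following script is an added example, not code from any poster: it parses such ACL lines, applies the wildcard semantics, and reports whether a given source address would be translated. The config text it reads is constructed from the lines above; the function and variable names are my own.

```python
import ipaddress
import re

# Constructed sample taken from the NAT-on-a-stick answer above.
SAMPLE_CONFIG = """\
ip nat inside source list 1 int fa0/0.3 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?$")


def parse_standard_acl(config):
    """Return {acl_number: [(action, network_int, wildcard_int), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        num, action, addr, wildcard = m.groups()
        if addr == "host":              # "permit host A.B.C.D" form
            addr, wildcard = wildcard, "0.0.0.0"
        if addr == "any":
            net, wc = 0, 0xFFFFFFFF
        else:
            net = int(ipaddress.IPv4Address(addr))
            # A bare address with no wildcard is a single host (wildcard 0.0.0.0).
            wc = int(ipaddress.IPv4Address(wildcard or "0.0.0.0"))
        acls.setdefault(num, []).append((action, net, wc))
    return acls


def acl_permits(entries, src):
    """First-match evaluation; a 1 bit in the wildcard is ignored in the comparison."""
    s = int(ipaddress.IPv4Address(src))
    for action, net, wc in entries:
        care = ~wc & 0xFFFFFFFF
        if (s & care) == (net & care):
            return action == "permit"
    return False  # implicit deny at the end of every Cisco ACL


def will_be_translated(config, src):
    """True if traffic from src matches the ACL named by 'ip nat inside source list N'."""
    m = re.search(r"^ip nat inside source list (\d+)", config, re.M)
    if m is None:
        return False
    return acl_permits(parse_standard_acl(config).get(m.group(1), []), src)
```

Running it against the sample shows the two inside subnets are translated and anything else, including the 16.102.185.0/24 VLAN, is left untouched by NAT.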
 
trath commented:
All Cisco switches support NAT, in order to get it though you have to have the enhanced image IOS version. Other than that rsivanandan is exactly right on how to achieve the result.
0
 
romatlo (Author) commented:
Jim Coyne,

Since there is a list of unsupported NAT commands for the 3750, does that mean that it should work just not supported?  Therefore rsivanandan's suggestion may work?

trath,

Do you know what version of IOS is considered enhanced?

Thanks, to everyone for your responses.  Allow me to try some of these suggestions before accepting answers.
0
 
Jim_Coyne commented:
Switch#config t
Switch(config)#ip nat ?
% Unrecognized command
Switch(config)#int fa0/1
Switch(config-if)#ip nat ?
% Unrecognized command

It's not available at all, you MUST do NAT on a stick if you want this to work. Anyone who tells you that you can NAT on a 3550, 3560 or 3750 is wrong, you can route but not NAT.
0
 
Jim_Coyne commented:
· Standard multilayer image (SMI), which provides Layer 2+ features
(enterprise-class intelligent services). These features include access
control lists (ACLs), quality of service (QoS), static routing, and the
Hot Standby Router Protocol (HSRP) and the Routing Information Protocol
(RIP). Switches with the SMI installed can be upgraded to the EMI.

· Enhanced multilayer image (EMI), which provides a richer set of
enterprise-class intelligent services. It includes all SMI features
plus full Layer 3 routing (IP unicast routing, IP multicast routing,
and fallback bridging). To distinguish it from the Layer 2+ static
routing and RIP, the EMI includes protocols such as the Enhanced
Interior Gateway Routing Protocol (EIGRP) and the Open Shortest Path
First (OSPF) Protocol.
0
 
romatlo (Author) commented:
Thanks Jim.
I do not have a separate router...other than a linksys NAT router.  I wonder if I can make that work somehow?
0
 
Jim_Coyne commented:
You need to find out if that model supports 802.1q (dot1q) trunking. If it does, you can use it. Although I would be careful not to overload it, since it's meant to be a 'home' router and not an enterprise solution.

I personally have a Linksys WRT54G loaded with DD-WRT firmware and I can dot1q trunk with it.

http://en.wikipedia.org/wiki/DD-WRT
0
 
romatlo (Author) commented:
So I finally got it to work.
I hung the linksys off of VLAN 2 and gave it an internal static IP of 192.168.2.25 and gateway of 192.168.2.1.  I gave it a static external IP address, gateway, and DNS setting.  I then set a static route at the core to point any destination of 16.x.x.x to 192.168.2.25 and put forwarder on my internal DNS to a 16.x.x.x address.  
So now clients on VLANs 1 and 2 try to resolve internet DNS requests to internal DNS first and then it forwards to a 16.x.x.x address which is taken care of with the static route to the linksys...and back.
Seems to work fine for now...  Thanks again for all the help.
0
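The working setup above depends on longest-prefix routing on the 3750: the static route for 16.0.0.0/8 sends traffic to the Linksys at 192.168.2.25, but a destination inside the directly connected 16.102.185.0/24 still goes out VLAN 3, and anything outside 16/8 has no route at all (which is why the DNS forwarder had to point at a 16.x.x.x address). This added example, not the poster's configuration, models that lookup with a constructed routing table; the interface names and the assumption that 16.102.185.0/24 is a connected subnet on the switch are mine.

```python
import ipaddress

# Constructed routing table for the core 3750 as described in the thread.
# Each entry: (prefix, next hop or None if directly connected, egress interface).
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), None, "Vlan1"),
    (ipaddress.ip_network("192.168.2.0/24"), None, "Vlan2"),
    (ipaddress.ip_network("16.102.185.0/24"), None, "Vlan3"),   # assumed connected
    # ip route 16.0.0.0 255.0.0.0 192.168.2.25  (the Linksys hung off VLAN 2)
    (ipaddress.ip_network("16.0.0.0/8"), ipaddress.ip_address("192.168.2.25"), None),
]


def longest_match(routes, dst):
    """Return the most specific route containing dst, or None (no default route here)."""
    best = None
    for net, nh, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return best


def resolve_next_hop(routes, dst):
    """Resolve dst to ('connected'|'static', egress interface, next-hop address).

    A static route's next hop is looked up again so the egress interface is
    the connected subnet holding that next hop, as IOS does recursively.
    Returns None when the packet would be dropped for lack of a route.
    """
    dst = ipaddress.ip_address(dst)
    best = longest_match(routes, dst)
    if best is None:
        return None
    net, nh, iface = best
    if nh is None:
        return ("connected", iface, dst)
    via = resolve_next_hop(routes, str(nh))
    if via is None or via[0] != "connected":
        return None  # next hop itself unreachable: route is unusable
    return ("static", via[1], nh)
```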
 
Robert Sutton Jr (Senior Network Manager) commented:
That was going to be my suggestion: static your route to your gateway, in this case your Linksys, and DNS resolution should occur.
0
