Solved

Cisco 1841 HWIC-4ESW Inter VLAN NAT

Posted on 2009-05-16
10
1,580 Views
Last Modified: 2012-05-07
Hello All,

We have a Cisco 1841 with a HWIC-4ES4 with a simple config and need to do a NAT between 2 vlans.

We need that all traffic from 192.168.16.0/24 with destination for 10.1.0.0/16 and for 10.120.0.0/16 be source NATed for range 10.2.166.x. This because we have a partner that delegated this sub-range for us to connect for his company network.

FastEthernet 0/0/3 is connected to the router of this partner with address 10.2.166.1.

When traffic go out from router using a simple telnet or came from our VPDN or from router itself (telnet with source interface vlan1) NAT works fine and is logged in ACLs. But when traffic cames from LAN the NAT do not work and is not logged in the ACLs.

Here is relevant parts of the config. Router is running IOS 12.4.8 Advanced Security.

If somebody have questions please fell free to ask and sorry for my poor english.

Thanks in advance for your help.


Current configuration : 6527 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXX
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default line
aaa authentication ppp default local
aaa authorization network default if-authenticated
!
aaa session-id common
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.16.1 192.168.16.10
!
ip dhcp pool 1
   network 192.168.16.0 255.255.255.0
   domain-name xxxxx
   default-router 192.168.16.1
   dns-server 208.67.222.222
!
!
ip name-server 208.67.222.222
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 local name VPDN01
!
!
!
!
username cnteste privilege 7 password 7 HSDFQW37REWHIUFGSFGDSAJGF8EW7RTW87
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key jojojojo address 148.177.xxx.xxx
crypto isakmp key kekekeke address 200.255.xxx.xxx
!
!
crypto ipsec transform-set VPN_001 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set VPN_002 esp-3des esp-md5-hmac
!
crypto map VPNs 1 ipsec-isakmp
 description VPNs Remota 002
 set peer 200.255.xxx.xxx
 set security-association lifetime seconds 28800
 set transform-set VPN_002
 set pfs group5
 match address 160
crypto map VPNs 2 ipsec-isakmp
 description VPNs Remota 001
 set peer 148.177.xxx.xxx
 set transform-set VPN_001
 match address 150
!
!
!
interface Loopback998
 ip address 200.170.xxx.xxx 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface Loopback999
 ip address 200.170.xxx.xxx 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description ISP01
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
 fair-queue
 crypto map VPNs
!
interface FastEthernet0/1
 description RESERVED FOR ISP02
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 shutdown
 speed auto
 full-duplex
 fair-queue
!
interface FastEthernet0/0/0
 description Interface LAN
!
interface FastEthernet0/0/1
 shutdown
!
interface FastEthernet0/0/2
 shutdown
!
interface FastEthernet0/0/3
 description PARTNER CONNECTION
 switchport access vlan 10
!
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly
 ip mroute-cache
 peer default ip address dhcp-pool 1
 ppp encrypt mppe auto passive
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 description description VLAN 1 Interface F0/0/0 
 ip address 192.168.16.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map FROM-LAN
!
interface Vlan10
 description VLAN 10 Interface F0/0/3 PARTNER CONNECTION
 ip address 10.2.166.100 255.255.254.0
 ip nat outside
 ip virtual-reassembly
!
ip local pool VPDN01 192.168.254.51 192.168.254.199
ip route 0.0.0.0 0.0.0.0 189.38.252.1
ip route 10.1.0.0 255.255.0.0 10.2.166.1
ip route 10.120.0.0 255.255.0.0 10.2.166.1
!
ip http server
ip http port 2280
ip http authentication local
no ip http secure-server
ip nat pool NAT-PARTNER 10.2.166.128 10.2.166.160 prefix-length 26
ip nat inside source list 140 interface FastEthernet0/0 overload
ip nat inside source list NAT-PARTNER pool NAT-PARTNER overload
!
ip access-list extended NAT-PARTNER
 permit ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255 log-input
 permit ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255 log-input
 deny   ip any any
!
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 1 permit 192.168.254.0 0.0.0.255
access-list 71 permit 192.168.16.1
access-list 99 permit 192.168.16.3
access-list 100 permit ip any any
access-list 101 deny   ip any any
access-list 130 permit ip 192.168.254.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 140 deny   ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 140 deny   ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255
access-list 140 deny   ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255
access-list 140 deny   ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255
access-list 140 permit ip 192.168.16.0 0.0.0.255 any
access-list 140 permit ip 192.168.254.0 0.0.0.255 any
access-list 150 permit ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255 log
access-list 160 permit ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255 log
!
route-map FROM-LAN permit 10
 match ip address NAT-PARTNER
 set ip next-hop 10.2.166.1
!

Open in new window

0
Comment
Question by:convergenetworks
  • 5
  • 4
10 Comments
 
LVL 5

Expert Comment

by:ksims1129
ID: 24404474
why are you using a policy-route and you have a staic route for the 10.2.166.0 network?
0
 
LVL 5

Expert Comment

by:ksims1129
ID: 24404484
policy routing will take the packet and route based on the set policy before it gets a chance to be translated. if ip policy is required then you will not be able to nat correctly. if its not required remove it and see if that fixes the problem.
0
 

Author Comment

by:convergenetworks
ID: 24406704
Hi ksims1129.
Sorry, policy route was just a test. Already removed from interface vlan1 but same results. When tested from cli using vlan1 as source it works but when tested from LAN it not work:

ROUTER#telnet 10.120.108.31 80 /source-interface vlan1
Trying 10.120.108.31, 80 ... Open
quit
HTTP/1.1 400 Bad Request
Date: Sun, 17 May 2009 16:24:05 GMT
Server: OracleAS-Web-Cache-10g/10.1.2.0.2
Content-Type: text/html
Content-Length: 103
<HTML><HEAD><TITLE>Bad Request</TITLE></HEAD><BODY>The request contains invalid syntax.</BODY></HTML>
[Connection to 10.120.108.31 closed by foreign host]

Thanks
0
Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

 
LVL 5

Expert Comment

by:ksims1129
ID: 24406787
can you debug ip nat and see if  the traffic is making it to the nat rule. or paste it so i can get a look to see exactlyt whats going on.
0
 

Author Comment

by:convergenetworks
ID: 24407185
Hi ksims1129, thanks!

When telneting from router in another session traffic goes to ACL and is NATed correctly:

ROUTER#debug ip nat 71
IP NAT debugging is on for access list 71
ROUTER#term mon
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36754]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [0]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36755]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36756]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36757]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6387]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36758]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36759]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6389]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36760]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6393]
1w5d: NAT: expiring 10.2.166.130 (192.168.16.1) tcp 23746 (23746)
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36761]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6395]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6399]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6397]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36762]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36763]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36764]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36764]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36764]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36764]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36764]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [46367]

sh access-lists shows a correct match for NAT ACL when traffic source is 192.168.16.1

ROUTER#sh access-lists
Standard IP access list 1
    10 permit 192.168.16.0, wildcard bits 0.0.0.255
    20 permit 192.168.254.0, wildcard bits 0.0.0.255
Standard IP access list 71
    10 permit 192.168.16.1
Standard IP access list 99
    10 permit 192.168.16.3 (87 matches)
Extended IP access list 100
    10 permit ip any any
Extended IP access list 101
    10 deny ip any any
Extended IP access list 130
    10 permit ip 192.168.254.0 0.0.0.255 10.0.0.0 0.255.255.255
Extended IP access list 140
    10 deny ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255
    20 deny ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255
    30 deny ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255
    40 deny ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255 (10 matches)
    50 permit ip 192.168.16.0 0.0.0.255 any (174 matches)
    60 permit ip 192.168.254.0 0.0.0.255 any
Extended IP access list 150
    10 permit ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255 log
Extended IP access list 160
    10 permit ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255 log
Extended IP access list NAT-VPN-ODEB
    10 permit ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255 log-input
    20 permit ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255 log-input (1 match)
    30 deny ip any any (820 matches)

BUT When telneting from LAN address 192.168.16.3 there is no DEBUG output and no match for that NAT ACL ( I did an clear counters before testing)

ROUTER#debug ip nat 99
IP NAT debugging is on for access list 99
ROUTER#no deb all
All possible debugging has been turned off

ROUTER#sh access-lists
Standard IP access list 1
    10 permit 192.168.16.0, wildcard bits 0.0.0.255
    20 permit 192.168.254.0, wildcard bits 0.0.0.255
Standard IP access list 71
    10 permit 192.168.16.1
Standard IP access list 99
    10 permit 192.168.16.3 (87 matches)
Extended IP access list 100
    10 permit ip any any
Extended IP access list 101
    10 deny ip any any
Extended IP access list 130
    10 permit ip 192.168.254.0 0.0.0.255 10.0.0.0 0.255.255.255
Extended IP access list 140
    10 deny ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255
    20 deny ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255
    30 deny ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255
    40 deny ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255 (9 matches)
    50 permit ip 192.168.16.0 0.0.0.255 any (168 matches)
    60 permit ip 192.168.254.0 0.0.0.255 any
Extended IP access list 150
    10 permit ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255 log
Extended IP access list 160
    10 permit ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255 log
Extended IP access list NAT-VPN-ODEB
    10 permit ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255 log-input
    20 permit ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255 log-input
    30 deny ip any any (754 matches)

Thanks, Jeff
0
 

Author Comment

by:convergenetworks
ID: 24407198
As we can see, ACL 140 that NATs for internet correctly deny traffic from 192.168.16.3->10.120.x.x but after this ACL NAT-VPN-ODEB have no matches... Traffic just goes nowhere. I never saw that before.
[]'s
Jeff
0
 

Author Comment

by:convergenetworks
ID: 24408078
Hello All,

Problem appears to be just related to vlans or hwic-4esw because when we chage outgoing interface from switched fe0/0/3 (vlan10) to routed fe0/1 SNAT works fine.

For while I can leave config working this way (with routed fe0/1 being nat outside)  but I'll need to add a second ISP and i'm affraid that I'll have same problem.

Any hint? Thanks, Jeff
0
 

Accepted Solution

by:
convergenetworks earned 0 total points
ID: 24432911
Hi ksims1129,

Just to tank you. In the end we did a IOS upgrade to 12.4.25 and NAT is now Ok with same config.

Kind regards
0
 
LVL 5

Expert Comment

by:ksims1129
ID: 24434697
Ok.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Can Cisco resolve internet address internally 4 52
What is the Router Login page for Comcast? 10.0.0.1? 7 186
VIRL IP adress 3 79
Help logging in to my router 12 59
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

837 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question