convergenetworks

asked on

Cisco 1841 HWIC-4ESW Inter VLAN NAT

Hello All,

We have a Cisco 1841 with a HWIC-4ESW and a simple config, and we need to do NAT between 2 VLANs.

We need all traffic from 192.168.16.0/24 destined for 10.1.0.0/16 and for 10.120.0.0/16 to be source NATed to the range 10.2.166.x. This is because we have a partner that delegated this sub-range to us for connecting to his company network.

FastEthernet 0/0/3 is connected to the router of this partner with address 10.2.166.1.

When traffic goes out from the router using a simple telnet, or comes from our VPDN, or from the router itself (telnet with source interface vlan1), NAT works fine and is logged in the ACLs. But when traffic comes from the LAN, NAT does not work and is not logged in the ACLs.

Here are the relevant parts of the config. The router is running IOS 12.4.8 Advanced Security.

If somebody has questions please feel free to ask, and sorry for my poor English.

Thanks in advance for your help.


Current configuration : 6527 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXX
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default line
aaa authentication ppp default local
aaa authorization network default if-authenticated
!
aaa session-id common
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.16.1 192.168.16.10
!
ip dhcp pool 1
   network 192.168.16.0 255.255.255.0
   domain-name xxxxx
   default-router 192.168.16.1
   dns-server 208.67.222.222
!
!
ip name-server 208.67.222.222
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 local name VPDN01
!
!
!
!
username cnteste privilege 7 password 7 HSDFQW37REWHIUFGSFGDSAJGF8EW7RTW87
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key jojojojo address 148.177.xxx.xxx
crypto isakmp key kekekeke address 200.255.xxx.xxx
!
!
crypto ipsec transform-set VPN_001 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set VPN_002 esp-3des esp-md5-hmac
!
crypto map VPNs 1 ipsec-isakmp
 description VPNs Remota 002
 set peer 200.255.xxx.xxx
 set security-association lifetime seconds 28800
 set transform-set VPN_002
 set pfs group5
 match address 160
crypto map VPNs 2 ipsec-isakmp
 description VPNs Remota 001
 set peer 148.177.xxx.xxx
 set transform-set VPN_001
 match address 150
!
!
!
interface Loopback998
 ip address 200.170.xxx.xxx 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface Loopback999
 ip address 200.170.xxx.xxx 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description ISP01
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
 fair-queue
 crypto map VPNs
!
interface FastEthernet0/1
 description RESERVED FOR ISP02
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 shutdown
 speed auto
 full-duplex
 fair-queue
!
interface FastEthernet0/0/0
 description Interface LAN
!
interface FastEthernet0/0/1
 shutdown
!
interface FastEthernet0/0/2
 shutdown
!
interface FastEthernet0/0/3
 description PARTNER CONNECTION
 switchport access vlan 10
!
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly
 ip mroute-cache
 peer default ip address dhcp-pool 1
 ppp encrypt mppe auto passive
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 description description VLAN 1 Interface F0/0/0 
 ip address 192.168.16.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map FROM-LAN
!
interface Vlan10
 description VLAN 10 Interface F0/0/3 PARTNER CONNECTION
 ip address 10.2.166.100 255.255.254.0
 ip nat outside
 ip virtual-reassembly
!
ip local pool VPDN01 192.168.254.51 192.168.254.199
ip route 0.0.0.0 0.0.0.0 189.38.252.1
ip route 10.1.0.0 255.255.0.0 10.2.166.1
ip route 10.120.0.0 255.255.0.0 10.2.166.1
!
ip http server
ip http port 2280
ip http authentication local
no ip http secure-server
ip nat pool NAT-PARTNER 10.2.166.128 10.2.166.160 prefix-length 26
ip nat inside source list 140 interface FastEthernet0/0 overload
ip nat inside source list NAT-PARTNER pool NAT-PARTNER overload
!
ip access-list extended NAT-PARTNER
 permit ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255 log-input
 permit ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255 log-input
 deny   ip any any
!
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 1 permit 192.168.254.0 0.0.0.255
access-list 71 permit 192.168.16.1
access-list 99 permit 192.168.16.3
access-list 100 permit ip any any
access-list 101 deny   ip any any
access-list 130 permit ip 192.168.254.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 140 deny   ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 140 deny   ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255
access-list 140 deny   ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255
access-list 140 deny   ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255
access-list 140 permit ip 192.168.16.0 0.0.0.255 any
access-list 140 permit ip 192.168.254.0 0.0.0.255 any
access-list 150 permit ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255 log
access-list 160 permit ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255 log
!
route-map FROM-LAN permit 10
 match ip address NAT-PARTNER
 set ip next-hop 10.2.166.1
!

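The question hinges on how IOS walks the two `ip nat inside source list` statements for a LAN flow: ACL 140 explicitly denies 192.168.16.0/24 to the partner ranges so that the second statement, which uses the named ACL and the partner pool, gets the flow. The script below is an added example (not part of the original post) that replays flows through the ACLs exactly as they appear in the posted config and reports which translation each flow should hit. It assumes first-match ordering of the NAT statements in configuration order, where a deny in one ACL only skips that statement; it handles only `ip` ACEs (no ports), and the sample flows, including the documentation address 198.51.100.10, are constructed.

```python
"""Replay a flow through the 'ip nat inside source list' statements of the
posted 1841 config and report which translation (if any) it should receive.
Added example, not from the original post. Assumptions: only 'ip' ACEs
(no ports), standard/extended ACL syntax as posted, and the first NAT
statement whose ACL permits the flow wins (a deny only skips that statement)."""
import ipaddress
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard compare: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


def _take_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume one address spec: 'any', 'host X', 'X WILDCARD' or bare 'X'."""
    tok = tokens[i]
    if tok == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return tok, tokens[i + 1], i + 2
    return tok, "0.0.0.0", i + 1  # standard-ACL host entry, implicit 0.0.0.0


class Acl:
    """Ordered ACEs with first-match semantics and an implicit deny at the end."""

    def __init__(self, name: str, aces: List[str], standard: bool = False):
        self.name = name
        self.aces = [self._parse(a, standard) for a in aces]

    @staticmethod
    def _parse(line: str, standard: bool):
        t = line.split()
        action, i = t[0], 1
        if not standard:
            i = 2                       # skip the protocol keyword ('ip')
        src, swc, i = _take_addr(t, i)
        if standard:
            dst, dwc = "0.0.0.0", "255.255.255.255"
        else:
            dst, dwc, i = _take_addr(t, i)   # trailing 'log'/'log-input' ignored
        return action, src, swc, dst, dwc, " ".join(t)

    def lookup(self, src: str, dst: str) -> Tuple[str, str]:
        """Return (action, matching ACE text); implicit deny if nothing matches."""
        for action, s, swc, d, dwc, text in self.aces:
            if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
                return action, text
        return "deny", "<implicit deny>"


# ACLs copied from the posted config (ACL 140 and NAT-PARTNER).
ACLS: Dict[str, Acl] = {
    "140": Acl("140", [
        "deny   ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255",
        "deny   ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255",
        "deny   ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255",
        "deny   ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255",
        "permit ip 192.168.16.0 0.0.0.255 any",
        "permit ip 192.168.254.0 0.0.0.255 any",
    ]),
    "NAT-PARTNER": Acl("NAT-PARTNER", [
        "permit ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255 log-input",
        "permit ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255 log-input",
        "deny   ip any any",
    ]),
}

# 'ip nat inside source list ...' statements in configuration order.
NAT_ORDER: List[Tuple[str, str]] = [
    ("140", "interface FastEthernet0/0 overload"),
    ("NAT-PARTNER", "pool NAT-PARTNER overload"),
]


def nat_action(src: str, dst: str) -> Tuple[Optional[str], List[str]]:
    """Return (translation or None, per-ACL trace) for an inside->outside flow."""
    trace = []
    for acl_name, translation in NAT_ORDER:
        action, ace = ACLS[acl_name].lookup(src, dst)
        trace.append(f"{acl_name}: {action} ({ace})")
        if action == "permit":
            return translation, trace
    return None, trace


if __name__ == "__main__":
    # Constructed sample flows; 198.51.100.10 is a documentation address.
    for src, dst in [("192.168.16.3", "10.120.108.31"),
                     ("192.168.16.3", "198.51.100.10"),
                     ("192.168.254.60", "10.120.1.1"),
                     ("192.168.16.3", "10.90.1.1")]:
        result, trace = nat_action(src, dst)
        print(f"{src} -> {dst}: {result or 'no translation'}")
        for step in trace:
            print("   ", step)
```

Under this model the LAN flow 192.168.16.3 -> 10.120.108.31 is denied by ACL 140 and permitted by NAT-PARTNER, so it should land in the partner pool, which is what the asker expects and what the `sh access-lists` counters later show for the router-sourced test. Two things the trace also makes visible: a VPDN client (192.168.254.x) heading for the partner ranges matches the last line of ACL 140 and would be translated to the ISP interface rather than the partner pool, and LAN traffic to 10.90.0.0/16 is denied by both ACLs and passes untranslated to the crypto map. The model only covers ACL evaluation; it says nothing about the switching path, which is where the thread ends up.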

ksims1129

Why are you using a policy route when you have a static route for the 10.2.166.0 network?
Policy routing will take the packet and route it based on the set policy before it gets a chance to be translated. If IP policy is required then you will not be able to NAT correctly. If it's not required, remove it and see if that fixes the problem.
convergenetworks

ASKER

Hi ksims1129.
Sorry, the policy route was just a test. It has already been removed from interface vlan1, but with the same results. When tested from the CLI using vlan1 as source it works, but when tested from the LAN it does not work:

ROUTER#telnet 10.120.108.31 80 /source-interface vlan1
Trying 10.120.108.31, 80 ... Open
quit
HTTP/1.1 400 Bad Request
Date: Sun, 17 May 2009 16:24:05 GMT
Server: OracleAS-Web-Cache-10g/10.1.2.0.2
Content-Type: text/html
Content-Length: 103
<HTML><HEAD><TITLE>Bad Request</TITLE></HEAD><BODY>The request contains invalid syntax.</BODY></HTML>
[Connection to 10.120.108.31 closed by foreign host]

Thanks
Can you debug ip nat and see if the traffic is making it to the NAT rule? Or paste it so I can get a look to see exactly what's going on.
Hi ksims1129, thanks!

When telnetting from the router in another session, traffic hits the ACL and is NATed correctly:

ROUTER#debug ip nat 71
IP NAT debugging is on for access list 71
ROUTER#term mon
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36754]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [0]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36755]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36756]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36757]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6387]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36758]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36759]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6389]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36760]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6393]
1w5d: NAT: expiring 10.2.166.130 (192.168.16.1) tcp 23746 (23746)
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36761]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6395]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6399]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6397]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36762]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36763]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36764]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36764]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36764]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36764]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36764]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [46367]

sh access-lists shows a correct match for the NAT ACL when the traffic source is 192.168.16.1

ROUTER#sh access-lists
Standard IP access list 1
    10 permit 192.168.16.0, wildcard bits 0.0.0.255
    20 permit 192.168.254.0, wildcard bits 0.0.0.255
Standard IP access list 71
    10 permit 192.168.16.1
Standard IP access list 99
    10 permit 192.168.16.3 (87 matches)
Extended IP access list 100
    10 permit ip any any
Extended IP access list 101
    10 deny ip any any
Extended IP access list 130
    10 permit ip 192.168.254.0 0.0.0.255 10.0.0.0 0.255.255.255
Extended IP access list 140
    10 deny ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255
    20 deny ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255
    30 deny ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255
    40 deny ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255 (10 matches)
    50 permit ip 192.168.16.0 0.0.0.255 any (174 matches)
    60 permit ip 192.168.254.0 0.0.0.255 any
Extended IP access list 150
    10 permit ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255 log
Extended IP access list 160
    10 permit ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255 log
Extended IP access list NAT-VPN-ODEB
    10 permit ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255 log-input
    20 permit ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255 log-input (1 match)
    30 deny ip any any (820 matches)

BUT when telnetting from LAN address 192.168.16.3 there is no DEBUG output and no match for that NAT ACL (I did a clear counters before testing)

ROUTER#debug ip nat 99
IP NAT debugging is on for access list 99
ROUTER#no deb all
All possible debugging has been turned off

ROUTER#sh access-lists
Standard IP access list 1
    10 permit 192.168.16.0, wildcard bits 0.0.0.255
    20 permit 192.168.254.0, wildcard bits 0.0.0.255
Standard IP access list 71
    10 permit 192.168.16.1
Standard IP access list 99
    10 permit 192.168.16.3 (87 matches)
Extended IP access list 100
    10 permit ip any any
Extended IP access list 101
    10 deny ip any any
Extended IP access list 130
    10 permit ip 192.168.254.0 0.0.0.255 10.0.0.0 0.255.255.255
Extended IP access list 140
    10 deny ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255
    20 deny ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255
    30 deny ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255
    40 deny ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255 (9 matches)
    50 permit ip 192.168.16.0 0.0.0.255 any (168 matches)
    60 permit ip 192.168.254.0 0.0.0.255 any
Extended IP access list 150
    10 permit ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255 log
Extended IP access list 160
    10 permit ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255 log
Extended IP access list NAT-VPN-ODEB
    10 permit ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255 log-input
    20 permit ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255 log-input
    30 deny ip any any (754 matches)

Thanks, Jeff
As we can see, ACL 140, which NATs for the internet, correctly denies traffic from 192.168.16.3->10.120.x.x, but after this ACL NAT-VPN-ODEB has no matches... Traffic just goes nowhere. I never saw that before.
[]'s
Jeff
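The debugging step above relies on reading `debug ip nat` output by eye to see which inside hosts are being translated. The script below is an added example (not from the original thread) that parses those lines into a translation table and reports which expected inside hosts never show up, so the absence of 192.168.16.3 becomes an explicit finding instead of something to notice by scrolling. The sample lines are copied from the asker's debug output; the list of expected hosts is constructed.

```python
"""Summarize 'debug ip nat' output and flag inside hosts that never appear.
Added example, not from the original thread. Sample lines are copied from the
asker's debug output; the expected-host list is constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# 'NAT: s=A->B, d=C [id]' is an inside->outside packet with its source rewritten;
# 'NAT*: s=C, d=B->A [id]' is the reply with its destination restored;
# the '*' marks a fast-switched packet.
DEBUG_LINE = re.compile(
    r"NAT(?P<fast>\*?): s=(?P<src>[\d.]+)(?:->(?P<src_xl>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_xl>[\d.]+))? \[(?P<id>\d+)\]"
)
# 'NAT: expiring GLOBAL (LOCAL) proto GPORT (LPORT)' is a translation timing out.
EXPIRE_LINE = re.compile(
    r"NAT: expiring (?P<global>[\d.]+) \((?P<local>[\d.]+)\) (?P<proto>\w+) "
    r"(?P<gport>\d+) \((?P<lport>\d+)\)"
)

# Lines taken from the asker's 'debug ip nat 71' output.
SAMPLE = [
    "1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36754]",
    "1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [0]",
    "1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36755]",
    "1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36756]",
    "1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6387]",
    "1w5d: NAT: expiring 10.2.166.130 (192.168.16.1) tcp 23746 (23746)",
    "1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [46367]",
]


def summarize(lines: Iterable[str]) -> Dict:
    """Count packets per direction and map inside-local -> inside-global addresses."""
    s: Dict = {"outbound": 0, "inbound": 0, "expired": 0, "fast_switched": 0,
               "translations": defaultdict(set), "unparsed": []}
    for line in lines:
        m = DEBUG_LINE.search(line)
        if m:
            if m["fast"]:
                s["fast_switched"] += 1
            if m["src_xl"]:                       # source rewritten: inside -> outside
                s["outbound"] += 1
                s["translations"][m["src"]].add(m["src_xl"])
            elif m["dst_xl"]:                     # destination restored: reply
                s["inbound"] += 1
                s["translations"][m["dst_xl"]].add(m["dst"])
            continue
        e = EXPIRE_LINE.search(line)
        if e:
            s["expired"] += 1
            s["translations"][e["local"]].add(e["global"])
            continue
        s["unparsed"].append(line)                # anything else is kept for review
    s["translations"] = {k: set(v) for k, v in s["translations"].items()}
    return s


def missing_hosts(lines: Iterable[str], expected: Iterable[str]) -> List[str]:
    """Expected inside hosts that never appeared in any translation."""
    seen = set(summarize(lines)["translations"])
    return sorted(set(expected) - seen)


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for local, globals_ in sorted(report["translations"].items()):
        print(f"{local} -> {', '.join(sorted(globals_))}")
    print(f"outbound={report['outbound']} inbound={report['inbound']} "
          f"expired={report['expired']} fast_switched={report['fast_switched']}")
    # Constructed expectation: both the router's VLAN1 address and the LAN test host.
    print("never translated:", missing_hosts(SAMPLE, ["192.168.16.1", "192.168.16.3"]))
```

Run against the posted output, the table contains only 192.168.16.1 mapped to 10.2.166.130, and the LAN host comes back in the "never translated" list, which is the same conclusion the asker draws from the empty `debug ip nat 99` session. The same script works on any `debug ip nat` capture, so it is a quick way to confirm that a NAT rule change actually picked up the hosts it was meant to.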
Hello All,

The problem appears to be related just to VLANs or the HWIC-4ESW, because when we change the outgoing interface from switched fe0/0/3 (vlan10) to routed fe0/1, SNAT works fine.

For a while I can leave the config working this way (with routed fe0/1 being nat outside), but I'll need to add a second ISP and I'm afraid that I'll have the same problem.

Any hint? Thanks, Jeff
ASKER CERTIFIED SOLUTION
convergenetworks
