Solved

Cisco 1841 HWIC-4ESW Inter VLAN NAT

Posted on 2009-05-16
Last Modified: 2012-05-07
Hello All,

We have a Cisco 1841 with an HWIC-4ESW with a simple config and need to do NAT between 2 VLANs.

We need all traffic from 192.168.16.0/24 destined for 10.1.0.0/16 and 10.120.0.0/16 to be source-NATed to the range 10.2.166.x. This is because we have a partner that delegated this sub-range to us to connect to his company network.

FastEthernet 0/0/3 is connected to the router of this partner with address 10.2.166.1.

When traffic goes out from the router using a simple telnet, or comes from our VPDN or from the router itself (telnet with source interface vlan1), NAT works fine and is logged in the ACLs. But when traffic comes from the LAN, NAT does not work and is not logged in the ACLs.

Here are the relevant parts of the config. The router is running IOS 12.4.8 Advanced Security.

If somebody has questions please feel free to ask, and sorry for my poor English.

Thanks in advance for your help.


Current configuration : 6527 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXX
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default line
aaa authentication ppp default local
aaa authorization network default if-authenticated
!
aaa session-id common
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.16.1 192.168.16.10
!
ip dhcp pool 1
   network 192.168.16.0 255.255.255.0
   domain-name xxxxx
   default-router 192.168.16.1
   dns-server 208.67.222.222
!
!
ip name-server 208.67.222.222
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 local name VPDN01
!
!
!
!
username cnteste privilege 7 password 7 HSDFQW37REWHIUFGSFGDSAJGF8EW7RTW87
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key jojojojo address 148.177.xxx.xxx
crypto isakmp key kekekeke address 200.255.xxx.xxx
!
!
crypto ipsec transform-set VPN_001 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set VPN_002 esp-3des esp-md5-hmac
!
crypto map VPNs 1 ipsec-isakmp
 description VPNs Remota 002
 set peer 200.255.xxx.xxx
 set security-association lifetime seconds 28800
 set transform-set VPN_002
 set pfs group5
 match address 160
crypto map VPNs 2 ipsec-isakmp
 description VPNs Remota 001
 set peer 148.177.xxx.xxx
 set transform-set VPN_001
 match address 150
!
!
!
interface Loopback998
 ip address 200.170.xxx.xxx 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface Loopback999
 ip address 200.170.xxx.xxx 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description ISP01
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
 fair-queue
 crypto map VPNs
!
interface FastEthernet0/1
 description RESERVED FOR ISP02
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 shutdown
 speed auto
 full-duplex
 fair-queue
!
interface FastEthernet0/0/0
 description Interface LAN
!
interface FastEthernet0/0/1
 shutdown
!
interface FastEthernet0/0/2
 shutdown
!
interface FastEthernet0/0/3
 description PARTNER CONNECTION
 switchport access vlan 10
!
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly
 ip mroute-cache
 peer default ip address dhcp-pool 1
 ppp encrypt mppe auto passive
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 description description VLAN 1 Interface F0/0/0
 ip address 192.168.16.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map FROM-LAN
!
interface Vlan10
 description VLAN 10 Interface F0/0/3 PARTNER CONNECTION
 ip address 10.2.166.100 255.255.254.0
 ip nat outside
 ip virtual-reassembly
!
ip local pool VPDN01 192.168.254.51 192.168.254.199
ip route 0.0.0.0 0.0.0.0 189.38.252.1
ip route 10.1.0.0 255.255.0.0 10.2.166.1
ip route 10.120.0.0 255.255.0.0 10.2.166.1
!
ip http server
ip http port 2280
ip http authentication local
no ip http secure-server
ip nat pool NAT-PARTNER 10.2.166.128 10.2.166.160 prefix-length 26
ip nat inside source list 140 interface FastEthernet0/0 overload
ip nat inside source list NAT-PARTNER pool NAT-PARTNER overload
!
ip access-list extended NAT-PARTNER
 permit ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255 log-input
 permit ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255 log-input
 deny   ip any any
!
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 1 permit 192.168.254.0 0.0.0.255
access-list 71 permit 192.168.16.1
access-list 99 permit 192.168.16.3
access-list 100 permit ip any any
access-list 101 deny   ip any any
access-list 130 permit ip 192.168.254.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 140 deny   ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 140 deny   ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255
access-list 140 deny   ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255
access-list 140 deny   ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255
access-list 140 permit ip 192.168.16.0 0.0.0.255 any
access-list 140 permit ip 192.168.254.0 0.0.0.255 any
access-list 150 permit ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255 log
access-list 160 permit ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255 log
!
route-map FROM-LAN permit 10
 match ip address NAT-PARTNER
 set ip next-hop 10.2.166.1
!

Question by:convergenetworks
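To check the rule selection the configuration above relies on, here is an added example (not part of the original question or of any Cisco tool) that evaluates the two NAT ACLs against sample packets using IOS wildcard-mask semantics; the ACL entries are transcribed from the posted config, and the order in which the two NAT rules are tried is an assumption stated in the code.

```python
import ipaddress

# ACL entries transcribed from the posted config (constructed as data for this example):
# (action, source wildcard spec, destination wildcard spec), in configured order.
ACL_140 = [
    ("deny",   "192.168.16.0 0.0.0.255", "10.1.0.0 0.0.255.255"),
    ("deny",   "192.168.16.0 0.0.0.255", "10.90.0.0 0.0.255.255"),
    ("deny",   "192.168.16.0 0.0.0.255", "10.97.0.0 0.0.255.255"),
    ("deny",   "192.168.16.0 0.0.0.255", "10.120.0.0 0.0.255.255"),
    ("permit", "192.168.16.0 0.0.0.255", "any"),
    ("permit", "192.168.254.0 0.0.0.255", "any"),
]
ACL_NAT_PARTNER = [
    ("permit", "192.168.16.0 0.0.0.255", "10.1.0.0 0.0.255.255"),
    ("permit", "192.168.16.0 0.0.0.255", "10.120.0.0 0.0.255.255"),
    ("deny",   "any", "any"),
]
# The two 'ip nat inside source list' statements and their translation targets.
# Assumed to be tried in this order; these two ACLs never both permit the same packet.
NAT_RULES = [("140", ACL_140, "interface FastEthernet0/0 overload"),
             ("NAT-PARTNER", ACL_NAT_PARTNER, "pool NAT-PARTNER overload")]

def wildcard_match(addr, spec):
    """IOS wildcard mask: a 1 bit in the mask means 'do not care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a | w) == (n | w)

def acl_action(acl, src, dst):
    """First matching entry wins; the implicit trailing deny applies otherwise."""
    for action, s, d in acl:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"

def select_nat_rule(src, dst):
    """Name and target of the first NAT rule whose ACL permits src->dst, else (None, None)."""
    for name, acl, target in NAT_RULES:
        if acl_action(acl, src, dst) == "permit":
            return name, target
    return None, None  # forwarded untranslated, e.g. the VPN-bound 10.90/10.97 traffic

if __name__ == "__main__":
    for dst in ("10.120.108.31", "10.1.5.9", "10.90.1.1", "208.67.222.222"):
        print(dst, select_nat_rule("192.168.16.3", dst))
```

For 192.168.16.3 -> 10.120.108.31 the logic lands on NAT-PARTNER, which is what the thread expects and what the debug output later fails to show, so the config itself is not the culprit.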
Expert Comment by: ksims1129 (LVL 5)

Why are you using a policy route when you have a static route for the 10.2.166.0 network?

Expert Comment by: ksims1129 (LVL 5)

Policy routing will take the packet and route it based on the set policy before it gets a chance to be translated. If IP policy is required then you will not be able to NAT correctly. If it's not required, remove it and see if that fixes the problem.


Author Comment by: convergenetworks

Hi ksims1129.
Sorry, the policy route was just a test. It was already removed from interface vlan1, but with the same results. When tested from the CLI using vlan1 as source it works, but when tested from the LAN it does not work:

ROUTER#telnet 10.120.108.31 80 /source-interface vlan1
Trying 10.120.108.31, 80 ... Open
quit
HTTP/1.1 400 Bad Request
Date: Sun, 17 May 2009 16:24:05 GMT
Server: OracleAS-Web-Cache-10g/10.1.2.0.2
Content-Type: text/html
Content-Length: 103
<HTML><HEAD><TITLE>Bad Request</TITLE></HEAD><BODY>The request contains invalid syntax.</BODY></HTML>
[Connection to 10.120.108.31 closed by foreign host]

Thanks
Expert Comment by: ksims1129 (LVL 5)

Can you debug ip nat and see if the traffic is making it to the NAT rule? Or paste it so I can get a look to see exactly what's going on.


Author Comment by: convergenetworks

Hi ksims1129, thanks!

When telneting from the router in another session, traffic goes to the ACL and is NATed correctly:

ROUTER#debug ip nat 71
IP NAT debugging is on for access list 71
ROUTER#term mon
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36754]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [0]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36755]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36756]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36757]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6387]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36758]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36759]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6389]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36760]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6393]
1w5d: NAT: expiring 10.2.166.130 (192.168.16.1) tcp 23746 (23746)
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36761]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6395]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6399]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [6397]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36762]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36763]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36764]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36764]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36764]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36764]
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36764]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [46367]

sh access-lists shows a correct match for the NAT ACL when the traffic source is 192.168.16.1

ROUTER#sh access-lists
Standard IP access list 1
    10 permit 192.168.16.0, wildcard bits 0.0.0.255
    20 permit 192.168.254.0, wildcard bits 0.0.0.255
Standard IP access list 71
    10 permit 192.168.16.1
Standard IP access list 99
    10 permit 192.168.16.3 (87 matches)
Extended IP access list 100
    10 permit ip any any
Extended IP access list 101
    10 deny ip any any
Extended IP access list 130
    10 permit ip 192.168.254.0 0.0.0.255 10.0.0.0 0.255.255.255
Extended IP access list 140
    10 deny ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255
    20 deny ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255
    30 deny ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255
    40 deny ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255 (10 matches)
    50 permit ip 192.168.16.0 0.0.0.255 any (174 matches)
    60 permit ip 192.168.254.0 0.0.0.255 any
Extended IP access list 150
    10 permit ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255 log
Extended IP access list 160
    10 permit ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255 log
Extended IP access list NAT-VPN-ODEB
    10 permit ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255 log-input
    20 permit ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255 log-input (1 match)
    30 deny ip any any (820 matches)

BUT when telneting from LAN address 192.168.16.3 there is no DEBUG output and no match for that NAT ACL (I did a clear counters before testing)

ROUTER#debug ip nat 99
IP NAT debugging is on for access list 99
ROUTER#no deb all
All possible debugging has been turned off

ROUTER#sh access-lists
Standard IP access list 1
    10 permit 192.168.16.0, wildcard bits 0.0.0.255
    20 permit 192.168.254.0, wildcard bits 0.0.0.255
Standard IP access list 71
    10 permit 192.168.16.1
Standard IP access list 99
    10 permit 192.168.16.3 (87 matches)
Extended IP access list 100
    10 permit ip any any
Extended IP access list 101
    10 deny ip any any
Extended IP access list 130
    10 permit ip 192.168.254.0 0.0.0.255 10.0.0.0 0.255.255.255
Extended IP access list 140
    10 deny ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255
    20 deny ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255
    30 deny ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255
    40 deny ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255 (9 matches)
    50 permit ip 192.168.16.0 0.0.0.255 any (168 matches)
    60 permit ip 192.168.254.0 0.0.0.255 any
Extended IP access list 150
    10 permit ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255 log
Extended IP access list 160
    10 permit ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255 log
Extended IP access list NAT-VPN-ODEB
    10 permit ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255 log-input
    20 permit ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255 log-input
    30 deny ip any any (754 matches)

Thanks, Jeff
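As an added example (not from the thread or from Cisco), a small parser for the `debug ip nat` lines shown above: it checks that every outbound translation lands inside the NAT-PARTNER pool from the config (10.2.166.128 to 10.2.166.160) and reports inside hosts that generated traffic but never appear in the debug, which is exactly the symptom seen for 192.168.16.3. The sample lines are constructed from the thread's output plus one deliberately out-of-pool line.

```python
import ipaddress
import re
from collections import Counter

# Pool boundaries from the posted config: ip nat pool NAT-PARTNER 10.2.166.128 10.2.166.160
POOL_FIRST = ipaddress.IPv4Address("10.2.166.128")
POOL_LAST = ipaddress.IPv4Address("10.2.166.160")

# 'debug ip nat' line shape: "NAT:" for a process-switched packet, "NAT*:" for a
# fast-switched one; "a->b" marks the address that was rewritten.
NAT_LINE = re.compile(
    r"NAT(\*?): s=([\d.]+)(?:->([\d.]+))?, d=([\d.]+)(?:->([\d.]+))? \[(\d+)\]")

# Constructed sample: three lines copied from the thread plus one out-of-pool line.
SAMPLE = """\
1w5d: NAT: s=192.168.16.1->10.2.166.130, d=10.120.108.31 [36754]
1w5d: NAT*: s=10.120.108.31, d=10.2.166.130->192.168.16.1 [0]
1w5d: NAT: expiring 10.2.166.130 (192.168.16.1) tcp 23746 (23746)
1w5d: NAT: s=192.168.16.5->10.2.166.200, d=10.1.4.4 [100]
"""

def parse_nat_debug(text):
    """Yield one dict per translation line; 'expiring' and unrelated lines are skipped."""
    for line in text.splitlines():
        m = NAT_LINE.search(line)
        if not m:
            continue
        fast, src, src_x, dst, dst_x, ident = m.groups()
        yield {"fast": fast == "*", "src": src, "src_xlate": src_x,
               "dst": dst, "dst_xlate": dst_x, "id": int(ident)}

def audit(text):
    """Return (outbound translations per inside host, translations outside the pool)."""
    seen = Counter()
    bad = []
    for rec in parse_nat_debug(text):
        if rec["src_xlate"] is None:   # reply direction: destination is un-translated
            continue
        seen[rec["src"]] += 1
        x = ipaddress.IPv4Address(rec["src_xlate"])
        if not POOL_FIRST <= x <= POOL_LAST:
            bad.append((rec["src"], rec["src_xlate"]))
    return seen, bad

def missing_hosts(text, expected):
    """Inside hosts we expected to see translating but which never hit the NAT debug."""
    seen, _ = audit(text)
    return sorted(h for h in expected if h not in seen)
```

Run it against a full `debug ip nat` capture (with `debug ip nat <acl>` limiting the scope as done above) to spot both silent hosts and translations that escaped the delegated range.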

Author Comment by: convergenetworks

As we can see, ACL 140, which NATs for the internet, correctly denies traffic from 192.168.16.3->10.120.x.x, but after this ACL NAT-VPN-ODEB has no matches... Traffic just goes nowhere. I never saw that before.
[]'s
Jeff


Author Comment by: convergenetworks

Hello All,

The problem appears to be related just to VLANs or the HWIC-4ESW, because when we change the outgoing interface from switched fe0/0/3 (vlan10) to routed fe0/1, SNAT works fine.

For a while I can leave the config working this way (with routed fe0/1 being nat outside), but I'll need to add a second ISP and I'm afraid that I'll have the same problem.

Any hint? Thanks, Jeff


Accepted Solution by: convergenetworks (earned 0 total points)

Hi ksims1129,

Just to thank you. In the end we did an IOS upgrade to 12.4.25 and NAT is now OK with the same config.

Kind regards

Expert Comment by: ksims1129 (LVL 5)

Ok.
