Computer networks
Mario_Z, 2013-11-05 22:51:05

External address pool different from connection address

The situation is this: there is an uplink to the upstream Internet provider, 85.YY.XX.72/30, and there is also a dedicated address pool, 85.YY.ZZ.0/24, which is not in the same subnet as the uplink.

I did the following (Cisco 3945, IOS 15.1).
Looking towards the provider:

!
interface GigabitEthernet0/1
 description === Internet ===
 ip address 85.YY.XX.73 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!


The main interface and two VLANs look towards the clients:
!
interface GigabitEthernet0/0
 description === LAN ===
 ip address 172.16.0.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 10.1.0.10 255.255.0.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.3
 encapsulation dot1Q 3
 ip address 10.2.0.10 255.255.0.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!


Now NAT is configured like this:
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 85.YY.XX.74
!
ip access-list extended NAT
 permit ip 172.16.0.0 0.0.0.255 any
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 10.2.0.0 0.0.255.255 any


Everything works through one external IP.

I want to put each internal VLAN behind its own external IP from the pool allocated by the provider.
I do this (so far only for VLAN2):
ip nat pool vlan2 85.YY.ZZ.02 85.YY.ZZ.254 prefix-length 24
ip nat inside source list NAT1 pool vlan2 overload
!
ip access-list extended NAT1
 permit ip 10.1.0.0 0.0.255.255 any


Naturally, I delete this line from the NAT access list:
permit ip 10.1.0.0 0.0.255.255 any


And nothing works.

I also tried bringing up a virtual interface:
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 6
 ip address 85.YY.ZZ.01 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!


No positive changes.

I also suspect that the provider did not configure the route on its side:
ip route 85.YY.ZZ.0 255.255.255.0 85.YY.XX.73


Although this is stated in the accompanying documents I received from them.
Tomorrow I will call and find out whether they forgot to configure the route above.

The real question is what I did wrong. Googling and poring over manuals gave me no other food for thought. The only difference from all the examples I studied is that in them the uplink network and the address pool are on the same subnet, while in my case they are different. Help, good people.
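A configuration sanity check that follows the cleanup step in the question, added here as an example and not the poster's code or any Cisco tooling: it parses the NAT statements, access lists and pool from a constructed copy of the configuration above, reports inside subnets that are matched by more than one NAT rule (the overlap that existed before the 10.1.0.0 line was removed from acl NAT), and classifies the pool as on-link or routed with respect to the outside interface. The 85.1.2.x / 85.1.3.x octets are placeholders for the obfuscated 85.YY.XX / 85.YY.ZZ values.

```python
import ipaddress
import re

# Constructed stand-in for the poster's config, before the NAT ACL cleanup;
# 85.YY.XX -> 85.1.2 and 85.YY.ZZ -> 85.1.3 are placeholders for the obfuscated octets.
CONFIG = """\
interface GigabitEthernet0/1
 ip address 85.1.2.73 255.255.255.252
 ip nat outside
ip nat pool vlan2 85.1.3.2 85.1.3.254 prefix-length 24
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip nat inside source list NAT1 pool vlan2 overload
ip access-list extended NAT
 permit ip 172.16.0.0 0.0.0.255 any
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 10.2.0.0 0.0.255.255 any
ip access-list extended NAT1
 permit ip 10.1.0.0 0.0.255.255 any
"""

ACL_HDR = re.compile(r"^ip access-list (?:extended|standard) (\S+)")
NAT_RULE = re.compile(r"^ip nat inside source list (\S+) (interface \S+|pool \S+)")
POOL = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) prefix-length (\d+)")
IFACE_ADDR = r"^interface {}\n(?: .*\n)*? ip address (\S+) (\S+)"   # filled with the interface name

def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> IPv4Network; the wildcard is the inverted netmask."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def _walk_acls(config):
    """Yield (acl_name, line) for every line, with acl_name None outside ACL blocks."""
    current = None
    for line in config.splitlines():
        m = ACL_HDR.match(line)
        if m:
            current = m.group(1)
        elif line and not line.startswith(" "):
            current = None          # any other top-level command ends the block
        yield current, line

def parse_acls(config):
    """ACL name -> list of source networks from its 'permit ip' entries."""
    acls = {}
    for name, line in _walk_acls(config):
        tok = line.split()
        if name is None:
            continue
        acls.setdefault(name, [])
        if len(tok) >= 3 and tok[:2] == ["permit", "ip"]:
            if tok[2] == "any":
                acls[name].append(ipaddress.IPv4Network("0.0.0.0/0"))
            elif tok[2] == "host":
                acls[name].append(ipaddress.IPv4Network(tok[3] + "/32"))
            else:
                acls[name].append(wildcard_to_network(tok[2], tok[3]))
    return acls

def drop_ace(config, acl_name, ace):
    """Config with one entry removed from the named ACL (the cleanup step in the question)."""
    kept = [line for name, line in _walk_acls(config)
            if not (name == acl_name and line.strip() == ace.strip())]
    return "\n".join(kept) + "\n"

def parse_nat_rules(config):
    """[(acl_name, translation_target), ...] in configuration order."""
    return [m.groups() for m in map(NAT_RULE.match, config.splitlines()) if m]

def find_overlaps(config):
    """Inside subnets matched by more than one NAT rule. IOS does not pick the
    rule by configuration order, so overlapping NAT ACLs should be avoided."""
    acls, rules = parse_acls(config), parse_nat_rules(config)
    return [(a, b, str(na), str(nb))
            for i, (a, _) in enumerate(rules) for b, _ in rules[i + 1:]
            for na in acls.get(a, []) for nb in acls.get(b, []) if na.overlaps(nb)]

def interface_network(config, name):
    """Subnet configured on the named interface, or None if not found."""
    m = re.search(IFACE_ADDR.format(re.escape(name)), config, re.M)
    return ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False) if m else None

def pool_report(config, outside_iface="GigabitEthernet0/1"):
    """Per pool: 'on-link' if it overlaps the outside interface subnet, 'routed'
    if it is a separate block the upstream must route to the link address."""
    link = interface_network(config, outside_iface)
    report = {}
    for m in filter(None, map(POOL.match, config.splitlines())):
        name, first, last, plen = m.groups()
        net = ipaddress.IPv4Network(f"{first}/{plen}", strict=False)
        if ipaddress.IPv4Address(last) not in net:
            raise ValueError(f"pool {name}: range crosses the /{plen} boundary")
        report[name] = "on-link" if link and net.overlaps(link) else "routed"
    return report

if __name__ == "__main__":
    print("overlaps before cleanup:", find_overlaps(CONFIG))
    fixed = drop_ace(CONFIG, "NAT", "permit ip 10.1.0.0 0.0.255.255 any")
    print("overlaps after cleanup:", find_overlaps(fixed))
    print("pools:", pool_report(CONFIG))
```

Run against the constructed text, the check flags 10.1.0.0/16 as matched by both the NAT and NAT1 rules until the entry is dropped from acl NAT, and reports the vlan2 pool as "routed": the pool is not on the 85.1.2.72/30 link, so traffic to it only reaches the router if the upstream carries the 85.1.3.0/24 route, which is exactly the point the poster wants to confirm with the provider.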

2 answer(s)
paralon, 2013-11-06
@Mario_Z

Like this:

interface GigabitEthernet0/1.2
 encapsulation dot1Q 6
 ip address 85.YY.ZZ.01 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!

you definitely don't need to do this, since I don't think the provider has dot1q enabled.
Indeed, you need to check whether your /24 subnet is routed to you. At a minimum, run a traceroute to 85.YY.ZZ.01 FROM OUTSIDE your network and compare it with a traceroute to 85.YY.XX.73.
If at first glance everything is OK (packets take the same path), see what sh ip nat tr shows when you try to go out to the Internet from the second VLAN, and whether PAT works at all.
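A check for the last step of this answer, added here as an example and not part of the answer itself: it parses constructed show ip nat translations output for the layout in the question and reports any session whose inside global address is not the one intended for its source subnet, plus how many inside hosts share each inside global address, which is what overload (PAT) looks like in the table. The 85.1.2.x / 85.1.3.x addresses are placeholders for the obfuscated 85.YY.XX / 85.YY.ZZ values and 203.0.113.x is a documentation range standing in for Internet hosts.

```python
import ipaddress

# Constructed 'show ip nat translations' output for the layout in the question
# (85.YY.XX -> 85.1.2, 85.YY.ZZ -> 85.1.3; 203.0.113.0/24 stands in for Internet hosts).
OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 85.1.3.2:50123        10.1.0.25:50123       203.0.113.10:443      203.0.113.10:443
udp 85.1.3.2:41000        10.1.0.77:41000       203.0.113.53:53       203.0.113.53:53
tcp 85.1.2.73:50200       10.2.0.5:50200        203.0.113.10:443      203.0.113.10:443
tcp 85.1.2.73:50201       172.16.0.40:50201     203.0.113.10:80       203.0.113.10:80
"""

# Intended mapping: VLAN2 exits via the pool, everything else via the link address.
EXPECTED = {
    ipaddress.IPv4Network("10.1.0.0/16"): ipaddress.IPv4Network("85.1.3.0/24"),
    ipaddress.IPv4Network("10.2.0.0/16"): ipaddress.IPv4Network("85.1.2.73/32"),
    ipaddress.IPv4Network("172.16.0.0/24"): ipaddress.IPv4Network("85.1.2.73/32"),
}

def split_endpoint(text):
    """'85.1.3.2:50123' -> (IPv4Address, 50123); '---' or a bare address has no port."""
    if text == "---":
        return None, None
    host, _, port = text.rpartition(":")
    if not host:
        return ipaddress.IPv4Address(port), None
    return ipaddress.IPv4Address(host), int(port)

def parse_translations(text):
    """Rows of 'show ip nat translations' as dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto, "inside_global": split_endpoint(ig),
                     "inside_local": split_endpoint(il),
                     "outside": split_endpoint(og)})
    return rows

def check_mapping(rows, expected=EXPECTED):
    """Rows whose inside-global address is not the one intended for their
    inside-local subnet, or whose inside-local subnet is not covered at all."""
    bad = []
    for row in rows:
        local, _ = row["inside_local"]
        glob, _ = row["inside_global"]
        if local is None or glob is None:
            continue
        wanted = next((g for l, g in expected.items() if local in l), None)
        if wanted is None or glob not in wanted:
            bad.append(row)
    return bad

def pat_sharing(rows):
    """Inside-global address -> number of distinct inside-local hosts behind it;
    a count above 1 shows that overload (PAT) is in effect for that address."""
    seen = {}
    for row in rows:
        if row["inside_global"][0] is not None:
            seen.setdefault(row["inside_global"][0], set()).add(row["inside_local"][0])
    return {str(addr): len(hosts) for addr, hosts in seen.items()}

if __name__ == "__main__":
    rows = parse_translations(OUTPUT)
    print("unexpected mappings:", check_mapping(rows))
    print("hosts per inside global:", pat_sharing(rows))
```

If the output shows VLAN2 sessions translated to the interface address instead of a pool address, the NAT1 rule is not being selected; if VLAN2 sessions are translated to the pool but replies never arrive, the problem is upstream routing of the /24, which is what the traceroute comparison in this answer is meant to reveal.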

Mario_Z, 2013-11-06
@Mario_Z

Yes, the settings are correct. I myself am the sysadmin of a small provider.
I apologize for my illiteracy in terminology, but what does the phrase “just turned on secondary” mean?
