Answer the question
In order to leave comments, you need to log in
M
M
Mario_Z2013-11-05 22:51:05
Mario_Z, 2013-11-05 22:51:05
External address pool different from connection address
Actually the situation is this. There is a connection to the higher backbone Internet provider: 85.YY.XX.72/30, there is also a dedicated address pool 85.YY.ZZ.0/24, which does not match the connection network.
I did the following (Cisco 3945, IOS 15.1).
Looking towards the provider:
Hidden text!
interface GigabitEthernet0/1
description === Internet ===
ip address 85.YY.XX.73 255.255.255.252
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
The main interface and two VLANs look towards the clients:
Hidden text!
interface GigabitEthernet0/0
description === LAN ===
ip address 172.16.0.10 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 2
ip address 10.1.0.10 255.255.0.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.3
encapsulation dot1Q 3
ip address 10.2.0.10 255.255.0.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
Now NAT is configured like this:
Hidden textip nat inside source list NAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 85.YY.XX.74
!
ip access-list extended NAT
permit ip 172.16.0.0 0.0.0.255 any
permit ip 10.1.0.0 0.0.255.255 any
permit ip 10.2.0.0 0.0.255.255 any
Everything works through one external IP.
I want to hang each of the internal VLANs on my external IP from the pool allocated by the provider.
I do this (so far only for VLAN2):
Hidden textip nat pool vlan2 85.YY.ZZ.02 85.YY.ZZ.254 prefix-length 24
ip nat inside source list NAT1 pool vlan2 overload
!
ip access-list extended NAT1
permit ip 10.1.0.0 0.0.255.255 any
Naturally, I delete from the acl NAT list:
Hidden textpermit ip 10.1.0.0 0.0.255.255 any
And nothing works.
Also I tried to raise the virtual interface:
Hidden text!
interface GigabitEthernet0/1.2
encapsulation dot1Q 6
ip address 85.YY.ZZ.01 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
No positive changes.
There is also a suspicion that the provider did not register routing for itself:
Hidden textip route 85.YY.ZZ.0 255.255.255.0 85.YY.XX.73
Although this is stated in the accompanying documents received from him.
Tomorrow I will call and find out if they forgot to register the above designated routing.
The real question is what did I do wrong. Googling and smoking manuals did not give other food for thought. The only difference in all the examples studied is that the connection network and the address pool are on the same subnet, but for me they are different. Help good people.
2 answer(s)
@Mario_Z
you definitely don't have to do it. Since, I don’t think that the provider has turned on dot1q.
Indeed, you need to check if your /24 subnet is routed to you. Conduct at least a trace to the address 85.YY.ZZ.01 FROM OUTSIDE your network, and compare with the trace to the address 85.YY.XX.73
If at first glance everything is ok (packets go along the same path), see what sh ip nat shows tr when trying to exit the second vlan to the Internet, does PAT work in principle
P
paralon, 2013-11-06 @Mario_Z
Like this:
interface GigabitEthernet0/1.2
encapsulation dot1Q 6
ip address 85.YY.ZZ.01 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
you definitely don't have to do it. Since, I don’t think that the provider has turned on dot1q.
Indeed, you need to check if your /24 subnet is routed to you. Conduct at least a trace to the address 85.YY.ZZ.01 FROM OUTSIDE your network, and compare with the trace to the address 85.YY.XX.73
If at first glance everything is ok (packets go along the same path), see what sh ip nat shows tr when trying to exit the second vlan to the Internet, does PAT work in principle
Similar questions
N
F
F
S
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question