Cisco WAN :: Static NAT On ME6524 Running VRF-Lite
Nov 17, 2011
I'm having a rather bizarre and highly annoying problem with static NAT on an ME6524. I've created a virtual router (VRF CORPNET) which has one physical L3 interface, one SVI and one loopback. This virtual router has the sole purpose of NATing our internet-addressable IP addresses to another set of addresses on our corporate WAN.
There are two NAT rules: a single 1-1 static NAT, and an overload NAT for everything else, which uses the loopback address. The 1-1 static NAT is used to NAT our VPN ASA, which is used to establish a site-to-site VPN to one of our counterparts on the corporate WAN. This works fine most of the time; however, once or twice a day the NAT just stops working, our site-to-site VPN drops, and traffic is seen on our counterpart's firewall with the source address un-NATed (they see 200.200.200.1 when they should see 30.30.30.65). When we go onto the 6524 and do a show ip nat translations we get the following (200.200.200.1 is our VPN ASA; 200.200.200.10 is just user traffic):
ZR-BDG1-6524#sh ip nat translations
Pro Inside global       Inside local          Outside local     Outside global
udp 30.30.30.65:500     200.200.200.1:500     30.30.40.4:500    30.30.40.4:500
udp 30.30.30.65:500     200.200.200.1:500     30.30.40.4:500    30.30.40.4:500
[code].....
As you can see, for some reason we have multiple identical PAT entries for port 500. While this is the case, traffic from our VPN ASA is crossing the box without being NATed. If I issue a clear ip nat trans * then the situation is immediately resolved, and the VPN reconnects without issue.
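For reference, an added example (not the poster's configuration) of the two-rule VRF-lite NAT layout described in the post: one static 1:1 translation for the VPN ASA and one overload rule on a loopback for everything else, both bound to VRF CORPNET. The VRF name and the addresses 200.200.200.1 / 30.30.30.65 come from the post; the RD, interface names, the 30.30.40.0/24 WAN-side network, the loopback address and the ACL name are assumptions. The overload ACL denies the statically translated host before the permit so that only one NAT rule can ever match its packets, and the show commands at the end are the checks to run when the translation table looks wrong.

```cisco
! Added example: VRF-lite NAT with one static 1:1 and one overload rule.
! Assumed: RD 65000:1, interface names, 30.30.40.0/24 WAN side,
! loopback 30.30.30.66 and ACL name CORPNET-PAT.
ip vrf CORPNET
 rd 65000:1
!
interface Loopback10
 description PAT address for CORPNET overload
 ip vrf forwarding CORPNET
 ip address 30.30.30.66 255.255.255.255
!
interface Vlan200
 description Inside: VPN ASA outside interface and user traffic
 ip vrf forwarding CORPNET
 ip address 200.200.200.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet1/1
 description Outside: corporate WAN
 ip vrf forwarding CORPNET
 ip address 30.30.40.1 255.255.255.0
 ip nat outside
!
! Overload ACL: deny the 1:1 host first so its traffic can only match
! the static rule and never the overload rule.
ip access-list extended CORPNET-PAT
 deny   ip host 200.200.200.1 any
 permit ip 200.200.200.0 0.0.0.255 any
!
! Static 1:1 for the VPN ASA, then PAT for everything else in the VRF.
ip nat inside source static 200.200.200.1 30.30.30.65 vrf CORPNET
ip nat inside source list CORPNET-PAT interface Loopback10 vrf CORPNET overload
!
! Checks (exec mode):
!  show ip nat translations vrf CORPNET
!  show ip nat statistics
!  show ip nat translations vrf CORPNET verbose
```

The loopback used as the PAT address must be reachable from the WAN side (advertise 30.30.30.66/32 in whatever routing protocol runs in the VRF), and the 1:1 host must never be covered by the overload ACL; with both rules able to match the same source, which translation wins depends on rule order rather than intent.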
We have an ME6524 running as an MPLS P router. We want to mirror a port to capture a specific traffic stream (to a probe). As the port is an MPLS LDP port, will this work? Will both the VACL and SPAN work with MPLS-tagged packets, or do the mirror and VACL work after the labels have been removed?
I have a stack of 2 x 3750X switches; these are running 12.2(55)SE5. I needed to add some static IP routes and found that the ‘ip routing’ command is not supported. I came across a document that stated “On switches running the LAN Base feature, static routing on VLANs is supported only with Cisco IOS Release 12.2(58)SE and later.” So I have upgraded to 12.2(58)SE2, but ‘ip routing’ is still not a valid command.
The release notes state: “On the Cisco Catalyst 3560-X and 3750-X Series, it adds support for 16 static IPv4 routes in the LAN Base image.”
I have read other posts that talk about running the ‘sdm prefer routing’ command which I have done, but I am still unable to add any routes or run the ‘ip routing’ command.
Imagine an organization has about 300 partners. Currently the data center has 100 Cisco 1800 routers to accept P2P connections from each partner.
Now the organization's proposal is:
- Use MPLS and an extranet network. Advertise a certain unique route to each partner.
- Grant a unique VPN ID for each partner and VRF-Lite at the data center. Then bring each partner with a separate tagged VLAN to the data center via MPLS.
Using the VRF-Lite functionality on Cisco 3750G's (WS-C3750G-24T-S), I've currently got a situation with a set of 3750's running inter-VLAN routing for around 80/90 connected subnets (140+ gig ports). I'm looking in the coming week at creating a new VRF and enabling OSPF for that VRF while leaving the existing routing arrangements in the default IP routing table.
I'm in a situation where I can't replicate the live config into a lab to test the impact / implications of enabling / creating VRFs. I know the 3750's have very limited support for VRFs (24 if I recall) but I only plan on using 2 or 3 max currently.
I have 30 switches in my corporate network; it's all up and running. All switches are running the default configuration and are connected to a WS-C4506 core switch; our DHCP server is pooling the 192.168.100.1/27 network. Now we need to configure a new VLAN for the finance department; this department has more than 200 users. If my server distributes the 192.168.200.0 range, can VLAN 2 automatically assign 200.0 addresses to the finance department? All switches are running the default config with no IP address assigned.
I need to replace an existing ASA 5540 with a new ASA 5525X. I would like to pre-stage and configure the new box with the existing config, migrate the license and export the certificate files before swapping it with the old one during a change window. The new firewall will run 9.1 on deployment. Now the same 7.2(4) configuration cannot just be copied over to a 5525X running the minimum 8.6 version. There is a web-based tool available at [URL] according to Cisco documentation, but the page does not load for me (Cisco intranet-only tool?). Is there another tool for automatic conversion?
We want to deploy an NMS (Network Monitoring System), in this case SolarWinds, to monitor devices we have deployed at customer sites. We will make an IP VPN connection (ASA5510 with Cisco 800's) to each customer site. We have one primary NMS installation running in our datacenter. This NMS has to have a connection to all customer sites. We run into a problem when two customers use the same subnet. We want to use VRF-Lite to solve this problem but I am stuck in my design.
I have attached "VRF.jpg" to show the (basic) design I have made. The connection from the customer to the router in the datacenter is not a problem. We can put the fa0.1 and VPN interface in the same VRF group. Via one physical cable we will go from the router to the NMS, on which the NMS has multiple virtual interfaces. The datacenter router will route between the 192.168.x.x (NMS) and 10.1.1.x (customer). What I can't seem to comprehend is how the NMS can decide how to get to Customer 1 or Customer 2. The customer can reach the NMS one way, but the NMS has no way to reply back because if it replies to 10.1.1.1 it can either use interface fa0.1 or interface fa0.2.
I am trying to “build up” a small home network using some of the following Cisco equipment:
ASA 5505 v8.4.3 with base license, Cisco Catalyst 3750G with IP Services version 15.0.x, and 1 qty of AP1142N. I am not able to get internet access from any VRFs.
From the "MILAN" (LAN) VRF, I am able to ping my gw 10.45.45.1 but I am not able to ping, for example, the “linknett” VRF.
It seems that I am missing some NAT rules on the ASA, or?
If I connect my laptop directly to the ASA, I am able to get internet access!
I am not feeling comfortable with the new ASA 8.4 code yet, so I'm not so sure which exact codes I am missing on the ASA...
Attached: diagram including configuration files from the ASA and 3750 switch.
Thinking of getting one of those 8-port 2960s for CCNP study. Is the difference between the C2960-8TC-S and the C2960-8TC-L models in hardware, or in IOS, or both? And if it's in IOS, is the S upgradable to L?
I am trying to test (if possible) the idea of having 2 6509-E switches connected directly to each other while using VRF-lite (Sup 2T). The idea is to have 3-4 separate networks, for example Net-A, Net-B, Net-C, Net-D. There is no PE router*, just these two switches. Also, there aren't any other access layer switches. All users connect directly to the 6509-E's via 48-port switch blades.
Net-A and Net-B on separate VRFs, but able to talk to each other. Net-C and Net-D* on separate VRFs without being able to talk to any other. Net-D* will have a PE since it comes from an external network. This is something I would like to test in a lab environment, but I am not familiar with VRFs.
We have inserted a Cisco 2960-S switch into a network with VTP, not knowing that it had IOS LAN Lite installed. Now I have discovered that it can handle up to 64 VLANs. In the network there are currently 62 VLANs configured: what happens when we exceed the max number (64) of VLANs for that switch?
These two interfaces are in the global routing table because there is no VRF indication. These are for internet access (a simple ADSL connection). Then I have this interface in the VRF named "lan123":
interface FastEthernet0/1.23
 encapsulation dot1Q 123
 ip vrf forwarding lan123
 ip address 192.168.143.254 255.255.255.0
 ip nat enable
Now the issue.If I write:
ip route vrf lan123 0.0.0.0 0.0.0.0 Dialer0
this works and, with NAT, internet works. The question is why this works without the "global" keyword? I'm going from the routing table of the VRF named "lan123" to the global table without using the "global" keyword.
If I try to use:
ip route vrf lan123 0.0.0.0 0.0.0.0 Dialer0 global
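As an added illustration (not from the original post) of the two forms of VRF-to-global static route the post is comparing. The `global` keyword on `ip route vrf` tells IOS to resolve the route's next-hop address in the global routing table instead of the VRF's own table; a route that names only an outgoing interface has no next-hop lookup to redirect, so the interface-only form already forwards VRF traffic out a global interface such as Dialer0. The VRF name, the subinterface and the 192.168.143.0/24 LAN come from the post; the RD, the ACL name, the NVI NAT statement, and the alternative Ethernet uplink with next hop 203.0.113.1 (documentation range) are assumptions.

```cisco
! Added example: VRF "lan123" reaching the internet through a global-table
! uplink. Assumed: RD 65000:123, ACL LAN123-NAT, and the alternative
! uplink GigabitEthernet0/1 with next hop 203.0.113.1.
ip vrf lan123
 rd 65000:123
!
interface FastEthernet0/1.23
 encapsulation dot1Q 123
 ip vrf forwarding lan123
 ip address 192.168.143.254 255.255.255.0
 ip nat enable
!
! The ADSL uplink stays in the global table; NVI-style NAT ("ip nat enable")
! on both sides keeps return traffic associated with the VRF it came from.
interface Dialer0
 ip nat enable
!
ip access-list extended LAN123-NAT
 permit ip 192.168.143.0 0.0.0.255 any
!
ip nat source list LAN123-NAT interface Dialer0 overload
!
! Form 1: outgoing interface only. No next-hop address is resolved, so the
! "global" keyword is not needed; packets are simply sent out Dialer0.
ip route vrf lan123 0.0.0.0 0.0.0.0 Dialer0
!
! Form 2: the same default route for an uplink that does have a next hop
! (assumed GigabitEthernet0/1 / 203.0.113.1). Without "global" IOS would
! look up 203.0.113.1 inside VRF lan123, where it is unknown; with it the
! lookup is done in the global table.
! ip route vrf lan123 0.0.0.0 0.0.0.0 GigabitEthernet0/1 203.0.113.1 global
!
! Checks:
!  show ip route vrf lan123
!  show ip nat nvi translations
```

When troubleshooting this kind of leak, confirm the route actually installed with `show ip route vrf lan123` and, for the next-hop form, that the next hop is reachable in the table the keyword points at; a static route whose next hop cannot be resolved simply never appears.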
We ordered 4x Cisco 2960 switches with LAN Lite software by mistake. Can we upgrade them to LAN Base? When I change the boot image I get "Error: hardware not supported by firmware".
We are trying to set up a new configuration with 2960S as access switches and a 4507 as a core switch. I want to protect the management IP VLAN of the switches using a VRF on the 4507, so we:
- shut VLAN 1 on every switch (2960 + 4507)
- create a new VLAN 289 (management VLAN) -> IP network: 10.32.126.192/26, L3 VLAN on every switch
- put VLAN 289 in the VRF XXX on the 4507
- create a trunk between the switch and the 4507: switchport mode trunk, switchport trunk allowed vlan 200-230, switchport trunk native vlan 289
So with this configuration, on the 2960 the VLAN 289 is UP/DOWN and UP/UP on the 4507. I can access the 4507 using the IP in VLAN 289 but I cannot access the 2960 behind the 4507. CDP connectivity is ok?
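An added example (not the poster's actual configuration) of the management-VLAN-in-a-VRF design described above, written out on both sides of the trunk. Two facts about IOS trunks matter for the SVI state reported in the post: a VLAN, native or not, is only carried as data across a trunk if it is in the `switchport trunk allowed vlan` list (control protocols such as CDP are still exchanged on the native VLAN when it is excluded, which is why CDP can work while IP does not), and an SVI on a Layer-2 switch only goes up/up once the VLAN exists in its VLAN database and at least one up port or trunk carries it. The VRF name MGMT, interface numbers and host addresses are assumptions; VLAN 289 and 10.32.126.192/26 are from the post.

```cisco
! ---- 4507 core: management SVI isolated in its own VRF ----
ip vrf MGMT
 rd 65000:289
!
vlan 289
 name MANAGEMENT
!
interface Vlan289
 description Switch management, VRF MGMT only
 ip vrf forwarding MGMT
 ip address 10.32.126.193 255.255.255.192
!
interface GigabitEthernet1/1
 description Trunk to access 2960-S
 ! omit the next line on supervisors that only support 802.1Q
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 289
 ! 289 must be in the allowed list even though it is the native VLAN
 switchport trunk allowed vlan 200-230,289
!
! ---- 2960-S access: VLAN 1 shut, one management SVI ----
vlan 289
 name MANAGEMENT
!
interface Vlan1
 shutdown
!
interface Vlan289
 description Management
 ip address 10.32.126.194 255.255.255.192
 no shutdown
!
ip default-gateway 10.32.126.193
!
interface GigabitEthernet1/0/1
 description Uplink to 4507
 switchport mode trunk
 switchport trunk native vlan 289
 switchport trunk allowed vlan 200-230,289
!
! Checks on the 2960-S:
!  show interfaces trunk        -> VLAN 289 in "allowed and active"
!  show interfaces vlan 289     -> line protocol up once the trunk carries it
! Check on the 4507:
!  show ip vrf interfaces MGMT  -> Vlan289 listed in VRF MGMT
```

Keeping management in a VRF only helps if nothing else can reach that table: make sure no other SVI or static route on the 4507 is placed in MGMT, and that the management prefix is not redistributed into the global table.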
A quick one, because I'm scratching my head trying to figure out the difference between the 2960 LAN Base and LAN Lite IOS installs. I want to put a 2960 into a site which has a layer 2 link on dark fiber taking it elsewhere. This part I'm not concerned about; the WS-C2960-24TC will do what I need without issue, but I don't know if I can get away with LAN Lite, or if I need LAN Base.
I basically need VLANs with associated SVIs, and a routed link on the uplink port (I don't care if it's a switchport with an associated SVI or a no switchport and IP address), but it's got to be able to run OSPF. Can I do this with LAN Base on this series switch? Or do I need to go for a higher series (3560?). I *could* get away with static routes, but my boss is walking death on them unless I can 100% prove they're necessary, so I'd rather not fight that fight!
I have some 2960 switches with the LAN Lite IOS in my infrastructure, and I am trying to configure them to support "trust device cisco-phone" and "switchport priority extend cos 0" on ports with Cisco phones. But the LAN Lite image does not support "mls qos trust device cisco-phone". Can I use any workaround to trust the CoS of the Cisco phone and to remark PC traffic with CoS 0?
Setting up VRF-lite on redundant 6509-E chassis to account for chassis failure? Let's say I have 2x 6509-Es configured with HSRP for 2 VLANs, ServerA and ServerB. So:
6509-A#
!
interface Vlan10
 description ServerA VLAN
 ip address 10.10.10.2 255.255.255.0
 ip flow ingress
 standby 1 ip 10.10.10.1
 standby 1 priority 105
[code].....
I now need to create an environment where the server VLANs can be provided for two customers, and they need to be wholly separate. On 6509-A, I make VRF CustomerA and VRF CustomerB and I assign Vlan10 to VRF CustomerA and Vlan20 to CustomerB. Do I create the SAME VRFs on 6509-B with the same logic?
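An added example, not from the original post, of the two-chassis layout described above with both VLANs moved into per-customer VRFs on both 6509-Es. The VRF definitions and the VLAN-to-VRF mapping must be identical on the two chassis: HSRP hellos travel inside the VLAN, and whichever chassis is active forwards using the table its SVI belongs to, so a VLAN mapped to different VRFs on the two boxes would fail over into the wrong table. Note also that entering `ip vrf forwarding` on an SVI that already has an IP address removes that address, so it has to be re-entered. The VRF names, Vlan10 and 10.10.10.2 come from the post; the RDs, the Vlan20 addressing, 6509-B's addresses and the HSRP group 2 are assumptions.

```cisco
! ---- identical VRF definitions on BOTH chassis ----
ip vrf CustomerA
 rd 65000:10
!
ip vrf CustomerB
 rd 65000:20
!
! ---- 6509-A (preferred active for both groups) ----
interface Vlan10
 description ServerA VLAN (CustomerA)
 ip vrf forwarding CustomerA
 ! re-enter the address: "ip vrf forwarding" clears it
 ip address 10.10.10.2 255.255.255.0
 ip flow ingress
 standby 1 ip 10.10.10.1
 standby 1 priority 105
 standby 1 preempt
!
interface Vlan20
 description ServerB VLAN (CustomerB)
 ip vrf forwarding CustomerB
 ip address 10.10.20.2 255.255.255.0
 ip flow ingress
 standby 2 ip 10.10.20.1
 standby 2 priority 105
 standby 2 preempt
!
! ---- 6509-B (same VRFs, same VLAN-to-VRF mapping, default priority) ----
interface Vlan10
 description ServerA VLAN (CustomerA)
 ip vrf forwarding CustomerA
 ip address 10.10.10.3 255.255.255.0
 standby 1 ip 10.10.10.1
 standby 1 preempt
!
interface Vlan20
 description ServerB VLAN (CustomerB)
 ip vrf forwarding CustomerB
 ip address 10.10.20.3 255.255.255.0
 standby 2 ip 10.10.20.1
 standby 2 preempt
!
! Checks on each chassis:
!  show ip vrf interfaces          -> Vlan10 in CustomerA, Vlan20 in CustomerB
!  show standby brief              -> one Active and one Standby per group
!  show ip route vrf CustomerA     -> must not contain CustomerB prefixes
```

Separation between the customers holds only as long as neither VRF imports the other's routes and no global-table SVI sits in either VLAN; the last check above is the quick way to confirm that after any change.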
I have a 2960 SI LAN Lite switch that I am configuring for admin and guest access. I have wireless APs plugged into trunked ports 2 and 3. I am using two VLANs (in addition to the native VLAN): VLAN 5 for admin and VLAN 10 for guest access. I have an ACL configured on the router preventing guest users from accessing the admin network. I want to prevent those on the guest network from seeing other hosts in the VLAN; however, the LAN Lite software does not support port ACLs. Is there any way to accomplish this with this switch?
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
[Code]...
Today I installed the 1.0.2.6 firmware on an RV180W. I now have only two problems regarding the static DHCP support in the GUI.
1. Via Networking > LAN (Local Network) > Static DHCP I have no buttons to add a new static lease.
2. Via Networking > LAN (Local Network) > DHCP Lease Clients I can tick a lease and click on Make Static IP. The result is an error: Operation failed.
Any major difference between NetFlow vs NetFlow-Lite?
I am trying to understand whether a Cisco 4948E can do the same job as a Cisco 4500E or not, and the difference between NetFlow vs NetFlow-Lite will help me select the correct product.
I'm not sure how to tell if I'm running SSH version 1 or SSH version 2, or both. I thought a show run would show a line like "ip ssh version 2" or "no ip ssh version 1", but I don't see these anywhere.
Connecting a PRI to a BRI interface on ISDN. I have all this information provided by the telco and I have configured it, but for some reason I am not able to connect them. I have given the questions with the answers provided by the telco. I am also providing the running configuration of the PRI interface and the error message I am getting when trying a test call.
1. Is the PBX designed for Pre-National or NI-2 protocol? - Protocol using C7MATL
2. Are there any DID station numbers that your CPE cannot accept? - No (i.e. 0 or 9 in the 4th position)
3. Which carriers will be your choices for your PIC and LPIC? - Carrier using DChannel
I can't seem to get my DIR-655 up and running again. I had a D-Link DIR-655 hooked up via RJ-45 cable(s) to my AT&T U-Verse 3800HGV-B gateway. The DIR-655 was serving as a wireless connection for my laptops and also as a wired connection for a networked all-in-one printer that was plugged into it. The Ethernet (RJ-45) cable traveled from the gateway, through a 4-port switch, and then to the Internet (WAN) jack on the back of the DIR-655. There are a couple of wired computers connected via that switch in between; that's why it's there. At the DIR-655 end I had an HP Photo Premium AIO printer (Model: 309A) connected by wire, and of course the two laptops would connect via that unit too. The laptops are WinXP and Win7. Everything worked fine... BUT the upstairs iMac and a downstairs home office XP machine couldn't see the networked printer for some reason. That reason (apparently) is that the DIR-655 is part of a "separate network" or something. Well, long story short, I tried to adjust the settings on the DIR-655 but that didn't work, and then I tried to go back, but that didn't work either. So then I decided to just start from scratch and re-set up the whole thing, but NOW I can't even access the router via a browser at url...