NAT in CISCO 4500x

Similar Messages

• Cisco 4500X VSS & MEC Cisco 2960X

  Hi
  I have Cisco 4500x VSS  connect to  MEC Cisco 2960X using LACP.
  I encountered a problem about C2960X
  Integration reason
  1.C2960X Ten 1/0/2 link flapping interface error-disable .  I am  disable interface then  enable interface , switch show SFP not Present .
     Te1/0/2                      notconnect   1            full    10G Not Present. (SPF plug-in  Correct)
  2.use CLI reload C2960X , Ten 1/0/1 ,Ten 1/0/2   notconnect  SPF Not Present.  (SPF plug-in  Correct)
    error message :
  Dec 18 12:40:25.250: %SYS-5-CONFIG_I: Configured from console by console
  Dec 18 12:41:48.888: % ILET-1-AUTHENTICATION_FAIL: This Switch may not have been manufactured by Cisco or with Cisco's authorization.  This product may contain software that was copied in violation of Cisco's license terms.  If your use of this product is the cause of a support issue, Cisco may deny operation of the product, support under your warranty or under a Cisco technical support program such as Smartnet.  Please contact Cisco's Technical Assistance Center for more information.
  26F_guest_switch#show license
  Index 1 Feature: lanlite       
          Period left: 0  minute  0  second 
  Index 2 Feature: lanbase       
          Period left: Life time
          License Type: Permanent
          License State: Active, In Use
          License Priority: Medium
          License Count: Non-Counted
  3.C2960X power Cycle ,C2960X  operation normal, ,but recurring problems  every day.
  I do not know where the problem , I have  upgrade C2960X IOS but it had same problem.
  Cisco 2960X IOS version:  15.2(3)E    C2960X-UNIVERSALK9-M 
  Cisco 4500X IOS version: cat4500e-universalk9.SPA.03.05.00.E.152-1.E.bin
  Thanks for your help,

  Hi Reza,
  Thanks for your help
  I can not confirm that because I have a few switch have the same problem.
  C2960X 10G port 1 is connected to C4500X slot 1, Port 2 is connected to C4500X Slot2.
   link flapping, On the switch  port 2.
  I need to do a more precise test to confirm the problem is C2960X or 4500VSS

• Cisco 4500X Wireshark capture to usb not working

  Hi, I am Ashley and  i am testing  the Cisco 4500X using wireshark capture. advanced ip services IOS.
  The capture runs fine when storing the wireshark file on the bootflash. No worries.
  But when i configure the destination as USB0 my pendrive, it fails.
  The usb device is fine and is writable. I tested it by copying from bootflash to usb0:
  Followed the instructions in the config guide.
  It still fails.
  Can someone please help.
  Thanks,

  But when i configure the destination as USB0 my pendrive, it fails.
  Could be a bug but I wouldn't recommend configuring the destination as your USB drive because no one has the same luxury as you to have the USB sit there all the time.
  Store to the flash and transfer to USB is probably the best solution.

• Cisco 4500X IOS upgrade through ISSU

  Hi,
  I am having 2 number of cisco 4500x switch and configured with VSS
  so one switch is active and another switch is standby.
  I am panning to upgrade IOS through ISSU
  i read in document that it required auto boot enable in switch.
  My switch current Configuration register = 0x2101
  do i need to change config register or this will ok. If need to change then what will be auto boot and after IOS upgrade do i need to change it again.
  Please help....

  Hello Tarun,
  Please find below the steps to perform the ISSU:
  ISSU Prerequisites
  Before one can perform an ISSU, there are a few prerequisites one must verify for a successful ISSU. The following list explains what is initially required.
  • Must be using a redundant Cisco Catalyst 4500 switch with symmetric hardware (that is, supervisors, memory, rommon, NFL daughter card, and so on).
  • Both new and old Cisco IOS Software images must be preloaded to the file system on both supervisors.
  • SSO must be configured and working properly.
  • Config register must be configured to autoboot (that is, the value should have a "2" in the lowest byte).
  45010R-203# sh bootvar | i register
  Configuration register is 0x2102
  Standby Configuration register is 0x2102
  Several commands are available to verify if SSO is enabled:
  4510R-203# sh module | b Redundancy
  Mod  Redundancy role     Operating mode      Redundancy status
  ----+-------------------+-------------------+-------------------
   1   Standby Supervisor   SSO                  Standby hot        
   2   Active Supervisor    SSO                 Active
  45010R-203# sh redundancy states 
         my state = 13 -ACTIVE 
       peer state = 8   -STANDBY HOT 
             Mode = Duplex
             Unit = Secondary
          Unit ID = 2
  Redundancy Mode (Operational) =  Stateful Switchover
  Redundancy Mode (Configured)  =  Stateful Switchover
  Redundancy State              =  Stateful Switchover
               <snip>
  4507R-ISSU# sh run | b redundancy
  redundancy
   mode  sso
  As a step prior to the beginning of the ISSU process, the new version of the Cisco IOS Software image needs to be loaded into both the active and standby supervisors' file systems. Both active and standby supervisor need to contain both the new and old images in the file system. In order to store both new and old images, the supervisors should be upgraded to contain sufficient amounts of flash memory prior to the ISSU process.
  The new images can be downloaded into both supervisors using commands such as:
  copy tftp: bootflash:
  copy tftp: slavebootflash: 
  The example below illustrates this verification:
  4510R-203#dir
  Directory of bootflash:/
  1  -rwx 13636500 Sep 6 2006 03:18:58 -08:00 cat4500-entservices-mz.122-31.SGA
  2  -rwx 13747611 Sep 9 2006 03:19:58 -08:00 cat4500-entservices-mz.122-31.SGA1
  4510R-203#dir slavebootflash:
  Directory of slavebootflash:/
  1  -rwx 13636500 Sep 6 2006 03:18:58 -08:00 cat4500-entservices-mz.122-31.SGA
  2  -rwx 13747611 Sep 9 2006 03:19:58 -08:00 cat4500-entservices-mz.122-31.SGA1 
  Once this check is verified, one can now proceed with the ISSU process.
  The ISSU process is started by typing the "issu loadversion" command on the active supervisor. This command directs the active supervisor to begin the ISSU process. The active supervisor, through intersupervisor communications, checks that the requested image has been downloaded into both the active and standby supervisors' file systems. If the required images are not present, the command is rejected, and an appropriate warning is generated.
  If the "issu loadversion" command is successful, the switch transitions into the "Load Version" ISSU state. The standby supervisor will reset and boot with the new version of the Cisco IOS Software image loaded into the file system.
  The following actions take place when the command is implemented:
  1. The standby supervisor (B) is reset.
  2. The standby supervisor (B) is booted with the new Cisco IOS Software image: Release 12.2(31)SGA1.
  3. If both Cisco IOS Software images are declared as compatible, the standby supervisor moves into SSO mode and is fully stateful for all compatible clients and applications. Compatibility allows for in-service software upgrade or downgrade between two versions to succeed with minimal service effect.
  4. If both Cisco IOS Software images are incompatible, the system moves into RPR mode, and the ISSU process is terminated with an appropriate message to the user. Images are declared incompatible when "required" clients or applications are not interoperable between two Cisco IOS Software releases.
  5. Standby "B" reaches the standby HOT state.
  6. The user has an option to abort the ISSU process by issuing the "issu abortversion" command.
  7. The "issu loadversion" command also supports a "forced" option that allows the operator to force the system into entering RPR mode when incompatibility is detected.
  Note: When performing an ISSU, disable manual switchovers. Performing manual switchovers during the issu process is strongly discouraged. The current implementation does not prevent it, but it does display a warning to the user.
  An example of the CLI for implementing the issu loadversion command is displayed below.
  On the active supervisor, one would issue the following command:
  4510R-203#issu loadversion 1 bootflash:cat4500-entservices-mz.122-31.SGA1 2 slavebootflash: cat4500-entservices-mz.122-31.SGA1
  Syntax - issu loadversion active-slot active-image-new standby-slot standby-image-new
  The second step of the ISSU process is to perform the issu runversion CLI.
  The user can issue the " issu runversion" command when:
  1. The ISSU state is "Load Version"; this can be verified with the "show issu state detail" CLI.
  2. The standby supervisor is running the new version of the software.
  3. The standby supervisor has moved into the "Standby Hot " state.
  The following actions take place when the " issu runversion" command is executed:
  1. A switchover occurs; that is, the standby (B) becomes the new active, and the old active (A) is rebooted and comes up as a standby.
  2. A timer called "Rollback Timer" is started with a previously configured value.
  3. Move both supervisors to "Run Version" state.
  4. If the command "issu acceptversion" is not issued before the "Rollback timer" fires, then the entire ISSU process is aborted via the automatic rollback.
  5. If the active supervisor console connectivity is established and the "issu acceptversion" command is issued, then the rollback timer is stopped.
  6. The user has an option to abort the ISSU process by issuing the "issu abortversion" command.
  An example of the CLI for implementing the issu runversion command is displayed below:
  On the active supervisor, one would issue the following command:
  4510R-203#issu runversion 2 slavebootflash:cat4500-entservices-mz.122-31.SGA1
  Syntax - issu runversion standby-slot [standby-image-new]
  Prior to issuing the `issu acceptversion' command the system will be counting down the rollback timer. If `issu acceptversion' is not completed before rollback timer expires an automatic abort will occur. This command stops the "Rollback Timer." This command serves as a feedback mechanism. This is an optional command and can be skipped in the ISSU process with the "issu commitversion" CLI.
  If this command is not issued within 45 minutes (default) from the time the standby supervisor moves into the "Standby Hot" state, it is assumed that the new active supervisor is not reachable and the entire ISSU process is rolled back to the previous version of the software. The acceptversion is not intended for long-term network operation. It is also important to note that none of the features available on the new version will work yet.
  The following actions take place when the command is implemented:
  1. The "Rollback Timer" is terminated. This means that the rollback timer is not looked at anymore. Therefore, the system can run in this state for an extended period.
  2. The user has an option to abort the ISSU process by issuing the command "issu abortversion."
  Aborting the ISSU process now causes the newly active supervisor (B) to fail over to the standby supervisor (A) running the old image and will also cause the rebooting supervisor (B) to load the original image. The issu acceptversion halts the rollback timer and helps ensure the ISSU process is not automatically aborted during the process.
  An example of the CLI for implementing the issu acceptversion command is displayed below:
  On the "New" active supervisor, one would issue the following command:
  4510R-203#issu acceptversion 2
  % Rollback timer stopped. Please issue the commitversion command.
  Syntax - issu acceptversion active-slot-number
  This is the last stage of the ISSU procedure. Once the user is satisfied with the new version of software, this must be committed by issuing the "issu commitversion" command. This command resets the standby supervisor and boots it with a new version of the software (same as the active supervisor). This concludes the ISSU process, and the new version of software is permanently committed on both supervisors. Since this is the conclusion of the ISSU process, the system can not be reverted back to the previous version of the software from this point onward as a part of this upgrade cycle. However, if for any reason users wish to go back to the previous version of the software, they can do so by starting a new upgrade/downgrade process.
  The following actions take place if the command is implemented:
  1. The standby supervisor (A) is reset and booted with the new version of Cisco IOS Software image.
  2. The standby supervisor (A) moves into the "Standby Hot" state in SSO mode and is fully stateful for all clients/applications that are compatible.
  3. Both supervisors are moved into "Final State," which is the same as "Initial State."
  4. Users can initiate switchovers from this point onward.
  An example of the CLI for implementing the issu commitversion command is displayed below:
  4510R-203#issu commitversion 1
  Syntax - issu commitversion standby-slot-number
  ISSU Process: issu abortversion
  One can abort the ISSU process at any stage manually (prior to issuing the issu commitversion command) by issuing the exec-level issu abortversion command. The ISSU process also aborts on its own if the software detects a failure.
  If a user aborts the process after issuing the issu loadversion command, then the standby supervisor engine is reset and reloaded with the original software.
  If the process is aborted after a user enters either the issu runversion or issu acceptversion command, then a second switchover is performed to the new standby supervisor engine that is still running the original software version.
  The supervisor engine that had been running the new software is reset and reloaded with the original software version. The command is accepted only in "Load Version" or "Run Version" states. In "Load Version" state, the active supervisor is running an old image and the standby supervisor is running new image.
  Syntax - issu abortversion active-slot [active-image-new]
  Let me know if you have any questions.

• Cisco 4500X + VSS + Trust Sec Switch to Switch Encryption

  Hi,
  actually im testing and evaluationg the Cisco 4500X switch as new distribution switch for our Company.... Now i have some issues with one of our requirements.
  For security reasons i need to encrypt the links between the 4500X and the access switches in other buildings (no issue with Trust Sec)
  But ... now i also need to encrypt the link between the two 4500X if i run VSS ... my question is .. is it possible to encrypt the VSL link with TrustSec Switch to Switch encryption?
  BR,
  Florian

  Hi Frloian,
  If you have 2 switches in different data centers than you do not need VSS. In fact this is very bad design as the whole concept of VSS is grasped on dual home design. In the essence the proper design of VSS system is to have every downsteram switch connected with one link to one VSS switch and other link to second VSS switch, so that when one VSS switch would fail other can take over. Please look at the VSS best practises:
  http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-virtual-switching-system-1440/109547-vss-best-practices.html#vss_best
  Update:
  There is possibility to encrypt VSL link, but only in 6500 sup2t environment:
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/virtual_switching_systems.html#wp1341144

• Configuring PAT/NAT in cisco routers

  hello, first sorry for my bad english
  i just wanted to know how configuring PAT (port address translation)
  like this :?
  amir(config)#ip nat inside source static tcp 192.168.1.1 1000 172.16.1.1 1000
  or not?
  2nd question i have is:
  when i need to write: "ip nat inside source"... and when i need to write "ip nat outside" ..
  and the last question for now is:
  how i can (if that's possible) to configure dynamic PAT - I mean that any computer on my LAN will go out to the internet with the same address but with diffrent ports - in random mode.(i mean without configuring static one by one)
  i hope i was clear enough, tanks a lot!

  Hi Tiger,
  1) Yes your first statement is a static PAT statement which will say source ip with source port 1000 is translated to 172.16.1.1 with same port number but yes it is a static PAT entry.
  2) Coming to your 2nd question
  "ip nat inside source" is a global config command which says any traffic which hits the inside interface nat the source ip address.
  "ip nat inside" is a interface mode command which should be done going to any interface. This command specifies which will be an inside interface which will nat the incoming traffic.
  3) Coming to your last question
  For dynamic PAT you just need to configure overload command at the end of your nat statement.
  This link will give you a very broad and nice picture of how NAT can be configured in different situation
  http://www.cisco.com/warp/public/556/12.html#6
  HTH
  Ankur

• Nat in Cisco IOS 9.1

  Good afternoon, I need to publish two mail servers
  private IP
  192.168.5.2
  192.168.5.3
  public IP
  190.151.8.2
  190.151.8.3
  Both servers should send emails with IP 190.151.8.4
  The configuration would be the next?
  nat (Inside, Internet) source static 192.168.5.2 190.151.8.2
  nat (Inside, Internet) source static 192.168.5.3 190.151.8.3
  dynamic NAT
  nat (LAN, Internet) source dynamic 192.168.5.2 190.151.8.4
  nat (LAN, Internet) source dynamic 192.168.5.3 190.151.8.4

  Marco,
  You need dynamic for both of them to send emails out and static PAT to receive emails.
  Dynamic
  object net obj-email1
  host 192.168.5.2
    nat (inside,outside) dynamic 190.151.8.4
  object net obj-email2
  host 192.168.5.3
    nat (inside,outside) dynamic 190.151.8.4
  Static PAT
  object net obj-email1-spat
  host 192.168.5.2
    nat (inside,outside) static 190.151.8.2 service tcp 25 25
  object net obj-email2-spat
  host 192.168.5.3
    nat (inside,outside) static 190.151.8.3 service tcp 25 25
  -Kureli
  I will be discussing this problem in my webcast on Tue.
  https://supportforums.cisco.com/community/netpro/expert-corner#view=webcasts
  Upcoming Live Webcast in English: January 15, 2013
  Troubleshooting ASA and Firewall Service Modules
  Register today: http://tools.cisco.com/squish/42F25

• Nat in Cisco 4900M device

  Hi there
  Do you know if it´s possible to configure NAT in a Cisco 4900M device?, Is it possible upgrading the IOS version? or we only can do it with a Cisco 6500 device
  Version 15.0(2)SG, RELEASE SOFTWARE (fc4)

  Layer 3 switches, except for the 7200, will NEVER support NAT.  Period.

• Natting in cisco firewall ASA

  Hi,
  Currently I was facing a problem on how do i do a internal natting for my network.
  how do I nat my vlan 116 to vlan 200 in my firewall asa?
  Source                        Natted                     Destination
  192.168.116.0/24  -> 192.168.200.0/24  ->   192.168.102.0/24
  attached was my diagram and appreciate if someone can give me some guideline.

  Hello,
  The link below will help you for any NAT scenario you want.
  https://supportforums.cisco.com/docs/DOC-9129

• Cisco 4500x Support for USB

  Hi,
  Does the catalyst 4500x support any usb drive or does it need to be specific cisco
  USB-X45-4GB-E
  Cisco Catalyst 4500 4-GB USB
  I have tried a generic one. Copy works but wireshark capture to usb0 fails.
  Could it be that switch supports only cisco specific usb drive.
  Thanks

  Can anyone from Cisco confirm this?

• H323 NAT on cisco router

  I get to know that cisco router doesnt do h323 natting properly ,, Is this correct ???
  but D-link and planet routers do .
  actually its looks to me the matter of IOS of cisco , so any cisco IOS available to h323 natting ???

  http://cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a0080080535.html

• Configuring New Interface and NAT on Cisco 1900 Series Router.

  Hello Cisco Team,
  am asking for advise on how to how setup NAT rules and overload on my 2nd interface on my cisco 1900 series router,am not sure where am getting it wrong.
  my router has 2 interface, interface one has IP address 10.5.5.5X and plugs into my ASA firwall and into my switch and works just fine.
  i have just configured my second Interface with a new IP 172.16.0.X- i  want to NAT my new IP address to our public IP address which is 41.77.X.X
  my configuration so far are as follows.
  GigabitEthernet0/0         172.16.0.X      YES manual up                    up - Not working                                                                            
  GigabitEthernet0/1         10.5.5.X      YES NVRAM  up                    up- this works fine
  GigabitEthernet0/0/0       41.77.X.X  YES NVRAM  up                    up   

  Hello Jon,
  Thanks for your feedback, my router configuration are as follows.
   interface GigabitEthernet0/0
   description WL2504
   ip address 172.16.0.2 255.255.254.0
   duplex auto
   speed auto
  interface GigabitEthernet0/1
   description WAN
   ip address 10.55.55.2 255.255.255.252
   ip nat inside
   ip virtual-reassembly in
   duplex auto
   speed auto
  interface GigabitEthernet0/0/0
   description LINK TO CLT INTERNET
   ip address 41.X.X.130 255.255.255.248
   ip nat outside
   ip virtual-reassembly in
   duplex full
   speed 100
   media-type sfp
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
  ip route 0.0.0.0 0.0.0.0 41.X.X.129
  ip route 41.X.X.136 255.255.255.248 10.55.55.1
  ip route 192.168.0.0 255.255.255.0 10.55.55.1
  access-list 1 permit 10.55.55.0 0.0.0.255
  access-list 1 permit 192.168.0.0 0.0.0.255
  access-list 1 permit 192.168.1.0 0.0.0.255
  from the router interface  interface GigabitEthernet0/0- I will connect it to my wireless Controller WL 2504

• Nat transparency Cisco 877

  Hi,
  Can anyone tell me how can I enable NAT-T in a Cisco 877?
  I have setup a VPN between a Cisco 877 and a Cisco VPN client installed in a remote PC which is behind a NAT ADSL router. My vpn is established without problems, but traffic does not go through it. In the remote client I have enable NAT-T, so all VPN traffic travels in UDP packets. I want to enable NAT_T in my 807 Gateway router, so It can understand this traffic. Can anyone help me?
  Thanks in advance.
  Best regards,
  Jorge

  You may disregard this message... Unless you want to check over the config and make comments. It turns out that we stopped using DHCP when we switched to the 877 and we did not add the WINS server to our workstations. I believe this may have been the first issue. The second issue is isolated to a specific remote machine and we are planning on analysing their router and checking with their ISP before looking at the 877.
  Thanks all

• Cisco 4500x vss issue

  i configure vss on 4500x ,with one switch is active and the other switch go into recovery mode,with all port except the vsl links in the amber orange,shutdown,
  i want to make two switch into active state,some one could help in this.
  the configuration which i used is below
  itch virtual domain 100 
  switch 1
  exit
  switch virtual domain 100
  switch 2
  exit
  interface port-channel 10
  switchport
  switch virtual link 1
  no shut
  exit
  interface port-channel 20
  switchport
  switch virtual link 2
  no shut
  exit
  int range tengigabitethernet 1/15 - 16
  switchport
  switchport mode trunk
  switchport nonegotiate
  no shut
  channel-group 10 mode on
  int range tengigabitethernet 1/15 - 16
  switchport
  switchport mode trunk
  switchport nonegotiate
  no shut
  channel-group 20 mode on
  switch convert mode virtual 
  switch convert mode virtual 

  i can share two core switch configuration which is there 
  please suggest if something which i misconfigured and need to be corrected.
  TAKAFUL-CORE-01#show run
  Building configuration...
  Current configuration : 7510 bytes
  ! Last configuration change at 01:57:12 UTC Sun Aug 10 2014
  version 15.2
  service nagle
  no service pad
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service compress-config
  service sequence-numbers
  no service dhcp
  hostname TAKAFUL-CORE-01
  boot-start-marker
  boot system flash bootflash:cat4500e-universalk9.SPA.03.05.00.E.152-1.E.bin
  boot-end-marker
  vrf definition mgmtVrf
   address-family ipv4
   exit-address-family
   address-family ipv6
   exit-address-family
  username admin privilege 15 password 7 104F0D140C19
  no aaa new-model
  switch virtual domain 100
   switch mode virtual
   mac-address use-virtual
  no dual-active detection pagp
  no ip source-route
  ip vrf Liin-vrf
  no ip domain-lookup
  ip dhcp pool management
   network 10.2.20.0 255.255.255.0
   default-router 10.2.20.2
   option 43 ascii "10.2.20.1"
  ip dhcp pool Data
   network 10.3.30.0 255.255.255.0
   default-router 10.3.30.2
   dns-server 4.2.2.2 8.8.8.8
  ip dhcp pool Voice
   network 10.1.10.0 255.255.255.0
   default-router 10.1.10.2
  ip dhcp pool wireless
   network 10.4.40.0 255.255.255.0
   default-router 10.4.40.2
   dns-server 4.2.2.2 8.8.8.8
  no ip bootp server
  ip device tracking
  power redundancy-mode redundant
  mac access-list extended VSL-BPDU
   permit any 0180.c200.0000 0000.0000.0003
  mac access-list extended VSL-CDP
   permit any host 0100.0ccc.cccc
  mac access-list extended VSL-DOT1x
   permit any any 0x888E
  mac access-list extended VSL-GARP
   permit any host 0180.c200.0020
  mac access-list extended VSL-LLDP
   permit any host 0180.c200.000e
  mac access-list extended VSL-SSTP
   permit any host 0100.0ccc.cccd
  spanning-tree mode rapid-pvst
  spanning-tree portfast bpduguard default
  spanning-tree extend system-id
  spanning-tree vlan 1-4094 priority 24576
  redundancy
   mode sso
  vlan internal allocation policy ascending
  class-map match-any VSL-MGMT-PACKETS
   match access-group name VSL-MGMT
  class-map match-any VSL-DATA-PACKETS
   match any
  class-map match-any VSL-L2-CONTROL-PACKETS
   match access-group name VSL-DOT1x
   match access-group name VSL-BPDU
   match access-group name VSL-CDP
   match access-group name VSL-LLDP
   match access-group name VSL-SSTP
   match access-group name VSL-GARP
  class-map match-any VSL-L3-CONTROL-PACKETS
   match access-group name VSL-IPV4-ROUTING
   match access-group name VSL-BFD
   match access-group name VSL-DHCP-CLIENT-TO-SERVER
   match access-group name VSL-DHCP-SERVER-TO-CLIENT
   match access-group name VSL-DHCP-SERVER-TO-SERVER
   match access-group name VSL-IPV6-ROUTING
  class-map match-any VSL-MULTIMEDIA-TRAFFIC
   match dscp af41
   match dscp af42
   match dscp af43
   match dscp af31
   match dscp af32
   match dscp af33
   match dscp af21
   match dscp af22
   match dscp af23
  class-map match-any VSL-VOICE-VIDEO-TRAFFIC
   match dscp ef
   match dscp cs4
   match dscp cs5
  class-map match-any VSL-SIGNALING-NETWORK-MGMT
   match dscp cs2
   match dscp cs3
   match dscp cs6
   match dscp cs7
  policy-map VSL-Queuing-Policy
   class VSL-MGMT-PACKETS
    bandwidth percent 5
   class VSL-L2-CONTROL-PACKETS
    bandwidth percent 5
   class VSL-L3-CONTROL-PACKETS
    bandwidth percent 5
   class VSL-VOICE-VIDEO-TRAFFIC
    bandwidth percent 30
   class VSL-SIGNALING-NETWORK-MGMT
    bandwidth percent 10
   class VSL-MULTIMEDIA-TRAFFIC
    bandwidth percent 20
   class VSL-DATA-PACKETS
    bandwidth percent 20
   class class-default
    bandwidth percent 5
  interface Port-channel10
   switchport
   switchport mode trunk
   switchport nonegotiate
   switch virtual link 1
  interface FastEthernet1
   vrf forwarding mgmtVrf
   no ip address
   speed auto
   duplex auto
  interface TenGigabitEthernet1/1/1
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet1/1/2
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet1/1/3
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet1/1/4
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet1/1/5
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet1/1/6
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet1/1/7
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet1/1/8
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet1/1/9
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet1/1/10
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet1/1/11
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet1/1/12
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet1/1/13
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet1/1/14
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet1/1/15
   switchport mode trunk
   switchport nonegotiate
   no lldp transmit
   no lldp receive
   no cdp enable
   channel-group 10 mode on
   service-policy output VSL-Queuing-Policy
  interface TenGigabitEthernet1/1/16
   switchport mode trunk
   switchport nonegotiate
   no lldp transmit
   no lldp receive
   no cdp enable
   channel-group 10 mode on
   service-policy output VSL-Queuing-Policy
  interface Vlan1
   no ip address
   shutdown
  interface Vlan10
   description IP Telephony VLAN
   ip address 10.1.10.2 255.255.255.0
   no ip redirects
  interface Vlan20
   description Automation & Management VLAN
   ip address 10.2.20.2 255.255.255.0
   no ip redirects
  interface Vlan30
   description Data VLAN
   ip address 10.3.30.2 255.255.255.0
   no ip redirects
  interface Vlan40
   description Wireless Users VLAN
   ip address 10.4.40.2 255.255.255.0
   no ip redirects
  ip forward-protocol nd
  no ip forward-protocol udp netbios-ns
  no ip forward-protocol udp netbios-dgm
  no ip http server
  no ip http secure-server
  ip access-list extended VSL-BFD
   permit udp any any eq 3784
  ip access-list extended VSL-DHCP-CLIENT-TO-SERVER
   permit udp any eq bootpc any eq bootps
  ip access-list extended VSL-DHCP-SERVER-TO-CLIENT
   permit udp any eq bootps any eq bootpc
  ip access-list extended VSL-DHCP-SERVER-TO-SERVER
   permit udp any eq bootps any eq bootps
  ip access-list extended VSL-IPV4-ROUTING
   permit ip any 224.0.0.0 0.0.0.255
  snmp-server community ro RO
  ipv6 access-list VSL-IPV6-ROUTING
   permit ipv6 any FF02::/124
  banner login ^CC
  #### Login for authorized Takaful IT Personnel ONLY ####
                        TAKAFUL
  #### Login for authorized Takaful IT Personnel ONLY ####
  ^C
  banner motd ^CC
  WARNING, unauthorised access to this network is prohibited.
  Authorized access only
  This system is the property of Takaful Company.^C
  line con 0
   privilege level 15
   login local
   stopbits 1
  line vty 0 4
   privilege level 15
   login local
  line vty 5 15
   privilege level 15
   login local
  module provision switch 1
   chassis-type 70 base-mac F40F.1B56.31D8
   slot 1 slot-type 401 base-mac F40F.1B56.31D8
  module provision switch 2
  end
  TAKAFUL-CORE-01#
  TAKAFUL-CORE-02(recovery-mode)#show run
  Building configuration...
  Current configuration : 5641 bytes
  ! Last configuration change at 02:05:27 UTC Sun Aug 10 2014
  version 15.2
  service nagle
  no service pad
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service compress-config
  service sequence-numbers
  no service dhcp
  hostname TAKAFUL-CORE-02
  boot-start-marker
  boot system flash bootflash:cat4500e-universalk9.SPA.03.05.00.E.152-1.E.bin
  boot-end-marker
  vrf definition mgmtVrf
   address-family ipv4
   exit-address-family
   address-family ipv6
   exit-address-family
  no aaa new-model
  switch virtual domain 100
   switch mode virtual
   mac-address use-virtual
  no dual-active detection pagp
  no ip source-route
  ip vrf Liin-vrf
  no ip domain-lookup
  no ip bootp server
  ip device tracking
  vtp mode transparent
  power redundancy-mode redundant
  mac access-list extended VSL-BPDU
   permit any 0180.c200.0000 0000.0000.0003
  mac access-list extended VSL-CDP
   permit any host 0100.0ccc.cccc
  mac access-list extended VSL-DOT1x
   permit any any 0x888E
  mac access-list extended VSL-GARP
   permit any host 0180.c200.0020
  mac access-list extended VSL-LLDP
   permit any host 0180.c200.000e
  mac access-list extended VSL-SSTP
   permit any host 0100.0ccc.cccd
  spanning-tree mode pvst
  spanning-tree extend system-id
  redundancy
   mode sso
  vlan internal allocation policy ascending
  class-map match-any VSL-MGMT-PACKETS
   match access-group name VSL-MGMT
  class-map match-any VSL-DATA-PACKETS
   match any
  class-map match-any VSL-L2-CONTROL-PACKETS
   match access-group name VSL-DOT1x
   match access-group name VSL-BPDU
   match access-group name VSL-CDP
   match access-group name VSL-LLDP
   match access-group name VSL-SSTP
   match access-group name VSL-GARP
  class-map match-any VSL-L3-CONTROL-PACKETS
   match access-group name VSL-IPV4-ROUTING
   match access-group name VSL-BFD
   match access-group name VSL-DHCP-CLIENT-TO-SERVER
   match access-group name VSL-DHCP-SERVER-TO-CLIENT
   match access-group name VSL-DHCP-SERVER-TO-SERVER
   match access-group name VSL-IPV6-ROUTING
  class-map match-any VSL-MULTIMEDIA-TRAFFIC
   match dscp af41
   match dscp af42
   match dscp af43
   match dscp af31
   match dscp af32
   match dscp af33
   match dscp af21
   match dscp af22
   match dscp af23
  class-map match-any VSL-VOICE-VIDEO-TRAFFIC
   match dscp ef
   match dscp cs4
   match dscp cs5
  class-map match-any VSL-SIGNALING-NETWORK-MGMT
   match dscp cs2
   match dscp cs3
   match dscp cs6
   match dscp cs7
  policy-map VSL-Queuing-Policy
   class VSL-MGMT-PACKETS
    bandwidth percent 5
   class VSL-L2-CONTROL-PACKETS
    bandwidth percent 5
   class VSL-L3-CONTROL-PACKETS
    bandwidth percent 5
   class VSL-VOICE-VIDEO-TRAFFIC
    bandwidth percent 30
   class VSL-SIGNALING-NETWORK-MGMT
    bandwidth percent 10
   class VSL-MULTIMEDIA-TRAFFIC
    bandwidth percent 20
   class VSL-DATA-PACKETS
    bandwidth percent 20
   class class-default
    bandwidth percent 5
  interface Port-channel20
   switchport
   switchport mode trunk
   switchport nonegotiate
   switch virtual link 2
  interface FastEthernet1
   vrf forwarding mgmtVrf
   speed auto
   duplex auto
  interface TenGigabitEthernet2/1/1
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet2/1/2
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet2/1/3
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet2/1/4
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet2/1/5
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet2/1/6
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet2/1/7
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet2/1/8
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet2/1/9
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet2/1/10
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet2/1/11
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet2/1/12
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet2/1/13
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet2/1/14
   switchport trunk native vlan 20
   switchport mode trunk
  interface TenGigabitEthernet2/1/15
   switchport mode trunk
   switchport nonegotiate
   no lldp transmit
   no lldp receive
   no cdp enable
   channel-group 20 mode on
   service-policy output VSL-Queuing-Policy
  interface TenGigabitEthernet2/1/16
   switchport mode trunk
   switchport nonegotiate
   no lldp transmit
   no lldp receive
   no cdp enable
   channel-group 20 mode on
   service-policy output VSL-Queuing-Policy
  interface Vlan1
   no ip address
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip access-list extended VSL-BFD
   permit udp any any eq 3784
  ip access-list extended VSL-DHCP-CLIENT-TO-SERVER
   permit udp any eq bootpc any eq bootps
  ip access-list extended VSL-DHCP-SERVER-TO-CLIENT
   permit udp any eq bootps any eq bootpc
  ip access-list extended VSL-DHCP-SERVER-TO-SERVER
   permit udp any eq bootps any eq bootps
  ip access-list extended VSL-IPV4-ROUTING
   permit ip any 224.0.0.0 0.0.0.255
  ipv6 access-list VSL-IPV6-ROUTING
   permit ipv6 any FF02::/124
  line con 0
   stopbits 1
  line vty 0 4
   login
   length 0
  module provision switch 1
  module provision switch 2
   chassis-type 70 base-mac 88F0.3104.0058
   slot 1 slot-type 401 base-mac 88F0.3104.0058
  end

• Policy Nat on cisco router

  Hi Dears.
  I configurated site to site vpn on router. The peer want interesting traffic to our side user subnet must be  10.193.115.11 but our local subnet is
  10.103.70.0/24. our local subnet is also access to internet.
  local subnet: 10.10.3.70.0/24
  peer local  subnet: 10.193.128.11/23
  i think that i must be do policy nat.
  1. ip access-list extended vpn-traffic  
  permit ip 10.193.115.0 0.0.0.255  10.193.128.0 0.0.1.255
  2. ip access-list extended nat-ipsec
  permit ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
  3.ip nat pool mswpool 10.193.115.1 10.193.115.14  netmask 255.255.255.240
    ip nat inside source list nat-ipsec pool mswpool
  And i have also PAT Nat for local user.
  access-list 100 permit ip 10.103.70.0 0.0.0.255 any
  ip nat inside source list 100 interface GigabitEthernet0/0 overload
  is this configuration rigth?
  please write your comment.
  thanks.

  ok. thanks.
  at last our configuration is that:
  access-list 100 deny ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
  access-list 100 permit ip 10.103.70.0 0.0.0.255 any
  ip nat inside source list 100 interface GigabitEthernet0/0 overload
  for vpn traffic:
  ip nat pool mswpool 10.193.115.1 10.193.115.14  netmask 255.255.255.240
    ip nat inside source list nat-ipsec pool mswpool
  ip access-list extended vpn-traffic 
  permit ip 10.193.115.0 0.0.0.255  10.193.128.0 0.0.1.255
  ip access-list extended nat-ipsec
  permit ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
  you said that this configuration is help me for my aim.
  thanks again.