https://community.cisco.com/t5/application-networking/server-side-source-nat/m-p/1009651#M19954 <HTML><HEAD></HEAD><BODY><P>Hi!</P><P></P><P>Yes. I use the ALL access-list on the interfaces.</P><P></P><P>Lajos-ACE/Admin# sho access-list ALL</P><P>access-list:ALL, elements: 2, status: ACTIVE</P><P> remark : </P><P>access-list ALL line 10 extended permit ip any any (hitcount=19682682)</P><P>access-list ALL line 20 extended permit icmp any any (hitcount=0)</P><P></P><P>I make a telnet connection from 192.168.13.81 to outside device.</P><P>the connection is made but the source IP is 192.168.16.81 instead of 10.42.16.30.</P><P></P><P>Regards,</P></BODY></HTML> Mon, 21 Jul 2008 07:34:06 GMT KAROLY KOHEGYI 2008-07-21T07:34:06Z https://community.cisco.com/t5/application-networking/server-side-source-nat/m-p/1009646#M19949 <P>Hello!</P><P></P><P>The below simple config is not working.</P><P>We would like to change the server source IP in the server initiated connection.</P><P>The access-list state is NOT-ACTIVE.</P><P>Why ? Any help would be appreciated !</P><P></P><P>Regards,</P><P></P><P></P><P>class-map match-any NAT_CLASS</P><P> 2 match access-list NAT_ACCESS</P><P></P><P>policy-map multi-match NAT_POLICY</P><P> class NAT_CLASS</P><P> nat dynamic 1 vlan 87</P><P></P><P>interface vlan 73</P><P> description ACE-Application</P><P> ip address 192.168.29.18 255.255.255.248</P><P> alias 192.168.29.22 255.255.255.248</P><P> peer ip address 192.168.29.20 255.255.255.248</P><P> access-group input ALL</P><P> access-group output ALL</P><P> nat-pool 1 10.42.16.30 10.42.16.30 netmask 255.255.255.0 pat</P><P> no shutdown</P><P></P><P>interface vlan 87</P><P> ip address 192.168.13.86 255.255.255.248</P><P> access-group input ALL</P><P> service-policy input NAT_POLICY</P><P> no shutdown</P><P></P><P>access-list NAT_ACCESS line 1 extended permit tcp host 192.168.13.81 any eq telnet</P><P>access-list NAT_ACCESS line 30 extended permit icmp any any </P><P></P><P>--------------------------------------------------------------------------------------------</P><P></P><P>Admin# sho access-list NAT_ACCESS </P><P>access-list:NAT_ACCESS, elements: 2, status: NOT-ACTIVE</P><P> remark : </P><P>access-list NAT_ACCESS line 1 extended permit tcp host 192.168.13.81 any eq telnet</P><P>access-list NAT_ACCESS line 30 extended permit icmp any any</P><P></P><P></P> Mon, 21 Jul 2008 06:49:42 GMT https://community.cisco.com/t5/application-networking/server-side-source-nat/m-p/1009646#M19949 KAROLY KOHEGYI 2008-07-21T06:49:42Z https://community.cisco.com/t5/application-networking/server-side-source-nat/m-p/1009647#M19950 <HTML><HEAD></HEAD><BODY><P>Make the following change</P><P></P><P>policy-map multi-match NAT_POLICY</P><P>class NAT_CLASS</P><P>nat dynamic 1 vlan 73</P><P></P><P>Syed Iftekhar Ahmed</P></BODY></HTML> Mon, 21 Jul 2008 06:59:01 GMT https://community.cisco.com/t5/application-networking/server-side-source-nat/m-p/1009647#M19950 Syed Iftekhar Ahmed 2008-07-21T06:59:01Z https://community.cisco.com/t5/application-networking/server-side-source-nat/m-p/1009648#M19951 <HTML><HEAD></HEAD><BODY><P>Hi!</P><P></P><P>I overlooked.</P><P>Situation changed a little.</P><P></P><P>Status : ACTIVE</P><P>-----------------------------------------</P><P>Interface: vlan 87 </P><P> service-policy: NAT_POLICY</P><P> class: NAT_CLASS</P><P> nat:</P><P> nat dynamic 1 vlan 73</P><P> curr conns : 1 , hit count : 3 </P><P> dropped conns : 0 </P><P> client pkt count : 59 , client byte count: 2754 </P><P> server pkt count : 56 , server byte count: 3324 </P><P> conn-rate-limit : 0 , drop-count : 0 </P><P> bandwidth-rate-limit : 0 , drop-count : 0 </P><P></P><P>Lajos-ACE/Admin# sho access-list NAT_ACCESS </P><P>access-list:NAT_ACCESS, elements: 2, status: NOT-ACTIVE</P><P> remark : </P><P>access-list NAT_ACCESS line 1 extended permit tcp host 192.168.13.81 any eq telnet</P><P>access-list NAT_ACCESS line 30 extended permit icmp any any</P><P></P><P>The policu is working but the accesslist is not.</P><P></P><P>The NAT is not working also.</P><P></P><P>Regards,</P></BODY></HTML> Mon, 21 Jul 2008 07:10:11 GMT https://community.cisco.com/t5/application-networking/server-side-source-nat/m-p/1009648#M19951 KAROLY KOHEGYI 2008-07-21T07:10:11Z https://community.cisco.com/t5/application-networking/server-side-source-nat/m-p/1009649#M19952 <HTML><HEAD></HEAD><BODY><P>Hi!</P><P></P><P>I overlooked.</P><P>Situation changed a little.</P><P></P><P>Status : ACTIVE</P><P>-----------------------------------------</P><P>Interface: vlan 87 </P><P> service-policy: NAT_POLICY</P><P> class: NAT_CLASS</P><P> nat:</P><P> nat dynamic 1 vlan 73</P><P> curr conns : 1 , hit count : 3 </P><P> dropped conns : 0 </P><P> client pkt count : 59 , client byte count: 2754 </P><P> server pkt count : 56 , server byte count: 3324 </P><P> conn-rate-limit : 0 , drop-count : 0 </P><P> bandwidth-rate-limit : 0 , drop-count : 0 </P><P></P><P>Lajos-ACE/Admin# sho access-list NAT_ACCESS </P><P>access-list:NAT_ACCESS, elements: 2, status: NOT-ACTIVE</P><P> remark : </P><P>access-list NAT_ACCESS line 1 extended permit tcp host 192.168.13.81 any eq telnet</P><P>access-list NAT_ACCESS line 30 extended permit icmp any any</P><P></P><P>The policu is working but the accesslist is not.</P><P></P><P>The NAT is not working also.</P><P></P><P>Regards,</P></BODY></HTML> Mon, 21 Jul 2008 07:16:54 GMT https://community.cisco.com/t5/application-networking/server-side-source-nat/m-p/1009649#M19952 KAROLY KOHEGYI 2008-07-21T07:16:54Z https://community.cisco.com/t5/application-networking/server-side-source-nat/m-p/1009650#M19953 <HTML><HEAD></HEAD><BODY><P>Access-list "NOT-ACTIVE " means that it is not applied to an interface. Which is normal for ACLs that are only used in class maps.</P><P></P><P>Is the traffic for NAT is covered by the ACL (ACL applied to the interfaces) to allow the traffic through the ACE?</P><P></P><P>Syed Iftekhar Ahmed</P><P></P><P></P></BODY></HTML> Mon, 21 Jul 2008 07:25:20 GMT https://community.cisco.com/t5/application-networking/server-side-source-nat/m-p/1009650#M19953 Syed Iftekhar Ahmed 2008-07-21T07:25:20Z https://community.cisco.com/t5/application-networking/server-side-source-nat/m-p/1009651#M19954 <HTML><HEAD></HEAD><BODY><P>Hi!</P><P></P><P>Yes. I use the ALL access-list on the interfaces.</P><P></P><P>Lajos-ACE/Admin# sho access-list ALL</P><P>access-list:ALL, elements: 2, status: ACTIVE</P><P> remark : </P><P>access-list ALL line 10 extended permit ip any any (hitcount=19682682)</P><P>access-list ALL line 20 extended permit icmp any any (hitcount=0)</P><P></P><P>I make a telnet connection from 192.168.13.81 to outside device.</P><P>the connection is made but the source IP is 192.168.16.81 instead of 10.42.16.30.</P><P></P><P>Regards,</P></BODY></HTML> Mon, 21 Jul 2008 07:34:06 GMT https://community.cisco.com/t5/application-networking/server-side-source-nat/m-p/1009651#M19954 KAROLY KOHEGYI 2008-07-21T07:34:06Z https://community.cisco.com/t5/application-networking/server-side-source-nat/m-p/1009652#M19955 <HTML><HEAD></HEAD><BODY><P>Hi!</P><P></P><P>sorry it is working !</P><P></P><P>Regards</P></BODY></HTML> Mon, 21 Jul 2008 08:12:22 GMT https://community.cisco.com/t5/application-networking/server-side-source-nat/m-p/1009652#M19955 KAROLY KOHEGYI 2008-07-21T08:12:22Z https://community.cisco.com/t5/application-networking/server-side-source-nat/m-p/1009653#M19956 <HTML><HEAD></HEAD><BODY><P>Your config looks ok.</P><P>Are you sure the server initiated connection is not bypassing ACE? Do you see this conn on ACE (sh conn)?</P><P></P><P>Just for testing remove ACL from the class-map ,Instead use source-address</P><P></P><P></P><P>class-map match-any NAT_CLASS</P><P>2 match source 192.168.13.81 255.255.255.255</P><P></P><P></P><P>Syed</P></BODY></HTML> Mon, 21 Jul 2008 08:13:29 GMT https://community.cisco.com/t5/application-networking/server-side-source-nat/m-p/1009653#M19956 Syed Iftekhar Ahmed 2008-07-21T08:13:29Z