09-16-2010 07:26 AM
Hello,
Basically I want to static two-way NAT 2 networks:
network 192.168.1.x into 20.168.1.x
network 10.x.x.x into 20.x.x.x
This is my actual config:

class-map match-all NAT_192.168.1.0_24
  2 match source-address 192.168.1.0 255.255.255.0
class-map match-all GLOBAL_NAT
  2 match source-address 10.0.0.0 255.0.0.0

policy-map multi-match Policy_NAT
  class NAT_192.168.1.0_24
    nat static 20.168.1.0 netmask 255.255.255.0 vlan 2
    nat static 20.168.1.0 netmask 255.255.255.0 vlan 3
  class GLOBAL_NAT
    nat static 20.0.0.0 netmask 255.0.0.0 vlan 2
    nat static 20.0.0.0 netmask 255.0.0.0 vlan 3

interface vlan 1 (global outside interface)
  service-policy input Policy_NAT
  ....
interface vlan 2 (inside / server interface)
  .....
interface vlan 3 (inside / server interface)
  .....

I want to accomplish bi-directional NAT, but this seems to work in an odd way:
it is good when the traffic comes from vlan 1 to vlans 2 and 3.
When traffic originates from vlans 2 and 3, headed towards vlan 1, everything
gets natted into 10.x.x.x regardless of whether the traffic is destined to 20.168.1.x, which should become,
in my intentions, 192.168.1.x; it becomes 10.168.1.x instead.
What could be wrong? Am I missing something basic here?
Thanks in advance.
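
Added example, not part of the original post: a Python model of the address arithmetic in the two static mappings above. It shows that the mapped ranges overlap (20.168.1.0/24 lies inside 20.0.0.0/8), so 20.168.1.5 reverse-translates to either 192.168.1.5 or 10.168.1.5 depending on which rule is consulted. How the ACE itself orders its rules is not modelled here, and the function names are illustrative.

```python
import ipaddress

# Static network NAT rules from the first post: (real network, mapped network).
RULES = [
    (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("20.168.1.0/24")),
    (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("20.0.0.0/8")),
]

def _swap_prefix(addr, src_net, dst_net):
    """Keep the host bits of addr, replace the src_net prefix with dst_net's."""
    host_bits = int(addr) & int(src_net.hostmask)
    return ipaddress.ip_address(int(dst_net.network_address) | host_bits)

def forward(real_ip):
    """Real -> mapped; the real networks are disjoint, so at most one rule matches."""
    addr = ipaddress.ip_address(real_ip)
    for real, mapped in RULES:
        if addr in real:
            return str(_swap_prefix(addr, real, mapped))
    return None

def reverse_candidates(mapped_ip):
    """Mapped -> real for every rule whose mapped range contains the address."""
    addr = ipaddress.ip_address(mapped_ip)
    return [str(_swap_prefix(addr, mapped, real))
            for real, mapped in RULES if addr in mapped]

def reverse_longest_prefix(mapped_ip):
    """Resolve the ambiguity by preferring the most specific mapped range."""
    addr = ipaddress.ip_address(mapped_ip)
    hits = [(mapped.prefixlen, real, mapped) for real, mapped in RULES if addr in mapped]
    if not hits:
        return None
    _, real, mapped = max(hits, key=lambda h: h[0])
    return str(_swap_prefix(addr, mapped, real))

def mapped_overlaps():
    """Pairs of mapped networks that overlap (ambiguous reverse lookup)."""
    nets = [m for _, m in RULES]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]

if __name__ == "__main__":
    print(forward("192.168.1.5"), forward("10.168.1.5"))  # same mapped address
    print(reverse_candidates("20.168.1.5"))
    print(reverse_longest_prefix("20.168.1.5"))
    print(mapped_overlaps())
```
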
09-22-2010 08:28 AM
In your config you only have a NAT service policy applied on vlan 1, so your NAT actions will happen only if traffic comes into the ACE on vlan 1.
So if you want to NAT traffic that originates to the ACE on vlan 2 or 3 and goes out vlan 1, you need a policy applied to those interfaces along with nat statements that NAT if egress is vlan 1.
i.e.

policy-map multi-match Policy_NAT
  class NAT_192.168.1.0_24
    nat static 20.168.1.0 netmask 255.255.255.0 vlan 2
    nat static 20.168.1.0 netmask 255.255.255.0 vlan 3
    nat static 20.168.1.0 netmask 255.255.255.0 vlan 1
  class GLOBAL_NAT
    nat static 20.0.0.0 netmask 255.0.0.0 vlan 2
    nat static 20.0.0.0 netmask 255.0.0.0 vlan 3
    nat static 20.0.0.0 netmask 255.0.0.0 vlan 1

then apply

  service-policy input Policy_NAT

to vlan 2 and 3 interfaces.
09-22-2010 08:49 AM
Thanks for your reply.
That would certainly be a good solution; unfortunately I can't configure it.
When I try to apply the policy to the other interface vlan I get this error:
Error: Cannot service a policy to more than one interface when it has nat static configured!
So I can't apply it to both directions.