ACE static nat issue

silk
Level 1

Hello,

Basically, I want to static two-way NAT 2 networks:

network 192.168.1.x into 20.168.1.x

network 10.x.x.x into 20.x.x.x

this is my actual config:

class-map match-all NAT_192.168.1.0_24
  2 match source-address 192.168.1.0 255.255.255.0
class-map match-all GLOBAL_NAT
  2 match source-address 10.0.0.0 255.0.0.0

policy-map multi-match Policy_NAT
  class NAT_192.168.1.0_24
    nat static 20.168.1.0 netmask 255.255.255.0 vlan 2
    nat static 20.168.1.0 netmask 255.255.255.0 vlan 3
  class GLOBAL_NAT
    nat static 20.0.0.0 netmask 255.0.0.0 vlan 2
    nat static 20.0.0.0 netmask 255.0.0.0 vlan 3

interface vlan 1  (global outside interface)
  service-policy input Policy_NAT
  ....

interface vlan 2  (inside / server interface)
  .....

interface vlan 3  (inside / server interface)
  .....

I want to accomplish bi-directional NAT, but this seems to work in an odd way:

It is good when the traffic comes from vlan 1 to vlans 2 and 3.

When traffic originates from vlans 2 and 3, headed towards vlan 1, everything gets natted into 10.x.x.x regardless if traffic is destined to 20.168.1.x, which should become, in my intentions, 192.168.1.x; it becomes 10.168.1.x instead.

What could be wrong? Am I missing something basic here?

Thanks in advance.

litrenta
Level 3

In your config you only have a NAT service policy applied on vlan 1, so your NAT actions will happen only if traffic comes into the ACE on vlan 1.

So if you want to NAT traffic that originates to the ACE on vlan 2 or 3 and goes out vlan 1, you need a policy applied to those interfaces along with nat statements that NAT if egress is vlan 1.

i.e.

policy-map multi-match Policy_NAT
  class NAT_192.168.1.0_24
    nat static 20.168.1.0 netmask 255.255.255.0 vlan 2
    nat static 20.168.1.0 netmask 255.255.255.0 vlan 3
    nat static 20.168.1.0 netmask 255.255.255.0 vlan 1
  class GLOBAL_NAT
    nat static 20.0.0.0 netmask 255.0.0.0 vlan 2
    nat static 20.0.0.0 netmask 255.0.0.0 vlan 3
    nat static 20.0.0.0 netmask 255.0.0.0 vlan 1

then apply

service-policy input Policy_NAT

to vlan 2 and 3 interfaces.

Thanks for your reply.

That would certainly be a good solution; unfortunately, I can't configure it.

When I try to apply the policy to the other interface vlan I get this error:

Error: Cannot service a policy to more than one interface when it has nat static configured!

So I can't apply it to both directions.
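
The address arithmetic behind the symptom described in the question, as an added example that is not part of any post in this thread: the two mapped ranges overlap (20.168.1.0/24 lies inside 20.0.0.0/8), so a prefix-preserving reverse translation of 20.168.1.x has two candidate results. The function names are assumptions for illustration and model static NAT in general; they make no claim about how the ACE selects a rule.

```python
import ipaddress

# Static NAT pairs taken from the question: (real network, mapped network).
RULES = [
    (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("20.168.1.0/24")),
    (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("20.0.0.0/8")),
]


def untranslate(addr, real, mapped):
    """Prefix-preserving reverse NAT: keep the host bits, swap the network part."""
    host_bits = int(addr) & int(mapped.hostmask)
    return ipaddress.ip_address(int(real.network_address) | host_bits)


def candidates(mapped_ip):
    """Every rule whose mapped range contains the address, with its result."""
    addr = ipaddress.ip_address(mapped_ip)
    return [(mapped, untranslate(addr, real, mapped))
            for real, mapped in RULES if addr in mapped]


def overlapping_rules():
    """Pairs of mapped ranges that overlap, making reverse lookup ambiguous."""
    return [(a[1], b[1]) for i, a in enumerate(RULES)
            for b in RULES[i + 1:] if a[1].overlaps(b[1])]


def longest_prefix(mapped_ip):
    """Result when the most specific mapped range is preferred."""
    return max(candidates(mapped_ip), key=lambda c: c[0].prefixlen)[1]


if __name__ == "__main__":
    for a, b in overlapping_rules():
        print(f"mapped ranges overlap: {a} and {b}")
    # Constructed sample addresses, one inside the overlap and one outside it.
    for ip in ("20.168.1.5", "20.1.2.3"):
        for mapped, real_ip in candidates(ip):
            print(f"{ip} via {mapped} -> {real_ip}")
        print(f"{ip} most specific -> {longest_prefix(ip)}")
```

Any design that maps both 192.168.1.0/24 and 10.0.0.0/8 into 20.0.0.0/8 carries this ambiguity, so the 10.168.1.0/24 range and the 192.168.1.0/24 range compete for the same mapped addresses.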
