12-26-2023 07:46 PM
I am using a Cisco ASR1001-X router. I have two different public IP blocks, each a /27. There are at least 20 private IP blocks in my LAN network. That's why I am using two IP NAT pools for the two public IP blocks, for load balancing. The problem is that the 1st IP NAT pool is working fine, but the 2nd IP NAT pool is not working properly: users of the 2nd pool are translated to only a single public IP address. Please suggest what I should do now.
Dynamic NAT working fine:
ip nat pool NAT-Pri X.X.X.X X.X.X.X netmask 255.255.255.224
ip nat inside source list Primary_LAN pool NAT-Pri overload
ip access-list extended Primary_LAN
permit ip 10.204.0.0 0.0.31.255 any
permit ip 192.168.122.0 0.0.0.255 any
permit ip 192.168.124.0 0.0.0.255 any
Dynamic NAT not working:
ip nat pool NAT-Sec Y.Y.Y.Y Y.Y.Y.Y netmask 255.255.255.224
ip nat inside source list Secondary-LAN pool NAT-Sec overload
ip access-list extended Secondary-LAN
permit ip 192.168.112.0 0.0.0.255 any
permit ip 192.168.113.0 0.0.0.255 any
permit ip 10.98.0.0 0.0.255.255 any
12-26-2023 08:21 PM
Can I see
show ip nat statistic
MHM
12-26-2023 11:03 PM
Core-RT2#sh ip nat statistics
Total active translations: 638565 (0 static, 638565 dynamic; 638565 extended)
Outside interfaces:
TenGigabitEthernet0/0/1, GigabitEthernet0/0/3, GigabitEthernet0/0/4
Loopback1
Inside interfaces:
GigabitEthernet0/0/1.808, GigabitEthernet0/0/2
Hits: 106102622845 Misses: 1892762614
Expired translations: 1875142437
Dynamic mappings:
-- Inside Source
[Id: 1] access-list Primary_LAN pool NAT-Pri refcount 489391
pool NAT-Pri: id 3, netmask 255.255.255.224
start X.X.X.X end X.X.X.X
type generic, total addresses 29, allocated 10 (34%), misses 0
[Id: 2] access-list secondary-LAN pool NAT-Sec refcount 1
pool NAT-Sec: id 5, netmask 255.255.255.224
start Y.Y.Y.Y end Y.Y.Y.Y
type generic, total addresses 29, allocated 1 (3%), misses 0
nat-limit statistics:
max entry: max allowed 0, used 0, missed 0
In-to-out drops: 21736 Out-to-in drops: 6111
Pool stats drop: 1 Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
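As an added example (not part of the original thread and not Cisco tooling), this Python parser reads the dynamic-mapping section of the `show ip nat statistics` output posted above and reports mappings that hold almost none of the active translations. The function names and the 1% threshold are assumptions chosen for illustration.

```python
import re

# Constructed sample: the relevant lines of the `show ip nat statistics`
# output posted in this thread (pool addresses were already masked there).
SAMPLE = """\
Total active translations: 638565 (0 static, 638565 dynamic; 638565 extended)
Dynamic mappings:
-- Inside Source
[Id: 1] access-list Primary_LAN pool NAT-Pri refcount 489391
pool NAT-Pri: id 3, netmask 255.255.255.224
start X.X.X.X end X.X.X.X
type generic, total addresses 29, allocated 10 (34%), misses 0
[Id: 2] access-list secondary-LAN pool NAT-Sec refcount 1
pool NAT-Sec: id 5, netmask 255.255.255.224
start Y.Y.Y.Y end Y.Y.Y.Y
type generic, total addresses 29, allocated 1 (3%), misses 0
"""

MAPPING = re.compile(r"\[Id: (\d+)\] access-list (\S+) pool (\S+) refcount (\d+)")
USAGE = re.compile(r"total addresses (\d+), allocated (\d+) \(\d+%\), misses (\d+)")
TOTAL = re.compile(r"Total active translations: (\d+)")

def parse_nat_statistics(text):
    """Return (total_translations, [mapping dicts]) from the CLI output."""
    total, mappings = 0, []
    for line in text.splitlines():
        line = line.strip()
        if m := TOTAL.match(line):
            total = int(m.group(1))
        elif m := MAPPING.match(line):
            mappings.append({"id": int(m.group(1)), "acl": m.group(2),
                             "pool": m.group(3), "refcount": int(m.group(4))})
        elif (m := USAGE.search(line)) and mappings:
            # The usage line belongs to the most recent mapping header.
            mappings[-1].update(total_addrs=int(m.group(1)),
                                allocated=int(m.group(2)), misses=int(m.group(3)))
    return total, mappings

def idle_mappings(text, min_share=0.01):
    """Mappings whose refcount is below min_share (assumed 1%) of all translations."""
    total, mappings = parse_nat_statistics(text)
    return [m for m in mappings if total and m["refcount"] / total < min_share]

if __name__ == "__main__":
    for m in idle_mappings(SAMPLE):
        print(f'{m["pool"]} (ACL {m["acl"]}): refcount {m["refcount"]}, '
              f'{m["allocated"]}/{m["total_addrs"]} addresses allocated')
```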
12-27-2023 02:22 AM
Did you use any PBR?
MHM
12-27-2023 03:00 AM
No
12-27-2023 03:13 AM
Outside interfaces:
TenGigabitEthernet0/0/1, GigabitEthernet0/0/3, GigabitEthernet0/0/4
Loopback1
Inside interfaces:
GigabitEthernet0/0/1.808, GigabitEthernet0/0/2
But there are four outside ports; how is traffic forwarded to these ports?
NAT works when the traffic passes from a specific inside port to a specific outside port.
MHM
12-27-2023 01:00 AM
Hello @raficulopu
Also please confirm that the ACL Secondary-LAN is matching the correct traffic. Use the command show access-list Secondary-LAN to check if there are any hits on the ACL for the desired traffic and share output. Thanks.
12-27-2023 01:41 AM
Core-RT2#show access-lists Secondary-LAN
Extended IP access list Secondary-LAN
10 permit ip 192.168.112.0 0.0.0.255 any
20 permit ip 192.168.113.0 0.0.0.255 any
30 permit ip 10.98.0.0 0.0.255.255 any
40 permit ip 192.168.114.0 0.0.0.255 any
50 permit ip 192.168.116.0 0.0.0.255 any
70 permit ip 192.168.119.0 0.0.0.255 any
12-27-2023 08:43 AM
The topology is not clear to us - can you post the complete show run output (removing the information)?
From the information below, it is not clear what the configuration on that port is.
Outside interfaces:
TenGigabitEthernet0/0/1, GigabitEthernet0/0/3, GigabitEthernet0/0/4
Loopback1
Inside interfaces:
GigabitEthernet0/0/1.808, GigabitEthernet0/0/2