Secondary IP NAT Pool not Working

raficulopu · ‎12-26-2023

I am using a Cisco ASR1001-X router. I have two different public IP blocks with CIDR /27 each. Here minimum 20 private IP blocks for my LAN network. That's why I am using two IP nat pools for two public IP blocks for load balancing. But the problem is, 1st ip nat pool is working fine. But for the 2nd IP nat pool is not working properly. Users of 2nd pool translated with only a single public IP address. Please suggest what should I do now.

: Dynamic NAT Working Fine:

ip nat pool NAT-Pri X.X.X.X X.X.X.X netmask 255.255.255.224
ip nat inside source list Primary_LAN pool NAT-Pri overload
ip access-list extended Primary_LAN
permit ip 10.204.0.0 0.0.31.255 any
permit ip 192.168.122.0 0.0.0.255 any
permit ip 192.168.124.0 0.0.0.255 any

: Dynamic NAT not Working:

ip nat pool NAT-Sec Y.Y.Y.Y Y.Y.Y.Y netmask 255.255.255.224
ip nat inside source list Secondary-LAN pool NAT-Sec overload
ip access-list extended Secondary-LAN
permit ip 192.168.112.0 0.0.0.255 any
permit ip 192.168.113.0 0.0.0.255 any
permit ip 10.98.0.0 0.0.255.255 any

MHM Cisco World · ‎12-26-2023

can I see
show ip nat statistic
MHM

raficulopu · ‎12-26-2023

Core-RT2#sh ip nat statistics
Total active translations: 638565 (0 static, 638565 dynamic; 638565 extended)
Outside interfaces:
TenGigabitEthernet0/0/1, GigabitEthernet0/0/3, GigabitEthernet0/0/4
Loopback1
Inside interfaces:
GigabitEthernet0/0/1.808, GigabitEthernet0/0/2
Hits: 106102622845 Misses: 1892762614
Expired translations: 1875142437
Dynamic mappings:
-- Inside Source

[Id: 1] access-list Primary_LAN pool NAT-Pri refcount 489391
pool NAT-Pri: id 3, netmask 255.255.255.224
start X.X.X.X end X.X.X.X
type generic, total addresses 29, allocated 10 (34%), misses 0
[Id: 2] access-list secondary-LAN pool NAT-Sec refcount 1
pool NAT-Sec: id 5, netmask 255.255.255.224
start Y.Y.Y.Y end Y.Y.Y.Y
type generic, total addresses 29, allocated 1 (3%), misses 0

nat-limit statistics:
max entry: max allowed 0, used 0, missed 0
In-to-out drops: 21736 Out-to-in drops: 6111
Pool stats drop: 1 Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0

MHM Cisco World · ‎12-27-2023

Did you use any pbr?

MHM

raficulopu · ‎12-27-2023

No

MHM Cisco World · ‎12-27-2023

Outside interfaces:
TenGigabitEthernet0/0/1, GigabitEthernet0/0/3, GigabitEthernet0/0/4
Loopback1
Inside interfaces:
GigabitEthernet0/0/1.808, GigabitEthernet0/0/2

but there is four Port OUTside, how traffic is forward to these port.
the NAT work when the traffic pass from specific INside port to specific OUTside port
MHM

M02@rt37 · ‎12-27-2023

Hello @raficulopu

Also please confirm that the ACL Secondary-LAN is matching the correct traffic. Use the command show access-list Secondary-LAN to check if there are any hits on the ACL for the desired traffic and share output. Thanks.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

raficulopu · ‎12-27-2023

Core-RT2#show access-lists Secondary-LAN
Extended IP access list Secondary-LAN
10 permit ip 192.168.112.0 0.0.0.255 any
20 permit ip 192.168.113.0 0.0.0.255 any
30 permit ip 10.98.0.0 0.0.255.255 any
40 permit ip 192.168.114.0 0.0.0.255 any
50 permit ip 192.168.116.0 0.0.0.255 any
70 permit ip 192.168.119.0 0.0.0.255 any

balaji.bandi · ‎12-27-2023

The toplogy not clear to use - can you post show run complete output (removing the information)

below information not clear what is the configuration on that port.

Outside interfaces:
TenGigabitEthernet0/0/1, GigabitEthernet0/0/3, GigabitEthernet0/0/4
Loopback1
Inside interfaces:
GigabitEthernet0/0/1.808, GigabitEthernet0/0/2

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help