
Conflict between static and dynamic NAT from two # pools

Tshi M
Level 5

Hi all,

I have a Cisco 6509 with connections to multiple venues. Both destinations require that I NAT my internal network to their assigned IP. The problem is that one of their venues requires one-to-one translation. When I do this, the host with the static NAT is unable to connect to the venue that does not request the one-to-one NAT. Below is the relevant configuration:

For the venue not requesting one-to-one NAT:

ip access-list extended CMX_NAT
 permit ip 10.1.21.0 0.0.0.255 199.2.14.0 0.0.0.15
 permit ip 10.1.31.0 0.0.0.255 199.2.14.0 0.0.0.15
 permit ip 10.1.32.0 0.0.0.255 199.2.14.0 0.0.0.15

ip nat pool Dynamic-Pool 10.20.22.2 10.20.22.14 prefix-length 28
ip nat inside source route-map CMX_map pool Dynamic-Pool

route-map CMX_map permit 10
 match ip address CMX_NAT

For the venue requesting one-to-one NAT:

ip access-list extended BMX_NAT
 permit ip 10.1.21.0 0.0.0.255 host 192.168.25.25
 permit ip 10.1.31.0 0.0.0.255 host 192.168.25.25
 permit ip 10.1.32.0 0.0.0.255 host 192.168.25.25

ip nat pool BMX_pool 10.10.89.245 10.10.89.254 prefix-length 28
ip nat inside source route-map BMX_map pool BMX_pool
ip nat inside source static 10.1.31.240 10.10.89.242
ip nat inside source static 10.1.21.227 10.10.89.243

route-map BMX_map permit 10
 match ip address BMX_NAT

Because of the one-to-one NAT, 10.1.21.227 and 10.1.31.240 can no longer access the CMX venue.


Peter Koltl
Level 7

IOS NAT table entries contain only 4 fields:

R101#sh ip nat tr
Pro Inside global      Inside local       Outside local      Outside global
--- 10.10.89.243       10.1.21.227        ---                ---
--- 10.10.89.242       10.1.31.240        ---                ---

On the contrary, ASA NAT table entries also contain the ACL in case of policy NAT so an ASA could cope with such a situation easily.

So my assumption is that IOS is unable to handle the incoming packet from CMX as the route-map is not referenced in the NAT table.

Maybe you could try to translate CMX addresses too with a destination NAT.

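Added example, not from either poster: one way to keep the one-to-one mappings for BMX while letting the same two hosts fall into the CMX dynamic pool. A plain "ip nat inside source static" entry is not conditioned on the destination, so every packet from 10.1.31.240 and 10.1.21.227 leaves with the 10.10.89.x address, including packets bound for CMX. Qualifying the static entries with a route-map that matches only the BMX destination makes the translation conditional; traffic from those hosts to 199.2.14.0/28 then no longer matches the static and is handled by CMX_map and Dynamic-Pool. This assumes the running IOS supports the route-map keyword on "ip nat inside source static" (present in the IOS NAT command reference), and the interface names and the ACL/route-map names BMX_STATIC_NAT and BMX_static_map are placeholders chosen here, not from the original post.

```cisco
! Added example, not the original poster's configuration.
! Assumes: IOS accepts "route-map" on "ip nat inside source static";
! GigabitEthernet1/1 (inside) and GigabitEthernet1/2 (outside) are
! placeholder interface names.

! Match only traffic from the two one-to-one hosts to the BMX address.
ip access-list extended BMX_STATIC_NAT
 permit ip host 10.1.31.240 host 192.168.25.25
 permit ip host 10.1.21.227 host 192.168.25.25

route-map BMX_static_map permit 10
 match ip address BMX_STATIC_NAT

! Replace the unconditional statics from the original post with
! route-map qualified ones, so they apply to BMX-bound traffic only.
no ip nat inside source static 10.1.31.240 10.10.89.242
no ip nat inside source static 10.1.21.227 10.10.89.243
ip nat inside source static 10.1.31.240 10.10.89.242 route-map BMX_static_map
ip nat inside source static 10.1.21.227 10.10.89.243 route-map BMX_static_map

! Unchanged from the original post: dynamic translations for both venues.
ip nat inside source route-map CMX_map pool Dynamic-Pool
ip nat inside source route-map BMX_map pool BMX_pool

interface GigabitEthernet1/1
 ip nat inside
interface GigabitEthernet1/2
 ip nat outside
```

To check the result, send traffic from 10.1.31.240 to a 199.2.14.0/28 host and to 192.168.25.25, then run "show ip nat translations": the CMX flow should show an Inside global address from 10.20.22.2 to 10.20.22.14 and the BMX flow 10.10.89.242. "show ip nat statistics" confirms which dynamic mapping is being hit. One thing to test explicitly is the outside-to-inside direction for BMX: if BMX needs to open connections to 10.10.89.242 before the inside host has sent anything, verify that the route-map qualified static still answers, since the route-map is evaluated against inside-originated traffic.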