Direct specific LAN subnet to use specific NAT pool to reach internet

M-Square (Level 1)

Hello all,

I am working on a design to get some granular control over NAT/PAT, but it seems to be a challenge.

Our ISP has provided us a small block of routable IPs. Our IOS edge router has multiple VLANs behind it. We presently have all traffic egressing out a single WAN IP using overload, works great. I am now reconfiguring things so one specific LAN subnet will use a different IP from the WAN pool. After making the change, it looks like the selected subnet should be using the noted NAT pool, but it simply does not pass traffic. It looks like the subnet is in the NAT table and associated with the .179 address, but it simply does not pass traffic. The other VLAN traffic continues to use the main overload just fine.

Any thoughts? Should I be tweaking the prefix length on the NAT pool lines maybe?

interface GigabitEthernet0/0
 description outside-public-IP
 ip address 207.22.33.178 255.255.255.248 <-- small public range
 ip nat outside
!
interface GigabitEthernet0/1
 description inside (multiple VLANs behind this segment)
 ip address 192.168.254.254 255.255.255.0
 ip nat inside
!
ip access-list extended ACL_NAT_100
 permit ip 192.168.100.0 0.0.0.255 any
!
ip access-list extended ACL_NAT_200
 permit ip 192.168.200.0 0.0.0.255 any
!
route-map NAT100 permit 10
 match ip address ACL_NAT_100
!
route-map NAT200 permit 20
 match ip address ACL_NAT_200
!
ip nat inside source route-map NAT100 pool POOL_100 overload
ip nat inside source route-map NAT200 pool POOL_200 overload
!
ip nat pool POOL_100 184.70.155.178 207.22.33.178 prefix-length 29 <-- Main overload IP for all internal VLANs minus the isolated 192.168.200.0
ip nat pool POOL_200 184.70.155.179 207.22.33.179 prefix-length 29 <-- would like all 192.168.200.0 subnet traffic to use this WAN IP

Public IP Range(s): 207.22.33.178 - 207.22.33.180
Gateway: 207.22.33.177
Subnet Mask: 255.255.255.248

4 Replies

Hello,

first of all, you have no layer 3 interface with an IP address in the 192.168.100.0/24 and 192.168.200.0/24 range. What default gateway are your clients using? If you configure these addresses as secondary addresses on your inside NAT interface, at least the router knows what to translate:

interface GigabitEthernet0/1
 description inside (multiple VLANs behind this segment)
 ip address 192.168.254.254 255.255.255.0
 ip address 192.168.100.1 255.255.255.0 secondary
 ip address 192.168.200.1 255.255.255.0 secondary
 ip nat inside

Once you have done that, your NAT pools don't look right:

ip nat pool POOL_100 184.70.155.178 207.22.33.178 prefix-length 29 <-- Main overload IP for all internal VLANs minus the isolated 192.168.200.0
ip nat pool POOL_200 184.70.155.179 207.22.33.179 prefix-length 29 <-- would like all 192.168.200.0 subnet traffic to use this WAN IP

Are these typos? It should look like this:

ip nat pool POOL_100 207.22.33.178 207.22.33.178 prefix-length 29 <-- Main overload IP for all internal VLANs minus the isolated 192.168.200.0
ip nat pool POOL_200 207.22.33.179 207.22.33.179 prefix-length 29 <-- would like all 192.168.200.0 subnet traffic to use this WAN IP

Hi George,

Sorry about the confusion, correct it was just a typo. What you corrected is indeed the syntax used. The L3 portion is good and is presently running fine. The two routable IPs are from the same block, as you can see, so we simply have a single default route.

It gets interesting. When I implement and test the .200 trying to ping an Internet destination, show ip nat trans shows it has created the table. It is in the table, but passing traffic does not work:

ISR1#sh ip nat tran | i 207.22.33.179
icmp 207.22.33.179:0  192.168.200.254:0  4.2.2.5:0          4.2.2.5:0

If I leave the 192.168.200.0 entry in the ACL that is used for 207.22.33.178, ICMP passes just fine using the overload/pool for the .178 IP:

ISR1# sh log | i 4.2.2.5
011132: Oct 15 20:51:39.263 PST: NAT*: i: icmp (192.168.200.254, 0) -> (4.2.2.5, 0) [64564]
011133: Oct 15 20:51:39.263 PST: NAT*: s=192.168.200.254->207.22.33.178, d=4.2.2.5 [64564]
011152: Oct 15 20:51:39.295 PST: NAT*: o: icmp (4.2.2.5, 0) -> (207.22.33.178, 0) [51211]
011153: Oct 15 20:51:39.295 PST: NAT*: s=4.2.2.5, d=207.22.33.178->192.168.200.254 [51211]

When I remove 192.168.200.0 from the 207.22.33.178 ACL so it is forced to use the .179 route map, it does build a NAT table but does not pass traffic:

ISR1# sh log | i 4.2.2.5
011518: Oct 15 20:52:53.680 PST: NAT*: i: icmp (192.168.200.254, 0) -> (4.2.2.5, 0) [64583]
011519: Oct 15 20:52:53.680 PST: NAT*: s=192.168.200.254->207.22.33.179, d=4.2.2.5 [64583]
011612: Oct 15 20:52:56.688 PST: NAT*: i: icmp (192.168.200.254, 0) -> (4.2.2.5, 0) [64586]
011613: Oct 15 20:52:56.688 PST: NAT*: s=192.168.200.254->207.22.33.179, d=4.2.2.5 [64586]

Not sure what the i:, s= and o: represent.
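In that debug ip nat output, the i: and o: prefixes mark packet direction (i: inside to outside, o: outside to inside), and the s=/d= lines show which address the router rewrote. As an added example that is not part of this thread, the following Python script parses those exact log lines and reports every outside address whose inside hosts had packets translated out but for which no reply was ever translated back in; on the captures above that is the difference between the .178 test and the .179 test. The sample log is constructed from the lines posted above.

```python
import re
from collections import defaultdict

# Constructed sample: the debug ip nat lines posted in this thread. The first four come
# from the working .178 test, the last four from the failing .179 test.
SAMPLE_LOG = """\
011132: Oct 15 20:51:39.263 PST: NAT*: i: icmp (192.168.200.254, 0) -> (4.2.2.5, 0) [64564]
011133: Oct 15 20:51:39.263 PST: NAT*: s=192.168.200.254->207.22.33.178, d=4.2.2.5 [64564]
011152: Oct 15 20:51:39.295 PST: NAT*: o: icmp (4.2.2.5, 0) -> (207.22.33.178, 0) [51211]
011153: Oct 15 20:51:39.295 PST: NAT*: s=4.2.2.5, d=207.22.33.178->192.168.200.254 [51211]
011518: Oct 15 20:52:53.680 PST: NAT*: i: icmp (192.168.200.254, 0) -> (4.2.2.5, 0) [64583]
011519: Oct 15 20:52:53.680 PST: NAT*: s=192.168.200.254->207.22.33.179, d=4.2.2.5 [64583]
011612: Oct 15 20:52:56.688 PST: NAT*: i: icmp (192.168.200.254, 0) -> (4.2.2.5, 0) [64586]
011613: Oct 15 20:52:56.688 PST: NAT*: s=192.168.200.254->207.22.33.179, d=4.2.2.5 [64586]
"""

# "s=" line for an inside->outside packet: the inside source is rewritten to the outside address
OUT_RE = re.compile(r"NAT\*?: s=(\S+)->(\S+), d=(\S+) \[(\d+)\]")
# "s=" line for an outside->inside packet: the outside destination is rewritten back to the inside host
IN_RE = re.compile(r"NAT\*?: s=(\S+), d=(\S+)->(\S+) \[(\d+)\]")

def translation_counts(log_text):
    """Per outside (WAN) address: translated packets out, translated packets in,
    and the set of inside hosts seen behind it."""
    stats = defaultdict(lambda: {"out": 0, "in": 0, "inside": set()})
    for line in log_text.splitlines():
        m = OUT_RE.search(line)
        if m:
            inside, outside, _dst, _pkt = m.groups()
            stats[outside]["out"] += 1
            stats[outside]["inside"].add(inside)
            continue
        m = IN_RE.search(line)
        if m:
            _src, outside, inside, _pkt = m.groups()
            stats[outside]["in"] += 1
            stats[outside]["inside"].add(inside)
    return dict(stats)

def one_way_translations(log_text):
    """Outside addresses that translated traffic out but never translated a reply back in."""
    stats = translation_counts(log_text)
    return sorted(ip for ip, s in stats.items() if s["out"] > 0 and s["in"] == 0)
```

A one-way result means the router did its part on egress and the return packets never reached the NAT outside interface for translation, so the next place to look is the path back to that address rather than the route-map.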

Hello,

post the full configuration, you might be missing something else...

Hi Merlin,

ip nat pool POOL_100 184.70.155.178 207.22.33.178 prefix-length 29 <-- Main overload IP for all internal VLANs minus the isolated 192.168.200.0
ip nat pool POOL_200 184.70.155.179 207.22.33.179 prefix-length 29 <-- would like all 192.168.200.0 subnet traffic to use this WAN IP

I am wondering what the 184.70.155.178/179 addresses are.

Since your ISP provides you with a /29, the following two configs should work for you (I have not run tests on them, though):

ip nat pool POOL_100 207.22.33.178 207.22.33.178 prefix-length 32
ip nat pool POOL_200 207.22.33.179 207.22.33.180 prefix-length 31

HTH,
Meheretab

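The first finding in this thread was a pool whose start address came from a different block than its end address, and the prefix-length question came up twice. As an added example that is not part of the thread, this Python script checks ip nat pool lines the way IOS does, requiring both ends of a pool to sit in the same subnet under the configured prefix-length, and additionally against the ISP assignment given above (the /29 with gateway .177). Run over the pool lines posted in this thread, it flags the two original lines, accepts the /29 and /32 corrections, and also flags the .179-.180 /31 pool, because .179 and .180 fall in different /31 blocks.

```python
import ipaddress
import re

# Constructed sample: the pool lines from this thread. The first two are as originally
# posted (with the 184.70.155.x typo); the rest are the corrections suggested in the replies.
SAMPLE_POOLS = """\
ip nat pool POOL_100 184.70.155.178 207.22.33.178 prefix-length 29
ip nat pool POOL_200 184.70.155.179 207.22.33.179 prefix-length 29
ip nat pool POOL_100 207.22.33.178 207.22.33.178 prefix-length 29
ip nat pool POOL_200 207.22.33.179 207.22.33.179 prefix-length 29
ip nat pool POOL_100 207.22.33.178 207.22.33.178 prefix-length 32
ip nat pool POOL_200 207.22.33.179 207.22.33.180 prefix-length 31
"""

# ISP assignment from the thread: a /29 with gateway .177 and usable public IPs .178-.180
ISP_BLOCK = ipaddress.ip_network("207.22.33.176/29")
ISP_GATEWAY = ipaddress.ip_address("207.22.33.177")

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) prefix-length (\d+)$")

def check_pool(line):
    """Validate one 'ip nat pool NAME START END prefix-length N' line.
    Returns (name, problems), or None if the line is not a pool definition."""
    m = POOL_RE.match(line.strip())
    if not m:
        return None
    name, plen = m.group(1), int(m.group(4))
    start, end = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
    problems = []
    if start > end:
        problems.append("start address is after end address")
    # IOS uses prefix-length to check that both ends of the pool share one subnet
    start_net = ipaddress.ip_network(f"{start}/{plen}", strict=False)
    end_net = ipaddress.ip_network(f"{end}/{plen}", strict=False)
    if start_net != end_net:
        problems.append(f"start and end are in different /{plen} subnets ({start_net} vs {end_net})")
    for addr in (start, end):
        if addr not in ISP_BLOCK:
            problems.append(f"{addr} is outside the ISP block {ISP_BLOCK}")
        elif addr == ISP_GATEWAY:
            problems.append(f"{addr} is the ISP gateway address")
    return name, problems

def check_pools(text):
    """Run check_pool over every line; returns a list of (name, problems) for pool lines only."""
    return [r for r in (check_pool(l) for l in text.splitlines()) if r]
```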