01-17-2014 03:32 PM - edited 03-04-2019 10:06 PM
Dears,
Please find the attached topology.
When I configure a NAT overload for my internal subnet to go through the ADSL, I am not able to ping the leased line next-hop which is connected to my internet router. When I remove the command ip nat inside source list 1 interface gig0/0 overload then I am able to ping. Why is that so? Is it that I have to deny my leased line IP in the access-list below so it is denied for natting?
How is NAT chosen in a Cisco router? As far as I know, in the ASA there is a sequence; the ASA chooses by it when there are multiple NATs.
ip nat inside source list 1 interface gig0/0 overload
ip access-list standard internal
permit any
ip nat inside source static 10.10.10.10 94.94.94.94
01-17-2014 05:20 PM
Hello
Your NAT statement is okay, but you are not actually specifying any internal network with the current ACL.
Try using a standard numbered ACL referencing your internal network to be natted.
Say your internal network is 10.10.10.0/24:
access-list 1 permit 10.10.10.0 0.0.0.255
Res
Paul
01-17-2014 06:47 PM
Dear Paul,
Thanks for replying to my post.
I have just created one small setup in dynamips and configured it according to what I posted above, and ping is still working with the commands below; I have not specified any specific internal networks. The IOS on dynamips is
c3640-js-mz.124-21.bin and the IOS on the actual setup is flash0:c2900-universalk9-mz.SPA.150-1.M4.bin. Does it make a difference?
ip access-list standard internal
permit any
I have one more doubt; please clarify.
If I remove the switch which is in between the ADSL and the internet router, then I can specify two NAT statements as below with two default routes. Will the traffic be distributed among both the links?
ip nat inside source list 1 interface gig0/0 overload
ip nat inside source list 1 interface gig0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip route 0.0.0.0 0.0.0.0 192.168.20.1
01-18-2014 02:58 AM
Hi,
When you have 2 WAN interfaces to NAT on, you must use a route-map for the NAT statement, where you match the traffic and the outgoing interface.
You should also try to avoid permit any in the NAT ACL because it can cause some problems on some platforms/codes.
Regards
Alain
Don't forget to rate helpful posts.
01-18-2014 09:30 AM
Hello
"ping is still working with below commands"
Hmm, do you have NAT applied to any interfaces?
Internal interface(s)
==============
ip nat inside
WAN interface(s)
============
ip nat outside
Single WAN interface
access-list 1 permit x.x.x.x y.y.y.y
ip nat inside source list 1 interface xx overload
Or
Dual WAN interfaces
ip access-list extended Nat
permit ip x.x.x.x y.y.y.y any
route-map Nat permit 10
match ip address Nat
ip nat inside source route-map Nat interface gig0/1 overload
ip nat inside source route-map Nat interface gig0/2 overload
Res
Paul
Sent from Cisco Technical Support iPad App
01-18-2014 12:11 PM
Hello,
Hmm, do you have NAT applied to any interfaces?
Yes, I have applied ip nat inside to the internal interface and ip nat outside to the WAN interface.
I have a single WAN interface.
Question:
If I have ip nat inside on the internal interface and ip nat outside on the WAN interface, but assume I don't have any
ip nat inside source route-map Nat interface gig0/1 overload command, will the traffic still be passed to the switch or will the traffic be dropped?
Thanks
01-18-2014 01:01 PM
Hello
Then NAT isn't used whatsoever.
Meaning NOTHING will be translated. So if your topology is using NAT to provide connectivity for private address ranges to the public internet, then you will be restricted from doing so.
You will however be able to connect sourced from your LAN/WAN interfaces if these interfaces have public routable IP addresses assigned.
Res
Paul
Sent from Cisco Technical Support Android App
01-18-2014 01:50 PM
Dears,
Thanks for the replies
01-19-2014 12:24 PM
Hello Cadet
When you have 2 WAN interfaces to NAT on, you must use a route-map for the NAT statement, where you match the traffic and the outgoing interface.
You should also try to avoid permit any in the NAT ACL because it can cause some problems on some platforms/codes.
According to your reply above, we need to distribute matching traffic into 2 subnets for 2 NAT statements. Suppose I am using a 10.X.X.X subnet in my internal network, then how can we break them up?
Thanks
01-19-2014 02:06 PM
Hi,
According to your reply above, we need to distribute matching traffic into 2 subnets for 2 NAT statements. Suppose I am using a 10.X.X.X subnet in my internal network, then how can we break them up?
What I said is that when you are natting on 2 outside interfaces you should use a route-map in your NAT statements instead of simply ACLs.
Now this is for 1 internal subnet being load-balanced out the WAN interfaces; if you want some subnet (or some part of the subnet and/or some traffic type segregation) you'll have to use policy-based routing in addition.
For 1 subnet only, here is what to do:
access-list 1 permit 10.0.0.0 0.0.0.255
route-map NAT1
match ip add 1
match interface dialer1
route-map NAT2
match ip add 1
match interface dialer2
ip nat inside source route-map NAT1 interface dialer1
ip nat inside source route-map NAT2 interface dialer2
ip route 0.0.0.0 0.0.0.0 dialer1
ip route 0.0.0.0 0.0.0.0 dialer2
int dialer1
ip nat out
int dialer2
ip nat out
int vlan 1
ip add 10.0.0.1 255.255.255.0
ip nat in
Regards
Alain
Don't forget to rate helpful posts.
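Putting Paul's advice (scope the NAT ACL to the inside network instead of permit any) and Alain's advice (one route-map per WAN link, matching both the traffic and the egress interface) together, here is a complete dual-WAN PAT configuration written for this thread as an added example; it is not configuration posted by either of them. It assumes the OP's two WAN interfaces are GigabitEthernet0/0 and GigabitEthernet0/1 with next hops 192.168.10.1 and 192.168.20.1 (the addresses from the OP's post, i.e. the setup with the switch removed), that the inside network is 10.10.10.0/24 (Paul's example), and that the LAN interface is GigabitEthernet0/2 (an assumption; the OP never named it). The ACL, route-map and interface names are also made up for the example.

```cisco
! Added example: dual-WAN PAT with route-map based NAT rule selection.
! Not from the original posts. Assumes Gi0/2 = LAN, Gi0/0 and Gi0/1 = WAN links.
!
! 1. Scope the NAT ACL to the inside subnet only (no "permit any").
ip access-list standard INSIDE-NETS
 permit 10.10.10.0 0.0.0.255
!
! 2. One route-map per WAN link. Both the inside source and the egress
!    interface must match, so a flow is translated to the address of the
!    interface it actually leaves through.
route-map NAT-WAN1 permit 10
 match ip address INSIDE-NETS
 match interface GigabitEthernet0/0
!
route-map NAT-WAN2 permit 10
 match ip address INSIDE-NETS
 match interface GigabitEthernet0/1
!
! 3. One PAT (overload) rule per WAN link, tied to its own route-map.
ip nat inside source route-map NAT-WAN1 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-WAN2 interface GigabitEthernet0/1 overload
!
! 4. Mark inside and outside interfaces. Without "ip nat inside" on the LAN
!    side and "ip nat outside" on the WAN side nothing is translated at all.
interface GigabitEthernet0/2
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description WAN1 (ADSL) - address as assigned by the provider
 ip nat outside
!
interface GigabitEthernet0/1
 description WAN2 (leased line) - address as assigned by the provider
 ip nat outside
!
! 5. Two equal default routes. Routing picks the egress interface first;
!    the route-map's "match interface" then selects the matching NAT rule.
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip route 0.0.0.0 0.0.0.0 192.168.20.1
!
! Verification from exec mode (real IOS commands):
!   show ip nat statistics     - confirms which interfaces are inside/outside
!                                and lists the dynamic mappings with their route-maps
!   show ip nat translations   - one entry per flow; the Inside global address
!                                should be the address of the link the flow left on
```

The two default routes alone only give per-destination load sharing between the links; the route-maps make sure each flow is translated to the address of whichever link routing chose, which is what a single ACL-based rule with "permit any" cannot do. Traffic from the inside subnet that is not covered by INSIDE-NETS, or that is routed out an interface not listed in any route-map, is forwarded untranslated, so the ACL and the interface matches together define exactly what gets natted.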