04-30-2019 12:34 AM
All,
I have an issue where I have a network, 192.168.1.0/24, that needs to have static NAT for two devices and NAT overload for the remainder. The static NATs are working but the overload is not...
The public IPs below are hidden but highlighted in ORANGE.
My setup
interface GigabitEthernet0/1
Description to Core
ip nat inside
ip address x.x.x.x
!
interface GigabitEthernet0/2
Description to Rourter7
ip nat outside
ip address x.x.x.x
!
ip nat pool Pool1 X.X.X.100 X.X.X.100 netmask 255.255.255.0 ***Just using one IP for NAT overload***
!
ip nat inside source static 192.168.1.101 X.X.X.101 route-map StaticRM
ip nat inside source static 192.168.1.102 X.X.X.102 route-map StaticRM
!
ip nat inside source list NAT pool Pool1 overload
!
ip access-list extended NAT ***If I do not have this, then my static NAT are ignored and everything is NAT overloaded***
deny ip host 192.168.1.101 any
deny ip host 192.168.1.102 any
permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended StaticNat
deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 ***Do not want this static NAT when going to Router7***
deny ip 192.168.1.0 0.0.0.255 10.1.2.0 0.0.0.255 ***Do not want this static NAT when going to Router7***
permit ip 192.168.1.0 0.0.0.255 any
!
route-map StaticRM permit 10 ***I have this because I need to exclude the Static NAT for some networks going to Router7***
match ip address StaticNat
!
Thanks in advance!
04-30-2019 12:51 AM
Hello,
Static NAT takes precedence, so in theory you would not need the route maps for static NAT. Try the simplified config below:
ip nat inside source static 192.168.1.101 X.X.X.101
ip nat inside source static 192.168.1.102 X.X.X.102
!
ip nat inside source list 1 pool Pool1 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
04-30-2019 01:47 AM - edited 04-30-2019 10:44 PM
Georg,
Thanks for the input, but... if I remove the route map, then how will I tell the static NAT not to NAT when going to the 10.1.1.0 0.0.0.255 network?
04-30-2019 02:23 AM
Hello,
Where in your topology is R7 (and networks 10.1.1.0/24 and 10.1.2.0/24)? Actually, what does your entire topology look like?
04-30-2019 01:21 AM - edited 04-30-2019 01:32 AM
Hello
Just like to add, I would suggest to keep the specific hosts from the dynamic NAT ACL and just amend your config a little, then test again.
no route-map StaticRM
no ip nat inside source static 192.168.1.101 X.X.X.101 route-map StaticRM
no ip nat inside source static 192.168.1.102 X.X.X.102 route-map StaticRM
ip nat inside source static 192.168.1.101 X.X.X.101
ip nat inside source static 192.168.1.102 X.X.X.102
04-30-2019 01:51 AM
Paul,
I replied to Georg. The only reason I use the route map on my static NATs is to ensure that a packet with a source address of 192.168.1.101 going to 10.1.1.0/24 or 10.1.2.0/24 will not NAT, but if it goes to any other network it will NAT.
04-30-2019 01:55 AM
Replace this line in your route map acl -
permit ip 192.168.1.0 0.0.0.255 any
with permit lines for each specific host you are doing static NAT for.
Jon
04-30-2019 02:20 AM
Jon,
Not all heroes wear capes!
You are the Bomb.com
Thanks again...all I needed to do is explicitly list each static NAT in the ACL just like you said.