
Multiple Nat Conf

dreams_as_money
Level 1

Hi everyone,

I hope you are doing well.

I have faced a multiple NAT/PAT configuration problem.

The point is, when I paste another NAT pool, a NAT with a route-map, or just a static NAT into the router, they don't work; I mean only one of them works.

So could someone tell me what's wrong and why it didn't work?

So, I have several connections.

Hardware: Cisco 2811, latest IOS 15.1

1. Internet

2. Local hosts that must be translated into global local IP addresses and be routed

3. VPN local hosts that must be translated into local global addresses

Here is a configuration example:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0.2 overload

ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/1.4 overload

New nat conf...

ip nat pool hk 172.********* 172.********** netmask 255.255.255.128

ip nat inside source list 108 pool hk overload

ip nat pool ap 172.********* 172.********** netmask 255.255.255.128

ip nat inside source list 107 pool ap overload

ip nat inside source static tcp 192.168.0.65 22 *****(Wan) 2220 extendable

ip nat inside source static tcp 192.168.0.65 80 ******(Wan) 4430 extendable

ip nat inside source static tcp 192.168.0.65 443 *****(Wan) 4431 extendable

access-list 106 permit ip host 192.168.0.193 any

access-list 107 per ip host  192.168.0.66 any

access-list 108 per ip host 192.168.0.66 any

route-map SDM_RMAP_1 permit 1

match ip address 100

!

route-map SDM_RMAP_2 permit 1

match ip address 106

4 Replies

Marwan ALshawi
VIP Alumni

When you use NAT over multiple physical interfaces, you need to use the command match interface (exit interface) with the route-map.

See the doc below:

https://supportforums.cisco.com/docs/DOC-8313

Hope this helps.

if helpful Rate
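
The advice in the reply above can be checked mechanically against a pasted configuration. The following is an added example, not part of the original thread and not a Cisco tool: it flags NAT route-maps that have no `match interface`, or whose `match interface` names an interface that is not marked `ip nat outside`. The function name, route-map names, and sample configuration are constructed for illustration.

```python
import re

# Constructed sample (hypothetical interface and route-map names).
SAMPLE = """\
interface FastEthernet0/0.2
 ip nat outside
interface FastEthernet0/1.2
 ip nat inside
ip nat inside source route-map ISP1 interface FastEthernet0/0.2 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1.2 overload
ip nat inside source route-map ISP3 interface FastEthernet0/0.2 overload
route-map ISP1 permit 10
 match ip address 100
 match interface FastEthernet0/0.2
route-map ISP2 permit 10
 match ip address 107
 match interface FastEthernet0/1.2
route-map ISP3 permit 10
 match ip address 108
"""

def lint_nat_route_maps(config):
    """Return (route_map, interface, problem) for each suspect NAT route-map."""
    role, exits, rules, section = {}, {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            section = ("if", m[1])
        elif m := re.fullmatch(r"route-map (\S+) (?:permit|deny) \d+", line):
            section = ("rm", m[1])
            exits.setdefault(m[1], [])
        elif m := re.fullmatch(
                r"ip nat inside source route-map (\S+) interface (\S+) overload", line):
            rules.append(m[1])  # route-map referenced by a PAT rule
        elif (m := re.fullmatch(r"ip nat (inside|outside)", line)) \
                and section and section[0] == "if":
            role[section[1]] = m[1]  # NAT role of the current interface
        elif (m := re.fullmatch(r"match interface (\S+)", line)) \
                and section and section[0] == "rm":
            exits[section[1]].append(m[1])  # exit interface the route-map matches
    findings = []
    for name in rules:
        if not exits.get(name):
            findings.append((name, None, "no match interface"))
        for ifname in exits.get(name, []):
            if role.get(ifname) != "outside":
                findings.append((name, ifname, "exit interface is not 'ip nat outside'"))
    return findings
```
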

Thanks

I tried it but it didn't work.

Could you clarify?

route-map ap permit 1

match ip address 107

match interface FastEthernet0/1.5

access-list 107 permit ip 192.168.0.0 0.0.255.255 any

ip nat inside source route-map ap interface FastEthernet0/1.5 overload

interface FastEthernet0/1.5   (Local wan)

encapsulation dot1Q 129

ip address *****************  255.255.255.128

no ip redirects

ip nat inside

ip virtual-reassembly in

interface FastEthernet0/0.4  wan

description Ap

encapsulation dot1Q 99

ip address**************  255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly in

no cdp enable

Have you updated the route map of int 0/0.4?

Hey Man

Let me clarify

interface FastEthernet0/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

duplex auto

speed auto

no mop enabled

!

interface FastEthernet0/0.1 (wan  for fa 0/1.6)

description Ho

encapsulation dot1Q 31

ip address ********  255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip virtual-reassembly in

no cdp enable

!

interface FastEthernet0/0.2 (internet)

description m$ETH-LAN$

encapsulation dot1Q 143

ip address *************  255.255.255.240

ip access-group udp in

no ip redirects

no ip unreachables

no ip proxy-arp

ip verify unicast reverse-path

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly in

no cdp enable

crypto map   ****

!

interface FastEthernet0/0.3 (Wan-another service)

description MC

encapsulation dot1Q 100

ip address *******  255.255.255.224

ip access-group udp-mc in

no ip redirects

no ip unreachables

no ip proxy-arp

ip verify unicast reverse-path

ip virtual-reassembly in

no cdp enable

crypto map ********

!

interface FastEthernet0/0.4 (Wan  for fa 0/1.5)

description Ap

encapsulation dot1Q 99

ip address *************  255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip virtual-reassembly in

no cdp enable

!

interface FastEthernet0/1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

duplex auto

speed auto

no mop enabled

!

interface FastEthernet0/1.1 (Local for Vpn traffic)

encapsulation dot1Q 9

ip address ***************  255.255.255.248

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

!

interface FastEthernet0/1.2   (Local lan)

encapsulation dot1Q 8

ip address ************  255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

!

interface FastEthernet0/1.3  (Local for  fast 0/0.3)

description MC-Lan

encapsulation dot1Q 300

ip address *******************  255.255.255.224

no cdp enable

!

interface FastEthernet0/1.4  (Local  for vpn traffic)

description PAy local

encapsulation dot1Q 304

ip address***************  255.255.255.248

ip nat inside

ip virtual-reassembly in

no cdp enable

!

interface FastEthernet0/1.5 (Local for fast 0/0.4) I want to translate this local traffic to my local address 192.168.0.0/24

description ap

encapsulation dot1Q 129

ip address ***************  255.255.255.128

ip virtual-reassembly in

!

interface FastEthernet0/1.6 (Local for fast 0/0.1) I want to translate this local traffic to my local address 192.168.0.0/24

desc Ho

encapsulation dot1Q 127

ip address *********   255.255.255.128

ip virtual-reassembly in

!

ip nat inside source route-map ap interface FastEthernet0/1.5 overload

ip nat inside source route-map Ho interface FastEthernet0/1.6 overload

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0.2 overload

ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/1.4 overload

ip nat inside source static tcp 192.168.0.65 22 ************  2220 extendable

ip nat inside source static tcp 192.168.0.65 80 ****************** 4430 extendable

ip nat inside source static tcp 192.168.0.65 443 ************** 4431 extendable

ip acce ex  100 per hosts *****

ip acce  ex 106  per hosts   *********

ip acce  ex  107 per **********

ip acce ex 108 per *********

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 100

match interface FastEthernet0/0.2

!

route-map SDM_RMAP_2 permit 1

match ip address 106

match interface FastEthernet0/1.4

!

route-map Ho per 1

match ip add 107

match int fa 0/1.6

route-map ap per 1

match ip add 108

match int fa 0/1.5