NAT overload not working as expected

ac5nwdude
Level 1

I have a CISCO1921 with IOS 15.3(3)M5 and its behaviour differs from what I would expect from the config.

Overview:

  • 10.4.10.0/23 local network for clients (no overload, web access via proxy, see below)
  • 10.4.12.0/24 local network for guests
  • 10.4.14.0/24 local network for mgmt
  • the rest of 10.4.0.0/16 reachable behind ipsec-tunnel (no nat)
  • clients from 10.4.10.0/23 normally access the web via a proxy (10.4.0.152:3128)
  • for testing purposes, host 10.4.11.150 should be allowed to reach the web directly (nat overload on outside interface)

Problem:

Connections to NAT overload are matched in ACL_NAT_FROM_LAN (see below), but the behaviour and output of 'show ip nat translations' differs from what I would expect from the ACL/configuration:

1) first discrepancy:
Connections to a public IP Z.Z.Z.Z sourced from within 10.4.10.0/23 get overloaded with X.X.X.X (BUT WHY?!) - anyways a connection or ping to the public IP does not work. (There is no outgoing ACL configured.)

# show ip nat translations

Pro Inside global Inside local Outside local Outside global
tcp X.X.X.X:58993 10.4.10.65:58993 Z.Z.Z.Z:80 Z.Z.Z.Z:80

2) second discrepancy:
Connections to private addresses reachable behind the IPSEC-tunnel (10.4.0.0/24) sourced from 10.4.10.0/23 show up as overloaded (BUT WHY?!) - anyways connections or pings to the private network behind the tunnel work - so obviously they don't get overloaded with the public IP X.X.X.X on the outside interface.

# show ip nat translations

Pro Inside global Inside local Outside local Outside global
tcp X.X.X.X:55800 10.4.11.150:55800 10.4.0.152:3128 10.4.0.152:3128
tcp X.X.X.X:55825 10.4.11.150:55825 10.4.0.152:3128 10.4.0.152:3128
tcp X.X.X.X:55827 10.4.11.150:55827 10.4.0.152:3128 10.4.0.152:3128
tcp X.X.X.X:55828 10.4.11.150:55828 10.4.0.152:3128 10.4.0.152:3128
tcp X.X.X.X:55862 10.4.11.150:55862 10.4.0.152:3128 10.4.0.152:3128
tcp X.X.X.X:55863 10.4.11.150:55863 10.4.0.152:3128 10.4.0.152:3128
tcp X.X.X.X:55864 10.4.11.150:55864 10.4.0.152:3128 10.4.0.152:3128
tcp X.X.X.X:55865 10.4.11.150:55865 10.4.0.152:3128 10.4.0.152:3128
tcp X.X.X.X:55866 10.4.11.150:55866 10.4.0.152:3128 10.4.0.152:3128
tcp X.X.X.X:56442 10.4.11.150:56442 10.4.0.130:8080 10.4.0.130:8080

Configuration

Please see the shortened config below, and thanks in advance for your feedback!

!
crypto map CM_VPN 20 ipsec-isakmp
set peer Y.Y.Y.Y
set transform-set ESP-AES-128-SHA
match address VPN_MATCH
!
!
object-group network NETS_LOCAL
10.4.10.0 255.255.254.0
!
object-group network RFC_Private
10.0.0.0 255.0.0.0
172.16.0.0 255.240.0.0
192.168.0.0 255.255.0.0
!
!
interface GigabitEthernet0/0
description *** OUTSIDE ***
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
!
!
interface GigabitEthernet0/1
description *** INSIDE ***
ip address 10.4.11.254 255.255.254.0
ip helper-address 10.4.0.150
ip nat inside
!
!
interface Dialer1
description *** 10 MBIT RR ***
ip access-group ACL_FW_FROM_OUTSIDE in
ip nat outside
dialer pool 1
dialer-group 1
crypto map CM_VPN
!
ip nat inside source list ACL_NAT_FROM_LAN interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.4.12.0 255.255.255.0 10.4.11.253
ip route 10.4.14.0 255.255.255.0 10.4.11.253
!
ip access-list extended ACL_NAT_FROM_LAN
permit ip host 10.4.11.150 any log
deny ip 10.4.10.0 0.0.1.255 10.4.0.0 0.0.255.255
deny ip object-group NETS_LOCAL object-group RFC_Private
deny gre any any
deny ip 10.4.12.0 0.0.0.255 10.4.0.0 0.0.255.255
permit ip host 10.4.10.68 any
permit ip 10.4.12.0 0.0.0.255 any
permit ip 10.4.0.0 0.0.255.255 any log
!
ip access-list extended VPN_MATCH
permit ip 10.4.10.0 0.0.1.255 10.4.0.0 0.0.0.255
permit ip 10.4.10.0 0.0.1.255 10.4.1.0 0.0.0.255
permit ip 10.4.10.0 0.0.1.255 10.4.4.0 0.0.0.255
permit ip 10.4.10.0 0.0.1.255 10.4.5.0 0.0.0.255
permit ip 10.4.10.0 0.0.1.255 10.4.20.0 0.0.1.255
permit ip 10.4.10.0 0.0.1.255 10.4.30.0 0.0.1.255
permit ip 10.4.10.0 0.0.1.255 10.4.40.0 0.0.1.255
permit ip 10.4.10.0 0.0.1.255 10.4.50.0 0.0.1.255
permit ip 10.4.10.0 0.0.1.255 10.10.14.0 0.0.0.255
permit ip 10.4.12.0 0.0.0.255 10.4.0.0 0.0.0.255
permit ip 10.4.12.0 0.0.0.255 10.4.1.0 0.0.0.255
permit ip 10.4.12.0 0.0.0.255 10.4.4.0 0.0.0.255
permit ip 10.4.12.0 0.0.0.255 10.4.5.0 0.0.0.255
permit ip 10.4.12.0 0.0.0.255 10.4.20.0 0.0.1.255
permit ip 10.4.12.0 0.0.0.255 10.4.30.0 0.0.1.255
permit ip 10.4.12.0 0.0.0.255 10.4.40.0 0.0.1.255
permit ip 10.4.12.0 0.0.0.255 10.4.50.0 0.0.1.255
permit ip 10.4.12.0 0.0.0.255 10.10.14.0 0.0.0.255
permit ip 10.4.14.0 0.0.0.255 10.4.0.0 0.0.0.255
permit ip 10.4.14.0 0.0.0.255 10.4.20.0 0.0.1.255
permit ip 10.4.14.0 0.0.0.255 10.4.24.0 0.0.0.255
permit ip 10.4.14.0 0.0.0.255 10.10.14.0 0.0.0.255
permit gre any any
!

/edit

Added ip routes to the configuration excerpt.
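As an added worked example (not part of the original post), the following script walks the posted ACL_NAT_FROM_LAN in first-match order and reports which ACE a given flow hits, which is the audit a NAT ACL deserves before trusting 'show ip nat translations': a translation entry only proves the ACL permitted the flow. Z.Z.Z.Z is represented by the constructed public address 203.0.113.10; the object-group contents are taken from the posted config.

```python
import ipaddress

# Object groups and ACL exactly as posted in the question.
GROUPS = {
    "NETS_LOCAL": ["10.4.10.0/23"],
    "RFC_Private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}
ACL_NAT_FROM_LAN = """
permit ip host 10.4.11.150 any log
deny ip 10.4.10.0 0.0.1.255 10.4.0.0 0.0.255.255
deny ip object-group NETS_LOCAL object-group RFC_Private
deny gre any any
deny ip 10.4.12.0 0.0.0.255 10.4.0.0 0.0.255.255
permit ip host 10.4.10.68 any
permit ip 10.4.12.0 0.0.0.255 any
permit ip 10.4.0.0 0.0.255.255 any log
"""

def parse_addr(tok, i):
    """Parse one address spec starting at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1] + "/32")], i + 2
    if tok[i] == "object-group":
        return [ipaddress.ip_network(n) for n in GROUPS[tok[i + 1]]], i + 2
    # Cisco wildcard mask: invert it to get a classic netmask.
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tok[i + 1]))
    net = ipaddress.ip_network(f"{tok[i]}/{ipaddress.ip_address(mask)}", strict=False)
    return [net], i + 2

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()                  # action proto src dst [log]
        src, i = parse_addr(tok, 2)
        dst, i = parse_addr(tok, i)
        aces.append((tok[0], tok[1], src, dst, line.strip()))
    return aces

ACES = parse_acl(ACL_NAT_FROM_LAN)

def first_match(aces, proto, src, dst):
    """Return (index, action, ace_text) of the first matching ACE, or None (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, p, srcs, dsts, text) in enumerate(aces):
        if p not in ("ip", proto):
            continue
        if any(s in x for x in srcs) and any(d in x for x in dsts):
            return n, action, text
    return None

if __name__ == "__main__":
    for proto, src, dst in [("tcp", "10.4.10.65", "203.0.113.10"),   # discrepancy 1
                            ("tcp", "10.4.11.150", "10.4.0.152")]:  # discrepancy 2
        print(proto, src, "->", dst, ":", first_match(ACES, proto, src, dst))
```

Run on the two flows from the question, 10.4.10.65 to the public address falls through every deny (none of them covers a public destination) and is permitted by the final 'permit ip 10.4.0.0 0.0.255.255 any log' ACE, while 10.4.11.150 to 10.4.0.152 is caught by the very first permit before the deny for tunnel traffic is ever consulted.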

2 Replies

Hello
You have quite a convoluted nat access-list which doesn’t make sense
First of all nat doesn’t like LOG keyword appended to any access-list it relates to
Then it seems you have ACE entries that are denying NAT on a subnet range which includes the subnet you want to NAT, and lastly you have entries that NAT won't even use?

interface GigabitEthernet0/1
description *** INSIDE ***
ip address 10.4.11.254 255.255.254.0
ip nat inside

ip access-list extended ACL_NAT_FROM_LAN
permit ip host 10.4.11.150 any log
deny ip 10.4.10.0 0.0.1.255 10.4.0.0 0.0.255.255
deny ip object-group NETS_LOCAL object-group RFC_Private <- denying 10.4.10.0/23 ip range to other RFC addressing (does your global addressing incorporate this?)
deny gre any any
deny ip 10.4.12.0 0.0.0.255 10.4.0.0 0.0.255.255 < 10.4.12.0/24 isn’t on the lan interface
permit ip host 10.4.10.68 any
permit ip 10.4.12.0 0.0.0.255 any <- doesn’t exist on the lan interface
permit ip 10.4.0.0 0.0.255.255 any log <- and not specific enough (10.4.10.0 0.0.254.255)


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I think the subnet is the issue here

ip address 10.4.11.254 255.255.254.0


This is for the interface, meaning /23, so:
IPSec without NAT: which host?
With overload: which host?
