03-28-2008 12:39 AM - edited 03-03-2019 09:18 PM
Hi All
I wonder if someone can help me with a NAT problem.
It seems to be a relatively simple setup, but I can't get it to work properly.
I've set up a simple lab as follows:
laptop1<-->fe0/1-router-fe0/0<-->laptop2
laptop1-eth1 = 1.1.1.100
laptop1-eth1:1 = 10.1.1.100
fe0/1 = 1.1.1.1
fe0/1 = 10.1.1.1 (secondary)
fe0/0 = 2.2.2.1
laptop2 = 2.2.2.100
Now, when laptop2 pings 1.1.1.100, I want the router to NAT the source into something (say 200.0.0.0/24).
But I *don't* want it to NAT when pinging 10.1.1.100.
So I figure I need a NAT rule with a route-map/access-list. Here is my config:
----------config-------------
int fa0/0
 ip nat inside
!
int fa0/1
 ip nat outside
!
ip nat inside source static network 2.2.2.0 200.0.0.0 /24 route-map nat
!
access-list 101 permit ip any 1.1.1.0 0.0.0.255
!
route-map nat permit 10
 match ip address 101
 set ip next-hop 1.1.1.100
----------/config-------------
The thing is, the route-map seems to match (debug ip nat detail gives: "NAT: map match nat") but the actual NAT'ing does not take place
(there are no translations and tcpdump on laptop 1 shows original source IP address).
Have I missed something here?
TIA
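The outcome the post above is asking for, modelled as an added example (not from the thread and not a description of how IOS implements NAT). The function names are hypothetical; the addresses, ACL entry and static network mapping are the ones in the posted config, and the two flows are constructed from the lab addressing.

```python
import ipaddress

def acl_match(dst, base, wildcard):
    """Cisco-style wildcard match: bits set in the wildcard are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(dst)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)

def static_network_nat(src, local_net, global_net):
    """Map src from local_net onto global_net, keeping the host bits.
    Returns None when src is outside local_net."""
    local = ipaddress.IPv4Network(local_net)
    glob = ipaddress.IPv4Network(global_net)
    addr = ipaddress.IPv4Address(src)
    if addr not in local:
        return None
    host_bits = int(addr) & int(local.hostmask)
    return str(ipaddress.IPv4Address(int(glob.network_address) | host_bits))

def expected_source(src, dst):
    """Source address laptop1 should see if the policy worked as intended."""
    # access-list 101 permit ip any 1.1.1.0 0.0.0.255
    if acl_match(dst, "1.1.1.0", "0.0.0.255"):
        # ip nat inside source static network 2.2.2.0 200.0.0.0 /24
        translated = static_network_nat(src, "2.2.2.0/24", "200.0.0.0/24")
        if translated is not None:
            return translated
    return src  # no ACL match: the packet should leave untranslated

# Constructed flows using the lab addresses from the post
FLOWS = [("2.2.2.100", "1.1.1.100"), ("2.2.2.100", "10.1.1.100")]

if __name__ == "__main__":
    for src, dst in FLOWS:
        print(f"{src} -> {dst}: expect source {expected_source(src, dst)}")
```

Comparing these expected sources with what tcpdump on laptop1 shows makes the symptom concrete: the first flow should arrive from 200.0.0.100, the second from 2.2.2.100.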
03-28-2008 02:44 AM
Hi Matthew,
Do you want to use route-map commands to do nat operations?
I would not use a set ip next-hop command in this case.
For testing:
ip nat inside source static network 2.2.2.0 200.0.0.0 /24 route-map nat
!
access-list 101 permit ip any 1.1.1.0 0.0.0.255
!
route-map nat permit 10
 match ip address 101
Let us know how things work out.
Thot
03-28-2008 03:13 AM
Hi Thot
Actually, I've tried not using the set ip next-hop also. Doesn't seem to have any effect either way.
If I don't use the route-map at all, the NAT works fine (for all packets), but putting in this simple route-map/access-list seems to kill the NAT altogether.
03-28-2008 03:32 AM
Just to add some more info...
A "sho ip access-lists" shows that my access list is being matched
But a "show route-map" says:
"Policy routing matches: 0 packets, 0 bytes"
On the other hand, a "debug ip nat detail" says:
"NAT: map match nat" for every packet that is sent.
...but the final result is still the same. The packets aren't being NAT'd for some reason.
03-28-2008 09:13 AM
Hi Matthew,
please post "debug ip nat detail" & "show ver" outputs here.
Kind Regards
Thot
03-28-2008 07:51 PM
Hi Matt,
Can you please provide o/p of "debug ip nat detail" as well as "sh ip nat translations"? I think the problem lies in the port translation.
I can't confirm this unless I get the outputs. Also, I'll try to simulate your scenario in my lab and let you know.
HTH.
Cheers,
Nikhil E.
03-29-2008 08:34 PM
03-30-2008 12:22 AM
Hi Matthew,
I would recommend that you upgrade IOS to a new version that the hardware supports.
I just read information you provided. It didn't make me completely clear about nat information as expected.
Let us know how things work out
Thot
03-30-2008 04:39 PM
Hi Thot
Yes, that was going to be my next step. I figured there may be something wrong with the sequence of events (routing/acl/nat/etc). Bug maybe?
But actually, I ran out of time and used a dedicated box for NAT'ing those specific networks instead of policy routing.
Would still be interested if anyone has a solution.
Thanks again.
Matt