07-12-2010 08:14 AM - edited 03-04-2019 09:02 AM
Hi All,
I have a 2811 router with 2 external "outside" interfaces, Fa0/1 and Fa0/2/0. My problem is that when I come to NAT inside source addresses, NATing only works for addresses listed in the first access list of the first NAT statement. I have included config snippets below.
interface FastEthernet0/1
ip address 172.24.170.39 255.255.255.128
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/2/0
ip address 10.1.1.198 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
access-list 30 permit 172.16.4.0 0.0.3.255
access-list 30 permit 172.16.8.0 0.0.3.255
access-list 30 permit 172.16.20.0 0.0.3.255
access-list 30 permit 192.168.100.0 0.0.0.255
access-list 31 permit 172.16.20.0 0.0.3.255 log
ip nat inside source list 30 interface FastEthernet0/1 overload
ip nat inside source list 31 interface FastEthernet0/2/0 overload
172.17.0.0/30 is subnetted, 1 subnets
C 172.17.254.4 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
S 172.16.20.0/22 [1/0] via 172.17.254.6
S 172.16.16.0/22 [1/0] via 172.17.254.6
S 172.16.12.0/22 [1/0] via 172.17.254.6
S 172.16.8.0/22 [1/0] via 172.17.254.6
S 172.16.10.14/32 [1/0] via 172.24.170.1
S 172.16.4.0/22 [1/0] via 172.17.254.6
172.24.0.0/16 is variably subnetted, 2 subnets, 2 masks
S 172.24.42.132/32 [1/0] via 172.24.170.1
C 172.24.170.0/25 is directly connected, FastEthernet0/1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S 10.8.0.0/16 [1/0] via 172.24.170.1
C 10.1.1.0/24 is directly connected, FastEthernet0/2/0
S 192.168.100.0/24 [1/0] via 172.17.254.6
For example, a client with IP 172.16.20.25 pings 10.8.27.71 -> NAT takes place with the new source IP of fa0/1, which is 172.24.170.39, as shown in the debug below:
NAT*: s=172.16.20.25->172.24.170.39, d=10.8.27.71 [11077]
Now the same client pings 10.1.1.254, but the router is still NATing with the new source IP of fa0/1:
NAT*: s=172.16.20.25->172.24.170.39, d=10.1.1.254 [11175]
Why is it not using the routing table and NATing to fa0/2/0???
I must be overlooking something.
Thanks,
07-13-2010 01:17 AM
ACLs are checked from top to bottom. When you ping the 10.1.x.x network, ACL 30 still gets matched, and since this ACL is associated with the first NAT statement, NAT takes place as per the first NAT statement.
The router has no way of knowing when to use the second NAT statement, because the traffic has already been matched in ACL 30 and the router has two outside NAT interfaces, unless you use a specific source and destination, i.e. an extended ACL.
I would suggest that you use extended ACLs like below:
access-list 101 permit 172.16.4.0 0.0.3.255 10.8.0.0 0.0.255.255
access-list 101 permit 172.16.8.0 0.0.3.255 10.8.0.0 0.0.255.255
access-list 101 permit 172.16.20.0 0.0.3.255 10.8.0.0 0.0.255.255
access-list 101 permit 192.168.100.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 102 permit 172.16.20.0 0.0.3.255 10.1.1.0 0.0.0.255 log
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source list 102 interface FastEthernet0/2/0 overload
The route table looks okay to me.
Try this and let me know if it works out.
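To make the first-match rule in the answer concrete, here is an added Python model of how the router picks a NAT statement (example code written for this page, not from the thread or from IOS): it parses the two configurations above (abridged), evaluates each ACL top-down with Cisco wildcard masks, and returns the outside interface of the first "ip nat inside source" statement whose ACL permits the flow; the routing table plays no part. With the standard ACLs, 172.16.20.25 -> 10.1.1.254 still lands on FastEthernet0/1; with the extended ACLs it goes to FastEthernet0/2/0, and a source not listed in either extended ACL is left untranslated.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care' for that bit."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

def parse_config(lines):
    """Return (acls, nat_rules); a standard entry (no destination) matches any destination."""
    acls, nat_rules = {}, []
    for line in lines:
        p = [t for t in line.split() if t != "log"]
        if p[:1] == ["access-list"]:
            dst = tuple(p[5:7]) if len(p) >= 7 else ("0.0.0.0", "255.255.255.255")
            acls.setdefault(p[1], []).append((p[2], p[3], p[4]) + dst)
        elif p[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_rules.append((p[5], p[7]))  # (ACL number, outside interface), in order
    return acls, nat_rules

def acl_permits(entries, src, dst):
    """Top-down evaluation: the first matching entry decides, implicit deny at the end."""
    for action, s, s_wc, d, d_wc in entries:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action == "permit"
    return False

def select_nat_interface(config_lines, src, dst):
    """First NAT statement whose ACL permits src->dst wins; routing is never consulted."""
    acls, nat_rules = parse_config(config_lines)
    for acl, iface in nat_rules:
        if acl_permits(acls.get(acl, []), src, dst):
            return iface
    return None  # nothing matched: the packet is forwarded untranslated

# The thread's two configurations (abridged), re-typed here as sample input.
STANDARD_CFG = """\
access-list 30 permit 172.16.4.0 0.0.3.255
access-list 30 permit 172.16.20.0 0.0.3.255
access-list 30 permit 192.168.100.0 0.0.0.255
access-list 31 permit 172.16.20.0 0.0.3.255 log
ip nat inside source list 30 interface FastEthernet0/1 overload
ip nat inside source list 31 interface FastEthernet0/2/0 overload""".splitlines()
EXTENDED_CFG = """\
access-list 101 permit 172.16.4.0 0.0.3.255 10.8.0.0 0.0.255.255
access-list 101 permit 172.16.20.0 0.0.3.255 10.8.0.0 0.0.255.255
access-list 101 permit 192.168.100.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 102 permit 172.16.20.0 0.0.3.255 10.1.1.0 0.0.0.255 log
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source list 102 interface FastEthernet0/2/0 overload""".splitlines()
```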
07-13-2010 06:22 AM
Thanks! That worked a treat, but I now have another issue.
When I am adding more subnets to ACL 101 they are not being translated!! For example, this is how my ACL looks:
Extended IP access list 101
10 permit ip 172.16.20.0 0.0.3.255 10.8.0.0 0.0.255.255
20 permit ip 172.16.20.0 0.0.3.255 172.24.42.0 0.0.0.255
30 permit ip 172.16.4.0 0.0.3.255 10.8.0.0 0.0.255.255
For subnet 172.16.20.x everything works fine, so I added subnet 172.16.4.0 and nothing happens, no translation takes place. I have played about with this and I think it must be something to do with the way I am adding addresses to the list.
This is the method I am using to add more addresses to ACL 101:
conf t
ip access-list extended 101 (enter)
permit ip 172.16.4.0 0.0.3.255 10.8.0.0 0.0.255.255 log
exit
That subnet can access the router fine so I know routing is OK.
07-13-2010 11:42 AM
Well, there's nothing wrong with your method of appending lines to the existing ACL. What IOS version are you using?
Can you try re-applying the whole ACL access-list command?
07-14-2010 11:36 AM
Got it working now. I had to strip out all the NAT configuration and apply all the steps again.
Thanks for your replies.