05-13-2014 01:55 AM - edited 03-04-2019 10:58 PM
Hi,
My problem is:
If I initiate traffic towards both outside NAT interfaces (G0/1 and G0/2) from the NAT inside interface G0/0, NAT translation table entries for both interfaces are established, but only the targets behind outside interface G0/1 respond. If I remove the configuration for interface G0/1, I get answers from the targets at G0/2.
The problem results from the subnetting/overlapping of the address spaces of G0/1 and G0/2.
If I use two class C network masks for G0/1 and G0/2, it all works fine. Because I can't change the address space, my question is: is there any possibility to configure a working NAT configuration while keeping the address overlap for G0/1 and G0/2?
C2911 with IOS 15.4(2)T
interface GigabitEthernet0/0
ip address 10.58.7.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
ip address 10.10.58.1 255.255.255.0
ip nat outside
!
interface GigabitEthernet0/2
ip address 10.10.0.1 255.255.240.0
ip nat outside
!
ip nat inside source route-map RM-G1 interface GigabitEthernet0/1 overload
ip nat inside source route-map RM-G2 interface GigabitEthernet0/2 overload
!
route-map RM-G1 permit 10
match ip address 110
!
route-map RM-G2 permit 10
match ip address 120
!
access-list 110 permit ip 10.58.7.0 0.0.0.255 10.10.50.0 0.0.0.255
access-list 120 permit ip 10.58.7.0 0.0.0.255 10.20.20.0 0.0.0.255
!
ip route 10.10.50.0 255.255.255.0 10.10.58.2
ip route 10.20.20.0 255.255.255.0 10.10.0.2
05-13-2014 02:18 AM
Sorry wrong message response!!!!!!
Please ignore.
05-13-2014 12:14 PM
Hi,
route-map RM-G1 permit 10
match ip address 110
match interface g0/1
route-map RM-G2 permit 10
match ip address 120
match interface g0/2
Regards
Alain
05-14-2014 12:55 AM
Hi Alain,
thanks for your answer. I already tried that, without success.
I believe that IOS (I tried two different IOS versions) in conjunction with my C2911 can't handle the configuration of two outside NAT interfaces. The NAT debug message is:
NAT-SymDB: DB is either not enabled or not initiated.
Only the first NAT statement (ip nat inside source route-map RM-G1 interface GigabitEthernet0/1 overload) works. But I have to delete the second NAT statement (ip nat inside source route-map RM-G2 interface GigabitEthernet0/2 overload) and shut down the interface (GigabitEthernet0/2) that the second NAT statement points to.
At the moment I use two routers (C1841) for the connections and wanted to reduce that to one, but I believe Cisco doesn't like it ;-)
05-14-2014 11:36 AM
Alain's answer is the correct solution, at least as per the docs :-), for multiple PAT interfaces with route-maps.
Can you post the output of "debug ip nat detailed" and also try the solution from the following link for your 2900 series router:
http://www.addoway.com/cisco2900router/blog/b/Cisco-2901-Unable-to-NAT-to-Internet
or
https://supportforums.cisco.com/discussion/11444666/unable-nat-internet-cisco-2901
Both show the same NAT debug error.
Manish
05-14-2014 01:28 PM
Actually, he is using different destinations in the access-lists used for the route-maps.
Because of that, I believe he doesn't need to specify the interface either.
05-15-2014 01:37 AM
Sending pings from my PC (10.58.7.254), connected at G0/0, to 10.130.13.140, which is reachable over interface G0/1.
Part of the NAT debug output:
001167: *May 15 09:16:07.171 PCTime: NAT: i: icmp (10.58.7.254, 1) -> (10.130.13.140, 1) [14912]
001168: *May 15 09:16:07.171 PCTime: NAT: s=10.58.7.254->10.246.0.2, d=10.130.13.140 [14912]
001169: *May 15 09:16:12.179 PCTime: NAT: i: icmp (10.58.7.254, 1) -> (10.130.13.140, 1) [14919]
001170: *May 15 09:16:12.179 PCTime: NAT: s=10.58.7.254->10.246.0.2, d=10.130.13.140 [14919]
001171: *May 15 09:16:17.171 PCTime: NAT: i: icmp (10.58.7.254, 1) -> (10.130.13.140, 1) [14920]
001172: *May 15 09:16:17.171 PCTime: NAT: s=10.58.7.254->10.246.0.2, d=10.130.13.140 [14920]
001173: *May 15 09:16:22.179 PCTime: NAT: i: icmp (10.58.7.254, 1) -> (10.130.13.140, 1) [14922]
001174: *May 15 09:16:22.179 PCTime: NAT: s=10.58.7.254->10.246.0.2, d=10.130.13.140 [14922]
001175: *May 15 09:16:27.171 PCTime: NAT: i: icmp (10.58.7.254, 1) -> (10.130.13.140, 1) [14923]
001176: *May 15 09:16:27.171 PCTime: NAT: s=10.58.7.254->10.246.0.2, d=10.130.13.140 [14923]
001177: *May 15 09:16:32.175 PCTime: NAT: i: icmp (10.58.7.254, 1) -> (10.130.13.140, 1) [14924]
001178: *May 15 09:16:32.175 PCTime: NAT: s=10.58.7.254->10.246.0.2, d=10.130.13.140 [14924]
001179: *May 15 09:16:32.855 PCTime: NAT: expiring 10.246.58.253 (10.58.7.254) icmp 1 (1)
001180: *May 15 09:16:32.855 PCTime: NAT-SymDB: DB is either not enabled or not initiated.
#######################################################################
I only have to change the netmask of the IP address on interface G0/1 to:
ip address 10.246.0.2 255.255.255.0
and all works fine. But that is not really possible for me in my real network.
Complete config:
###################### S T A R T ######################################
!
! Last configuration change at 09:05:23 PCTime Thu May 15 2014 by shanjue
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname F26-BVA-H88
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.154-2.T.bin
boot system flash:c2900-universalk9-mz.SPA.152-4.M5.bin
boot system flash:
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 10000000
!
no aaa new-model
clock timezone PCTime 1 0
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
no ip source-route
!
!
!
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name bgr.de
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-441080002
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-441080002
revocation-check none
rsakeypair TP-self-signed-441080002
!
!
crypto pki certificate chain TP-self-signed-441080002
certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
license udi pid CISCO2911/K9 sn FTX1712AJ65
!
!
archive
log config
hidekeys
!
redundancy
!
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description to:C148:P39:VL104
ip address 10.58.7.249 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nat inside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description to:X2:1(SINA-IVBV)
ip address 10.246.0.2 255.255.240.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
description to-X3:1(SINA-BMWi)
ip address 10.246.58.253 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
no mop enabled
!
router ospf 100
redistribute static metric 1 subnets
network 10.58.7.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
ip http server
ip http access-class 99
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map RM-BMWI interface GigabitEthernet0/2 overload
ip nat inside source route-map RM-IVBV interface GigabitEthernet0/1 overload
ip nat inside source static 10.58.7.221 10.246.0.21 route-map RM-IVBV
ip nat inside source static 10.58.7.222 10.246.0.22 route-map RM-IVBV
ip nat inside source static 10.58.7.30 10.246.0.30 route-map RM-IVBV
ip nat inside source static 10.58.7.233 10.246.0.233 route-map RM-IVBV
ip route 10.6.77.0 255.255.255.0 10.246.0.1
ip route 10.6.79.0 255.255.255.0 10.246.0.1
ip route 10.130.13.0 255.255.255.0 10.246.0.1
ip route 10.130.145.0 255.255.255.0 10.246.0.1
ip route 10.130.164.0 255.255.255.0 10.246.0.1
ip route 10.192.0.0 255.255.255.0 10.246.0.1
ip route 10.246.0.0 255.255.255.0 10.246.58.254
ip route 10.246.50.0 255.255.255.0 10.246.58.254
ip route 10.247.32.0 255.255.255.0 10.246.0.1
ip route 10.248.155.0 255.255.255.0 10.246.0.1
ip route 10.248.200.0 255.255.255.0 10.246.0.1
ip route 10.248.204.0 255.255.255.0 10.246.0.1
ip route 10.248.208.0 255.255.255.0 10.246.0.1
ip route 10.248.252.0 255.255.255.0 10.246.0.1
ip route 10.251.128.0 255.255.255.0 10.246.0.1
!
no logging trap
!
route-map RM-BMWI permit 10
match ip address 122
match interface GigabitEthernet0/2
!
route-map RM-IVBV permit 10
match ip address 121
match interface GigabitEthernet0/1
!
!
access-list 1 permit 10.58.7.0 0.0.0.255 log
access-list 2 permit 10.58.7.0 0.0.0.255 log
access-list 3 permit 10.246.0.0 0.0.0.255
access-list 3 permit 10.246.50.0 0.0.0.255
access-list 99 permit 10.58.7.0 0.0.0.255 log
access-list 100 permit ip any any log
access-list 101 permit ip any any log
access-list 102 permit ip any any log
access-list 121 permit ip 10.58.7.0 0.0.0.255 10.6.77.0 0.0.0.255
access-list 121 permit ip 10.58.7.0 0.0.0.255 10.6.79.0 0.0.0.255
access-list 121 permit ip 10.58.7.0 0.0.0.255 10.130.13.0 0.0.0.255
access-list 121 permit ip 10.58.7.0 0.0.0.255 10.130.145.0 0.0.0.255
access-list 121 permit ip 10.58.7.0 0.0.0.255 10.130.164.0 0.0.0.255
access-list 121 permit ip 10.58.7.0 0.0.0.255 10.192.0.0 0.0.255.255
access-list 121 permit ip 10.58.7.0 0.0.0.255 10.248.0.0 0.0.255.255
access-list 121 permit ip 10.58.7.0 0.0.0.255 10.251.128.0 0.0.0.255
access-list 122 permit ip 10.58.7.0 0.0.0.255 10.246.50.0 0.0.0.255
!
control-plane
!
!
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line aux 0
login local
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
session-timeout 180
access-class 99 in
exec-timeout 60 0
privilege level 15
login local
transport input ssh
!
scheduler allocate 20000 1000
!
end
############################ E N D ##############################
05-15-2014 04:45 AM
Sometimes one has tomatoes on one's eyes. I already wrote the solution (workaround). In my specific situation I simply have to change the netmask of interface G0/1 to 255.255.255.0 on my side and nothing else.
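As an added illustration (not code from the thread, the poster, or Cisco), the following Python script reads the interface addresses, NAT roles and static routes from the posted running-config and reports two kinds of overlap between "ip nat outside" interfaces: connected subnets that overlap each other, and a static route that is more specific than an outside interface's connected subnet, covers that interface's own address (the address its overload PAT translates to), and points at a next hop on the other outside interface. On the posted config it flags the static route 10.246.0.0/24 via 10.246.58.254, which covers G0/1's address 10.246.0.2 inside its 10.246.0.0/20 subnet; with the poster's workaround applied (G0/1 narrowed to /24) the static route is no longer more specific than the connected route and the check is silent. The function and finding names are my own; the configuration excerpt is copied from the thread with unrelated lines omitted.

```python
import ipaddress
import re

# Constructed sample input: the interface and static-route lines copied from
# the router configuration posted in the thread (other lines omitted).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.58.7.249 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 10.246.0.2 255.255.240.0
 ip nat outside
!
interface GigabitEthernet0/2
 ip address 10.246.58.253 255.255.255.0
 ip nat outside
!
ip route 10.246.0.0 255.255.255.0 10.246.58.254
ip route 10.246.50.0 255.255.255.0 10.246.58.254
ip route 10.130.13.0 255.255.255.0 10.246.0.1
"""

# The same config with the poster's workaround applied: G0/1 narrowed to /24.
WORKAROUND_CONFIG = SAMPLE_CONFIG.replace(
    "ip address 10.246.0.2 255.255.240.0", "ip address 10.246.0.2 255.255.255.0"
)


def parse_config(text):
    """Extract NAT-relevant facts from IOS running-config text (hypothetical helper).

    Returns (interfaces, routes):
      interfaces: {name: {"iface": IPv4Interface or None, "nat": "inside"|"outside"|None}}
      routes:     [(IPv4Network, next-hop IPv4Address), ...]
    """
    interfaces = {}
    routes = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"iface": None, "nat": None}
            continue
        if line == "!":
            current = None  # a lone "!" ends the interface stanza
            continue
        m = re.match(r"^ip address (\S+) (\S+)$", line)
        if m and current is not None:
            # ipaddress accepts dotted netmasks, e.g. "10.246.0.2/255.255.240.0"
            interfaces[current]["iface"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"^ip nat (inside|outside)$", line)
        if m and current is not None:
            interfaces[current]["nat"] = m.group(1)
            continue
        m = re.match(r"^ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)$", line)
        if m:
            routes.append((ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"),
                           ipaddress.IPv4Address(m.group(3))))
    return interfaces, routes


def lint_nat_outside(text):
    """Return findings about the 'ip nat outside' interfaces (hypothetical lint).

    "subnet-overlap": the connected subnets of two outside interfaces overlap.
    "route-covers-nat-address": a static route more specific than an outside
      interface's connected subnet covers that interface's own address (the one
      its overload PAT uses) and its next hop sits on another outside interface,
      so longest-prefix routing prefers the static route over the connected one.
    """
    interfaces, routes = parse_config(text)
    outside = {n: d["iface"] for n, d in interfaces.items()
               if d["nat"] == "outside" and d["iface"] is not None}
    names = sorted(outside)
    findings = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if outside[a].network.overlaps(outside[b].network):
                findings.append(("subnet-overlap", a, b,
                                 str(outside[a].network), str(outside[b].network)))
    for name in names:
        connected = outside[name].network
        for prefix, next_hop in routes:
            if outside[name].ip in prefix and prefix.prefixlen > connected.prefixlen:
                for other in names:
                    if other != name and next_hop in outside[other].network:
                        findings.append(("route-covers-nat-address", name, other,
                                         str(prefix), str(next_hop)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with /24 on G0/1", WORKAROUND_CONFIG)):
        print(label + ":", lint_nat_outside(cfg) or "no findings")
```

The prefix-length comparison models the forwarding decision: a static /24 beats a connected /20 by longest match, while a static /24 against a connected /24 loses on administrative distance, which is why the mask change makes the finding disappear.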
05-14-2014 11:07 AM
It's not clear to me what the overlap you mention is. Can you detail it?