NAT works for Host destination but not for network statement

Mehdi Talei · ‎10-29-2014

I have a weird situation and try to find an answer for...

In my NAT ACL if I put a host as destination, NAT works and the destination is reachable however if I use the network, I can't get out to destination! No match will appear on my statement in ACL and no NAT will appear in sh ip nat tr

Here is the config (only two hosts 207.2.207.132 and 8.8.8.8 are reachable and nothing on network 207.2.204.0/22):

int vlan20

ip address 10.23.254.1 255.255.255.128

ip nat inside

no ip redirects
no ip unreachables
no ip proxy-arp

!

interface FastEthernet8
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto

!

ip access-list extended AW-nat
deny ip 10.23.254.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.23.254.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 10.23.254.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.23.254.0 0.0.0.255 host 8.8.8.8
permit ip 10.23.254.0 0.0.0.255 207.2.204.0 0.0.3.255 log
permit ip 10.23.254.0 0.0.0.255 host 207.2.207.132

!

ip nat inside source list AW-nat interface FastEthernet8 overload

!

ip route 207.2.204.0 255.255.252.0 FastEthernet8 dhcp

Any idea please??? The test is done on Cisco 891 router.

Thanks

Yunas · ‎10-30-2014

The best way to do your task is:

Select your source networks which you want to be NAT in the NAT ACL, and if you don't want some host access some destination, use different inbound ACL filter on interface vlan 20.

SATISH KATTIKA · ‎11-02-2014

Did you configured the NAT on the switch ? what is the model of the switch do you have ip routing enabled for that.. ?

I don't see any issues with the configuration.

Aref Alsouqi · ‎11-02-2014

Hi,

Just remove the "log" keyword at the end of the ace of the network 207.2.204.0/22. Log keyword won't work neither with PBR.

Regards,

Aref