12-19-2006 06:58 PM - edited 03-03-2019 03:06 PM
Hi all
We have many Cisco 831s and we have to NAT (for Internet traffic purposes) on an Ethernet interface that has its IP address assigned from an ISP with the DHCP protocol.
We put the following lines in our router
ip nat inside source list 2 interface Ethernet 1 overload
access-list 2 permit x.x.x.x x.x.x.x (Lan subnet)
We are also going to have to NAT on our dial-backup interface for the same purpose.
If I only put the "ip nat inside source list 3 interface Async 1 overload"
and the "access-list 3 permit x.x.x.x x.x.x.x" (same subnet as the Ethernet 1 NAT),
then remove the "ip nat inside source list 2 interface Ethernet 1 overload", everything works fine, but if I leave the 2 NAT lines I'm not able to NAT on the Async interface.
Is this normal?
Thank you very much
12-19-2006 07:07 PM
The router basically cannot decide which to use when you have the same access list on both. It is even stranger when they partially overlap.
The solution to this is to use route-maps and match the outside interface name. You can also restrict it to addresses if you wish some things to be NATted and others not. This in effect allows selection of the NAT pool/address by the outgoing interface.
12-22-2006 12:29 PM
Must I put the match interface Ethernet1 Async1 on the same route-map?
I tried many possibilities but the only one that seems to work is to put
ip nat inside source route-map NATINGAS1 interface Async1 overload
ip nat inside source route-map NATINGET1 interface Ethernet1 overload
!
route-map NATINGET1 permit 10
 match interface Ethernet1
!
route-map NATINGAS1 permit 10
 match interface Async1
!
But the VPNs that I use on those interfaces are flapping.
12-19-2006 10:00 PM
Hi Martin
In this case, if you could get one public static IP, you can assign it under a loopback interface, which you can use for a single overloading statement.
This will avoid configuring 2 different overload statements over 2 different interfaces.
Regards
12-20-2006 08:06 AM
Thanks
But the problem is that the Ethernet public IP address is assigned dynamically, and it's the same thing for the dial-backup Async interface.
12-22-2006 12:58 PM
Not sure what would cause the VPN to flap.
You should be able to find out if it is NAT doing it by running debug ip nat detail.
If it is particular addresses, you can add another match statement to match IP addresses also. This would allow you to not NAT certain addresses. It would then only apply the NAT pool if both match conditions were true.
12-22-2006 02:22 PM
Why can't you just do this:
ip nat inside source list 2 interface ethernet 1 overload
ip nat inside source list 2 interface async 1 overload
access-list 2 permit x.x.x.x
and then add the "ip nat inside" and "ip nat outside" statements on the corresponding interfaces.
NATing is the last step in the order of operations chain. The router will receive a packet on its inside interface, do a route table look-up (assuming process switching), switch the packet to the correct interface, then follow the NAT commands that apply to it.
No?
12-22-2006 02:37 PM
that is what he tried to start.
The problem isn't that it routes wrong, it's that it does not know which ip nat inside to use. When configured in this method it only uses the IP address in the access list to make the selection. It cannot decide and you kinda get random results. They added the route-map to allow you to use the outbound interface as the selection method. You can also put a match entry to match the access list if you want to do both.
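The route-map approach described in the reply above, written out as a configuration (an added example, not posted by anyone in the thread). Assumed here: Ethernet0 as the inside LAN interface, the constructed subnets 192.168.10.0/24 and 10.20.0.0/16, and the route-map names NAT-ET1 and NAT-AS1.

```cisco
! Added example. Constructed values: LAN 192.168.10.0/24, remote range
! 10.20.0.0/16 that must not be translated. Ethernet0 as LAN is an assumption.
!
interface Ethernet0
 ip nat inside
!
interface Ethernet1
 ip nat outside
!
interface Async1
 ip nat outside
!
! Extended ACL shared by both route-maps.
! Line 1 exempts traffic to the constructed remote range from NAT,
! line 2 selects the remaining LAN traffic for translation.
access-list 102 deny   ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.255.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
!
! One route-map per outside interface. Every match line in a sequence
! must be true, so the same ACL can be used by both NAT rules and the
! outgoing interface decides which rule applies.
route-map NAT-ET1 permit 10
 match ip address 102
 match interface Ethernet1
!
route-map NAT-AS1 permit 10
 match ip address 102
 match interface Async1
!
! Each NAT rule references the route-map whose name it was defined under;
! a name that does not match a defined route-map leaves the rule unselected.
ip nat inside source route-map NAT-ET1 interface Ethernet1 overload
ip nat inside source route-map NAT-AS1 interface Async1 overload
```

After a failover to the dial-backup link, `show ip nat translations` should list inside-global addresses taken from Async1 rather than Ethernet1.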
12-22-2006 03:05 PM
I hear what you're saying, but one would think that the router would choose the correct ip nat statement/directive based on the interface to where it switches the packet. In other words, if it switches the packet to the ethernet 1 interface, it should recognize the "ip nat outside" statement under the interface configs and then know that it would have to follow the nat directive that corresponds to that interface.
Anyway, would you kindly show me how you would configure this?
Thank you very much for your time.
12-29-2006 07:02 AM
Thank you very much, everything works.