NATing 1 subnet on 2 different interfaces

Hi all

We have many Cisco 831 routers and we have to NAT (for Internet traffic purposes) on an Ethernet interface whose IP address is assigned by the ISP via DHCP.

We put the following lines in our router:

ip nat inside source list 2 interface Ethernet 1 overload

access-list 2 permit x.x.x.x x.x.x.x (Lan subnet)

We are also going to have to NAT on our dial-backup interface for the same purpose.

If I only put the "ip nat inside source list 3 interface Async 1 overload"

and the "access-list 3 permit x.x.x.x x.x.x.x" (the same subnet as the Ethernet 1 NATing)

and then remove the "ip nat inside source list 2 interface Ethernet 1 overload", everything works fine, but if I leave both NAT lines in I'm not able to NAT on the Async interface.

Is this normal?

Thank you very much

9 Replies

tdrais
Level 7

The router basically cannot decide which to use when you have the same access list on both. It is even more strange when they partially overlap.

The solution to this is to use route-maps and match the outside interface name. You can also restrict it to addresses if you wish some things to be NATted and others not. This in effect allows selection of the NAT pool/address by the outgoing interface.

Must I put the match interface Ethernet1 Async1 on the same route-map?

I tried many possibilities, but the only one that seems to work is to put:

ip nat inside source route-map NATINGAS1 interface Async1 overload
ip nat inside source route-map NATINGET1 interface Ethernet1 overload
!
! Route-map name corrected to match the NAT statement above (was NATINGDI1)
route-map NATINGET1 permit 10
 match interface Ethernet1
!
route-map NATINGAS1 permit 10
 match interface Async1
!

But my VPNs that I use on those interfaces are flapping.

spremkumar
Level 9

Hi Martin

In this case, if you could get one public static IP, you can assign it to a loopback interface, which you can then use for a single overloading statement.

This will avoid configuring 2 different overload statements over 2 different interfaces.

regds

Thanks

But the problem is that the Ethernet public IP address is assigned dynamically, and it's the same thing for the dial-backup Async interface.

Not sure what would cause the VPN to flap.

You should be able to find out if it is NAT doing it by doing debug ip nat detail.

If it is particular addresses, you can add another match statement to match IP addresses also. This would allow you to not NAT certain addresses. It would then only apply the NAT pool if both match conditions were true.

Why can't you just do this:

ip nat inside source list 2 interface ethernet 1 overload
ip nat inside source list 2 interface async 1 overload
access-list 2 permit x.x.x.x

and then add the "ip nat inside" and "ip nat outside" statements on the corresponding interfaces.

NATing is the last step in the order-of-operations chain. The router will receive a packet on its inside interface, do a routing table lookup (assuming process switching), switch the packet to the correct interface, then follow the NAT commands that apply to it.

No?

That is what he tried to start with.

The problem isn't that it routes wrong, it's that it does not know which ip nat inside statement to use. When configured in this method it only uses the IP address in the access list to make the selection. It cannot decide and you kind of get random results. They added the route-map to allow you to use the outbound interface as the selection method. You can also put a match entry to match the access list if you want to do both.

I hear what you're saying, but one would think that the router would choose the correct ip nat statement/directive based on the interface to which it switches the packet. In other words, if it switches the packet to the ethernet 1 interface, it should recognize the "ip nat outside" statement under the interface config and then know that it would have to follow the NAT directive that corresponds to that interface.

Anyway, would you kindly show me how you would configure this?

Thank you very much for your time.
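A complete version of the route-map-based configuration the accepted answer describes, added here as an illustration and not taken from any post in the thread. The interface names follow the thread; the 192.168.1.0/24 LAN and the 10.10.0.0/16 remote network reached over the VPN are assumed placeholders, and the deny line implements the "match IP addresses also" suggestion so that VPN-bound traffic is never translated.

```cisco
! Added example (not from the thread): NAT selected by outgoing interface.
! Assumed addressing: LAN 192.168.1.0/24, VPN-protected remote network 10.10.0.0/16.
!
interface Ethernet0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 description ISP, address learned via DHCP
 ip address dhcp
 ip nat outside
!
interface Async1
 description dial backup, address negotiated over PPP
 encapsulation ppp
 ip address negotiated
 ip nat outside
!
! One extended list shared by both route-maps: traffic toward the remote
! VPN network is denied (left untranslated) so the tunnel sees real
! inside addresses; everything else from the LAN is eligible for NAT.
access-list 102 deny   ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
! Both match clauses must be true: source matches the list AND the
! packet is leaving through the named interface.
route-map NATINGET1 permit 10
 match ip address 102
 match interface Ethernet1
!
route-map NATINGAS1 permit 10
 match ip address 102
 match interface Async1
!
! Each translation rule is tied to its own route-map, so the router no
! longer has two rules that both match on the same source subnet alone.
ip nat inside source route-map NATINGET1 interface Ethernet1 overload
ip nat inside source route-map NATINGAS1 interface Async1 overload
```

Verify which rule a flow took with "show ip nat translations" while the backup link is up; entries should show the Async1 address as the outside global only for flows that actually left via Async1.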

Thank you very much, everything works.
