1815 Views, 5 Helpful, 4 Replies

The problem with "service-policy input" and "ip nat outside" on same interface

villi1977
Level 1

Hello All.

I have a problem.

service-policy input Sawary isn't working for fake IP addresses.

It's working for 77.87.16.98, but it's not working for network 10.12.0.0.

We are using "ip nat outside" on the same interface where we are using "service-policy input Sawary".

Any ideas, please please please.

You can see an example:

class-map match-all Sawary
 match access-group name Sawary
policy-map Sawary
 class Sawary
  police 2048000 256000 512000 conform-action transmit exceed-action drop violate-action drop
interface GigabitEthernet0/0.100
 ip nat outside
 service-policy input Sawary
 service-policy output Sawary
ip access-list extended Sawary
 permit ip any host 10.12.0.9
 permit ip host 10.12.0.9 any
 permit ip any host 10.12.0.5
 permit ip host 10.12.0.5 any
 permit ip any host 10.12.0.7
 permit ip host 10.12.0.7 any
 permit ip any host 10.12.0.11
 permit ip host 10.12.0.11 any
 permit ip any host 10.12.0.12
 permit ip host 10.12.0.12 any
 permit ip any host 10.12.0.6
 permit ip host 10.12.0.6 any
 permit ip any host 10.12.0.3
 permit ip host 10.12.0.3 any
 permit ip any host 10.12.0.4
 permit ip host 10.12.0.4 any
 permit ip any host 10.12.0.15
 permit ip host 10.12.0.15 any
 permit ip any host 10.12.0.16
 permit ip host 10.12.0.16 any
 permit ip any host 77.87.16.98
 permit ip host 77.87.16.98 any

4 Replies

Giuseppe Larosa
Hall of Fame

Hello Villi1977,

Please add the NAT configuration. Where is network 10.12.0.0 supposed to be? On the internal LAN?

Additional info is needed to get help.

Hope to help

Giuseppe

You can see the NAT:

interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 ip address 77.87.16.3 255.255.255.224
 ip broadcast-address 0.0.0.0
 ip flow ingress
 ip flow egress
 ip nat outside
 no ip virtual-reassembly
 service-policy input Sawary
 service-policy output Sawary
!
ip nat pool 1 77.87.16.3 77.87.16.3 netmask 255.255.255.224
ip nat inside source list 110 pool 1 overload
access-list 110 remark DSL-data-customers
access-list 110 permit ip host 10.12.0.9 any
access-list 110 permit ip host 10.12.0.5 any
access-list 110 permit ip host 10.12.0.7 any
access-list 110 permit ip host 10.12.0.11 any
access-list 110 permit ip host 10.12.0.12 any
access-list 110 permit ip host 10.12.0.6 any
access-list 110 permit ip host 10.12.0.3 any
access-list 110 permit ip host 10.12.0.4 any
access-list 110 permit ip host 10.12.0.15 any
access-list 110 permit ip host 10.12.0.16 any
access-list 110 permit ip host 10.12.0.17 any
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip broadcast-address 0.0.0.0
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool l2tp
 ppp authentication pap
 ppp multilink

This NAT is working from "interface Virtual-Template1" to "interface GigabitEthernet0/0.100".

The interface Virtual-Template1 I made for L2TP connections.

Hello Villi1977,

From the point of view of the NAT outside interface Gi0/0.100, NAT translation is already performed, so IP addresses of type 10.12.0.X are not seen on it.

You should put in the named ACL Sawary used for QoS the outside IP address 77.87.16.3 instead of the inside private addresses.

It is a question of order of operations: translation of the source IP address of packets is performed before QoS on the outside interface examines them.

Hope to help

Giuseppe
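The order-of-operations point in the two replies above (and the symptom in the original question: 77.87.16.98 is policed, 10.12.0.x is not) can be checked with a small model. The following is an added example, not a configuration or tool from the thread: it models PAT overload to the single pool address 77.87.16.3 and evaluates the Sawary-style ACL (permit ip any host X / permit ip host X any) on the outside interface, where the output policy sees packets after inside-to-outside translation and the input policy sees replies before outside-to-inside translation. The host set, ports and the 203.0.113.10 remote address are constructed sample values.

```python
"""Constructed model of NAT and QoS order of operations on an 'ip nat outside'
interface. Added example; not the thread's router, only the rule Giuseppe
describes: on the outside interface the 10.12.0.x addresses have already been
replaced by the pool address, so only 77.87.16.3 can ever match the QoS ACL."""
from dataclasses import dataclass, replace
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed from the thread: a subset of access-list 110 hosts, the pool
# address, and the one public host the original poster said was being policed.
NAT_INSIDE_HOSTS: Set[str] = {"10.12.0.9", "10.12.0.5", "10.12.0.7", "10.12.0.11"}
NAT_POOL_ADDR = "77.87.16.3"
REAL_PUBLIC_HOST = "77.87.16.98"


class PatTable:
    """Minimal 'ip nat inside source list ... pool ... overload' state."""

    def __init__(self) -> None:
        self.next_port = 1024
        self.fwd: Dict[Tuple[str, int], int] = {}   # (inside src, sport) -> global port
        self.rev: Dict[int, Tuple[str, int]] = {}   # global port -> (inside src, sport)

    def inside_to_outside(self, p: Packet) -> Packet:
        """Translate source to the pool address; allocate a global port once per flow."""
        if p.src not in NAT_INSIDE_HOSTS:
            return p                      # not in list 110: leaves untranslated
        key = (p.src, p.sport)
        if key not in self.fwd:
            self.fwd[key] = self.next_port
            self.rev[self.next_port] = key
            self.next_port += 1
        return replace(p, src=NAT_POOL_ADDR, sport=self.fwd[key])

    def outside_to_inside(self, p: Packet) -> Packet:
        """Reverse translation for a reply addressed to the pool address."""
        if p.dst != NAT_POOL_ADDR or p.dport not in self.rev:
            return p
        inside_src, sport = self.rev[p.dport]
        return replace(p, dst=inside_src, dport=sport)


def acl_matches(p: Packet, hosts: Set[str]) -> bool:
    """'permit ip any host X' and 'permit ip host X any' for every X in hosts."""
    return p.src in hosts or p.dst in hosts


def seen_by_outside_policies(acl_hosts: Set[str], inside_pkt: Packet,
                             table: PatTable) -> Dict[str, bool]:
    """Would the output and input service-policies on the outside interface
    classify one inside->outside packet and its reply into class Sawary?"""
    egress = table.inside_to_outside(inside_pkt)   # NAT first, then output QoS
    reply = Packet(egress.dst, egress.dport, egress.src, egress.sport)
    # Input QoS on the outside interface examines the reply before reverse NAT.
    return {"output": acl_matches(egress, acl_hosts),
            "input": acl_matches(reply, acl_hosts)}


# The ACL as posted (inside addresses) versus the ACL with the outside address.
ORIGINAL_ACL: Set[str] = NAT_INSIDE_HOSTS | {REAL_PUBLIC_HOST}
FIXED_ACL: Set[str] = {NAT_POOL_ADDR, REAL_PUBLIC_HOST}


def compare() -> Dict[str, Dict[str, bool]]:
    """Run one DSL customer flow and one public-host flow through both ACLs."""
    table = PatTable()
    dsl_user = Packet("10.12.0.9", 40000, "203.0.113.10", 80)    # constructed
    real_host = Packet(REAL_PUBLIC_HOST, 40001, "203.0.113.10", 80)
    return {
        "original_acl_dsl_user": seen_by_outside_policies(ORIGINAL_ACL, dsl_user, table),
        "original_acl_real_host": seen_by_outside_policies(ORIGINAL_ACL, real_host, table),
        "fixed_acl_dsl_user": seen_by_outside_policies(FIXED_ACL, dsl_user, table),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

With the ACL as posted, the 10.12.0.9 flow matches neither direction on Gi0/0.100 while 77.87.16.98 matches both, which is exactly the reported symptom; with 77.87.16.3 in the ACL the DSL traffic is classified. One design consequence worth noticing: because every DSL customer is overloaded onto the same pool address, the single policer in class Sawary then rate-limits all of them together, not per inside host as the original per-host ACL entries implied.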

Thank you.
