03-20-2012 03:24 AM - edited 03-04-2019 03:43 PM
I'm trying to do what I imagine is actually something quite easy, but as I've never done it I'm having some issues.
Basically I have a setup as below:
interface GigabitEthernet0/0
ip address 8.8.8.8 255.255.255.252
ip nat outside
crypto map vpn
!
interface GigabitEthernet0/1
ip address 172.17.1.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/0/0
ip address 172.17.2.1 255.255.255.0
ip nat inside
!
ip local pool vpnpool 192.168.5.1 192.168.5.100
!
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 8.8.8.7
!
ip route 172.17.4.0 255.255.255.0 172.17.1.250
ip route 172.22.223.97 255.255.255.255 172.17.1.240
ip route 172.22.223.98 255.255.255.255 172.17.1.240
ip route 172.22.223.101 255.255.255.255 172.17.1.240
!
ip access-list extended VPN-Traffic
permit ip 172.17.1.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 172.17.2.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended nonat
permit ip 172.17.1.0 0.0.0.255 any
permit ip 172.17.2.0 0.0.0.255 any
deny ip 172.17.1.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 172.17.2.0 0.0.0.255 192.168.5.0 0.0.0.255
!
route-map nonat permit 10
match ip address nonat
I am adding an extra interface which connects to an extra router. The new interface will have an IP address of, say, "10.10.10.2 255.255.255.0".
What I need to happen is that if any of the current internal ranges or the VPN pool client range goes to a device out of that interface, then it gets natted out of the "10.10.10.2/24" range.
So all the below:
172.17.1.0/24
172.17.2.0/24
192.168.5.0/24
Should get natted to 10.10.10.2 if they need to go to an IP out of the new interface.
Below is what I thought I should add but it didn't work:
ip nat inside source route-map nonat2 interface FastEthernet0/1/0 overload
!
ip access-list extended VPN-Traffic
permit ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
!
ip access-list extended nonat2
permit ip 172.17.1.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 172.17.2.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 172.17.4.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 172.22.223.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
!
route-map nonat2 permit 15
match ip address nonat2
Thanks in advance
03-20-2012 11:02 AM
Hi Andrew
you might be missing a thing :-) Please try to figure out what decision for NAT is taken.
Please have a look into your ACLs and your route maps.
route-map nonat states:
permit ip 172.17.1.0 0.0.0.255 any
route-map nonat2 states:
permit ip 172.17.1.0 0.0.0.255 10.10.10.0 0.0.0.255
so try a debug ip nat and look at what NAT decision is made.
From my point of view
route-map nonat is matched.
Try to add a second match in your route-map to make the decision process more specific. You can add a match on the interface, because the router already knows where to exit the packet. https://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
match interface Match first hop interface of route
match ip next-hop Match next-hop address of route
route-map nonat permit 10
match ip address nonat
match interface GigabitEthernet0/0
route-map nonat2 permit 15
match ip address nonat2
match interface FastEthernet 0/1/0
HTH
Patrick
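To see why the egress-interface match matters, here is a small Python model of the decision Patrick describes. It is an added illustration written for this page, not Cisco code and not anything either poster ran. It assumes IOS-style first-match ACL evaluation, that a route-map clause matches only when all of its match conditions hold, and (a simplification) that the first "ip nat inside source route-map" rule whose route-map permits the packet is the one applied. The routing table is a toy subset built from the interfaces in the thread, and the destination hosts are constructed sample values.

```python
"""Toy model of the NAT decision discussed above: ACL first-match, route-map
clauses that need every match condition to hold, and NAT rules tried in order.
Added illustration for this page; not Cisco's implementation."""
import ipaddress
from dataclasses import dataclass

# Interface addresses from the thread. Fa0/1/0 uses the poster's example
# address "10.10.10.2/24"; Gi0/0 keeps the 8.8.8.8 value as posted.
IFACE_ADDR = {
    "GigabitEthernet0/0": "8.8.8.8",
    "FastEthernet0/1/0": "10.10.10.2",
}

# Simplified routing table (assumption: connected routes plus the default).
ROUTES = [
    (ipaddress.ip_network("172.17.1.0/24"), "GigabitEthernet0/1"),
    (ipaddress.ip_network("172.17.2.0/24"), "FastEthernet0/0/0"),
    (ipaddress.ip_network("10.10.10.0/24"), "FastEthernet0/1/0"),
    (ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet0/0"),
]


def egress_interface(dst):
    """Longest-prefix match: the interface the packet will leave by."""
    d = ipaddress.ip_address(dst)
    best = max((n for n, _ in ROUTES if d in n), key=lambda n: n.prefixlen)
    return dict(ROUTES)[best]


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # source prefix
    dst: str      # destination prefix ("0.0.0.0/0" stands for 'any')


def acl_permits(entries, src, dst):
    """IOS-style ACL: the first matching entry decides; implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if s in ipaddress.ip_network(e.src) and d in ipaddress.ip_network(e.dst):
            return e.action == "permit"
    return False


@dataclass
class RouteMapClause:
    acl: list
    interface: str = ""   # optional 'match interface'; empty means not configured


def route_map_permits(clauses, src, dst):
    """A clause matches only if the ACL permits AND any interface match holds."""
    out = egress_interface(dst)
    for c in clauses:
        if acl_permits(c.acl, src, dst) and (not c.interface or c.interface == out):
            return True
    return False


def nat_decision(nat_rules, src, dst):
    """Return (rule name, translated source address).
    Assumption: NAT rules are tried in configured order and the first one
    whose route-map permits the packet wins; no match means no translation."""
    for name, clauses, iface in nat_rules:
        if route_map_permits(clauses, src, dst):
            return name, IFACE_ADDR[iface]
    return None, src


# ACLs as posted in the question. In nonat the permit-any lines precede the
# deny lines, so under first-match evaluation the deny lines are never reached.
NONAT = [AclEntry("permit", "172.17.1.0/24", "0.0.0.0/0"),
         AclEntry("permit", "172.17.2.0/24", "0.0.0.0/0"),
         AclEntry("deny", "172.17.1.0/24", "192.168.5.0/24"),
         AclEntry("deny", "172.17.2.0/24", "192.168.5.0/24")]
NONAT2 = [AclEntry("permit", "172.17.1.0/24", "10.10.10.0/24"),
          AclEntry("permit", "172.17.2.0/24", "10.10.10.0/24")]


def original_config():
    """Route-maps with only 'match ip address', as the poster tried."""
    return [("nonat", [RouteMapClause(NONAT)], "GigabitEthernet0/0"),
            ("nonat2", [RouteMapClause(NONAT2)], "FastEthernet0/1/0")]


def with_match_interface():
    """Same route-maps with the 'match interface' line Patrick suggests."""
    return [("nonat", [RouteMapClause(NONAT, "GigabitEthernet0/0")], "GigabitEthernet0/0"),
            ("nonat2", [RouteMapClause(NONAT2, "FastEthernet0/1/0")], "FastEthernet0/1/0")]


if __name__ == "__main__":
    # Constructed sample destinations: one behind the new router, one on the Internet.
    for label, rules in (("original", original_config()), ("match interface", with_match_interface())):
        for dst in ("10.10.10.50", "203.0.113.9"):
            print(f"{label:16} 172.17.1.10 -> {dst}: {nat_decision(rules, '172.17.1.10', dst)}")
```

With the original route-maps, a packet from 172.17.1.10 to 10.10.10.50 is permitted by both nonat (permit ... any) and nonat2, so the rule that is tried first takes it and it leaves with the Gi0/0 address. Once each route-map also matches its own exit interface, only nonat2 can match traffic routed out Fa0/1/0, and Internet-bound traffic still hits nonat. The model also makes the unreachable deny lines in the posted nonat ACL visible: acl_permits(NONAT, ...) returns True for a VPN-pool destination.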
03-22-2012 11:46 AM
03-20-2012 11:02 AM
Hi Andrew
you might miss a thing:-) Please try to figure out what dession for nat is taken.
Please have a look into you acls and your route maps
route-map nonat states:
permit ip 172.17.1.0 0.0.0.255 any
route-map nonat2 states:
permit ip 172.17.1.0 0.0.0.255 10.10.10.0 0.0.0.255
so try a debug ip nat and look what nat desision is made.
Form my point of view
route-map nonat is matched.
Try to add a second match in you routemap to make the dessision process more specific. You can add a match to the interface. Because the router allready knows where to exit the packet. https://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
match interface Match first hop interface of route
match ip next-hop Match next-hop address of route
route-map nonat permit 10
match ip address nonat
match interface GigabitEthernet0/0
route-map nonat2 permit 15
match ip address nonat2
match interface FastEthernet 0/1/0
HTH
Patrick
03-22-2012 11:46 AM
Andrew
is your problem solved?
Please assign points ;-)
Patrick
03-26-2012 10:27 AM
It is indeed, thanks Patrick, but I actually found the solution via someone else on these forums via a historic search.
The answer is pretty much the same as what you have provided, however, so points your way.
03-26-2012 10:58 AM
Hi Andrew
you are welcome, and please do. As always, nothing new.
Thanks for the points.