Jon

We implemented what you had so kindly provided for us.  Unfortunantly, we stopped getting responses from other traffic that is traversing that WAN (multilink) interface.

Is there something missing from the config as provided to exclude all other traffic except that which qualifies for the NAT based on the ACL?

Thanks

Kevin

Jon

All other traffic in and out of the interface stopped working.  SCADA activity on that link stopped working.  We have SCADA servers (192.168.103.59) on what is effectively the inside interface in the NAT statement on the 3825 router.  We lost some connectivity to other networks on the inside interface as well.

I am including a picture for you that is an excerpt of the customers network diagram.  I have circled the router to perform the NAT on for the workstation 192.168.103.59 and then labeled (as best I could in Paint) the inside and outside with respect to the NAT functionality.

The report i have is that all systems that we talk to (on the INSIDE) became unreachable when we implemented the changes.

Thanks Jon

Kevin

Kevin

No problem. Can you post picture ?

Also it would help if you could give some idea of what IPs stopped working and in what direction in relation to the inside and outside interfaces of the router.

Can you also post the exact config that was added. I tested this before posting and it worked perfeclty but there may be something else on your production router that is causing the problem.

Jon

Yes I am attaching the photo.

Also it would help if you could give some idea of what IPs stopped working and in what direction in relation to the inside and outside interfaces of the router.

The best I can do is tell you what I know.  We could not communicate to 192.168.103.59 from our Networks at our Headquarters sight.  We also lost the ability to communicate to our Core Switch at the DR site (shown in pic).  The core sw we could not connect to 172.16.32.1.

Here is what we implemented:

access-list 101 permit ip host 192.168.103.59 206.223.104.0 0.0.0.255

access-list 101 permit ip host 192.168.103.59 206.223.105.0 0.0.0.255

route-map NAT permit 10

match ip address 101

ip nat inside source static 192.168.103.59 172.28.6.136 route-map NAT

we then put "ip nat inside" on the G0/0 interface, and "ip nat outside" on the Multilink Interface.

Kevin

If possible could you also post the config of the router in question.

Jon

Sure thing. It is attached.

Kevin

From the config -

ip nat source static 192.168.103.59 172.28.6.133
ip nat inside source route-map PJM interface GigabitEthernet0/0 overload
ip nat inside source route-map PJMnat interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.103.59 172.28.6.136 route-map PJMNAT

The first line is natting 192.168.103.59 to 172.28.6.133 for all traffic, do you know what this is for because i thought you only wanted to NAT 192.168.103.59 for some traffic.

Can you post the output of "sh ip nat translations" from this router ?

Jon

Good catch.  I should have seen that myself.

ip nat source static 192.168.103.59 172.28.6.133
ip nat inside source route-map PJM interface GigabitEthernet0/0 overload
ip nat inside source route-map PJMnat interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.103.59 172.28.6.136 route-map PJMNAT

the "ip nat source static 192.168.103.59 172.28.6.133" should not be there.  I wrote that earlier in the week as I was trying to write what we needed before requesting help.

I have removed it from the config.

Here is the post (once that was removed) for the ip nat translations.

lo-mpls3825#sho ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
--- 172.28.6.133          192.168.103.59        ---                   ---
lo-mpls3825#

I had to change the translsated address from 172.28.6.136 to 133.  I had it incorrect.

Here is the NAt config on the box now:

ip nat inside source route-map PJM interface GigabitEthernet0/0 overload
ip nat inside source route-map PJMnat interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.103.59 172.28.6.133 route-map PJMNAT

I dont think I need the first two statements at all, do I?   I do not even have route maps for those two...