09-19-2012 07:13 AM - edited 03-07-2019 08:58 AM
When I configure NAT like this:
ip access-list extended acl_NAT_OTHERS
 permit ip host 10.0.0.34 host 192.168.1.1
ip access-list extended acl_NAT_CUSTA
 permit ip host 10.0.0.35 host 192.168.2.1
!
route-map rmap_NAT_CUSTA permit 10
 match ip address acl_NAT_CUSTA
route-map rmap_NAT_OTHERS permit 10
 match ip address acl_NAT_OTHERS
cisco# ip nat inside source static 10.0.0.34 172.16.0.34 route-map rmap_NAT_OTHERS
cisco# ip nat inside source static 10.0.0.35 172.16.0.34 route-map rmap_NAT_CUSTA
After the last line I get:
% 10.0.0.35 already mapped (10.0.0.34 -> 172.16.0.34)
I tried the extendable option too. I still get this error.
What I am trying to achieve is:
When I connect from 192.168.1.1 to 172.16.0.34, I'm dest. NATed to 10.0.0.34, and
when I connect from 192.168.2.1 to 172.16.0.34, I'm dest. NATed to 10.0.0.35.
Please please please help!
09-25-2012 10:56 AM
Good morning ZbigniewJ
Thanks for using our forum
I recommend that you use NAT overload instead of static NAT, with these commands:
ip access-list extended acl_NAT_OTHERS
 permit ip host 10.0.0.34 host 192.168.1.1
ip access-list extended acl_NAT_CUSTA
 permit ip host 10.0.0.35 host 192.168.2.1
ip nat inside source list [ACL-name-1] interface [interface] overload
ip nat inside source list [ACL-name-2] interface [interface] overload
I hope you find this answer useful, if it was satisfactory for you, please mark the question as Answered.
Greetings,
Johnnatan Rodriguez Miranda
09-26-2012 07:29 AM
> What I am trying to achieve is:
> When I connect from 192.168.1.1 to 172.16.0.34, I'm dest. NATed to 10.0.0.34, and
> when I connect from 192.168.2.1 to 172.16.0.34, I'm dest. NATed to 10.0.0.35.
You have your ACLs and NAT wrong, change it to this and retry -
ip access-list extended acl_NAT_OTHERS
 permit ip host 192.168.1.1 host 172.16.0.34
ip access-list extended acl_NAT_CUSTA
 permit ip host 192.168.2.1 host 172.16.0.34
!
route-map rmap_NAT_CUSTA permit 10
 match ip address acl_NAT_CUSTA
route-map rmap_NAT_OTHERS permit 10
 match ip address acl_NAT_OTHERS
ip nat inside source static 192.168.1.1 10.0.0.34 route-map rmap_NAT_OTHERS
ip nat inside source static 192.168.2.1 10.0.0.35 route-map rmap_NAT_CUSTA
Jon
09-26-2012 07:11 AM
Dammm, I accidentally clicked "answered" when in fact it doesn't solve my problem.
I can't use overload because traffic can be initiated from both sides.
What I'm trying to do is some kind of load balancing. Clients connect to the same IP, but depending on source address they are redirected to the server assigned to them.
I even tried to do this using SLB, but then I can't permanently assign a physical server to a customer.
Edit: can someone mark it unanswered?
09-26-2012 07:40 AM
Ghrrrrr! This UI is not well-designed, I clicked "correct answer" instead of "reply" again! (or rather it's just me)
Jon, are you sure of what you're saying?
ip nat inside source static 192.168.1.1 10.0.0.34 changes source address 192.168.1.1 to 10.0.0.34 while going from inside to outside.
192.168.1.1 is the outside global address - the IP of some host in the customer network.
My inside local addresses are 10.0.0.34 and .35, and it is them I want to translate to 172.16.0.34, and translate the destination address of packets going from outside to inside at the same time.
Please see the attachment in the original post. Left is the inside, right is the outside.
09-26-2012 07:54 AM
Sorry, I missed the destination NATed bit.
Could you clarify exactly what you want in terms of a traffic flow and where the connection is initiated from?
Jon
09-26-2012 08:38 AM
Traffic flow can be initiated from both sides. Clients (right-hand side) always connect to 172.16.0.34, but then the destination address must be translated to 10.0.0.34 if traffic is initiated from 192.168.1.1, or to 10.0.0.35 if initiated from 192.168.2.1.
In other words, each client has a dedicated server, but each of them is visible under one "public" IP.
If any server (10.0.0.34 or .35) connects to any client, it should always translate the source IP to 172.16.0.34 (that one is easy, simply overload).
So in other words, as a result I would like my NAT table to look similar to this:
inside local   inside global   outside global   outside local
10.0.0.34      172.16.0.34     192.168.1.1      192.168.1.1
10.0.0.35      172.16.0.34     192.168.2.1      192.168.2.1
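
The translation table requested in the post above, as an added example that is not part of the original thread: a toy Python model (the names `ambiguous_globals` and `SourceKeyedNat` are hypothetical, and it does not represent IOS internals) showing that the two rows collide when keyed on the inside global address alone, but resolve in both directions once the client source address is part of the key.

```python
from collections import defaultdict
from ipaddress import ip_address

# Rows constructed from the table in the post above:
# (inside local, inside global, outside global)
ROWS = [
    ("10.0.0.34", "172.16.0.34", "192.168.1.1"),
    ("10.0.0.35", "172.16.0.34", "192.168.2.1"),
]


def ambiguous_globals(rows):
    """Inside global addresses that a table keyed on that address alone
    could not resolve, because more than one inside local claims them."""
    claims = defaultdict(set)
    for local, glob, _client in rows:
        claims[glob].add(local)
    return {g: sorted(l) for g, l in claims.items() if len(l) > 1}


class SourceKeyedNat:
    """Toy model (hypothetical, not IOS internals) of the requested behaviour."""

    def __init__(self, rows):
        self.by_pair = {}    # (client, inside global) -> inside local
        self.by_local = {}   # inside local -> inside global
        for local, glob, client in rows:
            for addr in (local, glob, client):
                ip_address(addr)  # raises ValueError on a malformed address
            if (client, glob) in self.by_pair:
                raise ValueError(f"{client} -> {glob} already mapped")
            self.by_pair[(client, glob)] = local
            self.by_local[local] = glob

    def outside_to_inside(self, src, dst):
        """Client-initiated packet: rewrite the destination, or None if no entry."""
        local = self.by_pair.get((src, dst))
        return None if local is None else (src, local)

    def inside_to_outside(self, src, dst):
        """Server-initiated packet: rewrite the source to the shared address."""
        glob = self.by_local.get(src)
        return None if glob is None else (glob, dst)
```

A client with no row gets `None` from `outside_to_inside`, so in this model an unlisted source never reaches either server.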
09-26-2012 08:52 AM
I'm assuming that "ip nat inside" and "ip nat outside" cannot be switched around, i.e. the inside faces the clients and the outside your 10.0.0.x servers?
I hate IOS NAT, it is so much simpler on an ASA/Pix
Jon
09-26-2012 08:58 AM
No, they cannot.
I agree - IOS NAT can be a pain in the neck. This relatively simple example shows it.
It would be fantastic if there were a possibility to manually set a NAT table entry.
09-26-2012 09:10 AM
It's the fact that you are doing it outside to inside that is causing the problem, because IOS is limited in its options. I did have a laptop with GNS3 on it but that crashed, so I can't test out any scenarios at present, but I do remember trying to do something similar before and getting tied up in knots with it.
I do have a spare 2600 router knocking about, so if I get the chance I'll set it up and do some testing, but it could be a while.
I'll also have a look at some of the docs on NAT, it may turn something up.
Apologies for not being able to sort it immediately.
Jon
09-26-2012 09:18 AM
This is my third attempt to solve this issue and probably I'll fail again.
If I swapped inside and outside it wouldn't work either, because then I couldn't do overload in the outside->inside direction.
With best regards
Zbigniew
09-26-2012 09:23 AM
Just a quick check, is the port the same port number for both 10.0.0.x servers?
I suspect it is but just wanted to check.
Jon
09-26-2012 11:15 PM
Yes, of course. I would do a simple port forward otherwise.