04-08-2010 11:19 AM - edited 03-06-2019 10:31 AM
I have a situation that I believe is an IOS bug but I didn't see any notes on it. Can anyone see if I'm just missing something in my config.
We have 2 interfaces that connect to 2 different 3rd party networks. We NAT our network to protect our internal network. In the example configs I have removed the ACLs on the interfaces, and I have removed them completely during testing to ensure they aren't getting in the way. With the ACLs or without them, the situation I will describe happens.
int F0/0.100
description Connection to 3rd Party #1
encaps dot1q 100
ip addr 10.1.1.1
ip nat outside
!
int F0/0.101
description Connection to 3rd Party #2
encaps dot1q 101
ip addr 10.1.2.1
ip nat outside
!
int F0/0.60
description LAN connection to WAN segment
encaps dot1q 60
ip addr 10.0.60.2
ip nat inside
!
int F0/0.10
description LAN connection to Local User Segment
encaps dot1q 10
ip addr 10.0.10.2
ip nat inside
!
router ospf 10
redistribute static subnets
network 10.0.60.0 0.0.0.255 area 0.0.0.0
network 10.0.10.0 0.0.0.255 area 0.0.0.0
!
ip route X.X.X.2 255.255.255.255 10.1.1.1
ip route X.X.X.3 255.255.255.255 10.1.1.1
ip route Y.Y.200.0 255.255.255.0 10.1.2.1
ip route Y.Y.201.0 255.255.255.0 10.1.2.1
!
ip nat pool CUST1 10.1.1.100 10.1.1.199 netmask 255.255.255.0
ip nat pool CUST2 10.1.2.100 10.1.2.199 netmask 255.255.255.0
ip nat inside source list CUST1-CLIENTS pool CUST1
ip nat inside source list CUST2-CLIENTS pool CUST2
!
ip access-list extended CUST1-CLIENTS
permit ip 10.0.10.0 0.0.0.255 host X.X.X.2
permit ip 10.0.10.0 0.0.0.255 host X.X.X.3
permit ip 10.16.0.0 0.0.0.255 host X.X.X.2
permit ip 10.16.0.0 0.0.0.255 host X.X.X.3
deny ip any any
ip access-list extended CUST2-CLIENTS
permit ip 10.0.10.0 0.0.0.255 Y.Y.200.0 0.0.0.255
permit ip 10.0.10.0 0.0.0.255 Y.Y.200.0 0.0.0.255
permit ip 10.16.0.0 0.0.0.255 Y.Y.200.0 0.0.0.255
permit ip 10.16.0.0 0.0.0.255 Y.Y.200.0 0.0.0.255
deny ip any any
NOTE: I've changed the interfaces and IP scheme to simplify the example. Also, in the example the 10.16.0.0/24 network is a network coming across the WAN (via the 10.0.60.0/24 network).
The issue is that when a user uses a service from the CUST1 network it works as expected. However when they go to use a service from the CUST2 network it does not work and the SHOW IP NAT TRANS command shows that the translation that happened matched the first connection and not the second. For example:
If HOST 10.16.0.100 was using a service on the CUST1 network the NAT table would look like this:
10.1.1.100:3456 10.16.0.100:3456 X.X.X.2:80
Which is correct. However on the next attempt for service with CUST2 (while the NAT translation still exists for the CUST1 service) the following is in the translation table:
10.1.1.100:3457 10.16.0.100:3457 Y.Y.200.7:23
It doesn't get a new IP from the other CUST2 pool for the second translation even though my NAT ACLs are specific.
Any ideas?
04-08-2010 12:15 PM
Hi,
You should create a corresponding route-map and apply it to the STATIC NAT:
ip nat inside source route-map MAP1 pool CUST1
ip nat inside source route-map MAP2 pool CUST2
The route-map should indicate when to match the translation rule.
Federico.
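The reason the route-map matters: a plain `list ... pool` rule builds a simple entry (inside local to inside global only), and once 10.16.0.100 holds 10.1.1.100 that entry is reused for every destination, so the NAT ACL is never consulted again and traffic for the second third party leaves with the first party's address. A route-map based rule builds extended entries that include the destination, so the same inside host can hold one translation per customer pool. Below is a complete version of the route-map configuration as an added example; it is not from the original post. The interface, pool and ACL names are those from the post, MAP1/MAP2 follow Federico's reply, and the `match interface` lines are an assumed extra safeguard that ties each pool to the sub-interface facing that customer.

```text
! Added example (not from the original post): route-map based dynamic NAT
! so that 10.16.0.100 gets an address from CUST1 toward X.X.X.x and from
! CUST2 toward Y.Y.200.x, instead of reusing the first translation.
!
ip nat pool CUST1 10.1.1.100 10.1.1.199 netmask 255.255.255.0
ip nat pool CUST2 10.1.2.100 10.1.2.199 netmask 255.255.255.0
!
route-map MAP1 permit 10
 match ip address CUST1-CLIENTS
 match interface FastEthernet0/0.100
!
route-map MAP2 permit 10
 match ip address CUST2-CLIENTS
 match interface FastEthernet0/0.101
!
! "list" and "route-map" are alternatives in this command, not a combination:
! the route-map rule replaces the list rule rather than extending it.
no ip nat inside source list CUST1-CLIENTS pool CUST1
no ip nat inside source list CUST2-CLIENTS pool CUST2
ip nat inside source route-map MAP1 pool CUST1
ip nat inside source route-map MAP2 pool CUST2
!
! Entries created by the old rules are still reused until they age out,
! so flush them before re-testing (exec mode):
!   clear ip nat translation *
!   show ip nat translations
```

After the change, `show ip nat translations` should list the translation for the CUST2 connection with an inside global address from 10.1.2.100-199 and the Y.Y.200.x host as the outside address, alongside the CUST1 entry for the same inside host. The `deny ip any any` at the end of each ACL, kept from the post, is what keeps traffic outside those source/destination pairs from ever being translated onto either third-party link.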