NAT issues on 12.4(9)T5

m.coakley
Level 1

I have a situation that I believe is an IOS bug, but I didn't see any notes on it. Can anyone see if I'm just missing something in my config?

We have 2 interfaces that connect to 2 different 3rd party networks. We NAT our network to protect our internal network. In the example configs I have removed the ACLs on the interfaces, and I have removed them completely during testing to ensure they aren't getting in the way. With the ACLs or without them, the situation I will describe happens.

int F0/0.100
 description Connection to 3rd Party #1
 encaps dot1q 100
 ip addr 10.1.1.1
 ip nat outside
!
int F0/0.101
 description Connection to 3rd Party #2
 encaps dot1q 101
 ip addr 10.1.2.1
 ip nat outside
!
int F0/0.60
 description LAN connection to WAN segment
 encaps dot1q 60
 ip addr 10.0.60.2
 ip nat inside
!
int F0/0.10
 description LAN connection to Local User Segment
 encaps dot1q 10
 ip addr 10.0.10.2
 ip nat inside
!
router ospf 10
 redistribute static subnets
 network 10.0.60.0 0.0.0.255 area 0.0.0.0
 network 10.0.10.0 0.0.0.255 area 0.0.0.0
!
ip route X.X.X.2 255.255.255.255 10.1.1.1
ip route X.X.X.3 255.255.255.255 10.1.1.1
ip route Y.Y.200.0 255.255.255.0 10.1.2.1
ip route Y.Y.201.0 255.255.255.0 10.1.2.1
!
ip nat pool CUST1 10.1.1.100 10.1.1.199 netmask 255.255.255.0
ip nat pool CUST2 10.1.2.100 10.1.2.199 netmask 255.255.255.0
ip nat inside source list CUST1-CLIENTS pool CUST1
ip nat inside source list CUST2-CLIENTS pool CUST2
!
ip access-list extended CUST1-CLIENTS
 permit ip 10.0.10.0 0.0.0.255 host X.X.X.2
 permit ip 10.0.10.0 0.0.0.255 host X.X.X.3
 permit ip 10.16.0.0 0.0.0.255 host X.X.X.2
 permit ip 10.16.0.0 0.0.0.255 host X.X.X.3
 deny ip any any
ip access-list extended CUST2-CLIENTS
 permit ip 10.0.10.0 0.0.0.255 Y.Y.200.0 0.0.0.255
 permit ip 10.0.10.0 0.0.0.255 Y.Y.200.0 0.0.0.255
 permit ip 10.16.0.0 0.0.0.255 Y.Y.200.0 0.0.0.255
 permit ip 10.16.0.0 0.0.0.255 Y.Y.200.0 0.0.0.255
 deny ip any any

NOTE: I've changed the interfaces and IP scheme to simplify the example. Also, in the example the 10.16.0.0/24 network is a network coming across the WAN (via the 10.0.60.0/24 network).

The issue is that when a user uses a service from the CUST1 network, it works as expected. However, when they go to use a service from the CUST2 network, it does not work, and the SHOW IP NAT TRANS command shows that the translation that happened matched the first connection and not the second. For example:

If HOST 10.16.0.100 was using a service on the CUST1 network the NAT table would look like this:

10.1.1.100:3456  10.16.0.100:3456  X.X.X.2:80

Which is correct. However on the next attempt for service with CUST2 (while the NAT translation still exists for the CUST1 service) the following is in the translation table:

10.1.1.100:3457 10.16.0.100:3457 Y.Y.200.7:23

It doesn't get a new IP from the other CUST2 pool for the second translation even though my NAT ACLs are specific.

Any ideas?

1 Reply

Hi,

You should create a corresponding route-map and apply it to the STATIC NAT:

ip nat inside source list CUST1-CLIENTS pool CUST1 route-map MAP1
ip nat inside source list CUST2-CLIENTS pool CUST2 route-map MAP2

The route-map should indicate when to match the translation rule.

Federico.
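A route-map based form of the NAT statements from the reply, as an added example that is not part of the original thread; the interface names follow the posted config and the route-map names MAP1/MAP2 follow the reply. It assumes the standard IOS syntax, in which the route-map replaces the `list` keyword in `ip nat inside source` rather than being appended to it.

```text
! Before (the posted config): list-based dynamic NAT. IOS builds a "simple" translation
! entry (inside local -> inside global only) on the first flow, so once
! 10.16.0.100 -> 10.1.1.100 exists it is reused for the next flow regardless of
! destination, which is the symptom shown in the SHOW IP NAT TRANS output above.
!   ip nat inside source list CUST1-CLIENTS pool CUST1
!   ip nat inside source list CUST2-CLIENTS pool CUST2
!
! After: route-map based NAT. Each route-map matches the existing destination ACL AND the
! outside interface the traffic leaves on (both match clauses must be true). Route-map NAT
! creates extended entries that include the destination, so the same inside host can hold
! one translation per 3rd party network at the same time.
route-map MAP1 permit 10
 match ip address CUST1-CLIENTS
 match interface FastEthernet0/0.100
!
route-map MAP2 permit 10
 match ip address CUST2-CLIENTS
 match interface FastEthernet0/0.101
!
no ip nat inside source list CUST1-CLIENTS pool CUST1
no ip nat inside source list CUST2-CLIENTS pool CUST2
ip nat inside source route-map MAP1 pool CUST1
ip nat inside source route-map MAP2 pool CUST2
!
! Entries created under the old rules persist until they time out; clear them after the
! change, then confirm that traffic to X.X.X.2 and to Y.Y.200.7 from the same inside host
! each show their own pool address:
!   clear ip nat translation *
!   show ip nat translations verbose
!   show route-map MAP1
```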
