2123 Views, 0 Helpful, 18 Replies

NAT pool issues with route-maps

Stratocomp
Level 1

Hello all, I have had a hard time trying to get this figured out. Here is what I have. A 1841 router and a 3560G L2 switch. I have a block of 12 IPs from my ISP that I can use. What I want to accomplish is that each of the 11 external IPs will be mapped to a user subnet. I am utilizing FA0/0 as my outside interface with the first external IP. Then I have fa0/1.xx for sub-interfaces. These sub-interfaces match up with a VLAN on the switch, which is then trunked down to a server.

Cisco 1841

logging buffered 16384 debugging
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.49
!
ip dhcp pool 66
   import all
   network 10.66.66.0 255.255.255.0
   default-router 10.66.66.1
   dns-server 10.10.66.1 8.8.8.8
!
ip dhcp pool 10
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 10.10.10.1 8.8.8.8
!
ip dhcp pool 43
   import all
   network 10.10.43.0 255.255.255.0
   default-router 10.10.43.1
   dns-server 202.67.222.222 8.8.8.8
!
ip dhcp pool 44
   import all
   network 10.10.44.0 255.255.255.0
   default-router 10.10.44.1
   dns-server 202.67.222.222 8.8.8.8
!
!
ip ssh version 2
!
!
!
username strato.adm password 7 142406192C107A282B252371
archive
 path flash:
 maximum 5
 write-memory
 time-period 10
!
!
!
!
!
interface FastEthernet0/0
 description Outside
 ip address xx.xx.xx.178 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Inside
 no ip address
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1.5
 encapsulation dot1Q 5
 ip address 10.10.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
!
interface FastEthernet0/1.8
 encapsulation dot1Q 8
 ip address 10.10.8.1 255.255.255.0
 no ip route-cache
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
!
interface FastEthernet0/1.43
 encapsulation dot1Q 43
 ip address 10.10.43.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
!
interface FastEthernet0/1.44
 encapsulation dot1Q 44
 ip address 10.10.44.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
!
interface FastEthernet0/1.66
 encapsulation dot1Q 66
 ip address 10.66.66.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.177
!
!
no ip http server
no ip http secure-server
ip nat pool MGMT-HOME xx.xx.xx.178 xx.xx.xx.178 prefix-length 28
ip nat pool VNC 10.10.10.201 10.10.10.201 netmask 255.255.255.0 type rotary
ip nat pool client-44 xx.xx.xx.179 xx.xx.xx.179 prefix-length 28
ip nat inside source list MGMT-HOME interface FastEthernet0/0 overload
ip nat inside source route-map client-44-rmap pool client-44 overload
ip nat inside source static udp 10.66.66.47 1194 interface FastEthernet0/0 1194
ip nat inside source static tcp 10.10.10.201 3128 interface FastEthernet0/0 3128
ip nat inside source static tcp 10.10.10.201 8006 interface FastEthernet0/0 8006
ip nat inside source static tcp 10.10.10.201 22 interface FastEthernet0/0 22
ip nat inside destination list MGMT-HOME pool VNC
!
ip access-list extended MGMT-HOME
 deny   ip host 10.10.44.6 any
 permit ip 10.10.10.0 0.0.0.255 any
 permit ip 10.66.66.0 0.0.0.255 any
 permit tcp any any range 5900 5999
ip access-list extended client-44-acl
 permit ip host 10.10.44.6 any

route-map client-44-rmap permit 10
 match ip address client-44-acl


I am able to ping 10.10.44.1 from the virtual machine inside the physical host that is trunked to the switch with a VLAN tag of 44, which routes to sub-interface fa0/1.44, but I cannot ping out to Google. If I add

ip access-list extended MGMT-HOME
 permit ip 10.10.44.0 0.0.0.255 any
 permit ip 10.10.10.0 0.0.0.255 any
 permit ip 10.66.66.0 0.0.0.255 any
 permit tcp any any range 5900 5999

then I can access Google fine, but I have always thought that route-maps would work for something like I have, and that traffic should hit the first ACL, see it denied, then go to the next, see it allowed for the other NAT pool, and be allowed out.


Any help is greatly appreciated.
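The "fall-through" question above, checked in an added Python model (not from the thread, not Cisco code): it parses the two NAT ACLs exactly as posted, applies first-match-wins with the implicit deny, and shows that each `ip nat inside source` rule classifies a packet against its own list, so a deny in MGMT-HOME only means that rule does not translate the host, while client-44-acl still permits it. Source-port operators are not modelled, since the thread's ACLs do not use them.

```python
import ipaddress

def _addr(t, i):
    """Consume one Cisco address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2

def _ports(t, i):
    """Optional destination port operator 'eq P' or 'range LO HI'; None means any port."""
    if i >= len(t):
        return None
    lo = int(t[i + 1])
    return (lo, int(t[i + 2])) if t[i] == "range" else (lo, lo)

def parse_acl(text):
    """Parse the entries of an 'ip access-list extended' block: action proto src dst [ports]."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _addr(t, 2)
        dst, i = _addr(t, i)
        entries.append((t[0], t[1], src, dst, _ports(t, i)))
    return entries

def _match(addr, spec):
    """Wildcard-mask compare: a 1 bit in the wildcard means 'don't care'."""
    return ((int(ipaddress.IPv4Address(addr)) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0

def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, p, s, d, ports in entries:
        if p not in ("ip", proto) or not (_match(src, s) and _match(dst, d)):
            continue
        if ports and (dport is None or not ports[0] <= dport <= ports[1]):
            continue
        return action
    return "deny"

# The two NAT ACLs transcribed from the post above. In a NAT list, 'deny' means
# "not translated by this rule", not "dropped"; the other rule still gets its own look.
MGMT_HOME = parse_acl("""
 deny   ip host 10.10.44.6 any
 permit ip 10.10.10.0 0.0.0.255 any
 permit ip 10.66.66.0 0.0.0.255 any
 permit tcp any any range 5900 5999
""")
CLIENT_44 = parse_acl(" permit ip host 10.10.44.6 any")
```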


18 Replies

Jody, thanks for the help; it was greatly appreciated. So of course, after looking at lines all day to figure this out, I end up being 1 number off, which prevented it from working. So your example does work and is implemented.


Now the next question is that I need to contain these subnets to themselves. Right now I can ping 8.8.8.8 from 10.10.10.0, 10.66.66.0 and 10.10.44.0, but I can also ping between subnets. I am not too concerned with 10.10.10.0 and 10.66.66.0, as those are my own controlled networks. 10.10.44.0 and other networks like it need to be contained to only themselves. What is the best way to do this?

For something like this, where I want the networks completely isolated, I usually use a VRF lite configuration.

Well, I was able to get the containment part done. Not sure if it's best for what I am doing, but I set up VRF and those machines cannot hit anything else on the network.

So now what I am looking to do is (PAT?) for certain machines in that subnet. For example, I have

interface FastEthernet0/1.44
 encapsulation dot1Q 44
 ip vrf forwarding client-44
 ip address 10.10.44.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache

ip route vrf client-44 0.0.0.0 0.0.0.0 FastEthernet0/0 xx.xx.xx.177


ip nat pool client-44-pool xx.xx.xx.179 xx.xx.xx.179 prefix-length 28

ip nat inside source list client-44-acl pool client-44-pool vrf client-44 overload

ip access-list extended client-44-acl
 permit ip 10.10.44.0 0.0.0.255 any

So any machine they have on the 10.10.44.0 network can get out, but say they want RDP 3389 for 10.10.44.6. I do not know if the above ACL will let it through or if I need a 1:1 statement. I know that with the above, I cannot get to the Windows machine via xx.xx.xx.179 from outside my network.


That ACL only covers outbound traffic anyway. For inbound, you can just forward the port, but ensure that you identify the VRF.

ip nat inside source static tcp 10.10.44.6 3389 xx.xx.xx.179 3389 vrf client-44 extendable

This will forward RDP inbound to 10.10.44.6 on VRF client-44 from xx.xx.xx.179.