NAT: several 'rules' depending on outside interface?

sylvain.munaut (Level 1)

Hi,

I have two sites A & B connected through a ptp link (172.16.0.1, .2).

The site A uses a 192.168.1.0/24 range for its LAN.

The site B uses a 10.161.1.0/24 range for its LAN.

The router on site A also provides internet to the LAN clients (WAN IP 80.80.80.1):

interface FastEthernet1/0
 ip address 172.16.0.1 255.255.255.0
 ip nat outside
interface FastEthernet1/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
interface FastEthernet2/0
 ip address 80.80.80.1 255.255.255.0
 ip nat outside

Now for the internet I have this config:

ip nat inside source list acl_nat interface FastEthernet2/0 overload
ip access-list extended acl_nat
 permit ip 192.168.1.0 0.0.0.255 any

And for the network translation I have this:

ip nat inside source static network 192.168.1.0 10.161.1.0 /24

Both of these rules work separately but not together ... (because it tries to apply both).

Now with various combinations I managed to have one or the other apply preferentially, but couldn't work out a solution that always works.

Is there a way to say that I want one rule to apply when going out FastEthernet2/0 and another to apply when going out FastEthernet1/0?

Cheers,

    Sylvain

12 Replies

Latchum Naidu (VIP Alumni)

Hi Sylvain,

This can be done by using PBR.
Try like below and let us know the status.

ip nat inside source route-map FE1/0 interface FastEthernet1/0 overload
ip nat inside source route-map FE2/0 interface FastEthernet2/0 overload

access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

route-map FE1/0 permit 10
 match ip address 101
 match interface FastEthernet1/0

route-map FE2/0 permit 10
 match ip address 102
 match interface FastEthernet2/0

HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.

@Latchum

Uh, I don't want overload for the second NAT. I want a network NAT (so 192.168.1.123 becomes 10.161.1.123).

Marwan ALshawi (VIP Alumni)

OK, there are two points here.

Your NATing is not working because you need to have a route map to match the outgoing interface when you do NATing; in this case you have both of them working.

But before that I have a question: why do you translate your Site A LAN subnet to the Site B LAN subnet when you send the traffic from A to B?

This will make a problem for the Site B router: how to route the traffic back.

192.168.1.0---RTRA---172.----RTRB---10.161.1.0

Now router B knows 10.161.1.0 is directly connected.

If you send this traffic from RTR A with NATed source IP as 10.161.1.0/24 then router B will send it back to its LAN / Site B.

What you can do if you want to translate: use the below example.

Site A LAN 192.168.1.0/24

NATed Site A to B 10.161.2.0/24

Site B LAN 10.161.1.0/24

Config to work with both LAN and Internet NATing:

route-map internet permit 10
 match ip address acl_nat
 match interface fa2/0

route-map lan permit 10
 match interface fa1/0

ip nat inside source route-map internet interface FastEthernet2/0 overload
ip nat inside source static network 192.168.1.0 10.161.2.0 /24 route-map lan

ip access-list extended acl_nat
 permit ip 192.168.1.0 0.0.0.255 any

In your router in Site A I assume you have at least two static routes:

ip route 0.0.0.0 0.0.0.0 <internet next-hop IP (ISP)>
ip route 10.161.1.0 255.255.255.0 172.16.1.2

In your router B you need this static route to get the return traffic working:

ip route 10.161.2.0 255.255.255.0 172.16.1.1

Good luck.

If helpful, rate.

Sorry, I got confused, site B is not the same range, it's 10.160.1.0 (160 instead of 161). The real setup is actually bigger (site B is the 'center' of a star topology).

Yes, I looked at route maps ... unfortunately,

ip nat inside source static network 192.168.2.0 10.161.1.0 /24 route-map lan

doesn't work; it doesn't want to take the 'route-map lan' part, it seems ...

For the routing I have OSPF running and it all works fine (using a loopback to advertise 10.161.1.0/24).

Actually that 'route-map' part with 'ip nat inside source static network' seems to exist on 12.4 but not on IOS 15 ... (tried 15.0 and 15.1) ...

Any idea what it's been replaced with?

(Accepted solution)

OK, try to use a pool instead of the network command.

Remove the NAT with network and use the below:

ip nat pool pool1 10.161.1.1 10.161.1.254 netmask 255.255.255.0
ip nat inside source route-map lan pool pool1

Well that does "work", but it doesn't do what I want because it takes a random address out of the pool and doesn't map 1:1 (i.e. 192.168.1.123 => 10.161.1.123).

I can put 254 entries like

ip nat inside source static 192.168.1.123 10.161.1.123 route-map lan

But that's a real pain ...

I tried downgrading to 12.4(15) and using the route-map with network translation, and although it accepts the commands, it doesn't work. As soon as you apply a route-map on a network static translation, it never matches.

That may be why the command has been removed ... (even 12.4(20) doesn't have it).

I still find this weird because it looks like a pretty standard setup: site-to-site connection with overlapping addresses + normal internet access ...

OK, the pool seems to work like I want it to if I define the pool with the 'match-host' argument:

ip nat pool lan_pool 10.160.1.0 10.160.1.255 prefix-length 24 type match-host

Unfortunately that doesn't allow reverse connections ... (i.e. someone trying to connect from B to 10.160.1.x ...)

(I was a little quick to press 'correct answer' ...)

That's OK, happy it's working to some extent as you want.

For the reverse connection, can you check in the NAT command if you have the keyword reversible! I don't have a router in front of me; this happens because of the route map and you need this keyword to have the reverse connection!!

Good luck and thanks for the rating too.

Yes, I've seen the reversible keyword and it does bring it a step closer, but still not completely.

Because the reverse translation is only created when the host has first made a forward connection.

Unfortunately, until it does everything, my only option is to introduce 254 static rules ... no idea what performance impact it would have though.

Maybe I can get away with only doing a couple of static rules for the machines that need access from the outside and use the pool thing for the rest. I'll have to discuss that with the client.

(Of course the best solution would be to just change the range of the 192.168.1.x subnet, but since there is a bunch of different vendors' equipment all configured with static IPs talking to each other, it would get messy and expensive ...)
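As an added illustration (constructed for this page; not code from the thread, from Cisco, or from any IOS feature), a small Python model of the two behaviours discussed above: a match-host pool keeps the host part of the address but only creates a translation when the inside host sends first, so an outside-initiated connection to an untouched pool address finds no entry, while a per-host static entry is present in both directions from the start. It also emits the per-host 'ip nat inside source static ... route-map lan' lines for just the hosts that need inbound access, which is the hybrid mentioned in the last posts. The address ranges are the ones from the thread (192.168.1.0/24 translated into the 10.160.1.0/24 match-host pool); the NatTable class, the match_host function and the host lists are this example's own assumptions.

```python
"""Toy model of match-host pool NAT versus per-host static NAT.

Constructed example: it reproduces the thread's observation that a
pool entry exists only after inside-originated traffic, whereas a
static entry answers inbound connections immediately.
"""
from ipaddress import IPv4Address, IPv4Network

INSIDE_LAN = IPv4Network("192.168.1.0/24")   # site A LAN (from the thread)
TRANSLATED = IPv4Network("10.160.1.0/24")    # match-host pool range (from the thread)
ROUTE_MAP = "lan"                            # route-map name used in the thread


def match_host(inside_ip: str) -> str:
    """Host-preserving translation: keep the host bits, swap the /24 prefix."""
    ip = IPv4Address(inside_ip)
    if ip not in INSIDE_LAN:
        raise ValueError(f"{ip} is not in {INSIDE_LAN}")
    host_bits = int(ip) - int(INSIDE_LAN.network_address)
    return str(IPv4Address(int(TRANSLATED.network_address) + host_bits))


class NatTable:
    """Minimal NAT state (assumption, not IOS internals).

    static:  entries configured up front, valid in both directions.
    dynamic: pool entries, created only when an inside host sends first.
    """

    def __init__(self, static_hosts=()):
        self.static = {h: match_host(h) for h in static_hosts}
        self.dynamic = {}

    def outbound(self, inside_ip: str) -> str:
        """Inside -> outside: use the static entry or create a pool entry."""
        if inside_ip in self.static:
            return self.static[inside_ip]
        self.dynamic.setdefault(inside_ip, match_host(inside_ip))
        return self.dynamic[inside_ip]

    def inbound(self, translated_ip: str):
        """Outside -> inside: only succeeds if an entry already exists."""
        for table in (self.static, self.dynamic):
            for inside, outside in table.items():
                if outside == translated_ip:
                    return inside
        return None  # no translation: the packet to the pool address is dropped


def static_nat_lines(hosts) -> list:
    """One static line per host that must be reachable from the other site."""
    return [
        f"ip nat inside source static {h} {match_host(h)} route-map {ROUTE_MAP}"
        for h in hosts
    ]


def all_hosts() -> list:
    """Every usable host of the inside LAN (254 for a /24)."""
    return [str(h) for h in INSIDE_LAN.hosts()]


if __name__ == "__main__":
    # Only one server (constructed) needs inbound access; the rest use the pool.
    nat = NatTable(static_hosts=["192.168.1.10"])
    print("inbound to static host:", nat.inbound("10.160.1.10"))    # 192.168.1.10
    print("inbound to pool host first:", nat.inbound("10.160.1.123"))  # None
    nat.outbound("192.168.1.123")                                     # host sends first
    print("inbound after forward:", nat.inbound("10.160.1.123"))    # 192.168.1.123
    for line in static_nat_lines(["192.168.1.10"]):
        print(line)
```

The simulation is the argument for the hybrid: keep the static entries to the handful of hosts that must accept connections from site B, and let the match-host pool cover everybody else, rather than generating all 254 lines. The full-LAN generator is there to show what the "real pain" variant would look like if it were needed.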

The final solution was provided by the TAC and involves mixing both inside/outside and NVI (ip nat enable).

In theory you can use any order, but due to a CEF issue you have to use NVI for the internet routing and inside/outside for the static network translation.

(For the CEF issue, see https://supportforums.cisco.com/message/3393806#3393806)
