07-06-2011 03:06 AM - edited 03-07-2019 01:06 AM
Hi,
I have two sites A & B connected through a ptp link (172.16.0.1,2)
The site A uses a 192.168.1.0/24 range for its LAN.
The site B uses a 10.161.1.0/24 range for its LAN.
The router on site A also provides internet to the LAN clients (WAN IP 80.80.80.1)
interface FastEthernet1/0
ip address 172.16.0.1 255.255.255.0
ip nat outside
interface FastEthernet1/1
ip address 192.168.1.254 255.255.255.0
ip nat inside
interface FastEthernet2/0
ip address 80.80.80.1 255.255.255.0
ip nat outside
Now for the internet I have this config :
ip nat inside source list acl_nat interface FastEthernet2/0 overload
ip access-list extended acl_nat
permit ip 192.168.1.0 0.0.0.255 any
And for the network translation I have this :
ip nat inside source static network 192.168.1.0 10.161.1.0 /24
Both of these rules work separately but not together ... (because it tries to apply both).
Now with various combinations I managed to have one or the other apply preferentially but couldn't work out a solution that always works.
Is there a way to say that I want one rule to apply when going out FastEthernet2/0 and I want another to apply when going out FastEthernet1/0 ?
Cheers,
Sylvain
07-06-2011 03:45 AM
Hi Sylvain,
This can be done by using PBR.
Try like below and let us know the status.
ip nat inside source route-map FE1/0 interface FastEthernet1/0 overload
ip nat inside source route-map FE2/0 interface FastEthernet2/0 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
route-map FE1/0 permit 10
match ip address 101
match interface FastEthernet1/0
route-map FE2/0 permit 10
match ip address 102
match interface FastEthernet2/0
HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.
07-06-2011 04:38 AM
@Latchum
Uh, I don't want overload for the second nat. I want a network nat (so 192.168.1.123 becomes 10.161.1.123)
07-06-2011 03:52 AM
ok there are two points here
your NATing is not working because you need to have a route map to match the outgoing interface when you do NATing; in this case you have both of them working
but before that i have a question, why do you translate your Site A LAN subnet to the Site B LAN subnet when you send the traffic from A to B
this will make a problem for the Site B router: how to route the traffic back
192.168.1.0---RTRA---172.----RTRB---10.161.1.0
now router B knows 10.161.1.0 is directly connected
if you send this traffic from RTR A with NATed source IP as 10.161.1.0/24 then router B will send it back to its LAN/Site B
what you can do if you want to translate, use the below example
site A LAN 192.168.1.0/24
Nated Site A to B 10.161.2.0/24
Site B LAN 10.161.1.0/24
config to work with both LAN and Internet Nating:
route-map internet
match ip address acl_nat
match interface fa2/0
route-map lan
match interface fa1/0
ip nat inside source route-map internet interface FastEthernet2/0 overload
ip nat inside source static network 192.168.1.0 10.161.2.0 /24 route-map lan
ip access-list extended acl_nat
permit ip 192.168.1.0 0.0.0.255 any
in your router in Site A i assume you have at least two static routes
ip route 0.0.0.0 0.0.0.0 <ISP next-hop IP>
ip route 10.161.1.0 255.255.255.0 172.16.0.2
in your router B you need this static route to get the return traffic working
ip route 10.161.2.0 255.255.255.0 172.16.0.1
good luck
if helpful Rate
07-06-2011 04:43 AM
Sorry, I got confused, site B is not the same range, it's 10.160.1.0 (160 instead of 161). The real setup is actually bigger (site B is the 'center' of a star topology).
Yes, I looked at route map ... unfortunately,
ip nat inside source static network 192.168.2.0 10.161.1.0 /24 route-map lan
doesn't work, it doesn't want to take the 'route-map lan' part it seems ...
For the routing I have ospf running and it all works fine. (using a loopback to advertise 10.161.1.0/24 )
07-06-2011 04:56 AM
Actually that 'route-map' part with 'ip nat inside source static network' seems to exist on 12.4 but not on IOS 15 ... (tried 15.0 and 15.1) ...
Any idea what it's been replaced with ?
07-06-2011 05:24 AM
ok try to use a pool instead of the network command
remove the nat with network and use the below
ip nat pool pool1 10.161.1.1 10.161.1.254 netmask 255.255.255.0
ip nat inside source route-map lan pool pool1
07-06-2011 05:46 AM
Well that does "work" but it doesn't do what I want because it takes a random address out of the pool and doesn't map 1:1 (i.e 192.168.1.123 => 10.161.1.123).
I can put 254 entries like
ip nat inside source static 192.168.1.123 10.161.1.123 route-map lan
But that's a real pain ...
07-06-2011 11:36 AM
I tried downgrading to 12.4(15) and using the route-map with network translation and although it accepts the commands, it doesn't work. As soon as you apply a route-map on a network static translation, it never matches.
That may be why the command has been removed ... (even 12.4(20) doesn't have it).
I still find this weird because it looks like a pretty standard setup : site-to-site connection with overlapping address + normal internet access ...
07-06-2011 03:15 PM
Ok, the pool seems to work like I want it to if I define the pool with the 'match-host' argument :
ip nat pool lan_pool 10.160.1.0 10.160.1.255 prefix-length 24 type match-host
Unfortunately that doesn't allow reverse connection ... (i.e. someone trying to connect from B to 10.160.1.x ...)
(I was a little quick to press 'correct answer' ...)
07-06-2011 04:26 PM
that's ok, happy it's working to some extent as you want
for the reverse connection can you check in the nat command if you have the keyword reversible ! i don't have a router in front of me; this happens because of the route map and you need this keyword to have the reverse connection !!
good luck and thanks for the rating too
07-07-2011 01:48 AM
Yes, I've seen the reversible keyword and it does bring it a step closer, but still not completely.
Because the reverse translation is only created when the host has first made a forward connection.
Unfortunately until it does everything, my only option is to introduce 254 static rules ... no idea what performance impact it would have though.
Maybe I can get away with only doing a couple of static rules for the machines that need access from the outside and use the pool thing for the rest. I'll have to discuss that with the client.
(Of course the best solution would be to just change the range of the 192.168.1.x subnet but since there is a bunch of different vendors' equipment all configured with static IPs talking to each other, it would get messy and expensive ...)
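The three NAT behaviours this thread turns on (a static network translation that keeps host bits, a plain dynamic pool that does not, and a match-host pool whose reverse lookups only exist after forward traffic) can be modelled in a few lines. The following is an added example written for this page, not code from the thread or from Cisco; it uses the thread's 192.168.1.0/24 and 10.160.1.0/24 ranges, and its "lowest free address" allocation for the plain pool is a stand-in for IOS's allocation, which the poster observed as effectively random.

```python
import ipaddress
from typing import Dict, Optional

# Addresses from the thread: site A LAN and the range it is translated into toward site B.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
OUTSIDE_NET = ipaddress.ip_network("10.160.1.0/24")


def static_network_translate(src: str,
                             inside: ipaddress.IPv4Network = INSIDE_NET,
                             outside: ipaddress.IPv4Network = OUTSIDE_NET) -> Optional[str]:
    """Model of 'ip nat inside source static network A B /len': the prefix is swapped
    and the host bits are kept, so the mapping is stateless and 1:1 in both
    directions (192.168.1.123 <-> 10.160.1.123)."""
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("inside and outside prefixes must be the same length")
    addr = ipaddress.ip_address(src)
    if addr not in inside:
        return None  # not covered by this translation
    host_bits = int(addr) - int(inside.network_address)
    return str(ipaddress.ip_address(int(outside.network_address) + host_bits))


class NatPool:
    """Model of a dynamic 'ip nat pool FIRST LAST prefix-length N [type match-host]'.

    Translations are created on demand by forward (inside -> outside) traffic and
    remembered in a table; reverse lookups only succeed for entries that already exist.
    This is an illustrative model (assumption), not IOS's allocation algorithm.
    """

    def __init__(self, first: str, last: str, prefix_length: int, match_host: bool = False):
        self.first = int(ipaddress.ip_address(first))
        self.last = int(ipaddress.ip_address(last))
        self.host_mask = (1 << (32 - prefix_length)) - 1
        self.match_host = match_host
        self.table: Dict[str, str] = {}  # inside address -> outside address

    def _in_use(self, candidate: int) -> bool:
        return str(ipaddress.ip_address(candidate)) in self.table.values()

    def translate(self, src: str) -> Optional[str]:
        """Forward translation; allocates an outside address on first use."""
        if src in self.table:
            return self.table[src]
        addr = int(ipaddress.ip_address(src))
        if self.match_host:
            # match-host: keep the host bits of the inside address within the pool's prefix
            candidate = (self.first & ~self.host_mask) | (addr & self.host_mask)
            if not (self.first <= candidate <= self.last) or self._in_use(candidate):
                return None  # host bits fall outside the pool, or that address is taken
        else:
            # plain pool: hand out the lowest free address; the result depends on
            # allocation order, not on the inside host (hence "random" from the user's view)
            candidate = next((c for c in range(self.first, self.last + 1)
                              if not self._in_use(c)), None)
            if candidate is None:
                return None  # pool exhausted
        outside = str(ipaddress.ip_address(candidate))
        self.table[src] = outside
        return outside

    def reverse(self, dst: str) -> Optional[str]:
        """Inbound lookup (outside -> inside). With no existing entry, a connection
        initiated from site B toward the translated address cannot be mapped."""
        for inside, outside in self.table.items():
            if outside == dst:
                return inside
        return None


if __name__ == "__main__":
    print("static network:", static_network_translate("192.168.1.123"))
    plain = NatPool("10.160.1.1", "10.160.1.254", 24)
    print("plain pool:", plain.translate("192.168.1.123"), plain.translate("192.168.1.7"))
    mh = NatPool("10.160.1.0", "10.160.1.255", 24, match_host=True)
    print("reverse before forward:", mh.reverse("10.160.1.123"))
    print("match-host:", mh.translate("192.168.1.123"))
    print("reverse after forward:", mh.reverse("10.160.1.123"))
```

Running it shows why the poster needed `type match-host` to get 1:1 addresses, and why even `reversible` does not help a host on site B reach a site A machine that has not yet sent any traffic: the static network form needs no state, whereas the pool forms only answer reverse lookups for entries that forward traffic has already created.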
07-14-2011 06:02 AM
The final solution was provided by the TAC and involves mixing both inside/outside and NVI (ip nat enable).
In theory you can use any order but due to a CEF issue, you have to use NVI for the internet routing and inside/outside for the static network translation.
(for the CEF issue, see https://supportforums.cisco.com/message/3393806#3393806)