06-25-2013 03:02 PM - edited 03-07-2019 02:04 PM
Hi there.
I am hoping someone can help me here.
Issue #1 PAT
I can't seem to get the PAT (overloaded NAT) working. The systems with IP addresses that are not statically NAT'd can reach out to the internet.
The systems with static NAT work fine and can reach out to the net and can be reached from the net via those ports where ACLs permit.
Issue #2 ACLs
Any systems in one VLAN can't seem to reach systems in another VLAN (ex: 192.168.101.10 can't ssh to 192.168.50.10) even though there is an ACL that 'should' permit it.
NOTE: I have PBR to force connections to go out to the external routers, where they 'should' come back in on another VLAN.
Any help would really be appreciated.
Jerry
Config is
----------------------
!
ip dhcp pool DHCP_VLAN-101-Network101
network 192.168.101.0 255.255.255.0
domain-name Network101.com
default-router 192.168.101.1
dns-server 192.168.101.10 192.168.101.11 192.168.101.12
!
!
!
ip domain name Network101.com
no ipv6 cef
multilink bundle-name authenticated
!
!
!
redundancy
!
!
ip ssh port 22 rotary 1
ip ssh version 2
!
track 1 interface GigabitEthernet0/1 line-protocol
track 2 interface GigabitEthernet0/0 line-protocol
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.25
description NET-INT-VLAN-25-Network25
encapsulation dot1Q 25
ip address 192.168.25.2 255.255.255.0
ip access-group ACL_RULES_VLAN-25-Network25 out
ip nat inside
ip virtual-reassembly in
ip policy route-map RMAP_VLAN-25-Network25
standby version 2
standby 25 ip 192.168.25.1
standby 25 timers msec 300 1
standby 25 priority 150
standby 25 authentication md5 key-string SomePassword
standby 25 name HSRP-25
standby 25 track 1 decrement 50
!
interface GigabitEthernet0/0.26
description NET-INT-VLAN-26-Network26
encapsulation dot1Q 26
ip address 192.168.26.2 255.255.255.0
ip access-group ACL_RULES_VLAN-26-Network26 out
ip nat inside
ip virtual-reassembly in
ip policy route-map RMAP_VLAN-26-Network26
standby version 2
standby 26 ip 192.168.26.1
standby 26 timers msec 300 1
standby 26 priority 150
standby 26 authentication md5 key-string SomePassword
standby 26 name HSRP-26
standby 26 track 1 decrement 50
!
interface GigabitEthernet0/0.27
description NET-INT-VLAN-27-Network27
encapsulation dot1Q 27
ip address 192.168.27.2 255.255.255.0
ip access-group ACL_RULES_VLAN-27-Network27 out
ip nat inside
ip virtual-reassembly in
ip policy route-map RMAP_VLAN-27-Network27
standby version 2
standby 27 ip 192.168.27.1
standby 27 timers msec 300 1
standby 27 priority 150
standby 27 authentication md5 key-string SomePassword
standby 27 name HSRP-27
standby 27 track 1 decrement 50
!
interface GigabitEthernet0/0.50
description NET-INT-VLAN-50-Network50
encapsulation dot1Q 50
ip address 192.168.50.2 255.255.255.0
ip access-group ACL_RULES_VLAN-50-Network50 out
ip nat inside
ip virtual-reassembly in
ip policy route-map RMAP_VLAN-50-Network50
standby version 2
standby 50 ip 192.168.50.1
standby 50 timers msec 300 1
standby 50 priority 150
standby 50 authentication md5 key-string SomePassword
standby 50 name HSRP-50
standby 50 track 1 decrement 50
!
interface GigabitEthernet0/0.101
description NET-INT-VLAN-101-Network101
encapsulation dot1Q 101
ip address 192.168.101.2 255.255.255.0
ip access-group ACL_RULES_VLAN-101-Network101 out
ip nat inside
ip virtual-reassembly in
ip policy route-map RMAP_VLAN-101-Network101
standby version 2
standby 101 ip 192.168.101.1
standby 101 timers msec 300 1
standby 101 priority 150
standby 101 authentication md5 key-string SomePassword
standby 101 name HSRP-101
standby 101 track 1 decrement 50
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1025
description NET-EXT-VLAN-1025-Network25
encapsulation dot1Q 1025
ip address mm.mm.mm.189 255.255.255.240
ip nat outside
ip virtual-reassembly in
standby version 2
standby 1025 ip mm.mm.mm.190
standby 1025 timers msec 300 1
standby 1025 priority 150
standby 1025 authentication md5 key-string SomePassword
standby 1025 name HSRP-1025
standby 1025 track 2 decrement 50
!
interface GigabitEthernet0/1.1026
description NET-EXT-VLAN-1026-Network26
encapsulation dot1Q 1026
ip address mm.mm.mm.173 255.255.255.240
ip nat outside
ip virtual-reassembly in
standby version 2
standby 1026 ip mm.mm.mm.174
standby 1026 timers msec 300 1
standby 1026 priority 150
standby 1026 authentication md5 key-string SomePassword
standby 1026 name HSRP-1026
standby 1026 track 2 decrement 50
!
interface GigabitEthernet0/1.1027
description NET-EXT-VLAN-1027-Network27
encapsulation dot1Q 1027
ip address mm.mm.mm.205 255.255.255.240
ip nat outside
ip virtual-reassembly in
standby version 2
standby 1027 ip mm.mm.mm.206
standby 1027 timers msec 300 1
standby 1027 priority 150
standby 1027 authentication md5 key-string SomePassword
standby 1027 name HSRP-1027
standby 1027 track 2 decrement 50
!
interface GigabitEthernet0/1.1050
description NET-EXT-VLAN-1050-Network50
encapsulation dot1Q 1050
ip address nn.nn.nn.221 255.255.255.224
ip nat outside
ip virtual-reassembly in
standby version 2
standby 1050 ip nn.nn.nn.222
standby 1050 timers msec 300 1
standby 1050 priority 150
standby 1050 authentication md5 key-string SomePassword
standby 1050 name HSRP-1050
standby 1050 track 2 decrement 50
!
interface GigabitEthernet0/1.1101
description NET-EXT-VLAN-1101-Network101
encapsulation dot1Q 1101
ip address nn.nn.nn.125 255.255.255.128
ip nat outside
ip virtual-reassembly in
standby version 2
standby 1101 ip nn.nn.nn.126
standby 1101 timers msec 300 1
standby 1101 priority 150
standby 1101 authentication md5 key-string SomePassword
standby 1101 name HSRP-1101
standby 1101 track 2 decrement 50
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool NAT_POOL_VLAN-25-Network25 mm.mm.mm.190 mm.mm.mm.190 prefix-length 28
ip nat pool NAT_POOL_VLAN-26-Network26 mm.mm.mm.174 mm.mm.mm.174 prefix-length 28
ip nat pool NAT_POOL_VLAN-27-Network27 mm.mm.mm.206 mm.mm.mm.206 prefix-length 28
ip nat pool NAT_POOL_VLAN-50-Network50 nn.nn.nn.222 nn.nn.nn.222 prefix-length 27
ip nat pool NAT_POOL_VLAN-101-Network101 nn.nn.nn.126 nn.nn.nn.126 prefix-length 25
ip nat inside source list ACL_INT_VLAN-25-Network25 pool NAT_POOL_VLAN-25-Network25 overload
ip nat inside source list ACL_INT_VLAN-26-Network26 pool NAT_POOL_VLAN-26-Network26 overload
ip nat inside source list ACL_INT_VLAN-27-Network27 pool NAT_POOL_VLAN-27-Network27 overload
ip nat inside source list ACL_INT_VLAN-50-Network50 pool NAT_POOL_VLAN-50-Network50 overload
ip nat inside source list ACL_INT_VLAN-101-Network101 pool NAT_POOL_VLAN-101-Network101 overload
ip nat inside source static 192.168.50.10 nn.nn.nn.196
ip nat inside source static 192.168.50.11 nn.nn.nn.197
ip nat inside source static 192.168.25.10 mm.mm.mm.180
ip nat inside source static 192.168.25.11 mm.mm.mm.181
ip nat inside source static 192.168.26.10 mm.mm.mm.165
ip nat inside source static 192.168.26.11 mm.mm.mm.166
ip nat inside source static 192.168.27.10 mm.mm.mm.197
ip nat inside source static 192.168.27.11 mm.mm.mm.198
ip nat inside source static 192.168.101.10 nn.nn.nn.10
ip nat inside source static 192.168.101.11 nn.nn.nn.11
!
!
!
!
ip access-list extended ACL_INT_VLAN-101-Network101
permit ip any 192.168.101.0 0.0.0.255
!
ip access-list extended ACL_INT_VLAN-25-Network25
permit ip any 192.168.25.0 0.0.0.255
!
ip access-list extended ACL_INT_VLAN-26-Network26
permit ip any 192.168.26.0 0.0.0.255
!
ip access-list extended ACL_INT_VLAN-27-Network27
permit ip any 192.168.27.0 0.0.0.255
!
ip access-list extended ACL_INT_VLAN-50-Network50
permit ip any 192.168.50.0 0.0.0.255
!
ip access-list extended ACL_RULES_VLAN-101-Network101
remark Allow established TCP connections to Network101
permit tcp any 192.168.101.0 0.0.0.255 established
remark FCl-NS1 UDP -> BOOTP(Client + Server)
permit udp any any eq bootps
permit udp any any eq bootpc
remark FCl-NS1 UDP -> DNS
remark FCl-NS1 UDP -> NTP
remark FCl-NS1 TCP -> SSH(22)
remark FCl-NS1 ECHO
permit tcp any host 192.168.101.10 eq 22
permit udp any host 192.168.101.10 eq domain
permit udp any eq domain host 192.168.101.10
permit icmp any host 192.168.101.10 echo-reply
permit icmp any host 192.168.101.10 echo
permit icmp any host 192.168.101.63 echo-reply
permit icmp any host 192.168.101.63 echo
remark FCl-NS2 UDP -> DNS
remark FCl-NS2 UDP -> NTP
remark FCl-NS2 TCP -> SSH
remark FCl-NS2 ECHO
permit tcp any host 192.168.101.11 eq 22
permit udp any host 192.168.101.11 eq domain
permit udp any eq domain host 192.168.101.11
permit icmp any host 192.168.101.11 echo-reply
permit icmp any host 192.168.101.11 echo
!
!
ip access-list extended ACL_RULES_VLAN-25-Network25
permit tcp any host 192.168.25.10 established
permit tcp any host 192.168.25.10 eq 22
permit udp any host 192.168.25.10 eq domain
permit udp any eq domain host 192.168.25.10
permit icmp any host 192.168.25.10 echo-reply
permit icmp any host 192.168.25.10 echo
permit tcp any host 192.168.25.11 established
permit tcp any host 192.168.25.11 eq 22
permit udp any host 192.168.25.11 eq domain
permit udp any eq domain host 192.168.25.11
permit icmp any host 192.168.25.11 echo-reply
permit icmp any host 192.168.25.11 echo
!
!
ip access-list extended ACL_RULES_VLAN-26-Network26
permit tcp any host 192.168.26.10 established
permit tcp any host 192.168.26.10 eq 22
permit udp any host 192.168.26.10 eq domain
permit udp any eq domain host 192.168.26.10
permit icmp any host 192.168.26.10 echo-reply
permit icmp any host 192.168.26.10 echo
permit tcp any host 192.168.26.11 established
permit tcp any host 192.168.26.11 eq 22
permit udp any host 192.168.26.11 eq domain
permit udp any eq domain host 192.168.26.11
permit icmp any host 192.168.26.11 echo-reply
permit icmp any host 192.168.26.11 echo
!
!
ip access-list extended ACL_RULES_VLAN-27-Network27
permit tcp any host 192.168.27.10 established
permit tcp any host 192.168.27.10 eq 22
permit udp any host 192.168.27.10 eq domain
permit udp any eq domain host 192.168.27.10
permit icmp any host 192.168.27.10 echo-reply
permit icmp any host 192.168.27.10 echo
permit tcp any host 192.168.27.11 established
permit tcp any host 192.168.27.11 eq 22
permit udp any host 192.168.27.11 eq domain
permit udp any eq domain host 192.168.27.11
permit icmp any host 192.168.27.11 echo-reply
permit icmp any host 192.168.27.11 echo
!
!
ip access-list extended ACL_RULES_VLAN-50-Network50
remark Allow established TCP connections
permit tcp any 192.168.50.0 0.0.0.255 established
remark DNS-SSH(22)-NTP to Name Server 1
permit tcp any host 192.168.50.10 eq 22
permit udp any host 192.168.50.10 eq domain
permit udp any eq domain host 192.168.50.10
permit icmp any host 192.168.50.10 echo-reply
permit icmp any host 192.168.50.10 echo
remark DNS-SSH(22)-NTP to Name Server 2
permit tcp any host 192.168.50.11 eq 22
permit udp any host 192.168.50.11 eq domain
permit udp any eq domain host 192.168.50.11
permit icmp any host 192.168.50.11 echo-reply
permit icmp any host 192.168.50.11 echo
!
!
route-map RMAP_VLAN-27-Network27 permit 10
set ip next-hop mm.mm.mm.193
!
route-map RMAP_VLAN-25-Network25 permit 10
set ip next-hop mm.mm.mm.177
!
route-map RMAP_VLAN-26-Network26 permit 10
set ip next-hop mm.mm.mm.161
!
route-map RMAP_VLAN-101-Network101 permit 10
set ip next-hop nn.nn.nn.1
!
route-map RMAP_VLAN-50-Network50 permit 10
set ip next-hop nn.nn.nn.193
!
!
!
control-plane
!
!
!
line con 0
length 50
width 150
stopbits 1
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
rotary 1
length 50
width 150
transport input ssh
!
scheduler allocate 20000 1000
!
end
06-26-2013 12:10 AM
Hi,
Concerning your NAT overload , can you do this:
no ip nat inside source list ACL_INT_VLAN-25-Network25 pool NAT_POOL_VLAN-25-Network25 overload
no ip nat inside source list ACL_INT_VLAN-26-Network26 pool NAT_POOL_VLAN-26-Network26 overload
no ip nat inside source list ACL_INT_VLAN-27-Network27 pool NAT_POOL_VLAN-27-Network27 overload
no ip nat inside source list ACL_INT_VLAN-50-Network50 pool NAT_POOL_VLAN-50-Network50 overload
no ip nat inside source list ACL_INT_VLAN-101-Network101 pool NAT_POOL_VLAN-101-Network101 overload
route-map VLAN-25-Network25
match ip address ACL_INT_VLAN-25-Network25
match interface GigabitEthernet0/1.1025
route-map VLAN-26-Network26
match ip address ACL_INT_VLAN-26-Network26
match interface GigabitEthernet0/1.1026
route-map VLAN-27-Network27
match ip address ACL_INT_VLAN-27-Network27
match interface GigabitEthernet0/1.1027
route-map VLAN-50-Network50
match ip address ACL_INT_VLAN-50-Network50
match interface GigabitEthernet0/1.1050
route-map VLAN-101-Network101
match ip address ACL_INT_VLAN-101-Network101
match interface GigabitEthernet0/1.1101
ip nat inside source route-map VLAN-25-Network25 pool NAT_POOL_VLAN-25-Network25 overload
ip nat inside source route-map VLAN-26-Network26 pool NAT_POOL_VLAN-26-Network26 overload
ip nat inside source route-map VLAN-27-Network27 pool NAT_POOL_VLAN-27-Network27 overload
ip nat inside source route-map VLAN-50-Network50 pool NAT_POOL_VLAN-50-Network50 overload
ip nat inside source route-map VLAN-101-Network101 pool NAT_POOL_VLAN-101-Network101 overload
For the second problem, can you put an explicit deny ip any any at the end of your filtering ACLs, try to ssh from 101.10 to 50.10, and do sh access-list before and after to see if you see any hit count on the deny.
Regards
Alain
Don't forget to rate helpful posts.
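As an added illustration (not part of the thread, and not Cisco's code), a small Python model of how an IOS NAT inside source rule is matched: the ACL is evaluated against the pre-translation packet, so its source field is the inside host, and a route-map rule additionally requires the egress interface to match. The ACL is the thread's ACL_INT_VLAN-101-Network101 with its wildcard mask written as a prefix; the source-based variant and the internet address 203.0.113.5 are constructed assumptions.

```python
import ipaddress

# Constructed model: an ACE is (proto, src_net, dst_net), where a network
# is "any" or CIDR notation. Only IPv4 and "ip" entries are modelled.

def ace_matches(ace, src, dst):
    def in_net(net, ip):
        return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    return in_net(ace[1], src) and in_net(ace[2], dst)

def acl_permits(acl, src, dst):
    # First matching entry wins; implicit deny at the end, as on IOS.
    for action, ace in acl:
        if ace_matches(ace, src, dst):
            return action == "permit"
    return False

# The thread's NAT source list: "permit ip any 192.168.101.0 0.0.0.255"
# (wildcard 0.0.0.255 written as /24). It names the inside subnet as the
# DESTINATION, so it can only match packets going towards VLAN 101.
ACL_INT_VLAN_101 = [("permit", ("ip", "any", "192.168.101.0/24"))]

# Assumed source-based variant (not from the page): matches packets FROM
# VLAN 101 to anywhere, which is what an inside source list is evaluated on.
ACL_INT_VLAN_101_SRC = [("permit", ("ip", "192.168.101.0/24", "any"))]

def nat_rule_applies(acl, egress_if, match_if, src, dst):
    """Decide whether a NAT rule translates this pre-translation packet.

    match_if=None models a plain "ip nat inside source list ..." rule,
    which checks only the ACL. A route-map with "match interface" also
    requires the packet to leave through that outside subinterface, so
    each VLAN's traffic is translated only into its own pool.
    """
    if match_if is not None and egress_if != match_if:
        return False
    return acl_permits(acl, src, dst)

if __name__ == "__main__":
    # Outbound packet from the VLAN 101 host to a constructed internet address.
    print(acl_permits(ACL_INT_VLAN_101, "192.168.101.10", "203.0.113.5"))
    print(acl_permits(ACL_INT_VLAN_101_SRC, "192.168.101.10", "203.0.113.5"))
```

Running it shows the page's ACL never matches an outbound packet from 192.168.101.10, while the source-based variant does, and that a route-map rule is skipped when the packet exits a different outside subinterface.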
06-26-2013 07:12 AM
Cadetalain,
I will give this a try, but it would be most helpful if I understood the impact of using a route map with the interface in addition to the ACL vs using just the ACL itself.
Jerry