ACE SNAT Problem

Unanswered Question

I currently have 2 NAT policies that work fine. I'm trying to add the 3rd but it's not working.

I'm pretty sure the config is correct, but I'm not sure if I can only have 1 SNAT policy per interface.

- NAT policy SNATs anything coming in externally except SMTP & FTP

- NAT-EMAIL policy SNATs anything coming in externally to go back out vlan 215 to our internal LAN.

- NAT-DMZ policy is supposed to allow communication between the 204 vlan and the 215 VIPs, but it doesn't work.

So the service policy NAT-DMZ on vlan 204 should intercept traffic destined for 10.10.215.0 and SNAT all of it to 10.10.215.88, I believe, but it's not working.

Any thoughts, or am I missing something?

access-list NAT line 10 extended deny tcp any any eq smtp
access-list NAT line 12 extended deny tcp any any eq ftp
access-list NAT line 13 extended deny tcp any any eq ftp-data
access-list NAT line 100 extended permit tcp any any eq www
access-list NAT line 110 extended permit tcp any any eq https
access-list NAT line 118 extended permit udp any any eq domain
access-list NAT line 126 extended permit tcp any any eq domain
access-list NAT line 134 extended permit tcp any any eq smtp
access-list NAT line 142 extended permit tcp any any eq 20022

access-list NAT-DMZ line 8 extended permit tcp any 10.10.215.0 255.255.255.0
access-list NAT-DMZ line 16 extended permit udp any 10.10.215.0 255.255.255.0
access-list NAT-DMZ line 24 extended permit tcp 10.10.215.0 255.255.255.0 any
access-list NAT-DMZ line 32 extended permit udp 10.10.215.0 255.255.255.0 any
access-list NAT-DMZ line 40 extended permit icmp any 10.10.215.0 255.255.255.0
access-list NAT-DMZ line 48 extended permit icmp 10.10.215.0 255.255.255.0 any

access-list NAT-EMAIL line 8 extended permit tcp any any eq www
access-list NAT-EMAIL line 16 extended permit tcp any any eq https

class-map match-any NAT
  2 match access-list NAT
class-map match-any NAT-DMZ
  2 match access-list NAT-DMZ
class-map match-any NAT-EMAIL
  2 match access-list NAT-EMAIL

policy-map multi-match NAT
  class NAT
    nat dynamic 1 vlan 204
policy-map multi-match NAT-DMZ
  class NAT-DMZ
    nat dynamic 5 vlan 215
policy-map multi-match NAT_EMAIL
  class NAT-EMAIL
    nat dynamic 10 vlan 215
policy-map multi-match VIPS
  class email.microchip.com_80_vs
    loadbalance vip inservice
    loadbalance policy email.microchip.com_80_l7slb
    loadbalance vip icmp-reply
    nat dynamic 10 vlan 215
  class email.microchip.com_443_vs
    loadbalance vip inservice
    loadbalance policy email.microchip.com_443_l7slb
    loadbalance vip icmp-reply
    nat dynamic 10 vlan 215
    appl-parameter http advanced-options HTTP-PARAM
    ssl-proxy server email.microchip.com_allSSL

interface vlan 204
  description WEBDMZ
  ip address 10.10.204.50 255.255.255.0
  alias 10.10.204.1 255.255.255.0
  peer ip address 10.10.204.3 255.255.255.0
  access-group input EVERYONE
  nat-pool 1 10.10.204.90 10.10.204.90 netmask 255.255.255.0 pat   <--Works
  service-policy input NAT-DMZ   <--Doesn't work
  no shutdown

interface vlan 215
  description WebDMZ External Interface
  ip address 10.10.215.11 255.255.255.0
  alias 10.10.215.10 255.255.255.0
  peer ip address 10.10.215.12 255.255.255.0
  access-group input EXTERNAL
  nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat   <--Works
  nat-pool 10 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat   <--Doesn't work
  service-policy input Management-Policy
  service-policy input VIPS
  service-policy input NAT
  no shutdown

Syed Iftekhar Ahmed Tue, 03/04/2008 - 17:35

Try this

policy-map multi-match NAT
  class NAT
    nat dynamic 1 vlan 204
policy-map multi-match NAT-DMZ
  class NAT-DMZ
    nat dynamic 5 vlan 215
  class NAT-EMAIL
    nat dynamic 10 vlan 215

interface vlan 204
  description WEBDMZ
  ip address 10.10.204.50 255.255.255.0
  alias 10.10.204.1 255.255.255.0
  peer ip address 10.10.204.3 255.255.255.0
  access-group input EVERYONE
  nat-pool 1 10.10.204.90 10.10.204.90 netmask 255.255.255.0 pat
  service-policy input NAT-DMZ
  no shutdown

interface vlan 215
  description WebDMZ External Interface
  ip address 10.10.215.11 255.255.255.0
  alias 10.10.215.10 255.255.255.0
  peer ip address 10.10.215.12 255.255.255.0
  access-group input EXTERNAL
  nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat
  nat-pool 5 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat
  service-policy input Management-Policy
  service-policy input VIPS
  service-policy input NAT
  no shutdown

Syed

Tried that, but the only difference was that I added NAT-DMZ to NAT-EMAIL instead. Just easier for me that way, but it didn't work.

access-list NAT-DMZ line 56 extended permit tcp any host 10.10.215.210
access-list NAT-DMZ line 64 extended permit tcp host 10.10.215.210 any
access-list NAT-DMZ line 72 extended permit udp any host 10.10.215.210
access-list NAT-DMZ line 80 extended permit udp host 10.10.215.210 any

access-list NAT-EMAIL line 8 extended permit tcp any any eq www
access-list NAT-EMAIL line 16 extended permit tcp any any eq https

policy-map multi-match NAT_EMAIL
  class NAT-DMZ
    nat dynamic 5 vlan 215
  class NAT-EMAIL
    nat dynamic 10 vlan 215

interface vlan 204
  description WEBDMZ
  ip address 10.10.204.50 255.255.255.0
  alias 10.10.204.1 255.255.255.0
  peer ip address 10.10.204.3 255.255.255.0
  access-group input EVERYONE
  nat-pool 1 10.10.204.90 10.10.204.90 netmask 255.255.255.0 pat
  service-policy input NAT_EMAIL
  no shutdown

interface vlan 215
  description WebDMZ External Interface
  ip address 10.10.215.11 255.255.255.0
  alias 10.10.215.10 255.255.255.0
  peer ip address 10.10.215.12 255.255.255.0
  access-group input EXTERNAL
  nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat
  nat-pool 10 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat
  service-policy input Management-Policy
  service-policy input VIPS
  service-policy input NAT
  no shutdown

I tested from a host in 10.10.204.x to 10.10.215.210, but it didn't work. I tested to 10.10.215.210 from the outside (vlan 215) and it does work, so I know the VIP works and is taking connections.

Syed Iftekhar Ahmed Wed, 03/05/2008 - 10:24

Both NAT pools on vlan 215 are numbered as "10", and in the policy you are referencing them as "5" & "10".

Shouldn't

interface vlan 215
  nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat
  nat-pool 10 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat

be

interface vlan 215
  nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat
  nat-pool 5 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat

Syed
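The mismatch Syed is checking for by eye (a policy-map referencing a NAT pool id that no pool on that interface carries, or two pools on one interface sharing an id) is easy to catch mechanically before pushing a config. The script below is an added example and is not from anyone in this thread or from Cisco: it parses the relevant lines of an ACE-style configuration (policy-map / nat dynamic / interface vlan / nat-pool), cross-checks pool ids against interface pools, and reports findings. The sample configs embedded in it are constructed from the fragments posted above; the function names and the line grammar it assumes are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the NAT_EMAIL policy-map and the two interfaces as posted
# in the thread, with the duplicated nat-pool id 10 on vlan 215 that Syed spotted.
BROKEN_CONFIG = """
policy-map multi-match NAT_EMAIL
  class NAT-DMZ
    nat dynamic 5 vlan 215
  class NAT-EMAIL
    nat dynamic 10 vlan 215
interface vlan 204
  nat-pool 1 10.10.204.90 10.10.204.90 netmask 255.255.255.0 pat
  service-policy input NAT_EMAIL
interface vlan 215
  nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat
  nat-pool 10 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat
  service-policy input NAT
"""

# Same config with the second pool renumbered to 5, as Syed suggested.
FIXED_CONFIG = BROKEN_CONFIG.replace("nat-pool 10 10.10.215.88", "nat-pool 5 10.10.215.88")

# Line grammar assumed by this example (matches the lines quoted in the thread).
POLICY_RE = re.compile(r"^policy-map\s+multi-match\s+(\S+)")
NAT_DYN_RE = re.compile(r"^nat\s+dynamic\s+(\d+)\s+vlan\s+(\d+)")
IFACE_RE = re.compile(r"^interface\s+vlan\s+(\d+)")
POOL_RE = re.compile(r"^nat-pool\s+(\d+)\s+(\S+)\s+(\S+)")


def parse(config):
    """Return (refs, pools).

    refs:  list of (policy_name, pool_id, vlan) from 'nat dynamic' actions
    pools: dict vlan -> list of (pool_id, start_ip, end_ip) from 'nat-pool' lines
    Context (which policy-map or interface we are inside) is tracked by indentation-free
    header lines, since ACE prints children indented under their parent.
    """
    refs = []
    pools = defaultdict(list)
    context = None  # ("policy", name) or ("iface", vlan)
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if m:
            context = ("policy", m.group(1))
            continue
        m = IFACE_RE.match(line)
        if m:
            context = ("iface", m.group(1))
            continue
        m = NAT_DYN_RE.match(line)
        if m and context and context[0] == "policy":
            refs.append((context[1], m.group(1), m.group(2)))
            continue
        m = POOL_RE.match(line)
        if m and context and context[0] == "iface":
            pools[context[1]].append((m.group(1), m.group(2), m.group(3)))
    return refs, dict(pools)


def check(config):
    """Return a list of human-readable findings; an empty list means the ids are consistent."""
    refs, pools = parse(config)
    findings = []
    # 1. A pool id must be unique per interface; a duplicate silently shadows the other entry.
    for vlan, entries in pools.items():
        ids = [pid for pid, _, _ in entries]
        for pid in sorted(set(ids)):
            if ids.count(pid) > 1:
                findings.append(f"interface vlan {vlan}: nat-pool id {pid} defined {ids.count(pid)} times")
    # 2. Every 'nat dynamic <id> vlan <n>' must resolve to a nat-pool <id> on interface vlan <n>.
    for policy, pid, vlan in refs:
        ids = {p for p, _, _ in pools.get(vlan, [])}
        if pid not in ids:
            findings.append(
                f"policy-map {policy}: 'nat dynamic {pid} vlan {vlan}' has no nat-pool {pid} on interface vlan {vlan}"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {check(cfg) or ['ok']}")
```

Run it against a `show running-config` dump to get the same two findings Syed raised for the broken copy (duplicate id 10 on vlan 215, and NAT_EMAIL's `nat dynamic 5 vlan 215` pointing at a pool that does not exist there) and an empty list for the corrected one.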

Sorry Syed, I copied that from Notepad. They are set up with the correct NAT id in the running config. I just tried it again with no luck.

policy-map multi-match NAT_EMAIL
  class NAT-DMZ
    nat dynamic 5 vlan 215
  class NAT-EMAIL
    nat dynamic 10 vlan 215

interface vlan 204
  description WEBDMZ
  ip address 10.10.204.50 255.255.255.0
  alias 10.10.204.1 255.255.255.0
  peer ip address 10.10.204.3 255.255.255.0
  access-group input EVERYONE
  nat-pool 1 10.10.204.90 10.10.204.90 netmask 255.255.255.0 pat
  service-policy input NAT_EMAIL
  no shutdown

interface vlan 215
  description WebDMZ External Interface
  ip address 10.10.215.11 255.255.255.0
  alias 10.10.215.10 255.255.255.0
  peer ip address 10.10.215.12 255.255.255.0
  access-group input EXTERNAL
  nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat
  nat-pool 5 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat
  service-policy input Management-Policy
  service-policy input VIPS
  service-policy input NAT
  no shutdown

rmathiyalagan Thu, 03/06/2008 - 10:55

We had this same problem. Multiple service policies applied on the interfaces don't work properly. You need to configure the NAT policies and the VIP policies under a single service policy before applying it on the interface.

Note: Cisco recommends that all VIP & NAT policies be bound under one service policy.

We had to fight with this problem before we got it tested in a Cisco lab and got it working.

Thanks,

Raja.

phil.wightman Fri, 09/05/2008 - 06:33

Darren,

Could you possibly share your final config for the multiple NAT pools? I don't exactly understand what is being said to get this to work. After looking at the config I can probably figure it out.

Thanks!

Gilles Dufour Thu, 03/06/2008 - 12:20

It absolutely does not matter if you are using one policy or more.

Both solutions would work the same way.

The config is in any case translated into special code instructions.

So whatever way you configure your policies (one or more), the instruction set will be the same in the end, so you get the same result.

Gilles.
