03-04-2008 02:46 PM
I currently have 2 NAT policies that work fine. I'm trying to add the 3rd, but it's not working.
I'm pretty sure the config is correct, but I'm not sure if I can only have 1 SNAT policy per interface.
- NAT policy SNATs anything coming in externally except SMTP & FTP.
- NAT-EMAIL policy SNATs anything coming in externally to go back out VLAN 215 to our internal LAN.
- NAT-DMZ policy is supposed to allow communication between the 204 VLAN and the 215 VIPs, but it doesn't work.
So the service policy NAT-DMZ on VLAN 204 should intercept traffic destined for 10.10.215.0 and SNAT
all of it to 10.10.215.88, I believe, but it's not working.
Any thoughts, or am I missing something?
access-list NAT line 10 extended deny tcp any any eq smtp
access-list NAT line 12 extended deny tcp any any eq ftp
access-list NAT line 13 extended deny tcp any any eq ftp-data
access-list NAT line 100 extended permit tcp any any eq www
access-list NAT line 110 extended permit tcp any any eq https
access-list NAT line 118 extended permit udp any any eq domain
access-list NAT line 126 extended permit tcp any any eq domain
access-list NAT line 134 extended permit tcp any any eq smtp
access-list NAT line 142 extended permit tcp any any eq 20022
access-list NAT-DMZ line 8 extended permit tcp any 10.10.215.0 255.255.255.0
access-list NAT-DMZ line 16 extended permit udp any 10.10.215.0 255.255.255.0
access-list NAT-DMZ line 24 extended permit tcp 10.10.215.0 255.255.255.0 any
access-list NAT-DMZ line 32 extended permit udp 10.10.215.0 255.255.255.0 any
access-list NAT-DMZ line 40 extended permit icmp any 10.10.215.0 255.255.255.0
access-list NAT-DMZ line 48 extended permit icmp 10.10.215.0 255.255.255.0 any
access-list NAT-EMAIL line 8 extended permit tcp any any eq www
access-list NAT-EMAIL line 16 extended permit tcp any any eq https
class-map match-any NAT
2 match access-list NAT
class-map match-any NAT-DMZ
2 match access-list NAT-DMZ
class-map match-any NAT-EMAIL
2 match access-list NAT-EMAIL
policy-map multi-match NAT
class NAT
nat dynamic 1 vlan 204
policy-map multi-match NAT-DMZ
class NAT-DMZ
nat dynamic 5 vlan 215
policy-map multi-match NAT_EMAIL
class NAT-EMAIL
nat dynamic 10 vlan 215
policy-map multi-match VIPS
class email.microchip.com_80_vs
loadbalance vip inservice
loadbalance policy email.microchip.com_80_l7slb
loadbalance vip icmp-reply
nat dynamic 10 vlan 215
class email.microchip.com_443_vs
loadbalance vip inservice
loadbalance policy email.microchip.com_443_l7slb
loadbalance vip icmp-reply
nat dynamic 10 vlan 215
appl-parameter http advanced-options HTTP-PARAM
ssl-proxy server email.microchip.com_allSSL
interface vlan 204
description WEBDMZ
ip address 10.10.204.50 255.255.255.0
alias 10.10.204.1 255.255.255.0
peer ip address 10.10.204.3 255.255.255.0
access-group input EVERYONE
nat-pool 1 10.10.204.90 10.10.204.90 netmask 255.255.255.0 pat <--Works
service-policy input NAT-DMZ <--Doesn't work
no shutdown
interface vlan 215
description WebDMZ External Interface
ip address 10.10.215.11 255.255.255.0
alias 10.10.215.10 255.255.255.0
peer ip address 10.10.215.12 255.255.255.0
access-group input EXTERNAL
nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat <--Works
nat-pool 10 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat <--Doesn't work
service-policy input Management-Policy
service-policy input VIPS
service-policy input NAT
no shutdown
03-04-2008 05:35 PM
Try this
policy-map multi-match NAT
class NAT
nat dynamic 1 vlan 204
policy-map multi-match NAT-DMZ
class NAT-DMZ
nat dynamic 5 vlan 215
class NAT-EMAIL
nat dynamic 10 vlan 215
interface vlan 204
description WEBDMZ
ip address 10.10.204.50 255.255.255.0
alias 10.10.204.1 255.255.255.0
peer ip address 10.10.204.3 255.255.255.0
access-group input EVERYONE
nat-pool 1 10.10.204.90 10.10.204.90 netmask 255.255.255.0 pat
service-policy input NAT-DMZ
no shutdown
interface vlan 215
description WebDMZ External Interface
ip address 10.10.215.11 255.255.255.0
alias 10.10.215.10 255.255.255.0
peer ip address 10.10.215.12 255.255.255.0
access-group input EXTERNAL
nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat
nat-pool 5 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat
service-policy input Management-Policy
service-policy input VIPS
service-policy input NAT
no shutdown
Syed
03-05-2008 07:34 AM
Tried that, but the only difference was that I added NAT-DMZ to NAT-EMAIL instead. Just easier for me that way, but it didn't work.
access-list NAT-DMZ line 56 extended permit tcp any host 10.10.215.210
access-list NAT-DMZ line 64 extended permit tcp host 10.10.215.210 any
access-list NAT-DMZ line 72 extended permit udp any host 10.10.215.210
access-list NAT-DMZ line 80 extended permit udp host 10.10.215.210 any
access-list NAT-EMAIL line 8 extended permit tcp any any eq www
access-list NAT-EMAIL line 16 extended permit tcp any any eq https
policy-map multi-match NAT_EMAIL
class NAT-DMZ
nat dynamic 5 vlan 215
class NAT-EMAIL
nat dynamic 10 vlan 215
interface vlan 204
description WEBDMZ
ip address 10.10.204.50 255.255.255.0
alias 10.10.204.1 255.255.255.0
peer ip address 10.10.204.3 255.255.255.0
access-group input EVERYONE
nat-pool 1 10.10.204.90 10.10.204.90 netmask 255.255.255.0 pat
service-policy input NAT_EMAIL
no shutdown
interface vlan 215
description WebDMZ External Interface
ip address 10.10.215.11 255.255.255.0
alias 10.10.215.10 255.255.255.0
peer ip address 10.10.215.12 255.255.255.0
access-group input EXTERNAL
nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat
nat-pool 10 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat
service-policy input Management-Policy
service-policy input VIPS
service-policy input NAT
no shutdown
I tested from a host in 10.10.204.x to 10.10.215.210, but it didn't work. I tested to 10.10.215.210
from the outside (VLAN 215) and it does work, so I know the VIP works and is taking connections.
03-05-2008 10:24 AM
Both NAT pools on VLAN 215 are numbered as "10", and in the policy you are referencing them as "5" & "10".
Shouldn't
interface vlan 215
nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat
nat-pool 10 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat
be
interface vlan 215
nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat
nat-pool 5 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat
Syed
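The mismatch Syed points out (a "nat dynamic 5 vlan 215" action with no "nat-pool 5" under "interface vlan 215", and two pools sharing ID 10) is easy to miss when reading a pasted config by eye. The Python below is an added example, not code from the thread or from Cisco: it parses an ACE config excerpt for just the keywords shown in this thread (class-map, policy-map, class, nat dynamic, interface vlan, nat-pool, service-policy input) and reports duplicate pool IDs, NAT actions that reference a pool the target interface does not define, and dangling class-map or policy-map names. The sample config is constructed from the excerpt posted above, and FIXED_CONFIG is the same text with the second pool renumbered to 5 as Syed suggests.

```python
"""Consistency checks over a Cisco ACE config excerpt (added example).

Flags the error discussed in the thread: a `nat dynamic <id> vlan <n>` action
whose <id> has no `nat-pool <id>` under `interface vlan <n>`, duplicate pool
IDs on one interface, and service-policy / class references to names that are
never defined. Only the keywords that appear in the posted config are parsed.
"""
from collections import defaultdict

# Constructed sample built from the excerpt posted in the thread: both vlan 215
# pools carry ID 10, while policy-map NAT_EMAIL references pool 5 on vlan 215.
SAMPLE_CONFIG = """\
class-map match-any NAT
  2 match access-list NAT
class-map match-any NAT-DMZ
  2 match access-list NAT-DMZ
class-map match-any NAT-EMAIL
  2 match access-list NAT-EMAIL
policy-map multi-match NAT
  class NAT
    nat dynamic 1 vlan 204
policy-map multi-match NAT_EMAIL
  class NAT-DMZ
    nat dynamic 5 vlan 215
  class NAT-EMAIL
    nat dynamic 10 vlan 215
interface vlan 204
  ip address 10.10.204.50 255.255.255.0
  nat-pool 1 10.10.204.90 10.10.204.90 netmask 255.255.255.0 pat
  service-policy input NAT_EMAIL
  no shutdown
interface vlan 215
  ip address 10.10.215.11 255.255.255.0
  nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat
  nat-pool 10 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat
  service-policy input NAT
  no shutdown
"""

# Same excerpt with the second pool renumbered to 5, as Syed suggested.
FIXED_CONFIG = SAMPLE_CONFIG.replace("nat-pool 10 10.10.215.88",
                                     "nat-pool 5 10.10.215.88")


def parse_ace_config(text):
    """Collect the objects the checks need; indentation is ignored so that
    flat copy/paste output (as posted in the thread) parses as well."""
    cfg = {
        "class_maps": set(),
        "policy_maps": set(),
        "nat_actions": [],            # (policy, class, pool_id, vlan)
        "pools": defaultdict(list),   # vlan -> pool IDs in config order
        "service_policies": [],       # (vlan, policy_name)
    }
    policy = cls = vlan = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "class-map":
            cfg["class_maps"].add(words[-1])
            policy = cls = vlan = None
        elif words[0] == "policy-map":
            policy, cls, vlan = words[-1], None, None
            cfg["policy_maps"].add(policy)
        elif words[:2] == ["interface", "vlan"]:
            vlan, policy, cls = int(words[2]), None, None
        elif words[0] == "class" and policy is not None:
            cls = words[1]
        elif words[:2] == ["nat", "dynamic"] and policy is not None:
            # nat dynamic <pool-id> vlan <vlan-id>
            cfg["nat_actions"].append((policy, cls, int(words[2]), int(words[4])))
        elif words[0] == "nat-pool" and vlan is not None:
            cfg["pools"][vlan].append(int(words[1]))
        elif words[:2] == ["service-policy", "input"] and vlan is not None:
            cfg["service_policies"].append((vlan, words[2]))
    return cfg


def check_nat_config(text):
    """Return a list of human-readable findings; an empty list means consistent."""
    cfg = parse_ace_config(text)
    findings = []
    for vlan, ids in sorted(cfg["pools"].items()):
        for pool_id in sorted({i for i in ids if ids.count(i) > 1}):
            findings.append(f"interface vlan {vlan}: nat-pool {pool_id} "
                            f"defined {ids.count(pool_id)} times")
    for policy, cls, pool_id, vlan in cfg["nat_actions"]:
        if cls not in cfg["class_maps"]:
            findings.append(f"policy-map {policy}: class {cls} has no class-map")
        if pool_id not in cfg["pools"].get(vlan, []):
            findings.append(f"policy-map {policy} class {cls}: nat dynamic "
                            f"{pool_id} vlan {vlan} has no nat-pool {pool_id} "
                            f"on interface vlan {vlan}")
    for vlan, name in cfg["service_policies"]:
        if name not in cfg["policy_maps"]:
            findings.append(f"interface vlan {vlan}: service-policy input "
                            f"{name} references an undefined policy-map")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("renumbered", FIXED_CONFIG)):
        print(f"{label}: {check_nat_config(text) or ['no findings']}")
```

Run against the config as posted it reports the duplicate pool 10 on vlan 215 and the NAT_EMAIL/NAT-DMZ action pointing at a pool 5 that vlan 215 never defines; run against the renumbered version it reports nothing. The parser is deliberately narrow: a full "show running-config" contains many more contexts, and any keyword outside the list above is ignored rather than interpreted.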
03-05-2008 10:30 AM
Sorry Syed, I copied that from Notepad. They are set up with the correct NAT ID in the running config. I just tried it again with no luck.
policy-map multi-match NAT_EMAIL
class NAT-DMZ
nat dynamic 5 vlan 215
class NAT-EMAIL
nat dynamic 10 vlan 215
interface vlan 204
description WEBDMZ
ip address 10.10.204.50 255.255.255.0
alias 10.10.204.1 255.255.255.0
peer ip address 10.10.204.3 255.255.255.0
access-group input EVERYONE
nat-pool 1 10.10.204.90 10.10.204.90 netmask 255.255.255.0 pat
service-policy input NAT_EMAIL
no shutdown
interface vlan 215
description WebDMZ External Interface
ip address 10.10.215.11 255.255.255.0
alias 10.10.215.10 255.255.255.0
peer ip address 10.10.215.12 255.255.255.0
access-group input EXTERNAL
nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat
nat-pool 5 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat
service-policy input Management-Policy
service-policy input VIPS
service-policy input NAT
no shutdown
03-06-2008 10:55 AM
We had this same problem. Multiple service policies applied on the interfaces don't work properly. You need to configure the NAT policies and the VIP policies under a single service policy before applying it on the interface.
Note: Cisco recommends all VIP & NAT policies be bound under one service policy.
We had to fight this problem before we got it tested in a Cisco lab and got it working.
Thanks,
Raja.
03-06-2008 12:08 PM
Thanks for the info. I actually got it working this morning by creating an additional policy map and applying it to the necessary interface.
09-05-2008 06:33 AM
Darren,
Could you possibly share your final config for the multiple NAT pools? I don't exactly understand what is being said to get this to work. After looking at the config I can probably figure it out.
Thanks!
03-06-2008 12:20 PM
It absolutely does not matter if you are using one policy or more.
Both solutions would work the same way.
The config is in any case translated into special code instructions.
So whatever way you configure your policies (one or more), the instruction set will be the same in the end, so you get the same result.
Gilles.