server side source NAT

Answered Question
Jul 20th, 2008
Hello!


The simple config below is not working.

We would like to change the server source IP in the server initiated connection.

The access-list state is NOT-ACTIVE.

Why? Any help would be appreciated!


Regards,



class-map match-any NAT_CLASS
  2 match access-list NAT_ACCESS

policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 87

interface vlan 73
  description ACE-Application
  ip address 192.168.29.18 255.255.255.248
  alias 192.168.29.22 255.255.255.248
  peer ip address 192.168.29.20 255.255.255.248
  access-group input ALL
  access-group output ALL
  nat-pool 1 10.42.16.30 10.42.16.30 netmask 255.255.255.0 pat
  no shutdown

interface vlan 87
  ip address 192.168.13.86 255.255.255.248
  access-group input ALL
  service-policy input NAT_POLICY
  no shutdown

access-list NAT_ACCESS line 1 extended permit tcp host 192.168.13.81 any eq telnet
access-list NAT_ACCESS line 30 extended permit icmp any any


--------------------------------------------------------------------------------------------


Admin# sho access-list NAT_ACCESS
access-list:NAT_ACCESS, elements: 2, status: NOT-ACTIVE
remark :
access-list NAT_ACCESS line 1 extended permit tcp host 192.168.13.81 any eq telnet
access-list NAT_ACCESS line 30 extended permit icmp any any



Syed Iftekhar Ahmed Sun, 07/20/2008 - 23:59

Make the following change


policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 73


Syed Iftekhar Ahmed
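As an added check (my own script, not from the thread or from Cisco), a small Python parser that reads an ACE configuration and flags each `nat dynamic <pool> vlan <n>` action whose nat-pool is not defined under the interface vlan it names. The embedded config is a constructed cut of the poster's original and reproduces the vlan 87 / vlan 73 mismatch this answer corrects.

```python
import re

# Constructed sample: the poster's config reduced to what the check needs.
# The pool is defined under vlan 73 but the nat action names vlan 87.
ACE_CONFIG = """\
policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 87

interface vlan 73
  ip address 192.168.29.18 255.255.255.248
  nat-pool 1 10.42.16.30 10.42.16.30 netmask 255.255.255.0 pat

interface vlan 87
  ip address 192.168.13.86 255.255.255.248
  service-policy input NAT_POLICY
"""

INTERFACE_RE = re.compile(r"^interface vlan (\d+)$")
NAT_POOL_RE = re.compile(r"^nat-pool (\d+)\s")
NAT_DYNAMIC_RE = re.compile(r"^nat dynamic (\d+) vlan (\d+)$")


def find_nat_pools(config):
    """Set of (pool_id, vlan) for every nat-pool defined under an interface vlan."""
    pools, vlan = set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if m := INTERFACE_RE.match(line):
            vlan = int(m.group(1))
        elif line and not raw[0].isspace():  # unindented line starts another stanza
            vlan = None
        elif (m := NAT_POOL_RE.match(line)) and vlan is not None:
            pools.add((int(m.group(1)), vlan))
    return pools


def find_nat_actions(config):
    """List of (pool_id, vlan) for every 'nat dynamic <pool> vlan <n>' action."""
    matches = (NAT_DYNAMIC_RE.match(ln.strip()) for ln in config.splitlines())
    return [(int(m.group(1)), int(m.group(2))) for m in matches if m]


def check_nat_pool_vlans(config):
    """Problems as (pool_id, vlan_named_in_action, vlans_where_that_pool_is_defined)."""
    pools = find_nat_pools(config)
    return [(p, v, sorted(pv for pp, pv in pools if pp == p))
            for p, v in find_nat_actions(config) if (p, v) not in pools]
```

On the sample above `check_nat_pool_vlans(ACE_CONFIG)` returns `[(1, 87, [73])]`; after changing the action to `vlan 73` it returns an empty list.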

KAROLY KOHEGYI Mon, 07/21/2008 - 00:10
Hi!


I overlooked it.

The situation changed a little.


Status : ACTIVE
-----------------------------------------
Interface: vlan 87
service-policy: NAT_POLICY
class: NAT_CLASS
nat:
nat dynamic 1 vlan 73
curr conns : 1 , hit count : 3
dropped conns : 0
client pkt count : 59 , client byte count: 2754
server pkt count : 56 , server byte count: 3324
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0

Lajos-ACE/Admin# sho access-list NAT_ACCESS
access-list:NAT_ACCESS, elements: 2, status: NOT-ACTIVE
remark :
access-list NAT_ACCESS line 1 extended permit tcp host 192.168.13.81 any eq telnet
access-list NAT_ACCESS line 30 extended permit icmp any any


The policy is working but the access-list is not.

The NAT is not working either.


Regards,


Syed Iftekhar Ahmed Mon, 07/21/2008 - 00:25

An access-list showing "NOT-ACTIVE" means that it is not applied to an interface, which is normal for ACLs that are only used in class maps.

Is the traffic for NAT covered by the ACL (the ACL applied to the interfaces) to allow the traffic through the ACE?


Syed Iftekhar Ahmed



KAROLY KOHEGYI Mon, 07/21/2008 - 00:34
Hi!


Yes. I use the ALL access-list on the interfaces.


Lajos-ACE/Admin# sho access-list ALL
access-list:ALL, elements: 2, status: ACTIVE
remark :
access-list ALL line 10 extended permit ip any any (hitcount=19682682)
access-list ALL line 20 extended permit icmp any any (hitcount=0)


I make a telnet connection from 192.168.13.81 to outside device.

The connection is made, but the source IP is 192.168.16.81 instead of 10.42.16.30.


Regards,

Syed Iftekhar Ahmed Mon, 07/21/2008 - 01:13

Your config looks ok.

Are you sure the server initiated connection is not bypassing ACE? Do you see this conn on ACE (sh conn)?


Just for testing, remove the ACL from the class-map and use source-address instead:



class-map match-any NAT_CLASS
  2 match source 192.168.13.81 255.255.255.255



Syed
