Multiple NAT Statements

alraycisco
Level 1

Hi,

I have a Cisco 1721 router setup with a nat statement as follows:

ip access-list extended acl_nat
 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list acl_nat interface Ethernet0 overload

The above works fine. I then added the statements below for a site to site VPN:

ip access-list extended acl_nat2
 permit ip 192.168.1.0 0.0.0.255 host 10.1.1.1
!
ip nat pool nat_pool 192.168.10.1 192.168.10.10 netmask 255.255.255.0
!
ip nat inside source list acl_nat pool nat_pool

I can now connect to the remote VPN host 10.1.1.1, however, I am no longer able to browse the web. As soon as I remove the 'ip nat inside source list acl_nat pool nat_pool' statement, I am able to browse the web. Should I be able to have the 2 NAT statements above work in conjunction with one another?

Thanks


Marwan ALshawi
VIP Alumni

The thing is, the pool you were using was using private IP addresses.

For the Internet you need public IPs from your ISP.

When you used the ip nat inside source list acl_nat interface Ethernet0 overload

this one was using the IP address on Ethernet0, whether it is static public or dynamically assigned from your ISP, which is routable over the Internet.

By the way,

the pool you were using, even if it was public IPs, will allow only 10 connections; you need the overload keyword to do PAT after those IPs are used up from the pool.

I suggest you use the first NATing, which is

ip nat inside source list acl_nat interface Ethernet0 overload

unless you get public IP addresses from your ISP.

Good luck.

If helpful, rate.

Hi,

The first NAT is for internet traffic and the second NAT is for traffic over a site-to-site VPN. This is why I have used private addresses for the second NAT. Also, I only need a few addresses in the pool as only a few people will use it.

I just need both to function simultaneously.

Thanks

Marwan ALshawi
VIP Alumni

In the next NAT, try to use a different ACL name or number.

Hello, you seem to have created two separate ACLs but are using only one.

Instead of ip nat inside source list acl_nat pool nat_pool

use

ip nat inside source list acl_nat2 pool nat_pool

Apologies, that was a typo. I am using acl_nat2 for the second NAT. NATing to the NAT pool works fine when I configure it; it just stops the Internet NAT (the first NAT) from working.

To summarize, this is the config:

!
ip access-list extended acl_nat
 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended acl_nat2
 permit ip 192.168.1.0 0.0.0.255 host 10.1.1.1
!
ip nat pool nat_pool 192.168.10.1 192.168.10.10 netmask 255.255.255.0
!
ip nat inside source list acl_nat interface Ethernet0 overload
ip nat inside source list acl_nat2 pool nat_pool

...correct me if I'm wrong.

That's the correct config. With this config, I can connect to the 10.1.1.1 host using the second NAT, but can't browse the web. As soon as I remove the NAT statement that uses the pool, I can browse the web.

It looks like the problem only occurs when there's an active translation for the nat pool.

This is the output of show ip nat translations:

Pro Inside global            Inside local          Outside local      Outside global
tcp our_external_ip:2178     192.168.1.230:2178    84.53.137.11:80    84.53.137.11:80
tcp our_external_ip:2179     192.168.1.230:2179    84.53.137.11:80    84.53.137.11:80
tcp our_external_ip:2180     192.168.1.230:2180    84.53.137.11:80    84.53.137.11:80
tcp our_external_ip:2181     192.168.1.230:2181    84.53.137.11:80    84.53.137.11:80
--- 192.168.10.1             192.168.1.230         ---                ---

miguel.rosario
Level 1

Check all access-lists and then permit all HTTP traffic.

I think the last entry in the NAT translation table I posted probably explains why Internet traffic stops working. Having done some looking around, it looks like I may be able to get round the problem by using a route-map.

I've tested the config with a route-map; now the translation entry for the site-to-site VPN includes outside local and outside global entries. However, although Internet traffic is now working, traffic for the remote VPN is not.

Below is a sample of my config:

route-map rmap_nat permit 1
 match ip address acl_nat
!
route-map rmap_nat2 permit 1
 match ip address acl_nat2
!
ip nat inside source route-map rmap_nat interface ethernet0 overload
ip nat inside source route-map rmap_nat2 pool nat_pool
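The following is an added Python model of how IOS consults its NAT translation table; it is not code from the thread or from Cisco. It reproduces the two situations posted above: with the list-based pool, the first VPN packet from 192.168.1.230 installs a simple entry (the `--- 192.168.10.1 192.168.1.230 --- ---` row), which is matched on the inside local address alone, so the next web flow from that host is translated to the private pool address instead of going through the Ethernet0 overload; with the route-map, the VPN flow gets a fully extended entry, which matches only that flow, so the web flow falls through to the overload rule as intended. Assumptions: 203.0.113.2 stands in for the poster's our_external_ip, the source ports and the VPN destination port are constructed, source ports are preserved, and IOS's ordering of multiple `ip nat inside source` statements is not modelled because acl_nat and acl_nat2 do not overlap.

```python
# Added model of IOS NAT translation-table matching; not taken from the thread.
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ETHERNET0_IP = "203.0.113.2"   # assumed stand-in for the poster's our_external_ip
Packet = namedtuple("Packet", "proto src sport dst dport")
Rule = namedtuple("Rule", "aces pool overload extended")  # pool=[ETHERNET0_IP] for interface NAT

def parse_acl(lines):
    """Parse 'permit|deny ip <src> <dst>' ACEs as written in the thread; <src>/<dst> is
    'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>' (ipaddress reads the wildcard as a host mask)."""
    def spec(rest):
        if rest[0] == "any":
            return ip_network("0.0.0.0/0"), rest[1:]
        if rest[0] == "host":
            return ip_network(rest[1] + "/32"), rest[2:]
        return ip_network(f"{rest[0]}/{rest[1]}"), rest[2:]
    aces = []
    for line in lines:
        tok = line.split()                  # tok[1] is the protocol, always 'ip' here
        src, rest = spec(tok[2:])
        dst, _ = spec(rest)
        aces.append((tok[0] == "permit", src, dst))
    return aces

def acl_permits(aces, pkt):
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for permit, s, d in aces:               # first matching ACE decides
        if src in s and dst in d:
            return permit
    return False                            # implicit deny at the end

@dataclass
class Entry:
    inside_local: str
    inside_global: str
    proto: str = None      # None => "simple" entry, matched on inside local address alone
    sport: int = None
    outside: tuple = None  # (outside global, port) for fully extended entries

    def matches(self, pkt):
        if self.proto is None:
            return pkt.src == self.inside_local
        return (pkt.proto, pkt.src, pkt.sport, (pkt.dst, pkt.dport)) == (
            self.proto, self.inside_local, self.sport, self.outside)

class Router:
    def __init__(self, rules):
        self.rules = rules
        self.table = []

    def translate(self, pkt):
        """Inside-to-outside: existing translations are checked before the NAT rules."""
        for e in self.table:
            if e.matches(pkt):
                return e.inside_global
        for r in self.rules:
            if not acl_permits(r.aces, pkt):
                continue
            if r.overload:
                gaddr = r.pool[0]           # PAT reuses the one global address
            else:
                used = {e.inside_global for e in self.table}
                free = [a for a in r.pool if a not in used]
                if not free:
                    return None             # pool exhausted: no translation
                gaddr = free[0]
            if r.extended:                  # overload and route-map rules install extended entries
                e = Entry(pkt.src, gaddr, pkt.proto, pkt.sport, (pkt.dst, pkt.dport))
            else:
                e = Entry(pkt.src, gaddr)   # plain list-to-pool NAT installs a simple entry
            self.table.append(e)
            return gaddr
        return None                         # no rule matched: forwarded untranslated

ACL_NAT = parse_acl([
    "deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "permit ip 192.168.1.0 0.0.0.255 any",
])
ACL_NAT2 = parse_acl(["permit ip 192.168.1.0 0.0.0.255 host 10.1.1.1"])
NAT_POOL = [f"192.168.10.{i}" for i in range(1, 11)]
# Constructed flows: the VPN session first, then a web request from the same host.
VPN_PKT = Packet("tcp", "192.168.1.230", 2177, "10.1.1.1", 22)
WEB_PKT = Packet("tcp", "192.168.1.230", 2178, "84.53.137.11", 80)

def web_inside_global(route_map_pool):
    """Inside global address chosen for WEB_PKT once VPN_PKT has been translated."""
    r = Router([
        Rule(ACL_NAT, [ETHERNET0_IP], overload=True, extended=True),
        Rule(ACL_NAT2, NAT_POOL, overload=False, extended=route_map_pool),
    ])
    r.translate(VPN_PKT)
    return r.translate(WEB_PKT)

if __name__ == "__main__":
    print("list-based pool:", web_inside_global(False))   # 192.168.10.1, private, web breaks
    print("route-map pool: ", web_inside_global(True))    # 203.0.113.2, the Ethernet0 address
```

The model covers only the NAT table, not the IPsec side that the last post still has failing. One general IOS caveat worth checking there: for inside-to-outside traffic, NAT is applied before the crypto map is evaluated, so the crypto ACL for the tunnel has to match the translated source (192.168.10.0/24 here) rather than 192.168.1.0/24.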
