560 Views, 0 Helpful, 4 Replies

IOS NAT

alraycisco
Level 1

Hi,

I have the config below on my router. I would like to PAT users to the outside interface for internet traffic and NAT them to a nat pool for a site-to-site VPN. When I add the second nat statement for the NAT pool, the internet nat stops working, however, the second nat works.

Can anyone tell me if the config below should work?

Thanks

interface e0
 desc outside
 ip nat outside
interface e1
 desc inside
 ip nat inside
!
ip access-list extended acl_nat
 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended acl_nat2
 permit ip 192.168.1.0 0.0.0.255 host 10.1.1.1
!
ip nat pool nat_pool 192.168.10.1 192.168.10.10 netmask 255.255.255.0
!
ip nat inside source list acl_nat interface Ethernet0 overload
ip nat inside source list acl_nat2 pool nat_pool

4 Replies

alraycisco
Level 1

It looks like the problem only occurs when there's an active translation for the nat pool.

This is the output of show ip nat translations:

Pro Inside global      Inside local       Outside local      Outside global
tcp our_external_ip:2178 192.168.1.230:2178 84.53.137.11:80 84.53.137.11:80
tcp our_external_ip:2179 192.168.1.230:2179 84.53.137.11:80 84.53.137.11:80
tcp our_external_ip:2180 192.168.1.230:2180 84.53.137.11:80 84.53.137.11:80
tcp our_external_ip:2181 192.168.1.230:2181 84.53.137.11:80 84.53.137.11:80
--- 192.168.10.1       192.168.1.230      ---                ---

I think the last entry in the nat translation table I posted probably explains why internet traffic stops working. Having done some looking around, it looks like I may be able to get round the problem by using a route-map.

I've tested the config with a route-map; now the translation entry for the site-to-site VPN includes outside local and outside global entries. However, although internet traffic is now working, traffic for the remote VPN is not.

Below is a sample of my config:

route-map rmap_nat permit 1
 match ip address acl_nat
route-map rmap_nat2 permit 1
 match ip address acl_nat2
ip nat inside source route-map rmap_nat interface ethernet0 overload
ip nat inside source route-map rmap_nat2 pool nat_pool
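The translation table above shows the mechanism: the list-based pool rule creates a simple entry (inside local and inside global only), and such an entry matches every later packet from 192.168.1.230 regardless of destination, so the host's internet traffic is translated to 192.168.10.1 instead of the outside interface. The route-map form creates an extended entry that also records the outside host, so internet packets fall through to the PAT rule. Below is an added Python model of that lookup, not Cisco code and not from this thread; the outside address 203.0.113.1 stands in for the poster's "our_external_ip", port numbers are omitted, and treating the list-based pool entry as host-only is an assumption taken from the posted table.

```python
import ipaddress

# Constructed model of the IOS "ip nat inside source" lookup; not Cisco code.
OUTSIDE_IF = "203.0.113.1"   # placeholder for the poster's "our_external_ip"
POOL_FIRST = "192.168.10.1"  # first address of nat_pool
ACLS = {  # first-match ACL entries with an implicit deny at the end
    "acl_nat": [("deny", "192.168.1.0/24", "10.0.0.0/8"),
                ("permit", "192.168.1.0/24", "0.0.0.0/0")],
    "acl_nat2": [("permit", "192.168.1.0/24", "10.1.1.1/32")],
}

def acl_permits(name, src, dst):
    for action, s, d in ACLS[name]:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(s)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(d)):
            return action == "permit"
    return False

def translate(src, dst, table, use_route_map):
    """Return the inside-global address used for one packet src -> dst.
    Entries without an "outside" key are simple (inside local/global only)
    and match every later packet from that host, like the
    '--- 192.168.10.1 192.168.1.230 --- ---' line in the thread; entries
    with "outside" set are extended and match only that outside host."""
    for e in table:
        if e["local"] == src and e.get("outside") in (None, dst):
            return e["global"]
    # No existing entry: evaluate the NAT statements. The two ACLs are
    # disjoint (acl_nat denies 10.0.0.0/8), so config order does not matter.
    if acl_permits("acl_nat", src, dst):   # ... interface Ethernet0 overload
        table.append({"local": src, "global": OUTSIDE_IF, "outside": dst})
        return OUTSIDE_IF
    if acl_permits("acl_nat2", src, dst):  # ... pool nat_pool
        e = {"local": src, "global": POOL_FIRST}
        if use_route_map:  # route-map form records the outside host too
            e["outside"] = dst
        table.append(e)
        return POOL_FIRST
    return src  # no match: forwarded untranslated

def scenario(use_route_map):
    """VPN packet first, then an internet packet from the same host."""
    table = []
    vpn = translate("192.168.1.230", "10.1.1.1", table, use_route_map)
    inet = translate("192.168.1.230", "84.53.137.11", table, use_route_map)
    return vpn, inet

if __name__ == "__main__":
    print("list-based pool:", scenario(False))  # internet packet hijacked
    print("route-map pool :", scenario(True))   # PAT rule reached again
```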

So hosts whose traffic is destined only for 10.1.1.1 you want to NAT to the pool? That really looks like it should work. HMMM

Hi,

I've changed the config so that the first nat (internet nat) no longer uses the route-map but the second nat does. This allowed both sets of traffic to work. A strange behaviour I found was that I couldn't have multiple connections open to the same remote VPN client, but when I changed the nat statement to 'overload', I could open multiple connections to the same client.
