NAT with 2 outside interfaces

Answered Question
Jul 12th, 2010

Hi All,


I have a 2811 router with 2 external "outside" interfaces, Fa0/1 and Fa0/2/0. My problem is that when I come to NAT inside source addresses, NATing only works for addresses listed in the first access list of the first NAT statement. I have included config snippets below.


interface FastEthernet0/1
ip address 172.24.170.39 255.255.255.128
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/2/0
ip address 10.1.1.198 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!

access-list 30 permit 172.16.4.0 0.0.3.255
access-list 30 permit 172.16.8.0 0.0.3.255
access-list 30 permit 172.16.20.0 0.0.3.255
access-list 30 permit 192.168.100.0 0.0.0.255

access-list 31 permit 172.16.20.0 0.0.3.255 log

ip nat inside source list 30 interface FastEthernet0/1 overload
ip nat inside source list 31 interface FastEthernet0/2/0 overload


   172.17.0.0/30 is subnetted, 1 subnets
C       172.17.254.4 is directly connected, FastEthernet0/0
     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
S       172.16.20.0/22 [1/0] via 172.17.254.6
S       172.16.16.0/22 [1/0] via 172.17.254.6
S       172.16.12.0/22 [1/0] via 172.17.254.6
S       172.16.8.0/22 [1/0] via 172.17.254.6
S       172.16.10.14/32 [1/0] via 172.24.170.1
S       172.16.4.0/22 [1/0] via 172.17.254.6
     172.24.0.0/16 is variably subnetted, 2 subnets, 2 masks
S       172.24.42.132/32 [1/0] via 172.24.170.1
C       172.24.170.0/25 is directly connected, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       10.8.0.0/16 [1/0] via 172.24.170.1
C       10.1.1.0/24 is directly connected, FastEthernet0/2/0
S    192.168.100.0/24 [1/0] via 172.17.254.6


For example, a client with IP 172.16.20.25 pings 10.8.27.71 -> NAT takes place with the new source IP of Fa0/1, which is 172.24.170.39, as shown in the debug below:


NAT*: s=172.16.20.25->172.24.170.39, d=10.8.27.71 [11077]


Now the same client pings 10.1.1.254, but the router is still NATing with the new source IP of Fa0/1:


NAT*: s=172.16.20.25->172.24.170.39, d=10.1.1.254 [11175]


Why is it not using the routing table and NATing to Fa0/2/0?


I must be overlooking something.


Thanks,

Correct Answer by nbhandarkar, Tue, 07/13/2010 - 01:17

ACLs are checked from top to bottom. When you ping the 10.1.x.x network, ACL 30 still gets matched, and since this ACL is associated with the first NAT statement, NAT takes place as per the first NAT statement.


The router has no way of knowing when to use the second NAT statement, because the traffic already gets matched in ACL 30 and the router has two outside NAT interfaces, unless you use a specific source and destination, i.e. an extended ACL.


I would suggest that you use an extended ACL like the one below:


access-list 101 permit 172.16.4.0 0.0.3.255 10.8.0.0 0.0.255.255
access-list 101 permit 172.16.8.0 0.0.3.255 10.8.0.0 0.0.255.255
access-list 101 permit 172.16.20.0 0.0.3.255  10.8.0.0 0.0.255.255
access-list 101 permit 192.168.100.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 102 permit 172.16.20.0 0.0.3.255 10.1.1.0 0.0.0.255 log


ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source list 102 interface FastEthernet0/2/0 overload


The route table looks okay to me.


Try this and let me know if it works out.
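To make the first-match behaviour concrete, here is an added simulation (not from the thread or from IOS) of how the router picks a NAT statement: it walks the `ip nat inside source` rules in configuration order and translates with the first one whose ACL permits the packet, ignoring the routing table. Wildcard-mask matching, the standard ACLs 30/31, the extended ACLs 101/102 and the outside interface addresses are modelled from the thread; the "log" keyword and PAT port allocation are left out.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

# ACL entries as (src_base, src_wildcard, dst_base, dst_wildcard); dst None = standard ACL.
ACLS = {
    30: [("172.16.4.0", "0.0.3.255", None, None), ("172.16.8.0", "0.0.3.255", None, None),
         ("172.16.20.0", "0.0.3.255", None, None), ("192.168.100.0", "0.0.0.255", None, None)],
    31: [("172.16.20.0", "0.0.3.255", None, None)],
    101: [("172.16.4.0", "0.0.3.255", "10.8.0.0", "0.0.255.255"),
          ("172.16.8.0", "0.0.3.255", "10.8.0.0", "0.0.255.255"),
          ("172.16.20.0", "0.0.3.255", "10.8.0.0", "0.0.255.255"),
          ("192.168.100.0", "0.0.0.255", "10.8.0.0", "0.0.255.255")],
    102: [("172.16.20.0", "0.0.3.255", "10.1.1.0", "0.0.0.255")],
}

# NAT statements in configuration order: (ACL number, address of the outside interface).
NAT_BEFORE = [(30, "172.24.170.39"), (31, "10.1.1.198")]   # original, broken config
NAT_AFTER = [(101, "172.24.170.39"), (102, "10.1.1.198")]  # extended-ACL fix

def acl_permits(entries, src, dst):
    """First-match evaluation of the ACL; a standard entry never looks at dst."""
    for src_base, src_wc, dst_base, dst_wc in entries:
        if not wildcard_match(src, src_base, src_wc):
            continue
        if dst_base is not None and not wildcard_match(dst, dst_base, dst_wc):
            continue
        return True
    return False

def translate(nat_rules, src, dst):
    """Return the translated source address, or None if no NAT statement applies."""
    for acl_num, outside_ip in nat_rules:
        if acl_permits(ACLS[acl_num], src, dst):
            return outside_ip
    return None

if __name__ == "__main__":
    for rules, label in ((NAT_BEFORE, "before"), (NAT_AFTER, "after")):
        for dst in ("10.8.27.71", "10.1.1.254"):
            print(label, "172.16.20.25 ->", dst, "translated to", translate(rules, "172.16.20.25", dst))
```

With the extended ACLs a source outside 172.16.20.0/22, e.g. 172.16.4.10, gets no translation at all towards 10.1.1.0/24, which is what ACL 102 deliberately restricts.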


simon.irwin Tue, 07/13/2010 - 06:22

Thanks! That worked a treat, but I now have another issue.


When I add more subnets to ACL 101 they are not being translated! For example, this is how my ACL looks:


Extended IP access list 101
    10 permit ip 172.16.20.0 0.0.3.255 10.8.0.0 0.0.255.255
    20 permit ip 172.16.20.0 0.0.3.255 172.24.42.0 0.0.0.255
    30 permit ip 172.16.4.0 0.0.3.255 10.8.0.0 0.0.255.255

For subnet 172.16.20.x everything works fine, so I added subnet 172.16.4.0 and nothing happens: no translation takes place. I have played about with this and I think it must be something to do with the way I am adding addresses to the list.


This is the method I am using to add more addresses to ACL 101:


conf t
ip access-list extended 101 (enter)
permit ip 172.16.4.0 0.0.3.255 10.8.0.0 0.0.255.255 log
exit


That subnet can access the router fine so I know routing is OK.

nbhandarkar Tue, 07/13/2010 - 11:42

Well, there's nothing wrong with your method of appending lines to the existing ACL. What IOS version are you using?


Can you try re-applying the whole ACL access-list command?

simon.irwin Wed, 07/14/2010 - 11:36

Got it working now. I had to strip out all the NAT configuration and apply all the steps again.


Thanks for your replies.
