NAT with 2 outside interfaces

simon.irwin
Level 1

Hi All,

I have a 2811 router with 2 external "outside" interfaces Fa0/1 and Fa0/2/0.  My problem is when I come to NAT inside source addresses,  'nat'ing  only works for addresses listed in the first access list of the first NAT statement.   I have included config snippets below.

interface FastEthernet0/1
ip address 172.24.170.39 255.255.255.128
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/2/0
ip address 10.1.1.198 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!

access-list 30 permit 172.16.4.0 0.0.3.255
access-list 30 permit 172.16.8.0 0.0.3.255
access-list 30 permit 172.16.20.0 0.0.3.255
access-list 30 permit 192.168.100.0 0.0.0.255

access-list 31 permit 172.16.20.0 0.0.3.255 log

ip nat inside source list 30 interface FastEthernet0/1 overload
ip nat inside source list 31 interface FastEthernet0/2/0 overload

   172.17.0.0/30 is subnetted, 1 subnets
C       172.17.254.4 is directly connected, FastEthernet0/0
     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
S       172.16.20.0/22 [1/0] via 172.17.254.6
S       172.16.16.0/22 [1/0] via 172.17.254.6
S       172.16.12.0/22 [1/0] via 172.17.254.6
S       172.16.8.0/22 [1/0] via 172.17.254.6
S       172.16.10.14/32 [1/0] via 172.24.170.1
S       172.16.4.0/22 [1/0] via 172.17.254.6
     172.24.0.0/16 is variably subnetted, 2 subnets, 2 masks
S       172.24.42.132/32 [1/0] via 172.24.170.1
C       172.24.170.0/25 is directly connected, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       10.8.0.0/16 [1/0] via 172.24.170.1
C       10.1.1.0/24 is directly connected, FastEthernet0/2/0
S    192.168.100.0/24 [1/0] via 172.17.254.6

For example, a client with IP 172.16.20.25 pings 10.8.27.71 -> NAT takes place with the new source IP of Fa0/1, which is 172.24.170.39, as shown in the debug below:

NAT*: s=172.16.20.25->172.24.170.39, d=10.8.27.71 [11077]

Now the same client pings 10.1.1.254, but the router is still NATing with the new source IP of Fa0/1:

NAT*: s=172.16.20.25->172.24.170.39, d=10.1.1.254 [11175]

Why is it not using the routing table and NATing to Fa0/2/0???

I must be overlooking something.

Thanks,

Accepted Solution

nbhandarkar
Level 1

ACLs are checked from top to bottom. When you ping the 10.1.x.x network, ACL 30 still gets matched, and since this ACL is associated with the first NAT statement, NAT takes place as per the first NAT statement.

The router has no way of knowing when to use the second NAT statement, because the traffic has already been matched by ACL 30 and the router has two outside NAT interfaces, unless you use a specific source and destination, i.e. an extended ACL.

I would suggest that you use extended ACL like below:

access-list 101 permit 172.16.4.0 0.0.3.255 10.8.0.0 0.0.255.255
access-list 101 permit 172.16.8.0 0.0.3.255 10.8.0.0 0.0.255.255
access-list 101 permit 172.16.20.0 0.0.3.255  10.8.0.0 0.0.255.255
access-list 101 permit 192.168.100.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 102 permit 172.16.20.0 0.0.3.255 10.1.1.0 0.0.0.255 log

ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source list 102 interface FastEthernet0/2/0 overload

The route table looks okay to me.

Try this and let me know if it works out.

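As an added example (not from the thread), the Python below models the first-match rule the accepted answer describes, using the thread's own interface addresses and ACL entries: the first "ip nat inside source list" statement whose ACL permits the packet is used, and the route to the destination is never consulted. With the standard ACLs 30/31 a 172.16.20.25 -> 10.1.1.254 packet is translated to Fa0/1's address; with the extended ACLs 101/102 it is translated to Fa0/2/0's address. The matching model is an assumption about IOS behaviour, not Cisco code.

```python
import ipaddress

# Interface addresses and ACL entries come from the thread's config; the
# evaluation model (first match wins, routing table not consulted) is an
# assumption that reproduces the behaviour the accepted answer describes.

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard match: address bits where the wildcard bit is 0 must equal the network."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_permits(acl, src, dst):
    """Entries are (src_net, src_wc, dst_net, dst_wc); dst_net None = standard ACL.
    The first matching entry permits; the implicit deny at the end drops the rest."""
    for src_net, src_wc, dst_net, dst_wc in acl:
        if wildcard_match(src, src_net, src_wc) and (
                dst_net is None or wildcard_match(dst, dst_net, dst_wc)):
            return True
    return False

def nat_source(nat_statements, src, dst):
    """Outside address that replaces src for a src->dst packet, or None (no
    translation). Statements are tried in configuration order; the first whose
    ACL permits the packet wins, whatever the route to dst says."""
    for acl, outside_ip in nat_statements:
        if acl_permits(acl, src, dst):
            return outside_ip
    return None

FA0_1, FA0_2_0 = "172.24.170.39", "10.1.1.198"   # both "ip nat outside"

# Original standard ACLs 30 and 31: source only
ACL30 = [("172.16.4.0", "0.0.3.255", None, None), ("172.16.8.0", "0.0.3.255", None, None),
         ("172.16.20.0", "0.0.3.255", None, None), ("192.168.100.0", "0.0.0.255", None, None)]
ACL31 = [("172.16.20.0", "0.0.3.255", None, None)]
STANDARD = [(ACL30, FA0_1), (ACL31, FA0_2_0)]

# Extended ACLs 101 and 102 from the accepted answer: source and destination
ACL101 = [(s, "0.0.3.255", "10.8.0.0", "0.0.255.255")
          for s in ("172.16.4.0", "172.16.8.0", "172.16.20.0")]
ACL101.append(("192.168.100.0", "0.0.0.255", "10.8.0.0", "0.0.255.255"))
ACL102 = [("172.16.20.0", "0.0.3.255", "10.1.1.0", "0.0.0.255")]
EXTENDED = [(ACL101, FA0_1), (ACL102, FA0_2_0)]

if __name__ == "__main__":
    for label, rules in (("standard", STANDARD), ("extended", EXTENDED)):
        for dst in ("10.8.27.71", "10.1.1.254"):
            print(f"{label}: s=172.16.20.25->{nat_source(rules, '172.16.20.25', dst)}, d={dst}")
```

Note that with the extended ACLs a source not listed for the destination it targets (e.g. 172.16.4.x to 10.1.1.x) is simply not translated, which is why every new source/destination pair has to be added to the right list.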

4 Replies


Thanks! That worked a treat, but I now have another issue.

When I am adding more subnets to ACL 101 they are not being translated! For example, this is how my ACL looks:

Extended IP access list 101
    10 permit ip 172.16.20.0 0.0.3.255 10.8.0.0 0.0.255.255
    20 permit ip 172.16.20.0 0.0.3.255 172.24.42.0 0.0.0.255
    30 permit ip 172.16.4.0 0.0.3.255 10.8.0.0 0.0.255.255

For subnet 172.16.20.x everything works fine, so I added subnet 172.16.4.0 and nothing happens, no translation takes place. I have played about with this and I think it must be something to do with the way I am adding addresses to the list.

This is the method I am using to add more addresses to ACL 101:

conf t

ip access-list extended 101 (enter)

permit ip 172.16.4.0 0.0.3.255 10.8.0.0 0.0.255.255 log

exit

That subnet can access the router fine so I know routing is OK.

Well, there's nothing wrong with your method of appending lines to the existing ACL. What IOS version are you using?

Can you try re-applying the whole ACL with the access-list command?

Got it working now. I had to strip out all the NAT configuration and apply all the steps again.

Thanks for your replies.
