ACE static nat issue

Unanswered Question
Sep 16th, 2010

Hello,

Basically, I want to statically two-way NAT 2 networks:

network 192.168.1.x into 20.168.1.x

network 10.x.x.x into 20.x.x.x

This is my actual config:

class-map match-all NAT_192.168.1.0_24
  2 match source-address 192.168.1.0 255.255.255.0
class-map match-all GLOBAL_NAT
  2 match source-address 10.0.0.0 255.0.0.0

policy-map multi-match Policy_NAT
  class NAT_192.168.1.0_24
    nat static 20.168.1.0 netmask 255.255.255.0 vlan 2
    nat static 20.168.1.0 netmask 255.255.255.0 vlan 3
  class GLOBAL_NAT
    nat static 20.0.0.0 netmask 255.0.0.0 vlan 2
    nat static 20.0.0.0 netmask 255.0.0.0 vlan 3

interface vlan 1  (global outside interface)
  service-policy input Policy_NAT
  ....

interface vlan 2  (inside / server interface)
  .....

interface vlan 3  (inside / server interface)
  .....

I want to accomplish bi-directional NAT, but this seems to work in an odd way:

It is good when the traffic comes from vlan 1 to vlans 2 and 3.

When traffic originates from vlans 2 and 3, headed towards vlan 1, everything gets NATted into 10.x.x.x, regardless of whether traffic is destined to 20.168.1.x, which should become, in my intentions, 192.168.1.x; it becomes 10.168.1.x instead.

What could be wrong? Am I missing something basic here?

Thanks in advance.

litrenta Wed, 09/22/2010 - 08:28

In your config you only have a NAT service policy applied on vlan 1, so your NAT actions will happen only if traffic comes into the ACE on vlan 1.

So if you want to NAT traffic that originates to the ACE on vlan 2 or 3 and goes out vlan 1, you need a policy applied to those interfaces along with NAT statements that NAT if egress is vlan 1.

i.e.

policy-map multi-match Policy_NAT
  class NAT_192.168.1.0_24
    nat static 20.168.1.0 netmask 255.255.255.0 vlan 2
    nat static 20.168.1.0 netmask 255.255.255.0 vlan 3
    nat static 20.168.1.0 netmask 255.255.255.0 vlan 1
  class GLOBAL_NAT
    nat static 20.0.0.0 netmask 255.0.0.0 vlan 2
    nat static 20.0.0.0 netmask 255.0.0.0 vlan 3
    nat static 20.0.0.0 netmask 255.0.0.0 vlan 1

then apply

service-policy input Policy_NAT

to vlan 2 and 3 interfaces.

silk Wed, 09/22/2010 - 08:49

Thanks for your reply.

That would certainly be a good solution; unfortunately, I can't configure it.

When I try to apply the policy to the other interface vlan I get this error:

Error: Cannot service a policy to more than one interface when it has nat static configured!

So I can't apply it to both directions.
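
Added example, not part of the thread and not Cisco code: the two static rules in the original question translate into ranges that overlap (20.168.1.0/24 lies inside 20.0.0.0/8), so a 20.168.1.x address has two candidate reverse translations, one of which is the 10.168.1.x result reported above. The function names are hypothetical, and the model assumes net-to-net static NAT keeps the host bits; it says nothing about how the ACE chooses between rules.

```python
import ipaddress

# Static net-to-net rules from the original post: (real network, mapped network).
RULES = [
    ("192.168.1.0/24", "20.168.1.0/24"),
    ("10.0.0.0/8", "20.0.0.0/8"),
]


def parse_rules(rules):
    """Turn string pairs into (real, mapped) networks, checking sizes match."""
    parsed = []
    for real, mapped in rules:
        r, m = ipaddress.ip_network(real), ipaddress.ip_network(mapped)
        if r.prefixlen != m.prefixlen:
            raise ValueError(f"{real} and {mapped} differ in size")
        parsed.append((r, m))
    return parsed


def untranslate(addr, rules):
    """Return every real address a mapped address could reverse-translate to.

    Assumption: host bits are preserved, so the real address is
    real_base + (addr - mapped_base).
    """
    ip = ipaddress.ip_address(addr)
    results = []
    for real, mapped in parse_rules(rules):
        if ip in mapped:
            offset = int(ip) - int(mapped.network_address)
            results.append(str(real.network_address + offset))
    return results


def overlapping_mapped_ranges(rules):
    """List pairs of rules whose mapped (translated) networks overlap."""
    parsed = parse_rules(rules)
    return [
        (str(a[1]), str(b[1]))
        for i, a in enumerate(parsed)
        for b in parsed[i + 1:]
        if a[1].overlaps(b[1])
    ]


if __name__ == "__main__":
    print(overlapping_mapped_ranges(RULES))
    print(untranslate("20.168.1.5", RULES))  # two candidates
    print(untranslate("20.1.2.3", RULES))    # one candidate
```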
