NAT works for Host destination but not for network statement

Unanswered Question
Oct 29th, 2014

I have a weird situation and am trying to find an answer for it...

In my NAT ACL, if I put a host as the destination, NAT works and the destination is reachable; however, if I use the network, I can't get out to the destination! No match appears on my statement in the ACL and no NAT entry appears in sh ip nat tr.

Here is the config (only two hosts 207.2.207.132 and 8.8.8.8 are reachable and nothing on network 207.2.204.0/22):

int vlan20
 ip address 10.23.254.1 255.255.255.128
 ip nat inside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet8
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip access-list extended AW-nat
 deny   ip 10.23.254.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.23.254.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.23.254.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.23.254.0 0.0.0.255 host 8.8.8.8
 permit ip 10.23.254.0 0.0.0.255 207.2.204.0 0.0.3.255 log
 permit ip 10.23.254.0 0.0.0.255 host 207.2.207.132
!
ip nat inside source list AW-nat interface FastEthernet8 overload
!
ip route 207.2.204.0 255.255.252.0 FastEthernet8 dhcp

Any idea please? The test is done on a Cisco 891 router.

Thanks

Yunas Thu, 10/30/2014 - 22:09

The best way to do your task is:

Select the source networks that you want to be NATed in the NAT ACL, and if you don't want some hosts to access some destinations, use a separate inbound ACL filter on interface vlan 20.

SATISH KATTIKA Sun, 11/02/2014 - 12:01

Did you configure the NAT on the switch? What is the model of the switch? Do you have ip routing enabled for that?

I don't see any issues with the configuration.

Aref Alsouqi Sun, 11/02/2014 - 12:50

Hi,

Just remove the "log" keyword at the end of the ACE for the network 207.2.204.0/22. The log keyword won't work with PBR either.

Regards,

Aref
