07-20-2008 11:49 PM
Hello!
The below simple config is not working.
We would like to change the server source IP in the server initiated connection.
The access-list state is NOT-ACTIVE.
Why? Any help would be appreciated!
Regards,
class-map match-any NAT_CLASS
  2 match access-list NAT_ACCESS

policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 87

interface vlan 73
  description ACE-Application
  ip address 192.168.29.18 255.255.255.248
  alias 192.168.29.22 255.255.255.248
  peer ip address 192.168.29.20 255.255.255.248
  access-group input ALL
  access-group output ALL
  nat-pool 1 10.42.16.30 10.42.16.30 netmask 255.255.255.0 pat
  no shutdown

interface vlan 87
  ip address 192.168.13.86 255.255.255.248
  access-group input ALL
  service-policy input NAT_POLICY
  no shutdown

access-list NAT_ACCESS line 1 extended permit tcp host 192.168.13.81 any eq telnet
access-list NAT_ACCESS line 30 extended permit icmp any any
--------------------------------------------------------------------------------------------
Admin# sho access-list NAT_ACCESS
access-list:NAT_ACCESS, elements: 2, status: NOT-ACTIVE
remark :
access-list NAT_ACCESS line 1 extended permit tcp host 192.168.13.81 any eq telnet
access-list NAT_ACCESS line 30 extended permit icmp any any
07-20-2008 11:59 PM
Make the following change
policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 73
Syed Iftekhar Ahmed
07-21-2008 12:10 AM
Hi!
I overlooked.
Situation changed a little.
Status : ACTIVE
-----------------------------------------
Interface: vlan 87
service-policy: NAT_POLICY
class: NAT_CLASS
nat:
nat dynamic 1 vlan 73
curr conns : 1 , hit count : 3
dropped conns : 0
client pkt count : 59 , client byte count: 2754
server pkt count : 56 , server byte count: 3324
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
Lajos-ACE/Admin# sho access-list NAT_ACCESS
access-list:NAT_ACCESS, elements: 2, status: NOT-ACTIVE
remark :
access-list NAT_ACCESS line 1 extended permit tcp host 192.168.13.81 any eq telnet
access-list NAT_ACCESS line 30 extended permit icmp any any
The policy is working but the access-list is not.
The NAT is not working either.
Regards,
07-21-2008 12:25 AM
Access-list "NOT-ACTIVE" means that it is not applied to an interface, which is normal for ACLs that are only used in class maps.
Is the traffic for NAT covered by the ACL (the ACL applied to the interfaces) to allow the traffic through the ACE?
Syed Iftekhar Ahmed
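The two points raised so far (the fix of pointing `nat dynamic 1` at vlan 73, where the pool is actually defined, and the explanation that an ACL used only inside a class-map shows NOT-ACTIVE) can both be checked mechanically before a change is pushed. The script below is an added example written for this thread, not code from the original posts or from Cisco. It parses an ACE-style config snippet (a constructed copy of the poster's config, embedded inline), reports the ACL status the way `show access-list` does, and flags a `nat dynamic <pool> vlan <N>` that references a VLAN interface on which that pool is not defined. Context keywords and the message wording are this example's own choices; the parser is indentation-insensitive so it accepts the flat paste from the thread as well as an indented `show running-config`.

```python
"""Consistency checker for an ACE-style NAT configuration (added example).

Flags a `nat dynamic <pool> vlan <N>` whose pool is not defined on vlan N,
a policy-map that is never applied with `service-policy`, and class-map
references to undefined ACLs.  Also reports ACL status the way the
`show access-list` output in the thread does: ACTIVE only when the ACL is
applied to an interface with `access-group`.
"""
import re

# Constructed sample: the original poster's config, with the nat statement
# pointing at vlan 87 while nat-pool 1 lives on vlan 73.
BROKEN_CONFIG = """
class-map match-any NAT_CLASS
  2 match access-list NAT_ACCESS
policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 87
interface vlan 73
  ip address 192.168.29.18 255.255.255.248
  access-group input ALL
  access-group output ALL
  nat-pool 1 10.42.16.30 10.42.16.30 netmask 255.255.255.0 pat
  no shutdown
interface vlan 87
  ip address 192.168.13.86 255.255.255.248
  access-group input ALL
  service-policy input NAT_POLICY
  no shutdown
access-list ALL line 10 extended permit ip any any
access-list NAT_ACCESS line 1 extended permit tcp host 192.168.13.81 any eq telnet
access-list NAT_ACCESS line 30 extended permit icmp any any
"""

# The same config with the correction suggested in the thread applied.
FIXED_CONFIG = BROKEN_CONFIG.replace("nat dynamic 1 vlan 87", "nat dynamic 1 vlan 73")


def parse(config):
    """Build a small model: ACL names, class-map ACL refs, policy-map nat
    statements and per-interface pools / access-groups / service-policies."""
    model = {"acls": set(), "class_maps": {}, "policy_maps": {}, "interfaces": {}}
    ctx = None          # current block: ("class-map", name) etc.
    cur_class = None    # current `class X` inside a policy-map
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "access-list":
            model["acls"].add(words[1])
            ctx = None
        elif words[0] == "class-map":
            ctx = ("class-map", words[-1])
            model["class_maps"].setdefault(words[-1], [])
        elif words[0] == "policy-map":
            ctx = ("policy-map", words[-1])
            model["policy_maps"].setdefault(words[-1], {})
            cur_class = None
        elif words[0] == "interface":
            ctx = ("interface", words[2])           # "interface vlan 73" -> "73"
            model["interfaces"].setdefault(
                words[2], {"nat_pools": set(), "access_groups": set(), "service_policies": set()})
        elif ctx is None:
            continue
        elif ctx[0] == "class-map":
            m = re.match(r"(?:\d+\s+)?match access-list (\S+)", line)
            if m:
                model["class_maps"][ctx[1]].append(m.group(1))
        elif ctx[0] == "policy-map":
            if words[0] == "class":
                cur_class = words[1]
                model["policy_maps"][ctx[1]].setdefault(cur_class, [])
            else:
                m = re.match(r"nat dynamic (\S+) vlan (\S+)", line)
                if m and cur_class:
                    model["policy_maps"][ctx[1]][cur_class].append((m.group(1), m.group(2)))
        elif ctx[0] == "interface":
            iface = model["interfaces"][ctx[1]]
            if words[0] == "nat-pool":
                iface["nat_pools"].add(words[1])
            elif words[0] == "access-group":
                iface["access_groups"].add(words[2])
            elif words[0] == "service-policy":
                iface["service_policies"].add(words[2])
    return model


def acl_status(model, acl):
    """ACTIVE only when applied via access-group; class-map use alone is NOT-ACTIVE."""
    applied = any(acl in i["access_groups"] for i in model["interfaces"].values())
    return "ACTIVE" if applied else "NOT-ACTIVE"


def check(model):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    for pname, classes in model["policy_maps"].items():
        if not any(pname in i["service_policies"] for i in model["interfaces"].values()):
            findings.append(f"policy-map {pname} is not applied with service-policy on any interface")
        for cname, nats in classes.items():
            if cname not in model["class_maps"]:
                findings.append(f"policy-map {pname} references undefined class-map {cname}")
            for acl in model["class_maps"].get(cname, []):
                if acl not in model["acls"]:
                    findings.append(f"class-map {cname} references undefined access-list {acl}")
            for pool, vlan in nats:
                iface = model["interfaces"].get(vlan)
                if iface is None:
                    findings.append(f"policy-map {pname} class {cname}: interface vlan {vlan} does not exist")
                elif pool not in iface["nat_pools"]:
                    findings.append(f"policy-map {pname} class {cname}: nat-pool {pool} is not defined on interface vlan {vlan}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        model = parse(cfg)
        print(label, "findings:", check(model) or "none")
        for acl in sorted(model["acls"]):
            print(f"  access-list {acl}: {acl_status(model, acl)}")
```

Running it prints one finding for the broken config (pool 1 missing on vlan 87) and none for the corrected one, while `NAT_ACCESS` stays NOT-ACTIVE in both cases, which is exactly the benign condition the reply above describes.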
07-21-2008 12:34 AM
Hi!
Yes. I use the ALL access-list on the interfaces.
Lajos-ACE/Admin# sho access-list ALL
access-list:ALL, elements: 2, status: ACTIVE
remark :
access-list ALL line 10 extended permit ip any any (hitcount=19682682)
access-list ALL line 20 extended permit icmp any any (hitcount=0)
I make a telnet connection from 192.168.13.81 to an outside device.
The connection is made, but the source IP is 192.168.16.81 instead of 10.42.16.30.
Regards,
07-21-2008 01:12 AM
Hi!
Sorry, it is working!
Regards
07-21-2008 01:13 AM
Your config looks ok.
Are you sure the server initiated connection is not bypassing ACE? Do you see this conn on ACE (sh conn)?
Just for testing, remove the ACL from the class-map and instead use source-address:
class-map match-any NAT_CLASS
  2 match source 192.168.13.81 255.255.255.255
Syed