server side source NAT

KAROLY KOHEGYI
Level 2

Hello!

The below simple config is not working.

We would like to change the server source IP in the server initiated connection.

The access-list state is NOT-ACTIVE.

Why? Any help would be appreciated!

Regards,

class-map match-any NAT_CLASS
  2 match access-list NAT_ACCESS

policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 87

interface vlan 73
  description ACE-Application
  ip address 192.168.29.18 255.255.255.248
  alias 192.168.29.22 255.255.255.248
  peer ip address 192.168.29.20 255.255.255.248
  access-group input ALL
  access-group output ALL
  nat-pool 1 10.42.16.30 10.42.16.30 netmask 255.255.255.0 pat
  no shutdown

interface vlan 87
  ip address 192.168.13.86 255.255.255.248
  access-group input ALL
  service-policy input NAT_POLICY
  no shutdown

access-list NAT_ACCESS line 1 extended permit tcp host 192.168.13.81 any eq telnet
access-list NAT_ACCESS line 30 extended permit icmp any any

--------------------------------------------------------------------------------------------

Admin# sho access-list NAT_ACCESS
access-list:NAT_ACCESS, elements: 2, status: NOT-ACTIVE
remark :
access-list NAT_ACCESS line 1 extended permit tcp host 192.168.13.81 any eq telnet
access-list NAT_ACCESS line 30 extended permit icmp any any

Accepted Solution

Make the following change

policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 73

Syed Iftekhar Ahmed
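As an added illustration (not code from the thread or from Cisco), the small Python checker below parses an ACE-style configuration like the one posted above and flags a `nat dynamic <pool> vlan <id>` reference whose nat-pool is not defined on that VLAN interface, which is exactly the mismatch the accepted answer corrects; it also reports a policy-map that is never applied with `service-policy input`. The embedded config text is a constructed copy of the poster's configuration, reduced to the relevant commands and with the fix applied, and the parser understands only the handful of commands shown.

```python
import re
from collections import defaultdict

# Constructed sample: the poster's ACE config reduced to the relevant commands, with the fix applied.
ACE_CONFIG = """
class-map match-any NAT_CLASS
policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 73
interface vlan 73
  nat-pool 1 10.42.16.30 10.42.16.30 netmask 255.255.255.0 pat
interface vlan 87
  service-policy input NAT_POLICY
"""

def parse_ace(text):
    """Collect nat-pools per VLAN, nat references in policy-maps, and where each policy is applied."""
    pools = defaultdict(set)   # vlan id -> {nat-pool ids defined on that interface}
    nat_refs = []              # (policy, class, pool id, vlan id) taken from "nat dynamic"
    bound = defaultdict(set)   # policy name -> {vlan ids it is applied to}
    iface = policy = cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("class-map"):
            iface = policy = None
        elif m := re.match(r"interface vlan (\d+)$", line):
            iface, policy = int(m.group(1)), None
        elif m := re.match(r"policy-map multi-match (\S+)$", line):
            policy, iface = m.group(1), None
        elif policy and (m := re.match(r"class (\S+)$", line)):
            cls = m.group(1)
        elif policy and (m := re.match(r"nat dynamic (\d+) vlan (\d+)$", line)):
            nat_refs.append((policy, cls, int(m.group(1)), int(m.group(2))))
        elif iface and (m := re.match(r"nat-pool (\d+) ", line)):
            pools[iface].add(int(m.group(1)))
        elif iface and (m := re.match(r"service-policy input (\S+)$", line)):
            bound[m.group(1)].add(iface)
    return pools, nat_refs, bound

def check_nat_policy(text):
    """Return a list of problems; an empty list means every nat reference resolves."""
    pools, nat_refs, bound = parse_ace(text)
    problems = []
    for policy, cls, pool, vlan in nat_refs:
        if pool not in pools.get(vlan, set()):
            problems.append(f"{policy}/{cls}: nat-pool {pool} is not defined on interface vlan {vlan}")
        if not bound.get(policy):
            problems.append(f"{policy}: not applied with 'service-policy input' on any interface")
    return problems
```

Running `check_nat_policy(ACE_CONFIG)` returns an empty list; swapping `vlan 73` for `vlan 87` in the `nat dynamic` line reproduces the original post and yields one problem naming the missing pool on vlan 87.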


7 Replies


Hi!

I overlooked.

Situation changed a little.

Status : ACTIVE
-----------------------------------------
Interface: vlan 87
  service-policy: NAT_POLICY
    class: NAT_CLASS
      nat:
        nat dynamic 1 vlan 73
        curr conns : 1 , hit count : 3
        dropped conns : 0
        client pkt count : 59 , client byte count: 2754
        server pkt count : 56 , server byte count: 3324
        conn-rate-limit : 0 , drop-count : 0
        bandwidth-rate-limit : 0 , drop-count : 0

Lajos-ACE/Admin# sho access-list NAT_ACCESS
access-list:NAT_ACCESS, elements: 2, status: NOT-ACTIVE
remark :
access-list NAT_ACCESS line 1 extended permit tcp host 192.168.13.81 any eq telnet
access-list NAT_ACCESS line 30 extended permit icmp any any

The policy is working but the access-list is not.

The NAT is not working either.

Regards,


Access-list "NOT-ACTIVE" means that it is not applied to an interface, which is normal for ACLs that are only used in class maps.

Is the traffic for NAT covered by the ACL applied to the interfaces, to allow the traffic through the ACE?

Syed Iftekhar Ahmed

Hi!

Yes. I use the ALL access-list on the interfaces.

Lajos-ACE/Admin# sho access-list ALL
access-list:ALL, elements: 2, status: ACTIVE
remark :
access-list ALL line 10 extended permit ip any any (hitcount=19682682)
access-list ALL line 20 extended permit icmp any any (hitcount=0)

I make a telnet connection from 192.168.13.81 to an outside device.

The connection is made, but the source IP is 192.168.16.81 instead of 10.42.16.30.

Regards,

Hi!

Sorry, it is working!

Regards

Your config looks ok.

Are you sure the server initiated connection is not bypassing ACE? Do you see this conn on ACE (sh conn)?

Just for testing, remove the ACL from the class-map; instead use source-address:

class-map match-any NAT_CLASS
  2 match source 192.168.13.81 255.255.255.255

Syed
