
New Member

server side source NAT

Hello!

The below simple config is not working.

We would like to change the server source IP in the server initiated connection.

The access-list state is NOT-ACTIVE.

Why? Any help would be appreciated!

Regards,

class-map match-any NAT_CLASS
  2 match access-list NAT_ACCESS

policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 87

interface vlan 73
  description ACE-Application
  ip address 192.168.29.18 255.255.255.248
  alias 192.168.29.22 255.255.255.248
  peer ip address 192.168.29.20 255.255.255.248
  access-group input ALL
  access-group output ALL
  nat-pool 1 10.42.16.30 10.42.16.30 netmask 255.255.255.0 pat
  no shutdown

interface vlan 87
  ip address 192.168.13.86 255.255.255.248
  access-group input ALL
  service-policy input NAT_POLICY
  no shutdown

access-list NAT_ACCESS line 1 extended permit tcp host 192.168.13.81 any eq telnet
access-list NAT_ACCESS line 30 extended permit icmp any any

--------------------------------------------------------------------------------------------

Admin# sho access-list NAT_ACCESS
access-list:NAT_ACCESS, elements: 2, status: NOT-ACTIVE
  remark :
  access-list NAT_ACCESS line 1 extended permit tcp host 192.168.13.81 any eq telnet
  access-list NAT_ACCESS line 30 extended permit icmp any any

Accepted Solution

Re: server side source NAT

Make the following change:

policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 73

Syed Iftekhar Ahmed
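A constructed configuration check, added here as an example and not part of the thread or of any Cisco tool, that reproduces the mismatch the accepted answer fixes: a `nat dynamic <pool> vlan <N>` statement under a policy must name the interface on which `nat-pool <pool>` is actually defined (vlan 73 in this thread, not vlan 87). The `ORIGINAL`/`FIXED` snippets, `parse()` and `check_nat()` are assumptions of this example; it assumes a single context and the plain line forms seen in the thread.

```python
import re

# Constructed ACE config (assumption: single context, plain line forms as in the
# thread). Reproduces the mistake: nat-pool 1 is on vlan 73, policy says vlan 87.
ORIGINAL = """\
class-map match-any NAT_CLASS
  2 match access-list NAT_ACCESS
policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 87
interface vlan 73
  ip address 192.168.29.18 255.255.255.248
  nat-pool 1 10.42.16.30 10.42.16.30 netmask 255.255.255.0 pat
interface vlan 87
  ip address 192.168.13.86 255.255.255.248
  service-policy input NAT_POLICY
"""
# The accepted answer's fix: point the NAT at the interface that owns the pool.
FIXED = ORIGINAL.replace("nat dynamic 1 vlan 87", "nat dynamic 1 vlan 73")


def parse(cfg: str) -> tuple[dict[int, set[int]], list[tuple[str, int, int]]]:
    """Return {vlan: {pool ids defined there}} and [(policy, pool, vlan)] NAT refs."""
    pools: dict[int, set[int]] = {}
    nats: list[tuple[str, int, int]] = []
    vlan = policy = None
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"interface vlan (\d+)$", s):
            vlan, policy = int(m.group(1)), None      # entering interface config
        elif m := re.match(r"policy-map \S+ (\S+)$", s):
            policy, vlan = m.group(1), None           # entering policy-map config
        elif (m := re.match(r"nat-pool (\d+) ", s)) and vlan is not None:
            pools.setdefault(vlan, set()).add(int(m.group(1)))
        elif (m := re.match(r"nat dynamic (\d+) vlan (\d+)$", s)) and policy:
            nats.append((policy, int(m.group(1)), int(m.group(2))))
    return pools, nats


def check_nat(cfg: str) -> list[str]:
    """Flag each 'nat dynamic <pool> vlan <N>' whose pool is not defined on vlan N."""
    pools, nats = parse(cfg)
    return [
        f"{pol}: 'nat dynamic {pool} vlan {vlan}' but nat-pool {pool} is not "
        f"configured on interface vlan {vlan} (pools there: {sorted(pools.get(vlan, []))})"
        for pol, pool, vlan in nats
        if pool not in pools.get(vlan, set())
    ]
```

Running `check_nat(ORIGINAL)` reports the vlan 87 mismatch; `check_nat(FIXED)` returns an empty list.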

7 REPLIES

New Member

Re: server side source NAT

Hi!

I overlooked.

The situation changed a little.

Status : ACTIVE
-----------------------------------------
Interface: vlan 87
  service-policy: NAT_POLICY
    class: NAT_CLASS
      nat:
        nat dynamic 1 vlan 73
        curr conns : 1 , hit count : 3
        dropped conns : 0
        client pkt count : 59 , client byte count: 2754
        server pkt count : 56 , server byte count: 3324
        conn-rate-limit : 0 , drop-count : 0
        bandwidth-rate-limit : 0 , drop-count : 0

Lajos-ACE/Admin# sho access-list NAT_ACCESS
access-list:NAT_ACCESS, elements: 2, status: NOT-ACTIVE
  remark :
  access-list NAT_ACCESS line 1 extended permit tcp host 192.168.13.81 any eq telnet
  access-list NAT_ACCESS line 30 extended permit icmp any any

The policy is working but the access-list is not.

The NAT is not working either.

Regards,

Re: server side source NAT

Access-list "NOT-ACTIVE" means that it is not applied to an interface, which is normal for ACLs that are only used in class maps.

Is the traffic for NAT covered by the ACL (the ACL applied to the interfaces) to allow the traffic through the ACE?

Syed Iftekhar Ahmed

New Member

Re: server side source NAT

Hi!

Yes. I use the ALL access-list on the interfaces.

Lajos-ACE/Admin# sho access-list ALL
access-list:ALL, elements: 2, status: ACTIVE
  remark :
  access-list ALL line 10 extended permit ip any any (hitcount=19682682)
  access-list ALL line 20 extended permit icmp any any (hitcount=0)

I make a telnet connection from 192.168.13.81 to an outside device.

The connection is made, but the source IP is 192.168.16.81 instead of 10.42.16.30.

Regards,

New Member

Re: server side source NAT

Hi!

Sorry, it is working!

Regards

Re: server side source NAT

Your config looks ok.

Are you sure the server-initiated connection is not bypassing the ACE? Do you see this conn on the ACE (sh conn)?

Just for testing, remove the ACL from the class-map; instead use source-address:

class-map match-any NAT_CLASS
  2 match source-address 192.168.13.81 255.255.255.255

Syed
