Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2615
Views
0
Helpful
8
Replies

C2911 NAT outside to inside not working

Go to solution
markus.forrer
Level 4
Level 4

‎11-05-2010 02:21 AM - edited ‎03-06-2019 01:54 PM

Hi community

I've to configure nat on a Cisco 2911 mit IOS 2900-universalk9-mz.SPA.150-1.M3.

I should nat the source address when the connection will go to a specific ip address. In my example

any connection to 10.118.1.11 should become a source address from the nat pool.

On a older Cisco 2600 the configuration works. But my new 2911 will do nothing.

!
interface Loopback0
ip address 10.118.0.65 255.255.255.192
ip nat outside
!
interface GigabitEthernet0/1
ip address 10.118.1.12 255.255.255.240
ip nat outside
standby 0 ip 10.118.1.14
!
interface GigabitEthernet0/2
ip address 10.118.0.60 255.255.255.192
ip virtual-reassembly
ip policy route-map NAT-TO-LO0
standby 1 ip 10.118.0.62
!

ip nat pool NAT-POOL 10.118.0.70 10.118.0.80 netmask 255.255.255.192
ip nat outside source list MATCH-DST pool NAT-POOL
!
ip access-list extended MATCH-DST
permit ip any host 10.118.1.11
!
route-map NAT-TO-LO0 permit 10
match ip address MATCH-DST
set ip next-hop 10.118.0.65
!

Any hint is very welcome. I tried a lot and I also tried the configuration in the simulator. There I saw that it will work on a C2600...

Markus

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
lgijssel
Level 9
Level 9

‎11-05-2010 05:21 AM

Hi Markus,

Just one question, you may consider this a hint:

where is your ip nat inside interface?

regards,

Leo

View solution in original post

0 Helpful
8 Replies 8

Go to solution
lgijssel
Level 9
Level 9

‎11-05-2010 05:21 AM

Hi Markus,

Just one question, you may consider this a hint:

where is your ip nat inside interface?

regards,

Leo

0 Helpful

Go to solution
markus.forrer
Level 4
Level 4
In response to lgijssel

‎11-05-2010 05:47 AM

ooups copy paste error! Inside Interface is the GigabitEthernet0/1

!
interface Loopback0
ip address 10.118.0.65 255.255.255.192
ip nat outside
!
interface GigabitEthernet0/1
ip address 10.118.1.12 255.255.255.240
ip nat inside
standby 0 ip 10.118.1.14
!
interface GigabitEthernet0/2
ip address 10.118.0.60 255.255.255.192
ip virtual-reassembly
ip policy route-map NAT-TO-LO0
standby 1 ip 10.118.0.62
!

ip nat pool NAT-POOL 10.118.0.70 10.118.0.80 netmask 255.255.255.192
ip nat outside source list MATCH-DST pool NAT-POOL
!
ip access-list extended MATCH-DST
permit ip any host 10.118.1.11
!
route-map NAT-TO-LO0 permit 10
match ip address MATCH-DST
set ip next-hop 10.118.0.65
!

0 Helpful

Go to solution
lgijssel
Level 9
Level 9
In response to markus.forrer

‎11-05-2010 06:24 AM

You are making it far more complex than necessary. The loopback is not needed here and neither is the policy route-map.

The acl for outside nat will match only for one host and route all else. You do not need to introduce an extra hop for this.

Try it as below: (required changes in bold print)

interface Loopback0
ip address 10.118.0.65 255.255.255.192
no ip nat outside
!
interface GigabitEthernet0/1
ip address 10.118.1.12 255.255.255.240
ip nat inside
standby 0 ip 10.118.1.14
!
interface GigabitEthernet0/2
ip address 10.118.0.60 255.255.255.192
ip virtual-reassembly
no ip policy route-map NAT-TO-LO0
ip nat outside
standby 1 ip 10.118.0.62

!

ip nat pool NAT-POOL 10.118.0.70 10.118.0.80 netmask 255.255.255.192
ip nat outside source list MATCH-DST pool NAT-POOL

regards,

Leo

0 Helpful

Go to solution
markus.forrer
Level 4
Level 4
In response to lgijssel

‎11-05-2010 07:04 AM

Hi Leo

In tried your configuration, but in this way the router make the nat also for the destination 10.118.1.12

Can the problem occurs because the nat router has a interface attached to the 10.118.1. network?

regards

Markus

0 Helpful

Go to solution
lgijssel
Level 9
Level 9
In response to markus.forrer

‎11-05-2010 07:14 AM

Does this also happen when you keep the acl?

I did not list it but it's obvious that the acl is still needed to determine what to nat (and what not).

0 Helpful

Go to solution
markus.forrer
Level 4
Level 4
In response to lgijssel

‎11-05-2010 07:20 AM

yes the acl is still active in the configuration. I only removed the policy based routing and changed the ip nat outside interface as you described

0 Helpful

Go to solution
lgijssel
Level 9
Level 9
In response to markus.forrer

‎11-05-2010 07:46 AM

Markus,

I cannot exactly oversee the various connections and how you came to this test result.

As far as I can see, the .12 address is on the same subnet as the end host so it should never traverse the acl in order to reach the system.

Perhaps it is possible to adjust the acl in order to make it work, for example by excluding any unwanted addresses before the match ip any line?

regards,

Leo

0 Helpful

Go to solution
markus.forrer
Level 4
Level 4
In response to lgijssel

‎11-16-2010 01:30 AM

Hi Leo

Finally it didn't work with the C2911. So I changed the router model and now it works without problem with the first configuration.

Thanks for your help.

Regards Markus

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card