New Member

C2911 NAT outside to inside not working

Hi community

I have to configure NAT on a Cisco 2911 with IOS 2900-universalk9-mz.SPA.150-1.M3.

I should NAT the source address when the connection goes to a specific IP address. In my example, any connection to 10.118.1.11 should get a source address from the NAT pool.

On an older Cisco 2600 the configuration works. But my new 2911 will do nothing.

!
interface Loopback0
ip address 10.118.0.65 255.255.255.192
ip nat outside
!
interface GigabitEthernet0/1
ip address 10.118.1.12 255.255.255.240
ip nat outside
standby 0 ip 10.118.1.14
!
interface GigabitEthernet0/2
ip address 10.118.0.60 255.255.255.192
ip virtual-reassembly
ip policy route-map NAT-TO-LO0
standby 1 ip 10.118.0.62
!

ip nat pool NAT-POOL 10.118.0.70 10.118.0.80 netmask 255.255.255.192
ip nat outside source list MATCH-DST pool NAT-POOL
!
ip access-list extended MATCH-DST
permit ip any host 10.118.1.11
!
route-map NAT-TO-LO0 permit 10
match ip address MATCH-DST
set ip next-hop 10.118.0.65
!

Any hint is very welcome. I tried a lot and I also tried the configuration in the simulator. There I saw that it will work on a C2600...

Markus

Accepted Solution

Re: C2911 NAT outside to inside not working

Hi Markus,

Just one question, you may consider this a hint:

where is your ip nat inside interface?

regards,

Leo
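
The check behind Leo's hint, as an added example that is not part of the original thread: a short Python script that reads an IOS configuration and reports when a NAT translation rule is configured but no interface is marked `ip nat inside` or `ip nat outside`. The function name `nat_findings` is hypothetical, and the sample input is the first configuration from this thread, reduced to its NAT-relevant lines.

```python
import re

# Sample input: the first configuration posted in this thread (NAT-relevant lines only).
SAMPLE = """\
interface Loopback0
ip address 10.118.0.65 255.255.255.192
ip nat outside
!
interface GigabitEthernet0/1
ip address 10.118.1.12 255.255.255.240
ip nat outside
!
interface GigabitEthernet0/2
ip address 10.118.0.60 255.255.255.192
ip policy route-map NAT-TO-LO0
!
ip nat pool NAT-POOL 10.118.0.70 10.118.0.80 netmask 255.255.255.192
ip nat outside source list MATCH-DST pool NAT-POOL
"""

def nat_findings(config):
    """Return (interface -> NAT role, list of findings) for an IOS config."""
    roles, rules, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!" or not line:
            current = None                      # "!" closes an interface section
        elif line.startswith("interface "):
            current = line.split()[1]
            roles.setdefault(current, None)
        elif current and re.fullmatch(r"(no )?ip nat (inside|outside)", line):
            # Interface-level role; the "no" form clears it.
            roles[current] = None if line.startswith("no ") else line.split()[-1]
        elif re.match(r"ip nat (inside|outside) source ", line):
            rules.append(line)                  # global translation rule
    findings = []
    if rules:
        # A translation rule only acts on traffic crossing between the two roles.
        for side in ("inside", "outside"):
            if side not in roles.values():
                findings.append(f"no interface is marked 'ip nat {side}'")
    return roles, findings

if __name__ == "__main__":
    roles, findings = nat_findings(SAMPLE)
    for name, role in roles.items():
        print(f"{name}: {role or 'no NAT role'}")
    for finding in findings:
        print("FINDING:", finding)
```
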

New Member

Re: C2911 NAT outside to inside not working

Oops, copy-paste error! The inside interface is GigabitEthernet0/1.

!
interface Loopback0
ip address 10.118.0.65 255.255.255.192
ip nat outside
!
interface GigabitEthernet0/1
ip address 10.118.1.12 255.255.255.240
ip nat inside
standby 0 ip 10.118.1.14
!
interface GigabitEthernet0/2
ip address 10.118.0.60 255.255.255.192
ip virtual-reassembly
ip policy route-map NAT-TO-LO0
standby 1 ip 10.118.0.62
!

ip nat pool NAT-POOL 10.118.0.70 10.118.0.80 netmask 255.255.255.192
ip nat outside source list MATCH-DST pool NAT-POOL
!
ip access-list extended MATCH-DST
permit ip any host 10.118.1.11
!
route-map NAT-TO-LO0 permit 10
match ip address MATCH-DST
set ip next-hop 10.118.0.65
!

Re: C2911 NAT outside to inside not working

You are making it far more complex than necessary. The loopback is not needed here and neither is the policy route-map.

The acl for outside nat will match only for one host and route all else. You do not need to introduce an extra hop for this.

Try it as below: (required changes in bold print)

interface Loopback0
ip address 10.118.0.65 255.255.255.192
no ip nat outside
!
interface GigabitEthernet0/1
ip address 10.118.1.12 255.255.255.240
ip nat inside
standby 0 ip 10.118.1.14
!
interface GigabitEthernet0/2
ip address 10.118.0.60 255.255.255.192
ip virtual-reassembly
no ip policy route-map NAT-TO-LO0
ip nat outside
standby 1 ip 10.118.0.62

!

ip nat pool NAT-POOL 10.118.0.70 10.118.0.80 netmask 255.255.255.192
ip nat outside source list MATCH-DST pool NAT-POOL

regards,

Leo

New Member

Re: C2911 NAT outside to inside not working

Hi Leo

I tried your configuration, but this way the router also does the NAT for the destination 10.118.1.12.

Can the problem occur because the NAT router has an interface attached to the 10.118.1. network?

regards

Markus

Re: C2911 NAT outside to inside not working

Does this also happen when you keep the acl?

I did not list it but it's obvious that the acl is still needed to determine what to nat (and what not).

New Member

Re: C2911 NAT outside to inside not working

Yes, the ACL is still active in the configuration. I only removed the policy-based routing and changed the ip nat outside interface as you described.

Re: C2911 NAT outside to inside not working

Markus,

I cannot exactly oversee the various connections and how you came to this test result.

As far as I can see, the .12 address is on the same subnet as the end host so it should never traverse the acl in order to reach the system.

Perhaps it is possible to adjust the acl in order to make it work, for example by excluding any unwanted addresses before the match ip any line?

regards,

Leo

New Member

Re: C2911 NAT outside to inside not working

Hi Leo

Finally it didn't work with the C2911. So I changed the router model and now it works without problem with the first configuration.

Thanks for your help.

Regards Markus
