Re: help configuring NAT

fredluneau · ‎10-27-2013

I am having difficulties configuring NAT POOL for traffic on my internal network when hitting a specific interface to my firewall. When traffic from a specific subnet (matching the ACL) goes to a specific interface (firewall VLAN) I need that traffic to NAT from pool. Here is my config:

Router#(config)

ip nat pool Remote-Offices 10.168.0.0 10.168.255.255 prefix-length 16 type match-host

access-list 150 permit ip 192.168.168.0 0.0.3.255 any log

ip nat inside source list 150 pool Remote-Offices

!

Router#(config-if)

interface Vlan170

description Firewall Network

ip address 172.18.7.4 255.255.255.240

ip directed-broadcast

ip nat inside

end

With this config I do not see any nat translations when issuing a pingfrom a host on the 192.168.168.0/22 to a destination address on my firewall dmz which passes through VLAN170, which is also my static default route (172.18.7.1)

Any assistance would be most appreciated. Thanks.

cadet alain · ‎10-27-2013

Hi,

log keyword is not supported for NAT ACLs so just get rid of it.Also make sure your routing is correct because packets are routed first before being natted.

Regards

Alain

Don't forget to rate helpful posts.

fredluneau · ‎10-27-2013

Hi Alain, Thanks for your reply. I did remove the log keyword as suggested however that did not change the result. Routing is functioning correctly as a traceroute I ran plots the expected path.

Any other thoughts? Is there any additional detail I can provide which would help towards a solution?

cadet alain · ‎10-27-2013

Hi,

Have you got a route back to this 192.168.168.0/22 on the NAT device ?

Regards

Alain

Don't forget to rate helpful posts.

fredluneau · ‎10-28-2013

Alain,

Sorry for the delay in responding. Yes, routing for this subnet has and still is working normally.

Question....the svi interface, VLAN 170, should the configuration for NAT function as currently configured or do I need to change the switchports connecting the firewall to routed interfaces and put IPs on the gigabit interfaces?

Thanks.

-Fred

cadet alain · ‎10-29-2013

Hi,

No you can leave it as is but where is the nat outside configured ? I don't see it in your config snippet and could you also post a quick diagram of your topology ?

Regards

Alain

Don't forget to rate helpful posts.

fredluneau · ‎10-29-2013

Alain,

I have attached a diagram that should help explain better what we are attempting to do.

We have been internally discussing this this morning and re-reading the documentation and may have come up with a reason why we haven't been successful. Is it likely that we have been putting the ip nat inside statement on the wrong interface(s)?

cadet alain · ‎10-29-2013

Hi,

I don't see the diagram so I can't tell you.

Regards

Alain

Don't forget to rate helpful posts.

fredluneau · ‎11-01-2013

Alain, Sorry. I had difficulties in getting the attachment in this duscussion. Somehow the previous attachment I attempted went into a discussion area. Anyway, I have attached the diagram into this discussion thread. I am still hoping you can help.

Thanks

Fred