11-12-2014 09:32 AM - edited 03-07-2019 09:29 PM
Hello all, I have had a hard time trying to get this figured out. Here is what I have: an 1841 router and a 3560G L2 switch. I have a block of 12 IPs from my ISP that I can use. What I want to accomplish is that each of the 11 external IPs will be mapped to a user subnet. I am utilizing Fa0/0 as my outside interface with the first external IP. Then I have Fa0/1.xx for sub-interfaces. These sub-interfaces match up with a VLAN on the switch, which is then trunked down to a server.
Cisco 1841
logging buffered 16384 debugging
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.49
!
ip dhcp pool 66
import all
network 10.66.66.0 255.255.255.0
default-router 10.66.66.1
dns-server 10.10.66.1 8.8.8.8
!
ip dhcp pool 10
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1 8.8.8.8
!
ip dhcp pool 43
import all
network 10.10.43.0 255.255.255.0
default-router 10.10.43.1
dns-server 202.67.222.222 8.8.8.8
!
ip dhcp pool 44
import all
network 10.10.44.0 255.255.255.0
default-router 10.10.44.1
dns-server 202.67.222.222 8.8.8.8
!
!
ip ssh version 2
!
!
!
username strato.adm password 7 142406192C107A282B252371
archive
path flash:
maximum 5
write-memory
time-period 10
!
!
!
!
!
interface FastEthernet0/0
description Outside
ip address xx.xx.xx.178 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Inside
no ip address
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1.5
encapsulation dot1Q 5
ip address 10.10.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
!
interface FastEthernet0/1.8
encapsulation dot1Q 8
ip address 10.10.8.1 255.255.255.0
no ip route-cache
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
!
interface FastEthernet0/1.43
encapsulation dot1Q 43
ip address 10.10.43.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
!
interface FastEthernet0/1.44
encapsulation dot1Q 44
ip address 10.10.44.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
!
interface FastEthernet0/1.66
encapsulation dot1Q 66
ip address 10.66.66.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
!
interface Serial0/0/0
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.177
!
!
no ip http server
no ip http secure-server
ip nat pool MGMT-HOME xx.xx.xx.178 xx.xx.xx.178 prefix-length 28
ip nat pool VNC 10.10.10.201 10.10.10.201 netmask 255.255.255.0 type rotary
ip nat pool client-44 xx.xx.xx.179 xx.xx.xx.179 prefix-length 28
ip nat inside source list MGMT-HOME interface FastEthernet0/0 overload
ip nat inside source route-map client-44-rmap pool client-44 overload
ip nat inside source static udp 10.66.66.47 1194 interface FastEthernet0/0 1194
ip nat inside source static tcp 10.10.10.201 3128 interface FastEthernet0/0 3128
ip nat inside source static tcp 10.10.10.201 8006 interface FastEthernet0/0 8006
ip nat inside source static tcp 10.10.10.201 22 interface FastEthernet0/0 22
ip nat inside destination list MGMT-HOME pool VNC
!
ip access-list extended MGMT-HOME
deny ip host 10.10.44.6 any
permit ip 10.10.10.0 0.0.0.255 any
permit ip 10.66.66.0 0.0.0.255 any
permit tcp any any range 5900 5999
ip access-list extended client-44-acl
permit ip host 10.10.44.6 any
route-map client-44-rmap permit 10
match ip address client-44-acl
I am able to ping 10.10.44.1 from the virtual machine inside the physical host that is trunked to the switch with a VLAN tag of 44, which routes to sub-interface Fa0/1.44, but I cannot ping out to Google. If I add
ip access-list extended MGMT-HOME
permit ip 10.10.44.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
permit ip 10.66.66.0 0.0.0.255 any
permit tcp any any range 5900 5999
then I can access Google fine, but I have always thought setting route-maps would work for something like what I have, and that traffic should hit the first ACL, see it denied, then go to the next and see it allowed for the other NAT pool and be allowed out.
Any help is greatly appreciated.
11-12-2014 10:29 AM
Mixing ACL-defined NAT and RM-defined NAT can sometimes produce unpredictable results, as does mixing IP-based NAT and interface-based NAT. Let's standardize on RMs and IP addresses and give this a try:
ip nat pool MGMT-HOME xx.xx.xx.178 xx.xx.xx.178 prefix-length 28
ip nat pool client-44 xx.xx.xx.179 xx.xx.xx.179 prefix-length 28
ip nat inside source route-map MGMT-HOME pool MGMT-HOME overload
ip nat inside source route-map client-44-rmap pool client-44 overload
ip nat inside source static udp 10.66.66.47 1194 xx.xx.xx.178 1194
ip nat inside source static tcp 10.10.10.201 3128 xx.xx.xx.178 3128
ip nat inside source static tcp 10.10.10.201 8006 xx.xx.xx.178 8006
ip nat inside source static tcp 10.10.10.201 22 xx.xx.xx.178 22
!
ip access-list extended MGMT-HOME
permit ip 10.10.10.0 0.0.0.255 any
permit ip 10.66.66.0 0.0.0.255 any
ip access-list extended client-44-acl
permit ip 10.10.44.0 0.0.0.255 any
!
route-map MGMT-HOME permit 10
match ip address MGMT-HOME
!
route-map client-44-rmap permit 10
match ip address client-44-acl
The following configuration entries don't really play into what you appear to be trying to do, so I would take them out for now:
ip access-list extended MGMT-HOME
permit tcp any any range 5900 5999
ip nat pool VNC 10.10.10.201 10.10.10.201 netmask 255.255.255.0 type rotary
ip nat inside destination list MGMT-HOME pool VNC
What are you trying to do with those?
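The reply above relies on how the router walks its NAT rules: each `ip nat inside source` statement is tried in turn, and a deny in one statement's ACL only means that statement does not apply, so the packet falls through to the next one. As an added illustration (not from the thread, not Cisco code, and not the poster's configuration), here is a small Python model of that selection logic, run against the rule order from the first post and against the rule set proposed in this reply. It assumes first-match over the configured order, treats a route-map `permit` sequence with `match ip address` exactly like its ACL, and matches only on source address (the `permit tcp any any range 5900 5999` entry and the static port-forwards are left out). The `xx.xx.xx.178` / `xx.xx.xx.179` strings are the page's masked public addresses, kept as labels.

```python
"""Model of how a router with several 'ip nat inside source' rules picks the
inside-global (public) address for a packet leaving an inside interface.

Added example for this thread, not Cisco code and not the poster's config.
Assumptions (simplifications of IOS behaviour):
  * dynamic rules are tried in the order listed; the first rule whose ACL
    permits the source wins;
  * a 'deny' entry in one rule's ACL only means "this rule does not apply";
    the packet is not dropped, it falls through to the next rule;
  * a route-map 'permit' sequence with 'match ip address <acl>' is treated
    exactly like that ACL;
  * only the source address is matched.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    network: IPv4Network   # matched source range; a host entry is a /32


@dataclass
class NatRule:
    name: str
    acl: List[AclEntry]    # evaluated top-down, implicit deny at the end
    inside_global: str     # address of the pool / interface this rule uses


def host(address: str) -> IPv4Network:
    """ACL 'host a.b.c.d' entry."""
    return IPv4Network(address + "/32")


def net(cidr: str) -> IPv4Network:
    """ACL 'a.b.c.d wildcard' entry, written here in CIDR form."""
    return IPv4Network(cidr)


def acl_result(acl: List[AclEntry], src: IPv4Address) -> Optional[str]:
    """Action of the first matching entry, or None for the implicit deny."""
    for entry in acl:
        if src in entry.network:
            return entry.action
    return None


def select_inside_global(src: str, rules: List[NatRule]) -> Optional[str]:
    """Walk the NAT rules in order and return the inside-global address the
    packet would be translated to, or None if no rule translates it."""
    addr = IPv4Address(src)
    for rule in rules:
        if acl_result(rule.acl, addr) == "permit":
            return rule.inside_global
    return None


def translation_table(rules: List[NatRule], sources: List[str]) -> dict:
    """Inside-local -> inside-global for each probe (None = not translated)."""
    return {s: select_inside_global(s, rules) for s in sources}


# Rule order from the first post: the MGMT-HOME list rule, then the client-44 route-map.
ORIGINAL_RULES = [
    NatRule("MGMT-HOME", [AclEntry("deny", host("10.10.44.6")),
                          AclEntry("permit", net("10.10.10.0/24")),
                          AclEntry("permit", net("10.66.66.0/24"))], "xx.xx.xx.178"),
    NatRule("client-44-rmap", [AclEntry("permit", host("10.10.44.6"))], "xx.xx.xx.179"),
]

# Rule set proposed in the reply: both rules via route-maps, client-44-acl covers the whole /24.
PROPOSED_RULES = [
    NatRule("MGMT-HOME", [AclEntry("permit", net("10.10.10.0/24")),
                          AclEntry("permit", net("10.66.66.0/24"))], "xx.xx.xx.178"),
    NatRule("client-44-rmap", [AclEntry("permit", net("10.10.44.0/24"))], "xx.xx.xx.179"),
]

if __name__ == "__main__":
    probes = ["10.10.44.6", "10.10.44.7", "10.10.10.50", "10.66.66.22", "10.10.5.9"]
    for label, rules in (("original", ORIGINAL_RULES), ("proposed", PROPOSED_RULES)):
        print(label, translation_table(rules, probes))
```

Running it shows that the poster's fall-through expectation does hold for 10.10.44.6 under the original rules (denied by MGMT-HOME, then picked up by client-44-rmap and sent out as .179), but any other host on VLAN 44, say 10.10.44.7, matches neither ACL and is not translated at all, which is why the reply widens client-44-acl to the whole 10.10.44.0/24. The 10.10.5.9 probe makes the same point from the other side: a sub-interface marked `ip nat inside` whose subnet appears in no NAT ACL simply gets no translation.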
11-12-2014 08:34 PM
For something like this, where I want the networks completely isolated, I usually use a VRF lite configuration.
11-12-2014 11:32 AM
So I am sure some of what I was trying to do was because of my lack of understanding and just trying to stitch things together.
In essence, what I want to achieve is this: I have 2 servers that will provide VPS out of my home. The first IP of my 12 will be for everything in my house that is home related and for a few ports for my business MGMT subnet. The other IPs will be for different VPS clients that need to have traffic flow in and out of their own subnet to their own NAT IP address but not have access to anything else.
The virtualization software I use has VNC for clients to access their VPS via console through my website, and since the server controls the VNC to each VPS, I did a rotary statement for VNC console access to the server's internal IP.
11-12-2014 11:40 AM
Stratocomp wrote 3 minutes ago:
> In essence what I want to achieve is I have 2 servers that will provide vps out of my home.
> The first ip of my 12 will be for everything in my house that is home related and for a few
> ports for my business MGMT subnet. The other IP's will be for different VPS clients that
> need to have traffic flow in and out of their own subnet to their own NAT ip address but not
> have access to anything else.
Okay, the configuration example I gave above should cover that easily enough. Let me know if it works for you.
> The virtualization software I use has VNC for clients to access their vps via console through
> my website and since the server controls the vnc to each vps i did a rotary statement for vnc
> console access to the server internal ip.
So you're just using destination NAT to be able to forward a huge range of ports inbound then?
11-12-2014 12:26 PM
So, oddly enough, after doing that config my computer said I had internet access, but I could not ping Google DNS or access any web page. Below is my config. I did clear ip nat trans to make sure.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 debugging
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.49
!
ip dhcp pool 66
import all
network 10.66.66.0 255.255.255.0
default-router 10.66.66.1
dns-server 10.10.66.1 8.8.8.8
!
ip dhcp pool 10
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1 8.8.8.8
!
ip dhcp pool 43
import all
network 10.10.43.0 255.255.255.0
default-router 10.10.43.1
dns-server 202.67.222.222 8.8.8.8
!
ip dhcp pool 44
import all
network 10.10.44.0 255.255.255.0
default-router 10.10.44.1
dns-server 202.67.222.222 8.8.8.8
!
!
ip ssh version 2
!
!
!
archive
path flash:
maximum 5
write-memory
time-period 10
!
!
!
!
!
interface FastEthernet0/0
description Outside
ip address xx.xx.xx.178 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Inside
no ip address
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1.5
encapsulation dot1Q 5
ip address 10.10.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
!
interface FastEthernet0/1.8
encapsulation dot1Q 8
ip address 10.10.8.1 255.255.255.0
no ip route-cache
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
!
interface FastEthernet0/1.43
encapsulation dot1Q 43
ip address 10.10.43.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
!
interface FastEthernet0/1.44
encapsulation dot1Q 44
ip address 10.10.44.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
!
interface FastEthernet0/1.66
encapsulation dot1Q 66
ip address 10.66.66.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
!
interface Serial0/0/0
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.177
!
!
no ip http server
no ip http secure-server
ip nat pool MGMT-HOME xx.xx.xx.178 xx.xx.xx.178 prefix-length 28
ip nat pool client-44 xx.xx.xx.179 xx.xx.xx.179 prefix-length 28
ip nat inside source route-map MGMT-HOME pool MGMT-HOME overload
ip nat inside source route-map client-44-rmap pool client-44 overload
ip nat inside source static udp 10.66.66.47 1194 interface FastEthernet0/0 1194
ip nat inside source static tcp 10.10.10.201 3128 interface FastEthernet0/0 3128
ip nat inside source static tcp 10.10.10.201 8006 interface FastEthernet0/0 8006
ip nat inside source static tcp 10.10.10.201 22 interface FastEthernet0/0 22
!
ip access-list extended MGMT-HOME
permit ip 10.10.10.0 0.0.0.255 any
permit ip 10.66.66.0 0.0.0.255 any
ip access-list extended client-44-acl
permit ip 10.10.44.0 0.0.0.255 any
!
logging trap debugging
logging facility local0
logging host 54.228.220.150 transport udp port 10798
!
route-map client-44-rmap permit 10
match ip address client-44-acl
!
route-map MGMT-HOME permit 10
match ip address MGMT-HOME
!
!
!
!
control-plane
!
!
!
!
scheduler allocate 20000 1000
ntp clock-period 17178380
ntp update-calendar
ntp server 72.14.183.239
end
11-12-2014 12:43 PM
The configuration looks good. Try attempting to ping 8.8.8.8 from the 10.10.10.0/24, 10.66.66.0/24 and 10.10.44.0/24 networks and then do a "show ip nat translations" to see if the translations are being generated properly. Are you able to reach 8.8.8.8 from any of these networks?
11-12-2014 01:01 PM
So I cannot ping 8.8.8.8 from any of the networks, but I do see lots of translations under show ip nat trans.
StratoRouter#show ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp xx.xx.xx.178:22 10.10.10.201:22 --- ---
tcp xx.xx.xx.178:3128 10.10.10.201:3128 --- ---
tcp xx.xx.xx.178:8006 10.10.10.201:8006 --- ---
udp xx.xx.xx.178:123 10.10.10.202:123 66.135.44.92:123 66.135.44.92:123
udp xx.xx.xx.178:123 10.10.10.202:123 98.143.24.53:123 98.143.24.53:123
icmp xx.xx.xx.179:1 10.10.44.6:1 8.8.8.8:1 8.8.8.8:1
udp xx.xx.xx.179:123 10.10.44.7:123 198.60.22.240:123 198.60.22.240:123
icmp xx.xx.xx.179:7039 10.10.44.7:7039 8.8.8.8:7039 8.8.8.8:7039
udp xx.xx.xx.178:34215 10.66.66.2:34215 10.10.66.1:53 10.10.66.1:53
udp xx.xx.xx.178:37300 10.66.66.2:37300 10.10.66.1:53 10.10.66.1:53
udp xx.xx.xx.178:38570 10.66.66.2:38570 8.8.8.8:53 8.8.8.8:53
udp xx.xx.xx.178:40858 10.66.66.2:40858 10.10.66.1:53 10.10.66.1:53
udp xx.xx.xx.178:43210 10.66.66.2:43210 10.10.66.1:53 10.10.66.1:53
udp xx.xx.xx.178:46495 10.66.66.2:46495 8.8.8.8:53 8.8.8.8:53
udp xx.xx.xx.178:47632 10.66.66.2:47632 8.8.8.8:53 8.8.8.8:53
udp xx.xx.xx.178:48810 10.66.66.2:48810 8.8.8.8:53 8.8.8.8:53
udp xx.xx.xx.178:51724 10.66.66.2:51724 8.8.8.8:53 8.8.8.8:53
udp xx.xx.xx.178:58686 10.66.66.2:58686 8.8.8.8:53 8.8.8.8:53
udp xx.xx.xx.178:60918 10.66.66.2:60918 10.10.66.1:53 10.10.66.1:53
udp xx.xx.xx.178:52074 10.66.66.18:52074 8.8.8.8:53 8.8.8.8:53
udp xx.xx.xx.178:52074 10.66.66.18:52074 10.10.66.1:53 10.10.66.1:53
udp xx.xx.xx.178:55430 10.66.66.18:55430 8.8.8.8:53 8.8.8.8:53
udp xx.xx.xx.178:55430 10.66.66.18:55430 10.10.66.1:53 10.10.66.1:53
udp xx.xx.xx.178:58194 10.66.66.18:58194 8.8.8.8:53 8.8.8.8:53
udp xx.xx.xx.178:58194 10.66.66.18:58194 10.10.66.1:53 10.10.66.1:53
udp xx.xx.xx.178:63345 10.66.66.18:63345 8.8.8.8:53 8.8.8.8:53
udp xx.xx.xx.178:64540 10.66.66.18:64540 8.8.8.8:53 8.8.8.8:53
udp xx.xx.xx.178:64540 10.66.66.18:64540 10.10.66.1:53 10.10.66.1:53
udp xx.xx.xx.178:54337 10.66.66.20:54337 8.8.8.8:53 8.8.8.8:53
udp xx.xx.xx.178:54337 10.66.66.20:54337 10.10.66.1:53 10.10.66.1:53
icmp xx.xx.xx.178:1 10.66.66.22:1 8.8.8.8:1 8.8.8.8:1
udp xx.xx.xx.178:61853 10.66.66.22:61853 8.8.8.8:53 8.8.8.8:53
udp xx.xx.xx.178:61853 10.66.66.22:61853 10.10.66.1:53 10.10.66.1:53
udp xx.xx.xx.178:64400 10.66.66.22:64400 8.8.8.8:53 8.8.8.8:53
udp xx.xx.xx.178:64400 10.66.66.22:64400 10.10.66.1:53 10.10.66.1:53
tcp xx.xx.xx.178:65161 10.66.66.22:65161 111.221.74.48:40018 111.221.74.48:40018
tcp xx.xx.xx.178:65162 10.66.66.22:65162 111.221.77.162:80 111.221.77.162:80
tcp xx.xx.xx.178:65164 10.66.66.22:65164 64.4.23.143:40001 64.4.23.143:40001
tcp xx.xx.xx.178:65165 10.66.66.22:65165 111.221.74.48:443 111.221.74.48:443
tcp xx.xx.xx.178:65166 10.66.66.22:65166 111.221.77.154:40021 111.221.77.154:40021
tcp xx.xx.xx.178:65167 10.66.66.22:65167 64.4.23.143:443 64.4.23.143:443
tcp xx.xx.xx.178:65169 10.66.66.22:65169 111.221.74.48:80 111.221.74.48:80
tcp xx.xx.xx.178:65170 10.66.66.22:65170 111.221.77.154:443 111.221.77.154:443
tcp xx.xx.xx.178:65171 10.66.66.22:65171 64.4.23.143:80 64.4.23.143:80
tcp xx.xx.xx.178:65173 10.66.66.22:65173 111.221.77.154:80 111.221.77.154:80
tcp xx.xx.xx.178:65174 10.66.66.22:65174 91.190.216.52:12350 91.190.216.52:12350
tcp xx.xx.xx.178:65181 10.66.66.22:65181 91.190.216.52:443 91.190.216.52:443
tcp xx.xx.xx.178:65183 10.66.66.22:65183 91.190.216.52:80 91.190.216.52:80
tcp xx.xx.xx.178:65188 10.66.66.22:65188 157.55.56.140:40033 157.55.56.140:40033
tcp xx.xx.xx.178:65189 10.66.66.22:65189 157.55.130.141:40007 157.55.130.141:40007
tcp xx.xx.xx.178:65191 10.66.66.22:65191 157.55.56.140:443 157.55.56.140:443
tcp xx.xx.xx.178:65192 10.66.66.22:65192 64.4.23.158:40019 64.4.23.158:40019
tcp xx.xx.xx.178:65193 10.66.66.22:65193 157.55.130.141:443 157.55.130.141:443
tcp xx.xx.xx.178:65194 10.66.66.22:65194 157.55.56.140:80 157.55.56.140:80
tcp xx.xx.xx.178:65196 10.66.66.22:65196 64.4.23.158:443 64.4.23.158:443
tcp xx.xx.xx.178:65197 10.66.66.22:65197 213.199.179.146:40021 213.199.179.146:40021
tcp xx.xx.xx.178:65198 10.66.66.22:65198 157.55.130.141:80 157.55.130.141:80
tcp xx.xx.xx.178:65199 10.66.66.22:65199 64.4.23.158:80 64.4.23.158:80
tcp xx.xx.xx.178:65201 10.66.66.22:65201 213.199.179.146:443 213.199.179.146:443
tcp xx.xx.xx.178:65202 10.66.66.22:65202 157.56.52.31:40026 157.56.52.31:40026
tcp xx.xx.xx.178:65204 10.66.66.22:65204 213.199.179.146:80 213.199.179.146:80
tcp xx.xx.xx.178:65205 10.66.66.22:65205 65.55.223.31:40014 65.55.223.31:40014
Pro Inside global Inside local Outside local Outside global
tcp xx.xx.xx.178:65206 10.66.66.22:65206 157.56.52.31:443 157.56.52.31:443
tcp xx.xx.xx.178:65207 10.66.66.22:65207 157.56.52.21:40005 157.56.52.21:40005
tcp xx.xx.xx.178:65209 10.66.66.22:65209 65.55.223.31:443 65.55.223.31:443
tcp xx.xx.xx.178:65210 10.66.66.22:65210 157.56.52.31:80 157.56.52.31:80
tcp xx.xx.xx.178:65211 10.66.66.22:65211 157.56.52.21:443 157.56.52.21:443
tcp xx.xx.xx.178:65213 10.66.66.22:65213 65.55.223.31:80 65.55.223.31:80
tcp xx.xx.xx.178:65214 10.66.66.22:65214 157.56.52.21:80 157.56.52.21:80
udp xx.xx.xx.178:52733 10.66.66.27:52733 8.8.8.8:53 8.8.8.8:53
udp xx.xx.xx.178:56704 10.66.66.27:56704 8.8.8.8:53 8.8.8.8:53
udp xx.xx.xx.178:63073 10.66.66.27:63073 8.8.8.8:53 8.8.8.8:53
udp xx.xx.xx.178:1194 10.66.66.47:1194 --- ---
tcp xx.xx.xx.178:38636 10.66.66.47:38636 209.221.132.10:443 209.221.132.10:443
tcp xx.xx.xx.178:52046 10.66.66.47:52046 209.221.132.9:443 209.221.132.9:443
11-12-2014 01:06 PM
Okay... it looks like NAT is working. Here we can see that traffic from 10.10.44.0/24 is translating to xx.xx.xx.179 and traffic from 10.66.66.0/24 is translating to xx.xx.xx.178.
Pro Inside global Inside local Outside local Outside global
icmp xx.xx.xx.179:1 10.10.44.6:1 8.8.8.8:1 8.8.8.8:1
icmp xx.xx.xx.178:1 10.66.66.22:1 8.8.8.8:1 8.8.8.8:1
Now we just need to figure out why traffic isn't coming back. Are you able to ping 8.8.8.8 from the router?
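The reply above reads the translation table by eye to confirm that VLAN 44 leaves as .179 and the home/management networks as .178. As an added example (not part of the thread and not a Cisco tool), here is a Python parser for show ip nat translations output that does that check mechanically: it skips the header IOS repeats on every page, splits each entry into protocol and four address:port endpoints, and compares every inside-local address against the public address the policy intends for its subnet, returning any entry that leaves through the wrong one. The sample lines are copied from the poster's output with the ISP prefix masked as xx.xx.xx, as on the page; the expected mapping is the one the replies state.

```python
"""Parse 'show ip nat translations' output and verify that each inside-local
subnet is leaving through the public address the NAT policy intends.

Added example for this thread, not Cisco code. SAMPLE_OUTPUT is a subset of
the poster's own output with the ISP prefix masked as on the page."""
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
Pro Inside global Inside local Outside local Outside global
tcp xx.xx.xx.178:22 10.10.10.201:22 --- ---
udp xx.xx.xx.178:123 10.10.10.202:123 66.135.44.92:123 66.135.44.92:123
icmp xx.xx.xx.179:1 10.10.44.6:1 8.8.8.8:1 8.8.8.8:1
udp xx.xx.xx.179:123 10.10.44.7:123 198.60.22.240:123 198.60.22.240:123
udp xx.xx.xx.178:38570 10.66.66.2:38570 8.8.8.8:53 8.8.8.8:53
Pro Inside global Inside local Outside local Outside global
tcp xx.xx.xx.178:65206 10.66.66.22:65206 157.56.52.31:443 157.56.52.31:443
udp xx.xx.xx.178:1194 10.66.66.47:1194 --- ---
"""

# Intended policy from the thread: client VLAN 44 leaves via .179, the
# home/management networks via .178 (masked public addresses kept as labels).
EXPECTED_GLOBAL: Dict[IPv4Network, str] = {
    IPv4Network("10.10.44.0/24"): "xx.xx.xx.179",
    IPv4Network("10.10.10.0/24"): "xx.xx.xx.178",
    IPv4Network("10.66.66.0/24"): "xx.xx.xx.178",
}

Endpoint = Tuple[Optional[str], Optional[int]]


def split_endpoint(token: str) -> Endpoint:
    """'a.b.c.d:port' -> (addr, port); the '---' of a static entry -> (None, None)."""
    if token == "---":
        return None, None
    addr, _, port = token.rpartition(":")
    return addr, int(port)


def parse_translations(text: str) -> List[dict]:
    """One dict per translation entry; header lines (repeated per page) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append({
            "proto": proto,
            "inside_global": split_endpoint(ig),
            "inside_local": split_endpoint(il),
            "outside_local": split_endpoint(ol),
            "outside_global": split_endpoint(og),
        })
    return rows


def check_policy(rows: List[dict], expected: Dict[IPv4Network, str]) -> List[Tuple[str, str, str]]:
    """(inside_local, actual_global, expected_global) for every entry that
    leaves through a public address other than the one its subnet should use."""
    violations = []
    for r in rows:
        il_addr = IPv4Address(r["inside_local"][0])
        actual = r["inside_global"][0]
        for subnet, wanted in expected.items():
            if il_addr in subnet and actual != wanted:
                violations.append((str(il_addr), actual, wanted))
    return violations


def summarize(rows: List[dict]) -> Dict[str, List[str]]:
    """Inside-global address -> sorted list of inside-local /24s seen using it."""
    seen = defaultdict(set)
    for r in rows:
        il_addr = IPv4Address(r["inside_local"][0])
        seen[r["inside_global"][0]].add(str(IPv4Network(f"{il_addr}/24", strict=False)))
    return {k: sorted(v) for k, v in seen.items()}


if __name__ == "__main__":
    entries = parse_translations(SAMPLE_OUTPUT)
    print(summarize(entries))
    print("policy violations:", check_policy(entries, EXPECTED_GLOBAL))
```

On the sample the check returns no violations and the summary shows .179 used only by 10.10.44.0/24 and .178 by 10.10.10.0/24 and 10.66.66.0/24, which is the same conclusion the reply reaches; the value of running it rather than reading the table is that a single stray entry (a client subnet leaking out through the shared home address, for instance) is reported instead of being lost among a few hundred DNS lines.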
11-12-2014 01:10 PM
Yes, I can ping 8.8.8.8 from the router.
11-12-2014 01:14 PM
Also, FYI, here is info from the original guy who helped me try to get this working last year. He is not around anymore, so I cannot look to him for help. This is my old config from when I had my equipment in a datacenter; it is no longer there.
Below is the simple config for doing what you want; it is basically the same as the standard NAT config. However, what you need to be aware of is that ALL traffic that is initiated from the inside will have the overload IP address. Sometimes this is not a problem at all and this will work just fine.
interface FastEthernet0/0
description Outside
ip address 66.182.137.89 255.255.255.248
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
description Inside
ip address 192.168.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.90 443 66.182.137.90 443 extendable
ip nat inside source static tcp 192.168.0.91 443 66.182.137.91 443 extendable
!
ip access-list extended NAT-ACL
permit ip 192.168.0.0 0.0.0.255 any
!
===============================================================================
Below is a more complex config. However, it fixes the outbound traffic problem for the configured machines.
interface FastEthernet0/0
description Outside
ip address 66.182.137.89 255.255.255.248
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
description Inside
ip address 192.168.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat pool WEB01-NAT-POOL 66.182.137.90 66.182.137.90 prefix-length 29
ip nat pool WEB02-NAT-POOL 66.182.137.91 66.182.137.91 prefix-length 29
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip nat inside source route-map WEB01-NAT-RMAP pool WEB01-NAT-POOL overload
ip nat inside source route-map WEB02-NAT-RMAP pool WEB02-NAT-POOL overload
ip nat inside source static tcp 192.168.0.90 443 66.182.137.90 443 extendable
ip nat inside source static tcp 192.168.0.91 443 66.182.137.91 443 extendable
!
ip access-list extended NAT-ACL
deny ip host 192.168.0.90 any
deny ip host 192.168.0.91 any
permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended WEB01-NAT-ACL
permit ip host 192.168.0.90 any
!
ip access-list extended WEB02-NAT-ACL
permit ip host 192.168.0.91 any
!
route-map WEB01-NAT-RMAP permit 10
match ip address WEB01-NAT-ACL
!
route-map WEB02-NAT-RMAP permit 10
match ip address WEB02-NAT-ACL
!
11-12-2014 01:35 PM
This looks almost identical to what we have, except that the sample configuration is using ACLs to subdivide the NAT within the same segment rather than doing NAT on separate segments.
What happens when you try "ping 8.8.8.8 source Gi0/1.44" and "ping 8.8.8.8 source Gi0/1.66" from the router?
11-12-2014 01:16 PM
I'm not seeing anything in the configuration that would account for this. If you can't ping 8.8.8.8 from any of the networks, but there is reachability from the router, there are entries in the NAT table and everything is directly connected, it should be working correctly. Unless there is a typo or mismatch between the various IP references that have been masked with xx.xx.xx.#, everything looks pretty standard here.
11-12-2014 01:47 PM
StratoRouter#ping 8.8.8.8 source fa0/1.66
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.66.66.1
.....
Success rate is 0 percent (0/5)
StratoRouter#ping 8.8.8.8 source fa0/1.44
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.10.44.1
.....
Success rate is 0 percent (0/5)
StratoRouter#ping 8.8.8.8 source fa0/1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
.....
Success rate is 0 percent (0/5)
Also, if I put in
ip nat inside source list MGMT-HOME interface FastEthernet0/0 overload
I get internet on my 10.66.66.22 machine.
11-12-2014 01:53 PM
That's very interesting.
ip nat inside source list MGMT-HOME interface FastEthernet0/0 overload
and
route-map MGMT-HOME permit 10
match ip address MGMT-HOME
!
ip nat pool MGMT-HOME xx.xx.xx.178 xx.xx.xx.178 prefix-length 28
!
ip nat inside source route-map MGMT-HOME pool MGMT-HOME overload
are functionally identical configurations. If the first one is working and the second one isn't, something is likely wrong with the addressing.
Can you make sure that x.x.x.178 in the "ip nat pool" and x.x.x.178 on the IP address configuration command for interface FastEthernet0/0 are identical and that there isn't a typo?
11-12-2014 02:11 PM
Yeah, the IPs match up. Could it be something with the version I have, or maybe a route missing or something? Or do I need to assign the route-maps on the sub-interfaces?