Cat 6500 IOS and NAT question

robward
Level 1

Background - we run our Campus Network using Cat 6500's running Native IOS. We extensively use VLAN's with Spanning Tree, VTP etc. We use EIGRP for routing. Some/most of the PC clients on the network run our managed service - Novell.

We've recently bought an access control system from a third party vendor that does some end system checking before allowing a host onto the production network. To get this to work with our Novell clients we need to proxy authentication between the VLAN's used by this system which use private addresses and the Novell servers which are on our production Network with public addresses. As the private network VLAN's are effectively "dead end" we need to use NAT between these and the production network.

The configuration examples I've found use standard ACL's to specify which addresses to convert but I'd like to know if it's possible to use extended ACL's so that the hosts on the private network can only communicate with particular subnets i.e. the Novell Servers?

9 Replies

mheusinger
Level 10

Hello,

Yes, extended ACLs are possible. From experience I prefer route-maps in the NAT statement, which seem more reliable to me.

ip nat inside source route-map NAT pool1
!
route-map NAT permit 10
 match ip address 100
!
access-list 100 permit ip host 10.1.1.1 host 10.2.2.2
access-list 100 permit ip 10.1.3.0 0.0.0.255 10.2.3.0 0.0.0.255

Hope this helps! Please rate all posts.

Regards, Martin
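To make the difference between a standard NAT ACL (source only) and an extended one (source and destination) concrete, here is a small Python model of IOS-style access-list matching. It is an added example, not code from this thread and not Cisco's implementation: it parses the two `access-list` forms quoted above, applies first-match-wins with the implicit deny, and reports whether an inside-to-outside packet would be a NAT candidate. The ACL lines are the ones posted in the thread; every other address in the sample checks is constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the thread. Models IOS-style ACL matching so the
# difference between a standard NAT ACL (source only) and an extended one
# (source AND destination) can be tried offline. Not Cisco code.

ANY = 0xFFFFFFFF  # wildcard mask meaning "match every address"


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any protocol; otherwise "icmp", "tcp", ...
    src_net: int
    src_wc: int   # IOS wildcard: 1 bits are "don't care"
    dst_net: int
    dst_wc: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _looks_like_ip(text: str) -> bool:
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' | 'A.B.C.D'.
    Returns (network, wildcard, index_of_next_token)."""
    tok = tokens[i]
    if tok == "any":
        return 0, ANY, i + 1
    if tok == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    if i + 1 < len(tokens) and _looks_like_ip(tokens[i + 1]):
        return _ip(tok), _ip(tokens[i + 1]), i + 2
    return _ip(tok), 0, i + 1          # bare address is the same as "host"


def _is_standard(number: int) -> bool:
    # Numbered ranges for standard IP access lists in IOS.
    return 1 <= number <= 99 or 1300 <= number <= 1999


def parse_acls(config_text: str) -> dict:
    """Collect 'access-list N ...' lines into {N: [AclEntry, ...]} in order."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if _is_standard(number):
            src, swc, _ = _parse_addr(t, 3)            # source only
            entry = AclEntry(action, "ip", src, swc, 0, ANY)
        else:
            src, swc, i = _parse_addr(t, 4)            # t[3] is the protocol
            dst, dwc, _ = _parse_addr(t, i)
            entry = AclEntry(action, t[3], src, swc, dst, dwc)
        acls.setdefault(number, []).append(entry)
    return acls


def _match(addr: int, net: int, wildcard: int) -> bool:
    mask = ~wildcard & 0xFFFFFFFF
    return addr & mask == net & mask


def acl_action(entries, proto: str, src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if _match(s, e.src_net, e.src_wc) and _match(d, e.dst_net, e.dst_wc):
            return e.action
    return "deny"


def nat_candidate(acls: dict, number: int, proto: str, src: str, dst: str) -> bool:
    """Would an inside->outside packet hit the NAT ACL and get a translation?"""
    return acl_action(acls.get(number, []), proto, src, dst) == "permit"


# Lines taken from the thread: Martin's extended list 100 and Rob's standard
# list 50. All other addresses used in the checks below are constructed.
SAMPLE_CONFIG = """
access-list 100 permit ip host 10.1.1.1 host 10.2.2.2
access-list 100 permit ip 10.1.3.0 0.0.0.255 10.2.3.0 0.0.0.255
access-list 50 permit 192.168.64.0 0.0.0.255
access-list 50 deny any log
"""

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    checks = [
        (100, "tcp", "10.1.3.7", "10.2.3.9"),     # inside host -> permitted subnet
        (100, "tcp", "10.1.3.7", "10.9.9.9"),     # same host, other destination
        (50, "tcp", "192.168.64.2", "10.9.9.9"),  # standard list ignores destination
    ]
    for number, proto, src, dst in checks:
        verdict = "translated" if nat_candidate(acls, number, proto, src, dst) else "not translated"
        print(f"list {number}: {src} -> {dst} ({proto}): {verdict}")
```

The point the model makes: with list 50 the private host is a translation candidate no matter where it sends, so the only thing limiting its reach is routing; with list 100 a packet to anything other than the listed server networks never matches, never gets a translation and, from a dead-end VLAN, has no usable source address on the production side. A source that falls outside the permit (for instance the router's own outside address, for which the thread later shows a `list 50 denied` log entry) drops through to the explicit `deny any log`.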

Thanks Martin, that looks like a workable solution.

Do you know what the limitations of NAT overload are as we could have 10,000 users hit the NAT Gateway simultaneously?

Regards

Rob

OK, I've started playing with NAT configurations on one of our 6500's which is running:

Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-JK9SV-M), Version 12.2(17d)SXB10, RELEASE SOFTWARE (fc1)

The configuration is as follows:

!
! Test NAT configuration for CM VLAN's - Novell/Anti Virus Proxy
!
access-list 50 permit 192.168.64.0 0.0.0.255
access-list 50 deny any log
!
ip nat pool campus-manager X.X.X.227 X.X.X.231 netmask 255.255.255.224
ip nat inside source list 50 pool campus-manager
!
! Inside interface
!
interface Vlan449
 shutdown
 ip address 192.168.64.1 255.255.255.0
 ip nat inside
!
! Outside interface
!
interface Vlan450
 shutdown
 ip address X.X.X.226 255.255.255.240
 ip nat outside
!

The 6500 doesn't seem to be performing NAT for some reason. The 192.168 address range is not added as an EIGRP network, but I'm still managing to communicate with systems in other subnets across the Campus from a host on Vlan449. When I enter the 'show ip nat translations' command there are no entries, and I can see the source IP address my host is using, 192.168.64.2, in the logs of the servers I'm connecting to.

I'm getting the following error messages in the logs:

Jan 20 12:10:09: %FM_EARL7-4-MLS_FLOWMASK_CONFLICT: mls flowmask may not be honored on interface Vlan450 due to flowmask conflict
Jan 20 12:10:22: %FM-2-FLOWMASK_CONFLICT: Features configured on interface Vlan450 have conflicting flowmask requirements, traffic may be switched in software
Jan 20 14:57:34: %SEC-6-IPACCESSLOGS: list 50 denied X.X.X.226 16 packets (THIS IS THE OUTSIDE ROUTER INTERFACE!)

Is this something particular to the way the Cat 6500 implements NAT or am I doing something wrong here? The examples I've seen seem consistent with what I've configured.

I'm going to try a few other things in the meantime i.e. NAT Overload, Static NAT and a Route Map instead of the ACL but I'd be interested to know why this isn't working!?

I'm still struggling to get this to work on the 6500. A colleague tried the same configuration on a 2500 Router and this worked fine.

The only way I could generate an entry in the NAT tables was by using static NAT but this still didn't seem to work properly as I was still seeing packets with a source IP of 192.168.64.2 in my server logs.

Is there a global command or something that needs to be enabled on the 6500?

I tried the above configuration on a 1700 Router and again this worked without any issues.

Can anyone offer any pointers as to why this doesn't work on the 6500?

The IOS feature locator on CCO tells me the image we're using is the correct one to support NAT on the Sup720!

By the way - I did spot the error in the nat pool netmask which should be 255.255.255.240 to match the vlan450 interface!

Progress!

Configuration is now as follows:

!
ip nat pool campus-manager X.X.X.226 X.X.X.231 netmask 255.255.255.240
ip nat inside source route-map NAT pool campus-manager
!
route-map NAT permit 10
 match ip address 100
 set interface Vlan450
!
interface Vlan449
 ip address 192.168.64.1 255.255.255.0
 ip nat inside
!
interface Vlan450
 ip address X.X.X.225 255.255.255.240
 ip nat outside
 ip policy route-map NAT
!
access-list 100 permit ip 192.168.64.0 0.0.0.255 X.X.0.0 0.0.255.255
access-list 100 permit icmp 192.168.64.0 0.0.0.255 X.X.0.0 0.0.255.255
!

This results in the NAT translation tables being populated, which is a first on the Cat 6500; however, I'm not getting any traffic back :0(

Hi,

I tried the same thing on one of my 6500's and couldn't get NAT working. Using your configuration, the translation table only contains translations for the outside interface, no inside translations.

Have you had any more luck in this configuration?

Regards

Miron

Did you have your 6500 MLS enabled? Try disabling it. I have NAT working on my Sup720.
