Dual NAT construct, problems from outside to inside

Dear Experts,

I have a problem using 2 different NATs. Please have a look at the attached topology.

Users at the Branch need local internet access. That's why an overload NAT is configured on the interface Fa0/0 (connected to the Internet):

RouterA

access-list 150 deny   ip 192.168.2.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 150 deny   ip 192.168.2.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 150 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
!
route-map NAT-INET-RM permit 10
 match ip address 150
!
ip nat inside source route-map NAT-INET-RM interface FastEthernet0/0 overload
!
interface FastEthernet0/1
 ip nat inside
!
interface FastEthernet0/0
 ip nat outside

Additionally, I need to masquerade the Branch LAN behind 172.18.7.0/24, because 192.168.2.0/24 is already used at the Headquarters:

RouterA

access-list 151 permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 151 permit ip 192.168.2.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 151 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
!
route-map NAT-VPN-RM permit 10
 match ip address 151
!
ip nat pool NAT-VPN-POOL 172.18.7.1 172.18.7.254 prefix-length 24 type match-host
ip nat inside source route-map NAT-VPN-RM pool NAT-VPN-POOL reversible
!
interface Tunnel1
 ip nat outside

This setup works fine in general. The only problem is that NAT entries are only generated when traffic comes from the Branch hosts. If a host from the HQ network tries to initiate a session with the Branch server and no NAT entry exists yet, the router does not generate a new NAT entry. The router only generates a new entry when traffic is initiated from the inside (from the Branch LAN).

I already tried to implement an additional static NAT entry for the server like

RouterA

ip nat inside source static 192.168.2.6 172.18.7.6

but this didn't work either. The router generates a simple static NAT entry, but when I ping from the HQ, I see the ICMP request gets NATed, but the reply doesn't.

Can anyone give me a hint?

What does the "reversible" do exactly?

Thanks!
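To sanity-check which of the two NAT policies a given Branch flow would hit, here is an added Python model of ACLs 150/151 and the match-host pool from the post (example code, not from the poster or from Cisco; the sample flows in the test are constructed). It models the inside-initiated direction only, which is the direction the post says works, and flags any flow that would match both route-maps, since the deny lines in ACL 150 are what keep HQ-bound traffic off the Internet overload.

```python
"""Policy-consistency model for the two NAT route-maps in the post.

Added example: not the poster's code and not Cisco IOS behaviour beyond
first-match ACL evaluation, wildcard masks and match-host address mapping.
"""
import ipaddress

# ACL entries copied from the post: (action, src, src-wildcard, dst, dst-wildcard).
# "any" is written out as 0.0.0.0 255.255.255.255.
ACL_150 = [("deny",   "192.168.2.0", "0.0.0.255", "10.0.0.0",    "0.255.255.255"),
           ("deny",   "192.168.2.0", "0.0.0.255", "172.16.0.0",  "0.15.255.255"),
           ("deny",   "192.168.2.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
           ("permit", "192.168.2.0", "0.0.0.255", "0.0.0.0",     "255.255.255.255")]
ACL_151 = [("permit", "192.168.2.0", "0.0.0.255", "10.0.0.0",    "0.255.255.255"),
           ("permit", "192.168.2.0", "0.0.0.255", "172.16.0.0",  "0.15.255.255"),
           ("permit", "192.168.2.0", "0.0.0.255", "192.168.0.0", "0.0.255.255")]


def _wc_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit in the mask means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def acl_permits(acl, src, dst):
    """First matching entry wins; every ACL ends in an implicit deny."""
    for action, s, sw, d, dw in acl:
        if _wc_match(src, s, sw) and _wc_match(dst, d, dw):
            return action == "permit"
    return False


def match_host(inside, pool_net="172.18.7.0/24"):
    """'type match-host' keeps the host bits: 192.168.2.6 -> 172.18.7.6."""
    net = ipaddress.ip_network(pool_net)
    host = int(ipaddress.IPv4Address(inside)) & int(net.hostmask)
    return str(ipaddress.IPv4Address(int(net.network_address) | host))


def classify(src, dst):
    """Which NAT policy an inside-initiated flow hits, and its translated source."""
    inet = acl_permits(ACL_150, src, dst)
    vpn = acl_permits(ACL_151, src, dst)
    if inet and vpn:          # would mean the two route-maps overlap: misconfiguration
        return ("AMBIGUOUS", None)
    if inet:
        return ("NAT-INET-RM", "Fa0/0 address (overload)")
    if vpn:
        return ("NAT-VPN-RM", match_host(src))
    return ("NO-NAT", src)    # source outside the Branch LAN: neither policy applies
```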
