12-16-2013 03:24 PM - edited 03-04-2019 09:52 PM
Hi experts!
I'm currently working on a project and I am noticing some abnormal behavior with NAT when I use NAT with a route-map, as below:
ip nat inside source route-map RM_PAT_EMBRATEL_51 pool EMBRATEL_POOL_51 overload
route-map RM_PAT_EMBRATEL_51, permit, sequence 10
Match clauses:
ip address (access-lists): ACL_PAT_EMBRATEL_51
interface GigabitEthernet0/0.902
Set clauses:
Policy routing matches: 0 packets, 0 bytes
RT-RJ-SCBF1#
RT-RJ-SCBF1#sh ip access-list ACL_PAT_EMBRATEL_51
Extended IP access list ACL_PAT_EMBRATEL_51
10 permit tcp host 10.21.2.188 any eq smtp
20 permit tcp host 10.21.2.188 any eq 465
40 permit tcp host 10.21.2.51 any eq smtp
50 permit tcp host 10.21.2.151 any eq smtp
60 permit tcp host 10.21.2.50 any eq smtp
!
My client complained that some servers could not access the network; after doing some troubleshooting I realized that NAT was not working 100%. For instance, the server 10.21.2.188 was not able to reach the Internet, and I validated this using the ACL below on the outside interface to catch servers that were not NATed when passing through the Cisco routers:
#sh ip access-lists teste2
Extended IP access list teste2
5 permit tcp host 10.21.2.50 any eq smtp (25 matches)
10 permit tcp host 10.21.2.50 any eq www
20 permit tcp host 10.21.2.188 any eq www (122 matches)
30 permit tcp 10.21.2.0 0.0.0.255 any
40 permit ip any any (589424 matches)
!
I am quite sure that my configuration is right, but I'm showing below the important information for you guys to analyze:
interface GigabitEthernet0/0.901
description ** INSIDE INTERFACE **
encapsulation dot1Q 901
ip address 10.21.254.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
standby 1 ip 10.21.254.1
standby 1 priority 150
standby 1 preempt
standby 1 name HSRP
ip policy route-map RM_POLICY_ROUTING
logging event subif-link-status
!
interface GigabitEthernet0/0.902
description ** MAIN ISP **
encapsulation dot1Q 902
ip address X.X.X.X 255.255.255.240
ip access-group teste2 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
no ip virtual-reassembly in
!
interface GigabitEthernet0/0.903
description ** ISP 2 **
encapsulation dot1Q 903
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
logging event subif-link-status
!
route-map RM_POLICY_ROUTING, permit, sequence 10
Match clauses:
ip address (access-lists): NAVIGATION_ADLS_OI
Set clauses:
ip next-hop verify-availability 172.16.0.1 1 track 30 [down]
Policy routing matches: 3971854 packets, 766578013 bytes
!
#sh ip route
Gateway of last resort is MAIN_ISP to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via X.X.X.X
I'm currently using IOS Version 15.4(1)T, but I have tried all versions starting from 15.3.
If someone has been through this situation, please let me know what the solution was.
Regards,
Rodrigo Alves
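As an added worked example that is not part of the original thread: the script below parses the two ACLs from the post (copied here as constructed sample input in "show ip access-lists" format), evaluates flows against them the way IOS evaluates a dynamic NAT selection list (first matching entry wins, implicit deny at the end), and cross-checks every host/port entry of the outside "catch" ACL teste2 that counted untranslated packets against the NAT ACL ACL_PAT_EMBRATEL_51. The destination 198.51.100.10 is a constructed documentation address standing in for "any"; the parser only handles the host/any/wildcard address forms and a destination "eq" port, which is all these two ACLs use.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed copies of the thread's two ACLs in "show ip access-lists" format.
NAT_ACL_TEXT = """\
Extended IP access list ACL_PAT_EMBRATEL_51
 10 permit tcp host 10.21.2.188 any eq smtp
 20 permit tcp host 10.21.2.188 any eq 465
 40 permit tcp host 10.21.2.51 any eq smtp
 50 permit tcp host 10.21.2.151 any eq smtp
 60 permit tcp host 10.21.2.50 any eq smtp
"""
CATCH_ACL_TEXT = """\
Extended IP access list teste2
 5 permit tcp host 10.21.2.50 any eq smtp (25 matches)
 10 permit tcp host 10.21.2.50 any eq www
 20 permit tcp host 10.21.2.188 any eq www (122 matches)
 30 permit tcp 10.21.2.0 0.0.0.255 any
 40 permit ip any any (589424 matches)
"""
# IOS prints well-known ports by name; only the names needed here are mapped.
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "domain": 53}
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")

# dport: destination port from "eq" (None = any); matches: "(N matches)" counter, 0 if absent.
Ace = namedtuple("Ace", "seq action proto src dst dport matches")
Flow = namedtuple("Flow", "proto src dst dport")


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask string for contiguous wildcard masks.
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_acl(text):
    """Parse 'show ip access-lists' output into (name, [Ace, ...]) in sequence order."""
    name, aces = None, []
    for line in text.splitlines():
        m = re.match(r"^\s*Extended IP access list (\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = m.group(4).split()
        src, i = _parse_addr(tokens, 0)
        dst, i = _parse_addr(tokens, i)
        dport = None
        # Only a destination "eq" port is handled (assumption: no ranges or source ports).
        if i < len(tokens) and tokens[i] == "eq":
            dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        aces.append(Ace(int(m.group(1)), m.group(2), m.group(3), src, dst,
                        dport, int(m.group(5) or 0)))
    return name, aces


def first_match(aces, flow):
    """First ACE the flow hits, or None for the implicit deny at the end of the list."""
    src, dst = ipaddress.IPv4Address(flow.src), ipaddress.IPv4Address(flow.dst)
    for ace in aces:
        if ace.proto not in ("ip", flow.proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace
    return None


def selected_for_nat(nat_aces, flow):
    """A dynamic NAT statement only translates flows that its ACL permits."""
    ace = first_match(nat_aces, flow)
    return ace is not None and ace.action == "permit"


def audit_leaks(catch_text, nat_text, sample_dst="198.51.100.10"):
    """For each host/port entry of the outside 'catch' ACL that counted untranslated
    packets, report whether the NAT ACL would have selected that flow at all.
    sample_dst is a constructed documentation address standing in for 'any'."""
    _, catch = parse_acl(catch_text)
    _, nat = parse_acl(nat_text)
    report = {}
    for ace in catch:
        if ace.matches == 0 or ace.src.prefixlen != 32 or ace.dport is None:
            continue
        flow = Flow(ace.proto, str(ace.src.network_address), sample_dst, ace.dport)
        report[(flow.src, flow.dport)] = selected_for_nat(nat, flow)
    return report


if __name__ == "__main__":
    for (host, port), covered in audit_leaks(CATCH_ACL_TEXT, NAT_ACL_TEXT).items():
        print(host, port, "permitted by NAT ACL" if covered else "NOT in NAT ACL")
```

Running it separates the two leaks the teste2 counters recorded: 10.21.2.50 to port 25 is permitted by ACL_PAT_EMBRATEL_51, so seeing it untranslated on the outside interface is a real translation failure worth investigating, whereas 10.21.2.188 to port 80 is not in that ACL at all, since the list only permits smtp and 465 from that host, so a www flow from it could only ever be translated by some other NAT statement. Doing this check before suspecting the IOS keeps a bug hunt from chasing flows the configuration never asked to translate.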
12-16-2013 03:28 PM
I forgot to say that if I change the NAT to not use the route-map, but use the ACL that is inside the route-map, it really works, but this way I cannot select the outside interface on which I would like to NAT. E.g. below:
ACL
ACL_PAT_EMBRATEL_51
ip nat inside source list ACL_PAT_EMBRATEL_51 pool EMBRATEL_POOL_51 overload
12-16-2013 04:35 PM
Rodrigo
Which interface do the 10.21.2.x addresses arrive on in the above config? Is it gi0/0.901?
Can you post the actual config for -
the full NAT config with route-map
the full PBR config with route-map.
In your PBR route-map you seem to be tracking 172.16.0.1, which is down. What is this meant to do and how does it interact with the NAT?
gi0/0.903 does not have an IP in your config?
So you are trying to select interfaces to send traffic out with PBR?
If you could give more detail it might help.
Jon
12-16-2013 05:28 PM
Jon,
That's right, all IPs from the range 10.21.x.x/16 arrive on interface gi0/0.901, which has a PBR where I select, based on some information, which link I will use.
GigabitEthernet0/0.903 = It is a simple ADSL link on which the router receives a private IP via DHCP to access the Internet; the modem (GW) IP address is 172.16.0.1. If one of the two links goes down, all traffic is redirected to the other one.
GigabitEthernet0/0.902 = It is a corporate link and I got a range of public IPs from my local ISP where I can configure static NAT and PAT to my servers.
But to avoid confusion, I would like to say that I had removed PBR and put the subinterface g0/0.903 in shutdown to make sure that they were not causing problems for NAT on my main link, g0/0.902. But unfortunately, when I use the route-map some dynamic NAT doesn't work as it should.
I'm attaching the config with some minor changes so as not to show personal information.
Warm Regards!
12-17-2013 03:27 AM
Rodrigo
Firstly, if it was you that marked my response as 1 (Not Helpful), please don't do that, as I am simply asking questions, so you do not need to mark it (and certainly not with a 1).
So the config you posted is the config you are using at the moment?
If so, would it be possible to send the config of what didn't work so I can see exactly how you had it set up?
Also, from your original post is it safe to say that when server 10.21.2.188 tries to access a web server on the internet it is not getting subjected to NAT?
Jon
12-17-2013 03:56 AM
Jon, sorry man! I clicked incorrectly on the star and tried to remove it, but it appears to be impossible to remove after clicking; it was not my intention. Sorry again!
By the way, the config I attached is running right now; I had to configure the commands below to make things work:
ip nat inside source list ACL_PAT_PROVIDER_51 pool PROVIDER_POOL_51 overload
ip nat inside source list ACL_PAT_USUARIOS interface GigabitEthernet0/0.902 overload
But I need to activate the second link, and if I remove the commands above and leave only the route-maps, some servers will not be NATed.
"Also from your original post is it safe to say that when server 10.21.2.188 tries to access a web server on the internet it is not getting subject to NAT ? " Yes, you are correct!
To be sincere, I really think it is a bug, because I tried on IOS 12.4 using GNS3 and it worked correctly. But I tried all versions equal to and above 15.3.
Ah, I even tried to remove "match interface GigabitEthernet0/0.902" from the route-map and leave it only with the ACL, and that didn't work either.
Any thoughts?
12-17-2013 04:25 AM
Rodrigo
Jon, sorry man! I clicked incorrectly on the star and tried to remove it, but it appears to be impossible to remove after clicking; it was not my intention. Sorry again!
No problem, it's easy to make that mistake and yes, they won't let you change it once it's been done.
It may well be a bug because I cannot see anything wrong with your config at the moment. I'm going to print it off and have a good look at it, but if you have tested in GNS3 and it worked with 12.4 it does sound like something to do with the IOS.
Is it just the servers in your ACL in the original post that were not getting subjected to NAT, i.e. these 2 -
5 permit tcp host 10.21.2.50 any eq smtp (25 matches)
10 permit tcp host 10.21.2.50 any eq www
20 permit tcp host 10.21.2.188 any eq www (122 matches)
30 permit tcp 10.21.2.0 0.0.0.255 any
40 permit ip any any (589424 matches)
When it wasn't working, did you manage to have a look at the translation table to see what they were showing?
Like I say, I'll have a good look at it and see if anything is obviously wrong, but it looks okay to me.
Jon
12-17-2013 05:04 AM
Yeah Jon, I got some information using an ACL on the outside interface, where I saw some ports for which the dynamic translation did not work, and using "show ip nat translation" I couldn't see in the table the entry being created for port 80.
Another strange thing that is happening is that some static PAT stops working and I need to remove and re-apply it, for instance:
ip nat inside source static tcp 10.21.4.50 80 X.X.43.51 80 route-map RM_PROVIDER redundancy HSRP extendable
And before removing it, if I use "show ip alias" the IP "X.X.43.51" does not appear on the list, so the router does not respond to any ARP REQUEST for that IP address, but after removing and re-applying the command above, the IP address shows up on the list correctly. Very, very strange. But I really care because I have tried 3 different versions of IOS and on all of them the problem showed up...