
IOS NAT Overload

lambay2000 (Level 2)

Dears,

Please find the attached topology.

When I configure a NAT overload for my internal subnet to go through the ADSL, I am not able to ping the leased-line next hop which is connected to my internet router. When I remove the command ip nat inside source list 1 interface gig0/0 overload, I am able to ping. Why is that so? Do I have to deny my leased-line IP in the access list below so that it is not NATed?

How is NAT chosen in a Cisco router? As far as I know, in the ASA there is a sequence that the ASA uses to choose when there are multiple NAT rules.

ip nat inside source list 1 interface gig0/0 overload

ip access-list standard internal
 permit any

ip nat inside source static 10.10.10.10 94.94.94.94

3 Accepted Solutions (Paul's first reply and Alain's two replies in the thread below were marked as accepted)

9 Replies

Hello

Your NAT statement is okay, but you are not actually specifying any internal network with the current ACL.
Try using a standard numbered ACL referencing your internal network to be NATed.

Say your internal network is 10.10.10.0/24:

access-list 1 permit 10.10.10.0 0.0.0.255

Res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Dear Paul,

Thanks for replying to my post.

I have just created one small setup in Dynamips and configured it according to what I posted above, and ping is still working with the commands below; I have not specified any specific internal networks. The IOS on Dynamips is

c3640-js-mz.124-21.bin and the IOS on the actual setup is flash0:c2900-universalk9-mz.SPA.150-1.M4.bin. Does it make a difference?

ip access-list standard internal
 permit any

I have one more doubt, please clarify.

If I remove the switch which is in between the ADSL and the internet router, then I can specify two NAT statements as below with two default routes; will the traffic be distributed among both the links?

ip nat inside source list 1 interface gig0/0 overload
ip nat inside source list 1 interface gig0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip route 0.0.0.0 0.0.0.0 192.168.20.1

Hi,

When you have 2 WAN interfaces to NAT on, you must use a route-map in the NAT statement, where you match the traffic and the outgoing interface.

You should also try to avoid permit any in a NAT ACL, because it can cause problems on some platforms/codes.

Regards

Alain

Don't forget to rate helpful posts.

Hello

"ping is still working with below commands"

Hmm, do you have NAT applied to any interfaces?

Internal interface(s)
==============
ip nat inside

WAN interface(s)
============
ip nat outside



Single WAN interface

access-list 1 permit x.x.x.x y.y.y.y
ip nat inside source list 1 interface xx overload

Or

Dual WAN interfaces

ip access-list extended Nat
 permit ip x.x.x.x y.y.y.y any

route-map Nat permit 10
 match ip address Nat

ip nat inside source route-map Nat interface gig0/1 overload
ip nat inside source route-map Nat interface gig0/2 overload

Res
Paul

Hello,

"Hmm, do you have NAT applied to any interfaces?"

Yes, I have applied ip nat inside to the internal interface and ip nat outside to the WAN interface.

I have a single WAN interface.

Question:

If I have ip nat inside on the internal interface and ip nat outside on the WAN interface, but assume I don't have any ip nat inside source route-map Nat interface gig0/1 overload command, will the traffic still be passed to the switch or will it be dropped?

Thanks

Hello
Then NAT isn't used whatsoever.

Meaning NOTHING will be translated. So if your topology is using NAT to provide connectivity for private address ranges to the public internet, then you will be restricted from doing so.

You will however be able to connect sourced from your LAN/WAN interfaces if these interfaces have public routable IP addresses assigned.

Res
Paul

Dears,

Thanks for the replies.

Hello Cadet

"When you have 2 WAN interfaces to NAT on, you must use a route-map in the NAT statement, where you match the traffic and the outgoing interface.

You should also try to avoid permit any in a NAT ACL, because it can cause problems on some platforms/codes."

According to your reply above, we need to distribute matching traffic into 2 subnets for 2 NAT statements. Suppose I am using a 10.X.X.X subnet in my internal network; how can we break them?

Thanks

Hi,

"According to your reply above, we need to distribute matching traffic into 2 subnets for 2 NAT statements. Suppose I am using a 10.X.X.X subnet in my internal network; how can we break them?"

What I said is that when you are NATing on 2 outside interfaces, you should use a route-map in your NAT statements instead of simple ACLs.

Now this is for 1 internal subnet being load-balanced out the WAN interfaces; if you want to segregate some subnet (or some part of the subnet and/or some traffic type) you'll have to use policy-based routing in addition.

For 1 subnet only here is what to do:

access-list 1 permit 10.0.0.0 0.0.0.255

route-map NAT1
 match ip address 1
 match interface dialer1

route-map NAT2
 match ip address 1
 match interface dialer2

ip nat inside source route-map NAT1 interface dialer1
ip nat inside source route-map NAT2 interface dialer2

ip route 0.0.0.0 0.0.0.0 dialer1
ip route 0.0.0.0 0.0.0.0 dialer2

interface dialer1
 ip nat outside

interface dialer2
 ip nat outside

interface vlan 1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside

Regards

Alain

Don't forget to rate helpful posts.
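Putting the thread's advice together as an added example (this is not a configuration posted by anyone in the thread): Paul's point that the NAT ACL should name the inside network rather than permit any, Alain's route-map-per-outgoing-interface pattern for two WAN links with policy-based routing for the part of the subnet that must be segregated, and the original question about keeping the leased-line next hop out of translation. The addresses come from the thread (inside 10.10.10.0/24, next hops 192.168.10.1 and 192.168.20.1, the static entry 10.10.10.10 to 94.94.94.94); the interface names, the host 10.10.10.50 used in the PBR step, and all ACL and route-map names are assumptions.

```cisco
! Added example, not a configuration from this thread.
! Assumed topology (addresses from the thread, interface names assumed):
!   Gig0/2  inside LAN 10.10.10.0/24, router address 10.10.10.1
!   Gig0/0  ADSL, next hop 192.168.10.1
!   Gig0/1  leased line, next hop 192.168.20.1
!   10.10.10.10 is reachable from outside as 94.94.94.94 (static entry)

! --- As posted: the dynamic rule references list 1, but the only ACL is
!     the named list "internal", and that list permits any source.
!
!   ip access-list standard internal
!    permit any
!   ip nat inside source list 1 interface gig0/0 overload

! --- Corrected ---------------------------------------------------------

! 1. Name the inside network in the NAT ACL. An extended ACL can also
!    exclude destinations that should stay untranslated, here the
!    leased-line next hop the question asked about. Traffic the ACL
!    denies is routed without translation; it is not dropped.
ip access-list extended NAT-INSIDE
 deny   ip 10.10.10.0 0.0.0.255 host 192.168.20.1
 permit ip 10.10.10.0 0.0.0.255 any

! 2. One route-map per WAN interface: same ACL, different "match
!    interface". Routing selects the exit first, NAT then uses the rule
!    whose interface matches, so each flow is translated to the address
!    of the interface it actually leaves on.
route-map NAT-ADSL permit 10
 match ip address NAT-INSIDE
 match interface GigabitEthernet0/0
!
route-map NAT-LEASED permit 10
 match ip address NAT-INSIDE
 match interface GigabitEthernet0/1
!
ip nat inside source route-map NAT-ADSL   interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-LEASED interface GigabitEthernet0/1 overload
! The static entry takes precedence over the dynamic rules for 10.10.10.10.
ip nat inside source static 10.10.10.10 94.94.94.94

! 3. Two equal-cost default routes; CEF shares flows across them
!    per destination.
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip route 0.0.0.0 0.0.0.0 192.168.20.1

! 4. Optional, Alain's "policy based routing in addition": pin one inside
!    host (10.10.10.50, assumed) to the leased line. The NAT route-maps
!    follow the exit PBR chose because they match on the interface.
ip access-list extended PBR-TO-LEASED
 permit ip host 10.10.10.50 any
!
route-map PBR-INSIDE permit 10
 match ip address PBR-TO-LEASED
 set ip next-hop 192.168.20.1

interface GigabitEthernet0/0
 description ADSL
 ip nat outside
!
interface GigabitEthernet0/1
 description Leased line
 ip nat outside
!
interface GigabitEthernet0/2
 description Inside LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR-INSIDE

! 5. Verify. Each dynamic entry's "Inside global" address should be the
!    address of the exit interface, and the static entry is listed even
!    with no traffic. Run "clear ip nat translation *" after changing
!    rules, because existing entries are not re-evaluated.
!   show ip nat translations
!   show ip nat statistics
!   show route-map
```

Two things to check before relying on the deny line: whether 192.168.20.1 can actually reply to an untranslated 10.10.10.x source depends on that device's own routing, and the deny only changes which source address it sees, not whether the packet is forwarded. Keeping permit any out of the NAT ACL also means a packet with a spoofed source that arrives on the inside interface is not handed the router's public address. Route-map based dynamic NAT creates fully extended translation entries (source and destination addresses and ports), which is why the static entry is still needed for a host that must accept connections from outside; since that entry exposes 10.10.10.10 to the internet, an inbound ACL on the outside interfaces should limit what may reach it.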