19970 Views | 5 Helpful | 8 Replies

NAT with one inside and two outside interfaces

hsticher (Level 1)

Hi,

My problem is:

If I initiate traffic towards both outside NAT interfaces (G0/1 and G0/2) from the NAT inside interface G0/0, the NAT translation table is populated for both interfaces, but only targets behind outside interface G0/1 respond. If I remove the configuration for interface G0/1, I get answers from the targets at G0/2.

The problem results from the subnetting/overlapping of the address spaces of G0/1 and G0/2.
If I use two class C network masks for G0/1 and G0/2 it all works fine. Because I can't change the address space, my question is: is there any possibility to configure a working NAT configuration while keeping the address overlap for G0/1 and G0/2?

 

C2911 with IOS: 15.4(2)T

interface GigabitEthernet0/0
 ip address 10.58.7.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 10.10.58.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/2
 ip address 10.10.0.1 255.255.240.0
 ip nat outside
!
ip nat inside source route-map RM-G1 interface GigabitEthernet0/1 overload
ip nat inside source route-map RM-G2 interface GigabitEthernet0/2 overload
!
route-map RM-G1 permit 10
 match ip address 110
!
route-map RM-G2 permit 10
 match ip address 120
!
access-list 110 permit ip 10.58.7.0 0.0.0.255 10.10.50.0 0.0.0.255
access-list 120 permit ip 10.58.7.0 0.0.0.255 10.20.20.0 0.0.0.255
!
ip route 10.10.50.0 255.255.255.0 10.10.58.2
ip route 10.20.20.0 255.255.255.0 10.10.0.2

 

8 Replies

tkatsiaounis (Level 1)

Sorry wrong message response!!!!!!

Please ignore.

cadet alain (VIP Alumni)

Hi,

route-map RM-G1 permit 10
 match ip address 110
 match interface g0/1
!
route-map RM-G2 permit 10
 match ip address 120
 match interface g0/2

Regards

Alain

Don't forget to rate helpful posts.

Hi Alain,

thanks for your answer. I already tried that, without success.

I believe that IOS (I tried two different IOS versions) in conjunction with my C2911 can't handle the configuration of two outside NAT interfaces. The NAT debug message is:

NAT-SymDB: DB is either not enabled or not initiated.

Only the first NAT statement (ip nat inside source route-map RM-G1 interface GigabitEthernet0/1 overload) works. But I have to delete the second NAT statement (ip nat inside source route-map RM-G2 interface GigabitEthernet0/2 overload) and shut down the interface (GigabitEthernet0/2) that the second NAT statement refers to.

At the moment I use two routers (C1841) for the connections and wanted to reduce this to one, but I believe Cisco doesn't like it ;-)

Alain's answer is the correct solution, at least as per the docs :-), for multiple PAT interfaces with route-maps.

Can you post the output of:

"debug ip nat detailed", and also try the solution from the following link for your 2900 series router.

http://www.addoway.com/cisco2900router/blog/b/Cisco-2901-Unable-to-NAT-to-Internet

or

https://supportforums.cisco.com/discussion/11444666/unable-nat-internet-cisco-2901

Both show the same NAT debug error.

Manish

Actually he is using different destinations in the access-lists used for the route-maps.

Because of that, I believe he doesn't need to specify the interface either.

Sending pings from my PC (10.58.7.254), connected at G0/0, to 10.130.13.140, which is reachable over interface G0/1.

Part of the debug ip nat detailed output:
001167: *May 15 09:16:07.171 PCTime: NAT: i: icmp (10.58.7.254, 1) -> (10.130.13.140, 1) [14912]
001168: *May 15 09:16:07.171 PCTime: NAT: s=10.58.7.254->10.246.0.2, d=10.130.13.140 [14912]
001169: *May 15 09:16:12.179 PCTime: NAT: i: icmp (10.58.7.254, 1) -> (10.130.13.140, 1) [14919]
001170: *May 15 09:16:12.179 PCTime: NAT: s=10.58.7.254->10.246.0.2, d=10.130.13.140 [14919]
001171: *May 15 09:16:17.171 PCTime: NAT: i: icmp (10.58.7.254, 1) -> (10.130.13.140, 1) [14920]
001172: *May 15 09:16:17.171 PCTime: NAT: s=10.58.7.254->10.246.0.2, d=10.130.13.140 [14920]
001173: *May 15 09:16:22.179 PCTime: NAT: i: icmp (10.58.7.254, 1) -> (10.130.13.140, 1) [14922]
001174: *May 15 09:16:22.179 PCTime: NAT: s=10.58.7.254->10.246.0.2, d=10.130.13.140 [14922]
001175: *May 15 09:16:27.171 PCTime: NAT: i: icmp (10.58.7.254, 1) -> (10.130.13.140, 1) [14923]
001176: *May 15 09:16:27.171 PCTime: NAT: s=10.58.7.254->10.246.0.2, d=10.130.13.140 [14923]
001177: *May 15 09:16:32.175 PCTime: NAT: i: icmp (10.58.7.254, 1) -> (10.130.13.140, 1) [14924]
001178: *May 15 09:16:32.175 PCTime: NAT: s=10.58.7.254->10.246.0.2, d=10.130.13.140 [14924]
001179: *May 15 09:16:32.855 PCTime: NAT: expiring 10.246.58.253 (10.58.7.254) icmp 1 (1)
001180: *May 15 09:16:32.855 PCTime: NAT-SymDB: DB is either not enabled or not initiated.

#######################################################################

I only have to change the netmask of the IP address of interface G0/1
to: ip address 10.246.0.2 255.255.255.0
and everything works fine. But that is not really possible for me in my real network.


Complete Config
###################### S  T A R T  ######################################
!
! Last configuration change at 09:05:23 PCTime Thu May 15 2014 by shanjue
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname F26-BVA-H88
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.154-2.T.bin
boot system flash:c2900-universalk9-mz.SPA.152-4.M5.bin
boot system flash:
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 10000000
!
no aaa new-model
clock timezone PCTime 1 0
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
no ip source-route
!
!
!
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name bgr.de
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-441080002
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-441080002
 revocation-check none
 rsakeypair TP-self-signed-441080002
!
!
crypto pki certificate chain TP-self-signed-441080002
 certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
license udi pid CISCO2911/K9 sn FTX1712AJ65
!
!
archive
 log config
  hidekeys
!
redundancy
!
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description to:C148:P39:VL104
 ip address 10.58.7.249 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description to:X2:1(SINA-IVBV)
 ip address 10.246.0.2 255.255.240.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/2
 description to-X3:1(SINA-BMWi)
 ip address 10.246.58.253 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 no mop enabled
!
router ospf 100
 redistribute static metric 1 subnets
 network 10.58.7.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
ip http server
ip http access-class 99
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map RM-BMWI interface GigabitEthernet0/2 overload
ip nat inside source route-map RM-IVBV interface GigabitEthernet0/1 overload
ip nat inside source static 10.58.7.221 10.246.0.21 route-map RM-IVBV
ip nat inside source static 10.58.7.222 10.246.0.22 route-map RM-IVBV
ip nat inside source static 10.58.7.30 10.246.0.30 route-map RM-IVBV
ip nat inside source static 10.58.7.233 10.246.0.233 route-map RM-IVBV
ip route 10.6.77.0 255.255.255.0 10.246.0.1
ip route 10.6.79.0 255.255.255.0 10.246.0.1
ip route 10.130.13.0 255.255.255.0 10.246.0.1
ip route 10.130.145.0 255.255.255.0 10.246.0.1
ip route 10.130.164.0 255.255.255.0 10.246.0.1
ip route 10.192.0.0 255.255.255.0 10.246.0.1
ip route 10.246.0.0 255.255.255.0 10.246.58.254
ip route 10.246.50.0 255.255.255.0 10.246.58.254
ip route 10.247.32.0 255.255.255.0 10.246.0.1
ip route 10.248.155.0 255.255.255.0 10.246.0.1
ip route 10.248.200.0 255.255.255.0 10.246.0.1
ip route 10.248.204.0 255.255.255.0 10.246.0.1
ip route 10.248.208.0 255.255.255.0 10.246.0.1
ip route 10.248.252.0 255.255.255.0 10.246.0.1
ip route 10.251.128.0 255.255.255.0 10.246.0.1
!
no logging trap
!
route-map RM-BMWI permit 10
 match ip address 122
 match interface GigabitEthernet0/2
!
route-map RM-IVBV permit 10
 match ip address 121
 match interface GigabitEthernet0/1
!
!
access-list 1 permit 10.58.7.0 0.0.0.255 log
access-list 2 permit 10.58.7.0 0.0.0.255 log
access-list 3 permit 10.246.0.0 0.0.0.255
access-list 3 permit 10.246.50.0 0.0.0.255
access-list 99 permit 10.58.7.0 0.0.0.255 log
access-list 100 permit ip any any log
access-list 101 permit ip any any log
access-list 102 permit ip any any log
access-list 121 permit ip 10.58.7.0 0.0.0.255 10.6.77.0 0.0.0.255
access-list 121 permit ip 10.58.7.0 0.0.0.255 10.6.79.0 0.0.0.255
access-list 121 permit ip 10.58.7.0 0.0.0.255 10.130.13.0 0.0.0.255
access-list 121 permit ip 10.58.7.0 0.0.0.255 10.130.145.0 0.0.0.255
access-list 121 permit ip 10.58.7.0 0.0.0.255 10.130.164.0 0.0.0.255
access-list 121 permit ip 10.58.7.0 0.0.0.255 10.192.0.0 0.0.255.255
access-list 121 permit ip 10.58.7.0 0.0.0.255 10.248.0.0 0.0.255.255
access-list 121 permit ip 10.58.7.0 0.0.0.255 10.251.128.0 0.0.0.255
access-list 122 permit ip 10.58.7.0 0.0.0.255 10.246.50.0 0.0.0.255
!
control-plane
!
!
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 login local
 transport output telnet
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 session-timeout 180
 access-class 99 in
 exec-timeout 60 0
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
!
end

############################  E  N  D  ##############################
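As an added illustration (not part of this thread or of the poster's configuration), the Python below models longest-prefix route lookup with recursive next-hop resolution over the connected and static routes taken from the posted running config, and checks for each NAT route-map destination whether the outside interface the route-map selects agrees with the interface the router would actually forward out of. The routing entries are constructed from the config above; the administrative-distance tie-break (connected beats static) is an assumption of the model, not something the thread states.

```python
import ipaddress

# Constructed model of the routing table from the posted running config:
# interface addresses/masks and the "ip route" lines relevant to the ping test.
# Entry: (prefix, next hop or None if connected, egress interface, admin distance)
def routing_table(g01_prefixlen):
    net = lambda s: ipaddress.ip_network(s, strict=False)
    return [
        (net(f"10.246.0.2/{g01_prefixlen}"), None, "Gi0/1", 0),  # G0/1 connected
        (net("10.246.58.253/24"), None, "Gi0/2", 0),             # G0/2 connected
        (net("10.130.13.0/24"), "10.246.0.1", None, 1),          # ip route ... 10.246.0.1
        (net("10.246.0.0/24"), "10.246.58.254", None, 1),        # ip route ... 10.246.58.254
        (net("10.246.50.0/24"), "10.246.58.254", None, 1),       # ip route ... 10.246.58.254
    ]

def lookup(table, dst, depth=0):
    """Longest-prefix match with admin-distance tie-break (assumed: lower wins),
    then recursive next-hop resolution. Returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface, ad in table:
        if addr in prefix and (best is None or (prefix.prefixlen, -ad) > best[0]):
            best = ((prefix.prefixlen, -ad), nh, iface)
    if best is None or depth > 8:  # depth guard against a next-hop loop
        return None
    _, nh, iface = best
    return iface if nh is None else lookup(table, nh, depth + 1)

# NAT policy from the posted config: ACL destination -> route-map -> outside interface.
NAT_POLICY = [
    (ipaddress.ip_network("10.130.13.0/24"), "RM-IVBV", "Gi0/1"),  # access-list 121
    (ipaddress.ip_network("10.246.50.0/24"), "RM-BMWI", "Gi0/2"),  # access-list 122
]

def nat_consistency(g01_prefixlen):
    """Compare each route-map's outside interface with the forwarding egress.
    Returns {destination prefix: (nat interface, egress interface, agree?)}."""
    table = routing_table(g01_prefixlen)
    result = {}
    for prefix, _rm, nat_if in NAT_POLICY:
        egress = lookup(table, str(prefix.network_address + 1))
        result[str(prefix)] = (nat_if, egress, nat_if == egress)
    return result

if __name__ == "__main__":
    for plen in (20, 24):  # /20 as posted, /24 as in the working workaround
        print(f"G0/1 mask /{plen}:")
        for dst, (nat_if, egress, ok) in nat_consistency(plen).items():
            print(f"  {dst}: NAT via {nat_if}, forwarded via {egress}, {'OK' if ok else 'MISMATCH'}")
```

With the /20 mask on G0/1, the static route 10.246.0.0/24 via 10.246.58.254 is a longer match for the next hop 10.246.0.1 than the connected /20, so the model resolves that next hop out of Gi0/2; with the /24 mask the connected route wins the tie and the next hop resolves out of Gi0/1.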

Sometimes one has tomatoes on the eyes. I already wrote the solution (workaround): in my special situation I simply have to change the netmask of interface G0/1 to 255.255.255.0 on my side, and nothing else.

guibarati (Level 4)

It's not clear to me what the overlap you mention is. Can you detail it?
