I have a problem with the rule that static NAT has higher priority than dynamic NAT; to be exact, this rule doesn't work. I will explain it with an example: I have LAN 10.10.10.0 /24 (LAN1), which will be dynamically NAT'ed to 184.108.40.206. There is also a server with IP address 10.10.10.3 (local) and 220.127.116.11 (global). The second LAN (LAN2) has the network address 192.168.1.0, and the traffic between LAN1 and LAN2 should not be NAT'ed.
Now I write on R3:

! dynamic NAT list, NAT always to 18.104.22.168 except for 192.168.1.0 /24 network
access-list 122 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 10.10.10.0 0.0.0.255 any
! static NAT list: NAT always to 22.214.171.124, except for LAN2
access-list 150 deny ip host 10.10.10.3 192.168.1.0 0.0.0.255
access-list 150 permit ip host 10.10.10.3 any
ip nat inside source list 122 interface Serial0/0 overload
ip nat inside source static 10.10.10.3 126.96.36.199 route-map nonat
route-map nonat permit 10
 match ip address 150

But without the line

access-list 122 deny ip host 10.10.10.3 any

the whole traffic from 10.10.10.3 will be NAT'ed to 188.8.131.52 and not to 184.108.40.206!
How is it possible? Static NAT should be done first, and if the address 220.127.116.11 is already set (and it is set, because with the line "access-list 122 deny ip host 10.10.10.3 any" it works fine), why will it be NAT'ed again to 18.104.22.168?
I see the situation that you're having and I agree with you that the static NAT should take precedence.
I'm thinking that the problem might be that you have a conditional static NAT (not a plain static NAT), and since both NAT rules depend on ACLs, the traffic from the server is actually checked against both rules. This is why, if you deny the server from the dynamic rule, it works fine.
I know for a fact that static NAT takes precedence over dynamic NAT on ASAs, but even though it should be the same on routers, I believe routers have more problems with NAT.
As a test, can you take out the condition (route-map) from the static NAT and see if it takes precedence?
I understand this is not the way you need it, but just to confirm the priority of the static NAT over dynamic.
I will try to lab this and let you know if the same thing happens to me.
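The core of the question and of the reply above is which of the two inside-source rules a given packet qualifies for, and that depends entirely on how the two ACLs evaluate it. The following is an added example (not code from the thread or from Cisco): a small Python model of Cisco wildcard-mask ACL matching with first-match and implicit-deny semantics, applied to the ACLs exactly as posted, to the list with the extra deny line, and to the reply's suggested test of a static entry with no route-map. It models only ACL qualification; it does not decide which rule IOS ultimately applies when both qualify, which is the behaviour the poster observed and the reply questions. The destination addresses used in the demo are constructed.

```python
import ipaddress

# The two ACLs from the post above, one entry per line (constructed from
# the configuration in the question, using its addresses).
ACL_122_AS_POSTED = [
    "access-list 122 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 122 permit ip 10.10.10.0 0.0.0.255 any",
]
# The same list with the extra deny line the poster found necessary.
ACL_122_WITH_DENY = [
    "access-list 122 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 122 deny ip host 10.10.10.3 any",
    "access-list 122 permit ip 10.10.10.0 0.0.0.255 any",
]
# ACL referenced by route-map nonat, which conditions the static entry.
ACL_150 = [
    "access-list 150 deny ip host 10.10.10.3 192.168.1.0 0.0.0.255",
    "access-list 150 permit ip host 10.10.10.3 any",
]
STATIC_LOCAL = "10.10.10.3"  # inside local address of the static entry


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(network) & care)


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'net wildcard'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Turn 'access-list N permit|deny ip SRC DST' lines into ACE tuples."""
    aces = []
    for line in lines:
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[3] != "ip":
            raise ValueError("unsupported ACE: %s" % line)
        action = tokens[2]
        src, rest = _parse_addr(tokens[4:])
        dst, rest = _parse_addr(rest)
        aces.append((action, src, dst))
    return aces


def acl_permits(aces, src, dst):
    """First matching ACE decides; an unmatched packet hits the implicit deny."""
    for action, (sn, sw), (dn, dw) in aces:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False


def nat_candidates(src, dst, dynamic_acl, static_acl=ACL_150):
    """Return which of the router's two inside-source rules accept this packet.

    'static'  - ip nat inside source static 10.10.10.3 ... route-map nonat
                (qualifies only if static_acl permits; pass static_acl=None
                to model a plain static entry with no route-map, the test
                suggested in the reply)
    'dynamic' - ip nat inside source list 122 interface Serial0/0 overload
    """
    candidates = []
    if src == STATIC_LOCAL and (
        static_acl is None or acl_permits(parse_acl(static_acl), src, dst)
    ):
        candidates.append("static")
    if acl_permits(parse_acl(dynamic_acl), src, dst):
        candidates.append("dynamic")
    return candidates


if __name__ == "__main__":
    # 203.0.113.9 stands in for an Internet host; 192.168.1.20 is a LAN2 host.
    for label, acl in (("as posted", ACL_122_AS_POSTED), ("with deny", ACL_122_WITH_DENY)):
        print(label, "server -> Internet:", nat_candidates("10.10.10.3", "203.0.113.9", acl))
        print(label, "server -> LAN2:    ", nat_candidates("10.10.10.3", "192.168.1.20", acl))
        print(label, "client -> Internet:", nat_candidates("10.10.10.50", "203.0.113.9", acl))
```

With the lists as posted, a packet from 10.10.10.3 to the Internet is permitted by both ACL 150 and ACL 122, so both the conditional static entry and the overload rule accept it; only the extra deny line removes it from the dynamic rule. Traffic to LAN2 is denied by both lists, which is the untranslated path the poster wants. With no route-map on the static entry, the server's LAN2 traffic would qualify for the static translation too, which is why the reply proposes that only as a test.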