[c-nsp] problems with NAT

Bøvre Jon Harald Jon.Harald.Bovre at hafslund.no
Mon Aug 23 08:58:41 EDT 2010


Try changing nat source list to a route map:
ip nat inside source list 10 pool pool1 overload

access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.20.1.0 0.0.0.255

to
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.20.1.0 0.0.0.255

route-map NAT permit 10
 match ip address 10

ip nat inside source route-map NAT pool pool1 overload



Jon

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Lee Starnes
Sent: 22 August 2010 21:03
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] problems with NAT

Hi,

We are seeing a problem with NAT on a Cisco 7206VXR that has us completely
stumped. The setup is working using a 1721, but when replacing that with the
7206 it does not seem to work.

Current setup:

Internet connection comes into a 2950 switch. It is handed to
several devices on vlan 10 including the 1721 as a trunked vlan on its
fa0.1. The 1721 also has fa0.2 on vlan 20 which is the private network.
There are 2 T1s connected to this router on s0 and s1 in a multilink bundle
(multilink1). Interfaces multilink1 and fa0.2 are configured as ip nat
inside. fa0.1 is configured as ip nat outside. Static nat mappings to
devices on the private ethernet and to the T1 network work great.

Now, we replaced that 1721 with a 7206VXR and the NAT does not work
correctly and the behavior is different depending upon what IOS version we
load. The difference in network configuration now is that instead of using a
trunk of vlans, there are individual fast ethernet ports. So fa0.1 and fa0.2
get replaced with fa0/0 and fa0/1.

Here is the issue. On c7200-is-mz.123-25.bin, NAT only works on devices on
the private ethernet. On c7200-is-mz.122-3.bin, NAT works on everything
except for SIP traffic (udp 5060) from the multilink1. On
c7200-advipservicesk9-mz.124-2.T5.bin, NAT does not seem to work on any
traffic on the multilink and only
partially works on private ethernet traffic. Seems to not want to NAT some
traffic and leaves it as sourced from the private IP.

I have included the interface and NAT portions of the config below. There
are more NAT mappings than shown, but just included the first two. Does
anyone know why this would work on the 1721 and not the 7206?

interface Multilink1
 description T1s to office
 ip address 172.20.1.1 255.255.255.252
 ip nat inside
 load-interval 30
 ppp multilink
 ppp multilink fragment disable
 ppp multilink links maximum 2
 ppp multilink links minimum 1
 ppp multilink group 1
 service-policy output adtran-VoIP-policy
!
interface FastEthernet0/0
 description Public internet at colo
 ip address y.y.y.17 255.255.255.240
 ip nat outside
!
interface FastEthernet0/1
 description Private network at colo
 ip address 10.10.100.254 255.255.255.0
 ip nat inside
!


ip nat translation max-entries 10000
ip nat pool pool1 y.y.y.18 y.y.y.18 netmask 255.255.255.240
ip nat inside source list 10 pool pool1 overload


ip nat inside source static 172.20.1.2 y.y.y.19
ip nat inside source static 10.10.100.21 y.y.y.21
ip nat inside source static tcp 10.2.2.3 443 y.y.y.51 443 extendable
ip nat inside source static tcp 10.2.2.3 80 y.y.y.51 80 extendable
!
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.20.1.0 0.0.0.255


Thanks,

-Lee