[c-nsp] problems with NAT

Lee Starnes lee.t.starnes at gmail.com
Tue Aug 24 04:21:33 EDT 2010


Hi Jon,

Thanks for the input. It would seem that this fixed almost everything.

We have 10.2.2.x at the office, which is connected to the router in the colo
(the new 7206), and that works now with this config change, but the IP range
172.20.1.x, which is used between the 7206 and the router at the office, does
not seem to get nat'd. Since the office router terminates SIP traffic from
the outside... 10.10.100.x is in the colo and this seems to still work. I
broke access-list 10 down into separate entries for the three netblocks to
get the office to work.

access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.20.1.0 0.0.0.255

changed to:

access-list 10 permit 10.10.100.0 0.0.0.255
access-list 10 permit 10.2.2.0 0.0.0.255
access-list 10 permit 172.20.1.0 0.0.0.3


I'm wondering if this is an issue where NAT is not wanting to match more
than one subnet/netblock per interface source. Seems kind of odd, but this
does seem to be what is happening.

Thanks for your help.

-Lee

2010/8/23 Bøvre Jon Harald <Jon.Harald.Bovre at hafslund.no>

> Try changing nat source list to a route map:
> ip nat inside source list 10 pool pool1 overload
>
> access-list 10 permit 10.0.0.0 0.255.255.255
> access-list 10 permit 172.20.1.0 0.0.0.255
>
> to
> access-list 10 permit 10.0.0.0 0.255.255.255
> access-list 10 permit 172.20.1.0 0.0.0.255
>
> route-map NAT permit 10
> match ip address 10
>
> ip nat inside route-map NAT pool pool1 overload
>
>
>
> Jon
>
> -----Original message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On behalf of Lee Starnes
> Sent: 22 August 2010 21:03
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] problems with NAT
>
> Hi,
>
> We are seeing a problem with NAT on a Cisco 7206VXR that has us completely
> stumped. The setup is working using a 1721, but when replacing that with
> the 7206 it does not seem to work.
>
> Current setup:
>
> Internet connection comes into a 2950 switch. This is handed to
> several devices on vlan 10 including the 1721 as a trunked vlan on its
> fa0.1. The 1721 also has fa0.2 on vlan 20 which is the private network.
> There are 2 T1s connected to this router on s0 and s1 in a multilink bundle
> (multilink1). Interfaces multilink1 and fa0.2 are configured as ip nat
> inside. fa0.1 is configured as ip nat outside. Static nat mappings to
> devices on the private ethernet and to the T1 network work great.
>
> Now, we replaced that 1721 with a 7206VXR and the NAT does not work
> correctly, and the behavior is different depending upon what IOS version we
> load. The difference in network configuration now is that instead of using
> a trunk of vlans, there are individual fast ethernet ports. So fa0.1 and
> fa0.2 get replaced with fa0/0 and fa0/1.
>
> Here is the issue. On c7200-is-mz.123-25.bin, NAT only works on devices on
> the private ethernet. On c7200-is-mz.122-3.bin, NAT works on everything
> except for SIP traffic (udp 5060) from the multilink1. On
> c7200-advipservicesk9-mz.124-2.T5.bin, NAT does not seem to work on any
> traffic on the multilink and only partially works on private ethernet
> traffic. It seems to not want to NAT some traffic and leaves it sourced
> from the private IP.
>
> I have included the interface and NAT portions of the config below. There
> are more NAT mappings than shown, but I have just included the first two.
> Does anyone know why this would work on the 1721 and not the 7206?
>
> interface Multilink1
>  description T1s to office
>  ip address 172.20.1.1 255.255.255.252
>  ip nat inside
>  load-interval 30
>  ppp multilink
>  ppp multilink fragment disable
>  ppp multilink links maximum 2
>  ppp multilink links minimum 1
>  ppp multilink group 1
>  service-policy output adtran-VoIP-policy
> !
> interface FastEthernet0/0
>  description Public internet at colo
>  ip address y.y.y.17 255.255.255.240
>  ip nat outside
> !
> interface FastEthernet0/1
>  description Private network at colo
>  ip address 10.10.100.254 255.255.255.0
>  ip nat inside
> !
>
>
> ip nat translation max-entries 10000
> ip nat pool pool1 y.y.y.18 y.y.y.18 netmask 255.255.255.240
> ip nat inside source list 10 pool pool1 overload
>
>
> ip nat inside source static 172.20.1.2 y.y.y.19
> ip nat inside source static 10.10.100.21 y.y.y.21
> ip nat inside source static tcp 10.2.2.3 443 y.y.y.51 443 extendable
> ip nat inside source static tcp 10.2.2.3 80 y.y.y.51 80 extendable
> !
> access-list 10 permit 10.0.0.0 0.255.255.255
> access-list 10 permit 172.20.1.0 0.0.0.255
>
>
> Thanks,
>
> -Lee
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
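Both the original `ip nat inside source list 10 ...` statement and the route-map variant Jon suggests consult access-list 10 with IOS standard-ACL semantics: entries are tried in order, the first match decides, and anything unmatched hits the implicit deny and is left untranslated. The Python below is an added example, not code from the thread or from Cisco, that implements wildcard (inverse-mask) matching, parses the two versions of access-list 10 quoted above, and reports the address range each entry covers. The addresses 10.2.2.3, 10.10.100.21 and 172.20.1.2 come from the posted config; 172.20.1.200 and 10.50.0.1 are constructed to show sources the rewritten list no longer permits. One thing it makes visible is that `172.20.1.0 0.0.0.3` covers only 172.20.1.0 through 172.20.1.3, i.e. the Multilink1 /30, whereas the earlier `0.0.0.255` entry covered the whole 172.20.1.x range.

```python
"""Evaluate IOS standard access-list entries the way a NAT source list
consults them: first match wins, with an implicit deny at the end."""
import ipaddress

MASK32 = 0xFFFFFFFF

# The two versions of access-list 10 as quoted in the thread.
OLD_ACL_TEXT = """
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.20.1.0 0.0.0.255
"""
NEW_ACL_TEXT = """
access-list 10 permit 10.10.100.0 0.0.0.255
access-list 10 permit 10.2.2.0 0.0.0.255
access-list 10 permit 172.20.1.0 0.0.0.3
"""


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must equal the
    corresponding bit of the network address; a 1 bit is a don't-care."""
    care = ~_to_int(wildcard) & MASK32
    return (_to_int(addr) & care) == (_to_int(network) & care)


def parse_standard_acl(text):
    """Return [(action, network, wildcard), ...] in configuration order.
    Handles 'any', 'host X', and a bare address (IOS defaults the wildcard
    to 0.0.0.0 in that case); remark lines are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action, rest = parts[2], parts[3:]
        if rest[0] == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            network, wildcard = rest[1], "0.0.0.0"
        else:
            network = rest[0]
            wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
        entries.append((action, network, wildcard))
    return entries


def evaluate(acl, addr):
    """First matching entry decides; returns (action, entry_index).
    Falls through to ('deny', None), the implicit deny every IOS ACL ends with."""
    for idx, (action, network, wildcard) in enumerate(acl):
        if wildcard_match(addr, network, wildcard):
            return action, idx
    return "deny", None


def covered_range(network, wildcard):
    """Inclusive (first, last) address covered by one entry, for a wildcard
    whose one-bits are contiguous at the low end. Non-contiguous wildcards
    are legal in IOS but do not describe a single range, so None is returned."""
    w = _to_int(wildcard)
    if w & (w + 1):
        return None
    first = _to_int(network) & ~w & MASK32
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(first | w)))


OLD_ACL = parse_standard_acl(OLD_ACL_TEXT)
NEW_ACL = parse_standard_acl(NEW_ACL_TEXT)


def compare(addr):
    """How the same inside source address fares against both versions of ACL 10."""
    return {"old": evaluate(OLD_ACL, addr), "new": evaluate(NEW_ACL, addr)}


if __name__ == "__main__":
    # Three addresses from the posted config plus two constructed ones.
    for addr in ("10.2.2.3", "10.10.100.21", "172.20.1.2",
                 "172.20.1.200", "10.50.0.1"):
        print(addr, compare(addr))
    for _action, network, wildcard in NEW_ACL:
        print(network, wildcard, "->", covered_range(network, wildcard))
```

Running it prints, for each address, which entry of each list matched (or `deny`), followed by the address range of every entry in the rewritten list. Because a NAT source list is evaluated per packet, not per interface, comparing the two lists this way is the quickest check that a "works on one subnet but not another" symptom is or is not explained by the ACL itself before looking at IOS-version behaviour.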
