
Friday, July 16, 2010

ACL NATing issue

We have a 2811 router with 2 external "outside" interfaces, Fa0/1 and Fa0/2/0. The problem is that when it comes to NAT inside source addresses, 'nat'ing only works for addresses listed in the first access list of the first NAT statement. Below are the config snippets.

interface FastEthernet0/1
ip address 172.24.170.39 255.255.255.128
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/2/0
ip address 10.1.1.198 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
access-list 30 permit 172.16.4.0 0.0.3.255
access-list 30 permit 172.16.8.0 0.0.3.255
access-list 30 permit 172.16.20.0 0.0.3.255
access-list 30 permit 192.168.100.0 0.0.0.255
access-list 31 permit 172.16.20.0 0.0.3.255 log
ip nat inside source list 30 interface FastEthernet0/1 overload
ip nat inside source list 31 interface FastEthernet0/2/0 overload
172.17.0.0/30 is subnetted, 1 subnets
C 172.17.254.4 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
S 172.16.20.0/22 [1/0] via 172.17.254.6
S 172.16.16.0/22 [1/0] via 172.17.254.6
S 172.16.12.0/22 [1/0] via 172.17.254.6
S 172.16.8.0/22 [1/0] via 172.17.254.6
S 172.16.10.14/32 [1/0] via 172.24.170.1
S 172.16.4.0/22 [1/0] via 172.17.254.6
172.24.0.0/16 is variably subnetted, 2 subnets, 2 masks
S 172.24.42.132/32 [1/0] via 172.24.170.1
C 172.24.170.0/25 is directly connected, FastEthernet0/1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S 10.8.0.0/16 [1/0] via 172.24.170.1
C 10.1.1.0/24 is directly connected, FastEthernet0/2/0
S 192.168.100.0/24 [1/0] via 172.17.254.6

For example, a client with IP 172.16.20.25 pings 10.8.27.71 -> NAT takes place with the new source IP of fa0/1, which is 172.24.170.39, as shown in the debug below:
NAT*: s=172.16.20.25->172.24.170.39, d=10.8.27.71 [11077]
Now the same client pings 10.1.1.254, but the router is still 'nat'ing with the new source IP of fa0/1:
NAT*: s=172.16.20.25->172.24.170.39, d=10.1.1.254 [11175]
Why is it not using the routing table and 'nat'ing to fa0/2/0???

ACLs are checked from top to bottom, and the NAT statements are checked in the order they are configured. When you ping the 10.1.x.x network, ACL 30 still matches the source address 172.16.20.25, and since this ACL is associated with the first NAT statement, NAT takes place as per the first NAT statement.
The router has no way of knowing when to use the second NAT statement, because the traffic has already been matched by ACL 30 and the router has two NAT outside interfaces. A standard ACL only looks at the source address, so the only way to steer traffic to the second statement is to match on both source and destination, i.e. to use an extended ACL.
It is suggested that you use extended ACLs like below:
access-list 101 permit 172.16.4.0 0.0.3.255 10.8.0.0 0.0.255.255
access-list 101 permit 172.16.8.0 0.0.3.255 10.8.0.0 0.0.255.255
access-list 101 permit 172.16.20.0 0.0.3.255 10.8.0.0 0.0.255.255
access-list 101 permit 192.168.100.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 102 permit 172.16.20.0 0.0.3.255 10.1.1.0 0.0.0.255 log
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source list 102 interface FastEthernet0/2/0 overload
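The following Python model is an added example, not part of the original post or of IOS itself. It reproduces the selection logic described above (NAT statements tried in configuration order, first ACL hit wins, implicit deny at the end, standard ACLs keyed on source only and extended ACLs on source and destination) using the addresses from the post, so you can see why the original config translates both pings to 172.24.170.39 and the extended-ACL config picks Fa0/2/0 for the 10.1.1.0/24 destination. The entry-tuple layout and function names are this example's own.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def acl_permits(acl, src: str, dst: str) -> bool:
    """Entries are evaluated top to bottom; the first hit decides, implicit deny at the end.
    Standard entry: (action, net, wc). Extended entry: (action, net, wc, dnet, dwc)."""
    for entry in acl:
        action, net, wc, *dest = entry
        hit = wildcard_match(src, net, wc)
        if dest:  # extended ACL: destination must match as well
            hit = hit and wildcard_match(dst, dest[0], dest[1])
        if hit:
            return action == "permit"
    return False

def nat_source(nat_statements, acls, interfaces, src: str, dst: str):
    """Translated source for a packet, or None if no NAT statement matched.
    nat_statements is the ordered list of (acl_number, outside_interface)."""
    for acl_no, iface in nat_statements:
        if acl_permits(acls[acl_no], src, dst):
            return interfaces[iface]
    return None

INTERFACES = {"Fa0/1": "172.24.170.39", "Fa0/2/0": "10.1.1.198"}

# Original configuration from the post: standard ACLs, source only.
ORIGINAL_ACLS = {
    30: [("permit", "172.16.4.0", "0.0.3.255"), ("permit", "172.16.8.0", "0.0.3.255"),
         ("permit", "172.16.20.0", "0.0.3.255"), ("permit", "192.168.100.0", "0.0.0.255")],
    31: [("permit", "172.16.20.0", "0.0.3.255")],
}
ORIGINAL_NAT = [(30, "Fa0/1"), (31, "Fa0/2/0")]

# Suggested fix: extended ACLs that also key on the destination network.
INSIDE_NETS = [("172.16.4.0", "0.0.3.255"), ("172.16.8.0", "0.0.3.255"),
               ("172.16.20.0", "0.0.3.255"), ("192.168.100.0", "0.0.0.255")]
FIXED_ACLS = {
    101: [("permit", n, wc, "10.8.0.0", "0.0.255.255") for n, wc in INSIDE_NETS],
    102: [("permit", "172.16.20.0", "0.0.3.255", "10.1.1.0", "0.0.0.255")],
}
FIXED_NAT = [(101, "Fa0/1"), (102, "Fa0/2/0")]

if __name__ == "__main__":
    for name, nat, acls in (("original", ORIGINAL_NAT, ORIGINAL_ACLS), ("fixed", FIXED_NAT, FIXED_ACLS)):
        for dst in ("10.8.27.71", "10.1.1.254"):
            print(name, "172.16.20.25 ->", dst, "=> source", nat_source(nat, acls, INTERFACES, "172.16.20.25", dst))
```

Note that with the extended ACLs a source such as 172.16.4.10 bound for 10.1.1.0/24 no longer matches any NAT statement and leaves untranslated, which is the trade-off of matching on destination: every inside/outside pairing you want translated has to be listed explicitly.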


Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.
